How to configure SSL Proxy Support on SteelHead appliances?

Categories: SteelHead CX (Appliance), SteelHead CX (Virtual Steelhead), SteelHead DX (Appliance), SteelHead EX (Appliance)
Solution Number: S26506

Issue

How to configure SSL Proxy Support on SteelHead appliances?

Solution

Traditional SSL optimization uses the destination IP address and port number to identify the back-end server.

- Reuse cached server specific information (optimizable server table)
- Bypass table is also maintained per {destination IP/port}
- Assumes client begins communication with SSL messages
 
Client <---> CFE <---> SFE <---> SSL Server
 
 
SSL connection via Proxy
- Connections to multiple SSL servers go through the same proxy
- Destination is {proxy IP address, proxy port number}
- IP/port of the actual SSL server is not known to the SteelHeads
- IP/port can no longer be used as the key
- Communication begins with HTTP, then switches to SSL
 
 
Client <---> CFE <---> SFE <---> Proxy <---> SSL Server
 
Client -> Proxy: CONNECT sslserver.com:443 HTTP/1.1
Proxy <-> SSL Server: TCP connection setup
Proxy -> Client: HTTP/1.1 200 OK
Client -> Proxy: Client Hello
Proxy <-> SSL: forwarded 
Proxy -> Client: Server Hello
 
 
 
What if the proxy is configured for both HTTP and HTTPS?
- Bypass SSL optimization if the method is regular HTTP (e.g., GET, POST)
- Continue to perform HTTP optimization for regular HTTP traffic

What if a non-SSL/non-HTTP packet is received?
- Bypass SSL optimization as well as HTTP optimization entirely
- Additionally enable mid-session-ssl for late-start SSL traffic
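
The classification described above, sketched as an added example (not Riverbed code and not how the appliance is implemented): it inspects the first client bytes sent to the proxy, keys the server on the CONNECT target instead of the proxy IP/port, and picks an optimization path. The function names, decision labels and sample bytes are assumptions made for illustration.

```python
# Added illustration, not Riverbed code. Decision labels are hypothetical.
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"TRACE"}

# Constructed sample: first bytes of a TLS record carrying a ClientHello.
SAMPLE_CLIENT_HELLO = bytes.fromhex("16030100050100000100")


def is_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record holding a ClientHello."""
    # Record header: type 0x16 (handshake), major version 0x03, minor version,
    # 2-byte length. The handshake message then starts with type 0x01.
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


def parse_connect_target(request_line: bytes):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host.decode("ascii", "replace").lower(), int(port)


def classify(first_bytes: bytes, tunnel_bytes: bytes = b""):
    """Classify a connection addressed to the proxy.

    first_bytes: what the client sends first; tunnel_bytes: what the client
    sends after the proxy answers the CONNECT with 200. Returns (decision, key).
    """
    line = first_bytes.split(b"\r\n", 1)[0]
    target = parse_connect_target(line)
    if target is not None:
        # The server key is the CONNECT target, not {proxy IP, proxy port}.
        if not tunnel_bytes:
            return "await-client-hello", target
        if is_client_hello(tunnel_bytes):
            return "ssl-optimize", target
        return "bypass-ssl-and-http", target  # tunnel carries something other than SSL
    if line.split(b" ", 1)[0] in HTTP_METHODS:
        return "http-optimize-only", None  # regular HTTP: bypass SSL optimization
    return "bypass-ssl-and-http", None  # neither HTTP nor SSL
```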
 
 
Configuration CLI:
- Proxy support (SFE/CFE)
protocol ssl ssl-proxy enable 
show protocol ssl proxy-support
 
- Bypass table (SFE)
show protocol ssl backend bypass-table
no protocol ssl backend bypass-table [client-ip *] server-ip * [port *] server-hostname *
 
 
Configuration Web UI:
SSL > Configure > Optimization > Advanced Settings page
Enable SSL Proxy Support (CFE/SFE)
*Requires a service restart


In-path rule for proxy IP/port (CFE)
Pre-optimization policy: SSL
 
Test and Validation:
Reports > Current Connections
 
Configure > Optimization > SSL Main Settings page
Discovered SSL Servers (Optimizable)
 
Last Modified: 2018-03-01