DEPLOYMENT GUIDE
SSL Insight Deployment for Thunder ADC

Table of Contents

1 Overview
2 Deployment Prerequisites
3 Architecture Overview
  3.1 SSL Insight with an Inline Security Deployment
4 New SSL Insight Features
  4.1 Features
  4.2 CA Certificate
5 Configuration Overview
  5.1 Thunder ADC Appliance Configuration Overview
6 Configuration Steps for Thunder ADC Appliances
  6.1 Network Configuration on the Thunder ADC Appliances
  6.2 Configure VLANs and Add Ethernet and Router Interfaces
  6.3 Configure IP Addresses on the VLAN Router Interfaces
  6.4 SSL Insight Configuration on the Thunder ADC Appliances
7 Configuration Steps for Security Device
8 Summary
Appendix
  Appendix A. Complete Configuration File for the Thunder ADC Appliance
  Appendix B. Webroot BrightCloud URL Classification
  Appendix C. Dynamic Port Intercept
    Configuration Samples for Dynamic Port Intercept
  Appendix D. Single Appliance SSL Insight Solution
  Appendix E. ICAP Support in Client Authentication Architecture
    ICAP Workflow
    Configuration Requirements
  Appendix F. Bypass Client Certificate Authentication
    Configuration for Bypassing SSL Insight for Client Authentication Traffic
    Sample Configuration for Bypassing SSL Insight for Client Authentication Traffic
  Appendix G. Explicit Proxy
    Explicit Proxy Configuration
  Appendix H. Detailed Walkthrough of SSL Insight Packet Flow
  Appendix I. SSL Insight Certificate Installation Guide
    Generating a CA Certificate
    Installing a Certificate in Microsoft Windows 7 for Internet Explorer
    Installing a Certificate in Google Chrome
    Installing a Certificate in Mozilla Firefox
  Appendix J. SSL Insight 4.0.3 Features
    OCSP Certificate Validation
    OCSP Certificate Validation Process
    SSL Debug Alert Messages
    Forward Proxy Failsafe
      Command to Disable Forward Proxy Failsafe
    Forward Proxy Inspect
    Internal Thunder ADC Ends-with Class-list Sample
    Internal Thunder ADC Key-string Length Class-list Sample
  Appendix K. Reference Topologies
    SSL Insight – Inline Single Appliance Deployment
    SSL Insight – Inline and Passive Mode Security Devices
    SSL Insight – Network and Passive Mode Security Devices
    SSL Insight – Inline Mode with Explicit Proxy
    SSL Insight – ICAP Topology with Explicit Proxy
    SSL Insight in Passive Inline with Explicit Proxy
    Inline Mode with Bypass Switch/AFO
    HA Inline Mode with Bypass Switch/AFO
About A10 Networks

Disclaimer

This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All information is provided "as-is." The product specifications and features described in this publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks' products and services are subject to A10 Networks' standard terms and conditions.

1 Overview

Security devices such as firewalls, intrusion detection systems (IDS), data loss prevention (DLP), analytics and forensics platforms, and advanced threat prevention platforms require visibility into all traffic, including SSL traffic, to discover attacks, intrusions and data exfiltration hidden in encrypted communications. Many types of security devices are deployed non-inline to monitor network traffic, and these devices cannot decrypt outbound SSL traffic. Growing SSL bandwidth, coupled with increasing SSL key lengths and more computationally expensive SSL ciphers, makes it difficult for even the most powerful inline security devices to decrypt SSL traffic themselves.

To solve this challenge, the SSL Insight™ feature of the A10 Networks® Thunder® ADC line of application delivery controllers eliminates the blind spot imposed by SSL encryption: it offloads the CPU-intensive SSL decryption so that security devices can inspect encrypted traffic, not just clear text. The Thunder ADC SSL Insight feature acts as an SSL forward proxy: it intercepts SSL-encrypted traffic, decrypts it and forwards it in clear text through a firewall or intrusion prevention system (IPS). It can also mirror the decrypted traffic to non-inline security devices such as analytics or forensics products.
A second Thunder ADC appliance then takes the inspected clear-text traffic, encrypts it again and sends it to the remote destination. Using A10's Application Delivery Partitions (ADPs), it is also possible to use a single Thunder ADC appliance for decryption, re-encryption and load balancing.

2 Deployment Prerequisites

The requirements for an SSL Insight deployment are:
• Thunder ADC appliances running A10 Networks Advanced Core Operating System (ACOS®) version 4.0.3 SP9 or later
• A third-party security device such as a firewall, security analytics or forensics appliance, or threat prevention platform
• The security device deployed in inline (Layer 2), routed (Layer 3) or ICAP mode (ICAP only for DLP or antivirus solutions with ICAP support)

Note: The CLI commands and GUI screenshots presented in this guide are based on ACOS version 4.0.1 SP9. Some features in this release can be configured only from the CLI; where the guide does not show a GUI procedure, the feature is CLI-only.

3 Architecture Overview

This section illustrates a joint solution using Thunder ADC appliances and a third-party security device to provide SSL Insight. The SSL Insight services are provided by the Thunder ADC appliances, while traffic inspection and monitoring are provided by the third-party security device. This is a simple inline SSL intercept solution using two Thunder ADC appliances, one for SSL decryption and one for re-encryption. For additional SSL Insight deployment options, refer to the reference topologies in Appendix K.

Note: The security devices in this deployment guide are set up in Layer 2 (L2) mode.

Figure 1. SSL Insight and Firewall Load Balancing topology example (figure not reproduced; labels: Client, Internal Thunder ADC, Security Appliance, External Thunder ADC, Internet)

Figure 2.
SSL Insight and Firewall Load Balancing topology in one-box solution (figure not reproduced; labels: ADP 1 "Internal" with Client and Firewall interfaces, ADP 2 "External" with Firewall and Router interfaces, Client, Security Appliance, Internet)

3.1 SSL Insight with an Inline Security Deployment

The main function of SSL Insight is to transparently intercept SSL traffic, decrypt it and send it through the security device(s) in clear text. After the security device has inspected the intercepted traffic, it is re-encapsulated in SSL and sent to the destination. A ladder diagram in Appendix H shows this process in greater detail. There are three distinct stages for traffic in such a solution, depicted in Figure 3:
1. Encrypted: from the client to the internal Thunder ADC appliance, where traffic is encrypted.
2. Decrypted: from the internal Thunder ADC appliance to the external Thunder ADC appliance, through the security device. Traffic is in clear text on this segment, so it must be carried on a dedicated network segment (VLAN 15 in this guide) that only the two appliances and the security device can reach.
3. Encrypted: from the external Thunder ADC appliance to the remote server, where traffic is encrypted again.

Note: Refer to the ACOS Application Delivery & Server Load Balancing Guide [1] for additional details on the SSL Insight feature.

Figure 3. SSL Insight overview (figure not reproduced; labels: Client, 1 Encrypted, Internal Thunder ADC, 2 Decrypted, Inspection and Protection: DLP, UTM, IDS, Others, External Thunder ADC, 3 Encrypted, Internet, Application Server)

[1] Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.

4 New SSL Insight Features

With growing demand for SSL Insight features, A10 has delivered a new set of SSL Insight features in the ACOS 4.x releases. Each release within 4.x adds its own features, and the administrator must choose the build based on the needs of the solution. Upgrading to a 4.0.3 build covers all the features of 4.0.1.

4.1 Features

4.1.1 Enhancements for ACOS 4.0.3

• OCSP Support for Server Certificate Validation – this feature is an enhanced version of the server certificate validation feature.
It is used to validate a server certificate before establishing an SSL session with a remote server, and adds support for OCSP and OCSP stapling.
• Debug Messages for SSL Failures – logs the TLS alert when an SSL session fails; it can be enabled on a client-SSL or server-SSL template.
• Forward Proxy Failsafe – a bypass option for when the SSL forward proxy fails. With this feature enabled, SSL Insight traffic is bypassed (passed through without interception) when the SSL handshake fails. This is fail-open behaviour: a handshake the proxy cannot complete is forwarded uninspected, so enable it only where availability is preferred over inspection coverage.
• Forward Proxy Inspect – matches traffic against an Aho-Corasick class-list and performs SSL Insight only on sessions that match a class-list entry.

Note: The features described above are shown in detail in Appendix J.

4.1.2 Enhancements for ACOS 4.0.1

With ACOS 4.0.1, A10 introduced significant new features and capabilities that lay the foundation of a rapid services integration platform for enterprise, cloud and service provider networks. Within the A10 SSL Insight framework, the following features have been added:
• URL Classification Web Category – classifies all traffic that passes through the A10 device, with the ability to bypass specific, sensitive categories (for example, healthcare websites, because of HIPAA regulations). Refer to Appendix B for more information.
• Single Appliance SSL Insight – supports the internal and external partitions deployed on a single A10 appliance. Refer to Appendix D for more information.
• Hypervisor-based SSL Insight Support – supports SSL Insight on ESXi, KVM and Hyper-V hypervisors through the A10 Networks vThunder® line of virtual appliances.
• Dynamic Port Intercept – dynamically detects and intercepts SSL on any TCP port, regardless of the protocol running on top of TCP. Refer to Appendix C for more information.
• ICAP Support in Client Authentication Architecture – enables the A10 device to support the Internet Content Adaptation Protocol (ICAP) on HTTP/HTTPS sessions. ICAP typically serves to provide data loss prevention (DLP) and antivirus services.
• Explicit Proxy Support for SSL Insight – enables the Thunder ADC device to control client access to hosts based on lists of allowed traffic sources (clients) and destinations (hosts).
• Bypass Client Authentication Traffic – enables the A10 device to bypass HTTPS traffic that requires client certificate authentication (CAC/PKI). A forward proxy does not hold the client's private key and so cannot present the client's certificate to the server; subjecting this traffic to SSL Insight would therefore make the CAC transaction fail.

Note: To see configuration details for these features, refer to the A10 Thunder System and Administration Guide [2]. These features are all available in the 4.0.1 SP9 build.

[2] Go to https://www.a10networks.com/support to download/view this guide. Site registration is required.

4.2 CA Certificate

A prerequisite for configuring the SSL Insight feature is a CA certificate whose private key is available to the appliance, such as a self-signed CA certificate generated on the A10 Thunder ADC appliance or on a Linux system. The following CLI command generates and initializes a self-signed CA certificate on the Thunder ADC appliance:

slb ssl-create certificate <certificate name>

The following two commands generate and initialize a CA certificate on a Linux system with an OpenSSL package installed (the key size and signature hash are given explicitly so that they do not depend on the OpenSSL default):

openssl genrsa -out <name>.key 2048
openssl req -new -x509 -sha256 -days 3650 -key <name>.key -out <name>.crt

Once generated, the certificate is imported onto the Thunder ADC appliance in the internal zone using SFTP or SCP (the private key must be imported as well, because the client-SSL template uses it to sign the forged server certificates):

import ssl-cert <certificate name> scp://[user@]host/<source file>

Protect this private key: anyone who holds it can mint a certificate for any hostname that every client on the internal network will accept. Keep it only on the appliance and in an offline backup, dedicate the CA to SSL Insight, and do not reuse a general-purpose enterprise CA for this role.

This CA certificate must also be pushed to all client machines on the internal network. If it is not, internal hosts receive an SSL "untrusted root" error whenever they connect to a site with SSL enabled. This can be done manually (see Appendix I) or with an automated service such as Microsoft Group Policy. Automated login scripts can achieve the same result for organizations that use Linux or UNIX clients.
Note: Further details on Group Policy can be found at http://technet.microsoft.com/en-us/library/cc772491.aspx

5 Configuration Overview

Configuration of the SSL Insight feature has three parts:
1. Network configuration on the Thunder ADC appliances
2. SSL Insight configuration on the Thunder ADC appliances
3. Configuration of the third-party security device

5.1 Thunder ADC Appliance Configuration Overview

The following sections provide more information about the Thunder ADC configuration items listed above.

5.1.1 Network Configuration Overview

This solution has one Thunder ADC appliance in the external zone of the security devices and another in the internal zone. It assumes that the security devices are configured in L2 transparent mode. The Thunder ADC interfaces can therefore be configured in one of the following ways:
• as untagged VLAN interfaces with L3 Virtual Ethernet (VE) interfaces in the same subnet
• as tagged VLAN interfaces with L3 VEs in the same subnet
• as L3 physical interfaces without any VLANs
This guide follows the first approach, with the Thunder ADC appliances configured with untagged VLAN interfaces.

5.1.2 SSL Insight Configuration Overview

The SSL Insight configuration differs slightly between the internal and the external Thunder ADC appliance. The primary difference is that a client-SSL template is required on the internal appliance and a server-SSL template on the external appliance. Only SSL traffic is intercepted.

SSL Insight Configuration on the Internal Thunder ADC Appliance

SSL Insight configuration on the internal Thunder ADC appliance has the following key elements:
• SSL traffic entering on port 443 is intercepted.
  - Port 443 is defined under a wildcard VIP to achieve this.
• The SSL server certificate is captured during the SSL handshake and a new certificate is forged from it: all X.509 DN attributes are duplicated, except for the issuer and the base64-encoded public key, which are replaced by the local CA and a key held by the appliance.
  - A client-SSL template is used for this. The client-SSL template includes the required command forward-proxy-enable, along with the local CA certificate (from section 4.2) and its private key, which is used to sign the dynamically forged certificates.
• The VE address of the external Thunder ADC appliance on the shared VLAN (10.15.1.12 in this guide) is added as an SLB server, establishing the security device path. Port 8080 is defined for this path.
  - The command slb server defines the security device path, and port 8080 is added to it.
• Along with the protocol (HTTPS to HTTP), the destination port is changed from 443 to 8080.
  - A service group is defined with port 8080 and bound to the virtual port.
• The destination IP (the Internet server IP) remains unchanged.
  - The command no-dest-nat port-translation achieves this.
• The incoming SSL traffic is intercepted and decrypted, then forwarded in clear text over HTTP on port 8080 through the security device.

SSL Insight Configuration on the External Thunder ADC Appliance

SSL Insight configuration on the external Thunder ADC appliance is simpler than on the internal appliance. It has the following key elements:
• Clear-text HTTP traffic entering on port 8080 is intercepted.
  - Port 8080 is defined under a wildcard VIP to achieve this.
• The next-hop gateway (default router) is defined as an SLB server.
  - The command slb server defines the default router IP address, and port 443 is added to it.
• Along with the protocol (HTTP to HTTPS), the destination port is changed from 8080 back to 443.
  - A service group is defined with port 443 and bound to the virtual port.
• The destination IP (the Internet server IP) remains unchanged.
  - The command no-dest-nat port-translation achieves this.
• Incoming HTTP traffic is converted back into SSL traffic and sent out on port 443.
  - A server-SSL template is defined and applied to the virtual port. The template includes the command forward-proxy-enable. Optionally, a root CA certificate store file may also be applied to the server-SSL template. If no CA store is applied, the external appliance has no trust anchors with which to verify the upstream server's certificate chain; because the client only ever sees a certificate signed by the local SSL Insight CA, an invalid or spoofed upstream certificate would then be invisible to the client. Apply a CA store, and on ACOS 4.0.3 consider OCSP validation (Appendix J), so that upstream validation failures are still surfaced.

5.1.3 Security Device Configuration

Third-party security devices must be configured according to the recommended best practices of the security vendor. The key requirements for enabling SSL Insight in this configuration are:
• ARP packets must be allowed between the internal and external Thunder ADC appliances.
• Health-check packets must be allowed from the internal Thunder ADC appliance to the external Thunder ADC appliance, unless health checks are disabled.

6 Configuration Steps for Thunder ADC Appliances

This section provides detailed steps for configuring SSL Insight on Thunder ADC. Complete configuration details for both the internal and the external Thunder ADC appliance are shown in Appendix A.

6.1 Network Configuration on the Thunder ADC Appliances

The steps in this section configure the following networking parameters:
• VLANs and their router interfaces
• Virtual Ethernet (VE) interfaces, which carry the IP addresses assigned to the VLAN router interfaces

The goal is the following IP addressing scheme on the two Thunder ADC appliances, as shown in Figure 1:

Appliance      VLAN   VE IP address    Interface
Internal ADC   10     10.10.1.2/24     eth1
Internal ADC   15     10.15.1.2/24     eth5
External ADC   20     20.1.1.2/24      eth1
External ADC   15     10.15.1.12/24    eth5

6.2 Configure VLANs and Add Ethernet and Router Interfaces

Configure the following VLAN parameters on the internal Thunder ADC appliance, as shown in Figure 1:
• VLAN 10: the uplink to the internal network. Add router-interface ve 10 along with the Ethernet interface.
• VLAN 15: the path to the external Thunder ADC appliance through the security device.
  Add router-interface ve 15 along with the Ethernet interface.

Using the CLI:

ACOS(config)#vlan 10
ACOS(config-vlan:10)#untagged ethernet 1
ACOS(config-vlan:10)#router-interface ve 10
ACOS(config-vlan:10)#exit
ACOS(config)#vlan 15
ACOS(config-vlan:15)#untagged ethernet 5
ACOS(config-vlan:15)#router-interface ve 15
ACOS(config-vlan:15)#exit

Using the GUI:
1. Navigate to Network > VLAN.
2. Click Create.
3. Enter the VLAN ID and select the interfaces.
4. Enter a name (optional).
5. Check Create Virtual Interface.
6. Click Create VLAN.
7. Repeat for each VLAN.

6.3 Configure IP Addresses on the VLAN Router Interfaces

Make sure the promiscuous VIP option is enabled under ve 10, so that inbound traffic is subjected to the wildcard VIP.

Using the CLI:

ACOS(config)#interface ve 10
ACOS(config-if:ve10)#ip address 10.10.1.2 /24
ACOS(config-if:ve10)#ip allow-promiscuous-vip
ACOS(config-if:ve10)#exit
ACOS(config)#interface ve 15
ACOS(config-if:ve15)#ip address 10.15.1.2 /24
ACOS(config-if:ve15)#exit

Using the GUI:
1. Navigate to Network > Interfaces > Virtual Ethernets. The interfaces configured above should be visible.
2. Click Edit on the VE (ifnum "100" in the example) and configure the general fields and the IPv4 address:
   a. Enter the IP Address and Subnet and click Add.
   b. Enable the "Allow Promiscuous VIP" option on the VE that receives the traffic to be intercepted (ve 10 on the internal appliance).
   c. Click Update and continue.
3. Repeat for each VE.

Repeat the steps above on the external Thunder ADC appliance, using the addresses from the table in section 6.1 (VLAN 20 with 20.1.1.2/24 on eth1 and VLAN 15 with 10.15.1.12/24 on eth5) so that every address is unique.

6.4 SSL Insight Configuration on the Thunder ADC Appliances

SSL Insight configuration on the internal Thunder ADC appliance intercepts traffic on TCP port 443, decrypts it and sends it in clear text over TCP port 8080 to the security device. The external Thunder ADC appliance in turn intercepts the clear-text traffic arriving on TCP port 8080 and encrypts it again before sending it to the remote hosts.
All other traffic will be bypassed using wildcard TCP and UDP ports as configured in the following sections.
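The intercept-or-bypass decision described in section 6.4 (port 443 intercepted, everything else bypassed), the Dynamic Port Intercept feature of section 4.1.2 and the class-list driven bypass of section 4.1.1 all depend on what the internal appliance can see before it decrypts anything: the TLS ClientHello and its clear-text SNI. The Python script below is an added example written for this guide, not A10 code and not ACOS configuration. It parses a ClientHello, extracts the SNI, and applies a hypothetical ends-with bypass class-list to decide whether a flow is decrypted. The ClientHello bytes, the class-list entries and the function names (parse_client_hello_sni, build_client_hello, classify_flow) are all constructed for the example.

```python
"""Added example (not A10 code): TLS ClientHello detection, SNI extraction and
an SSL Insight style intercept/bypass decision driven by an ends-with class-list.
The byte layouts follow RFC 5246 / RFC 6066; everything else is constructed."""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension, RFC 6066

# Hypothetical ends-with class-list: hosts under these suffixes are NOT decrypted
# (think healthcare sites bypassed for HIPAA reasons). Constructed for this example.
BYPASS_SUFFIXES = (".healthcare.example", ".bank.example")


def parse_client_hello_sni(data: bytes):
    """Return the SNI host_name (lower-cased) from a TLS record carrying a
    ClientHello, None if the ClientHello has no SNI, and raise ValueError if
    the bytes are not a well-formed TLS ClientHello at all."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", data[3:5])
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 34                              # client_version (2) + random (32)
        pos += 1 + hello[pos]                 # session_id
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2 + cs_len                     # cipher_suites
        pos += 1 + hello[pos]                 # compression_methods
        if pos >= len(hello):
            return None                       # no extensions block at all
        (ext_total,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            (list_len,) = struct.unpack("!H", ext[0:2])
            p = 2
            while p + 3 <= 2 + list_len:      # ServerName entry: type(1) len(2) name
                name_type = ext[p]
                (name_len,) = struct.unpack("!H", ext[p + 1:p + 3])
                if name_type == 0:            # host_name
                    return ext[p + 3:p + 3 + name_len].decode("ascii").lower()
                p += 3 + name_len
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


def build_client_hello(sni=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input:
    zeroed random, one cipher suite, optional SNI extension)."""
    hello = b"\x03\x03" + bytes(32)           # client_version + random
    hello += b"\x00"                          # empty session_id
    hello += b"\x00\x02\xc0\x2f"              # cipher_suites: ECDHE-RSA-AES128-GCM-SHA256
    hello += b"\x01\x00"                      # compression_methods: null
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
        hello += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def classify_flow(dst_port: int, first_bytes: bytes,
                  bypass_suffixes=BYPASS_SUFFIXES, bypass_if_no_sni=False) -> str:
    """Decide what the internal appliance does with a new TCP flow from its first
    client-to-server bytes: 'intercept' (decrypt, send to the security device),
    'bypass' (forward untouched) or 'not-tls' (plain traffic, also bypassed).
    As with Dynamic Port Intercept the decision is content-based: dst_port is
    carried for logging only and does not gate interception."""
    try:
        sni = parse_client_hello_sni(first_bytes)
    except ValueError:
        return "not-tls"
    if sni is None:
        # No SNI (or an Encrypted ClientHello): the hostname is not visible, so a
        # hostname class-list cannot be evaluated. Policy picks the default.
        return "bypass" if bypass_if_no_sni else "intercept"
    for suffix in bypass_suffixes:
        if sni == suffix.lstrip(".") or sni.endswith(suffix):
            return "bypass"
    return "intercept"


if __name__ == "__main__":
    flows = [  # (dst_port, first bytes); all constructed
        (443, build_client_hello("www.example.com")),
        (8443, build_client_hello("mail.example.net")),          # TLS on a non-443 port
        (443, build_client_hello("portal.healthcare.example")),  # class-list bypass
        (443, build_client_hello(None)),                         # no SNI at all
        (443, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),  # not TLS
    ]
    for port, data in flows:
        try:
            sni = parse_client_hello_sni(data)
        except ValueError:
            sni = None
        print(f"dst_port={port:<5} sni={sni!s:<28} -> {classify_flow(port, data)}")
```

Two points the script makes that the configuration steps do not: the bypass decision is taken on the clear-text SNI before any decryption, which is what makes an "ends-with" class-list cheap to evaluate inline; and when the SNI is absent or encrypted the class-list cannot be consulted, so the bypass_if_no_sni default decides whether such flows are inspected or passed through uninspected. The same default should be set deliberately on a real deployment.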