Configure SSL offloading with end-to-end encryption
A simple SSL offloading setup terminates SSL traffic (HTTPS), decrypts the SSL records, and forwards the clear text (HTTP) traffic to the back-end web servers. However, the clear text traffic is vulnerable to being spoofed, read, stolen, or compromised by individuals who succeed in gaining access to the back-end network devices or web servers.
You can, therefore, configure SSL offloading with end-to-end security by re-encrypting the clear text data and using secure SSL sessions to communicate with the back-end web servers.
Additionally, you can configure the back-end SSL transactions so that the Citrix ADC appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web servers, thus avoiding CPU-intensive key exchange (full handshake) operations. This reduces the overall number of SSL sessions on the server, and therefore accelerates the SSL transaction while maintaining end-to-end security.
To configure SSL offloading with end-to-end encryption, add SSL-based services that represent the secure servers with which the Citrix ADC appliance will carry out end-to-end encryption. Then create an SSL-based virtual server, and create and bind a valid certificate-key pair to the virtual server. Bind the SSL services to the virtual server to complete the configuration.
To configure an end-to-end encryption deployment, perform the following steps:
- Create SSL services
- Create an SSL virtual server
- Add a certificate-key pair
- Bind the certificate-key pair to the SSL virtual server
- Bind the services to the SSL virtual server
For information about adding services, virtual servers, and certificate-key pairs, see SSL offloading configuration.
Sample values used in the configuration are listed in the table.

| Entity | Name | IP address | Port | Protocol |
|---|---|---|---|---|
| SSL services | service-ssl-1, service-ssl-2 | 198.51.100.5, 198.51.100.10 | 443 | SSL |
| SSL virtual server | vserver-ssl | 203.0.113.5 | 443 | SSL |
| SSL certificate-key pair | certkey-1 (server_rsa_1024.pem, server_rsa_1024.ky) | | | |
```
add service service-ssl-1 198.51.100.5 SSL 443
add service service-ssl-2 198.51.100.10 SSL 443
add lb vserver vserver-ssl SSL 203.0.113.5 443
add ssl certKey certkey-1 -cert server_rsa_1024.pem -key server_rsa_1024.ky
bind ssl vserver vserver-ssl -certkeyName certkey-1
bind lb vserver vserver-ssl service-ssl-1
bind lb vserver vserver-ssl service-ssl-2
```
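The point of the procedure above is that every service bound to the SSL virtual server is itself of type SSL, so the back-end leg is re-encrypted rather than sent as clear text. A quick way to check that property on a running configuration is to audit the `add service`, `add lb vserver`, `bind lb vserver` and `bind ssl vserver` lines from a configuration dump. The script below is an added example, not Citrix code: it understands only the command shapes shown on this page, assumes the dump uses the same `ns.conf`-style syntax, and treats `SSL_TCP` (the ADC's encrypted service type for non-HTTP TCP) as encrypted alongside `SSL`. The sample configuration is constructed: it is the page's configuration plus a second virtual server with two deliberate mistakes for the audit to catch.

```python
"""Audit Citrix ADC configuration lines for SSL offloading that is not
end-to-end: an SSL virtual server with a clear-text (e.g. HTTP) service
bound behind it, or with no certificate-key pair bound at all.
Added example, not Citrix code.
"""
from dataclasses import dataclass, field

# Service types on which the ADC re-encrypts the back-end leg. SSL is the
# type used on this page; SSL_TCP is assumed here as the TCP equivalent.
ENCRYPTED_TYPES = {"SSL", "SSL_TCP"}


@dataclass
class VServer:
    name: str
    protocol: str
    ip: str
    port: str
    certkeys: list = field(default_factory=list)  # from 'bind ssl vserver'
    services: list = field(default_factory=list)  # from 'bind lb vserver'


def parse_config(lines):
    """Return (services, vservers) parsed from add/bind command lines."""
    services, vservers = {}, {}
    svc_binds, cert_binds = [], []  # resolved after all 'add' lines are seen
    for raw in lines:
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[:2] == ["add", "service"] and len(tok) >= 6:
            # add service <name> <ip> <type> <port>
            services[tok[2]] = {"ip": tok[3], "protocol": tok[4].upper(), "port": tok[5]}
        elif tok[:3] == ["add", "lb", "vserver"] and len(tok) >= 7:
            # add lb vserver <name> <type> <ip> <port>
            vservers[tok[3]] = VServer(tok[3], tok[4].upper(), tok[5], tok[6])
        elif tok[:3] == ["bind", "lb", "vserver"] and len(tok) >= 5:
            # bind lb vserver <name> <service>; policy binds use -options instead
            if not tok[4].startswith("-"):
                svc_binds.append((tok[3], tok[4]))
        elif tok[:3] == ["bind", "ssl", "vserver"] and "-certkeyName" in tok:
            idx = tok.index("-certkeyName")
            if idx + 1 < len(tok):
                cert_binds.append((tok[3], tok[idx + 1]))
    for vs_name, svc_name in svc_binds:
        if vs_name in vservers:
            vservers[vs_name].services.append(svc_name)
    for vs_name, ck_name in cert_binds:
        if vs_name in vservers:
            vservers[vs_name].certkeys.append(ck_name)
    return services, vservers


def audit(lines):
    """Return findings for every SSL vserver; an empty list means each has a
    certificate-key pair bound and only encrypted services behind it."""
    services, vservers = parse_config(lines)
    findings = []
    for vs in vservers.values():
        if vs.protocol != "SSL":
            continue  # only front-end SSL virtual servers are in scope
        if not vs.certkeys:
            findings.append(f"{vs.name}: no certificate-key pair bound")
        for name in vs.services:
            svc = services.get(name)
            if svc is None:
                findings.append(f"{vs.name}: bound service {name} is not defined")
            elif svc["protocol"] not in ENCRYPTED_TYPES:
                findings.append(
                    f"{vs.name}: service {name} is {svc['protocol']} to "
                    f"{svc['ip']}:{svc['port']} (clear-text back-end leg)")
    return findings


# The page's own end-to-end configuration.
PAGE_CONFIG = """
add service service-ssl-1 198.51.100.5 SSL 443
add service service-ssl-2 198.51.100.10 SSL 443
add lb vserver vserver-ssl SSL 203.0.113.5 443
add ssl certKey certkey-1 -cert server_rsa_1024.pem -key server_rsa_1024.ky
bind ssl vserver vserver-ssl -certkeyName certkey-1
bind lb vserver vserver-ssl service-ssl-1
bind lb vserver vserver-ssl service-ssl-2
""".splitlines()

# Constructed sample: the page's configuration plus a second SSL vserver
# that has no certificate bound and a plain HTTP service behind it.
SAMPLE_CONFIG = PAGE_CONFIG + """
add service service-http-1 198.51.100.20 HTTP 80
add lb vserver vserver-ssl-nocert SSL 203.0.113.6 443
bind lb vserver vserver-ssl-nocert service-http-1
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the page's configuration the audit reports nothing; run against the constructed sample it flags the second virtual server twice, once for the missing certificate-key pair and once for the HTTP service that would carry decrypted traffic to 198.51.100.20. The same check applies to a full `show ns runningConfig` dump, since the four command shapes are the same there.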