Frequently Asked Questions (FAQs)
1. Why do we parse the SAN?
Creating a separate profile for the FQDNs of each domain is tedious. To avoid this, the SAN (Subject Alternative Name) is parsed from the certificates.
2. What is an exclude list?
An error or warning message is displayed if the browser or app does not contain the CA certificate. In such cases, the client's IP address is added to an exclude list after a few attempts (2-3) to connect from the browser or app. On the next attempt, the connection is not SSL proxied and the page loads without any error or warning. The client IP address remains in the exclude list for 48 hours. The exclude list is maintained only for split proxy.
3. Where do you check Office 365 acceleration connection information?
In the CloudBridge appliance UI, click Monitoring > Connections > Accelerated Connections and check the SSL proxy state. For connection details, click the details icon.
4. What happens if the Exclude List option is not enabled by default as part of the SSL profile configuration?
If the browser or app does not contain the CA certificate, it displays an error or warning and connections from that client or app are blocked. To avoid such issues, select the Exclude List option as part of the SSL profile configuration.
5. What happens if the required SANs are not part of the configured/created proxy certificate?
The connections are not SSL proxied, and non-proxied SSL connections get no acceleration benefits.
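A pre-deployment check for the situation in questions 1 and 5, as an added example that is not CloudBridge code: it lists the required hostnames that no SAN entry of a proxy certificate covers. The hostnames, the SAN list and the RFC 6125-style wildcard rule (a "*" stands for exactly one left-most label) are assumptions; the appliance's own matching logic is not described here.

```python
# Added example: hypothetical SAN coverage check, not appliance code.

def san_matches(san: str, host: str) -> bool:
    """Assumed RFC 6125-style match: '*' only as the whole left-most label."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host                  # plain entry: exact match only
    suffix = san[1:]                        # "*.example.com" -> ".example.com"
    prefix_len = len(host) - len(suffix)
    # The wildcard must consume one non-empty label and no dots.
    return (prefix_len > 0
            and host.endswith(suffix)
            and "." not in host[:prefix_len])


def uncovered_hosts(cert_sans, required_hosts):
    """Return the required hostnames that no SAN entry covers."""
    return [h for h in required_hosts
            if not any(san_matches(s, h) for s in cert_sans)]


# Constructed sample data: SAN entries of a proxy certificate and the
# hostnames clients are expected to reach (illustrative, not a complete list).
PROXY_CERT_SANS = [
    "*.office365.com",
    "login.microsoftonline.com",
    "*.sharepoint.com",
]
REQUIRED_HOSTS = [
    "outlook.office365.com",      # covered by *.office365.com
    "login.microsoftonline.com",  # covered by the exact entry
    "contoso.sharepoint.com",     # covered by *.sharepoint.com
    "office365.com",              # not covered: wildcard needs one label
    "a.b.office365.com",          # not covered: wildcard spans one label only
    "portal.office.com",          # not covered: no matching SAN entry
]

if __name__ == "__main__":
    for host in uncovered_hosts(PROXY_CERT_SANS, REQUIRED_HOSTS):
        print(f"no SAN covers {host}: connections to it would not be SSL proxied")
```
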
6. What happens when the client is not part of the domain or if the client does not have the root certificate of the domain?
The connections are blocked if the exclude list is not enabled.
7. What happens if the data center side CloudBridge does not have root or intermediate CAs?
The connections are blocked, or the Office 365 application pages that require the missing root or intermediate CAs are only partially loaded. To unblock the connections or to have these pages fully loaded, either add the appropriate CA certificates or disable the SSL profile from acceleration.
8. How do you know which clients are excluded from acceleration?
Excluded client information is available in the logs or from the CLI command show ssl-exclude -list.
9. What should you do when clients are excluded?
By default, exclude list information is cleared from the appliance after 48 hours. You can forcibly clear the exclude list information using the CLI command clear ssl-exclude-list -<all>/<Client_IP>.
10. How do you know which SSL connections (SNIs) are not proxied?
The list of non-proxied SNIs is available in the logs or from the CLI command show ssl-non-proxied-sni.
11. How do you clear non-proxied SNIs?
Use the CLI command clear ssl-non-proxied-sni -<all>/<server name identifier>.
12. What is the default time a client remains in the exclude state?
A client remains in the exclude state for 48 hours.
13. Can multiple profiles be applied to a particular service class?
Yes, multiple SSL profiles can be applied to a service class.
To do this, on your Virtual WAN appliance, navigate to Configuration > Service Class > Web (Internet-Secure) > Edit > Edit (Application) and add the available profiles.
14. How do you check the reason for non proxied connections?
Check the TCP connection page. For more information, check the logs. To debug non-proxied connection issues, do the following:
a. If the log shows no valid configuration:
Set a valid configuration. For more information on configuring the Office 365 feature, see Office 365 Acceleration.
b. If the log shows certification verification failed:
Add valid CA certificates to the data center side CloudBridge appliance.
c. If the log shows client excluded:
Information about excluded clients can be cleared from the appliance using the CLI command clear ssl-exclude-list -<all>/<Client_IP>.