Configure SSL offloading with end-to-end encryption

A simple SSL offloading setup terminates SSL (HTTPS) traffic, decrypts the SSL records, and forwards the clear-text (HTTP) traffic to the back-end web servers. However, that clear-text traffic can be spoofed, read, stolen, or otherwise compromised by anyone who gains access to the back-end network devices or web servers.

You can therefore configure SSL offloading with end-to-end security by re-encrypting the clear-text data and using secure SSL sessions to communicate with the back-end web servers.

Additionally, you can configure the back-end SSL transactions so that the Citrix ADC appliance uses SSL session multiplexing to reuse existing SSL sessions with the back-end web servers, avoiding CPU-intensive key exchange (full handshake) operations. This reduces the overall number of SSL sessions on the server and therefore accelerates SSL transactions while maintaining end-to-end security.

To configure SSL offloading with end-to-end encryption, add SSL-based services that represent the secure servers with which the Citrix ADC appliance carries out end-to-end encryption. Then create an SSL-based virtual server, and create and bind a valid certificate-key pair to the virtual server. Finally, bind the SSL services to the virtual server to complete the configuration.

To configure an end-to-end encryption deployment, perform the following steps:

  • Create SSL services
  • Create an SSL virtual server
  • Add a certificate-key pair
  • Bind the certificate-key pair to the SSL virtual server
  • Bind the services to the SSL virtual server

For information about adding services, virtual servers, and certificate-key pairs, see SSL offloading configuration.

Sample values used in the configuration are listed in the following table:

  Entity                     Name            IP Address       Port
  SSL service                service-ssl-1   198.51.100.5     443
  SSL service                service-ssl-2   198.51.100.10    443
  SSL virtual server         vserver-ssl     203.0.113.5      443
  SSL certificate-key pair   certkey-1       -                -

Example:

  add service service-ssl-1 198.51.100.5 SSL 443
  add service service-ssl-2 198.51.100.10 SSL 443
  add lb vserver vserver-ssl SSL 203.0.113.5 443
  add ssl certKey certkey-1 -cert server_rsa_1024.pem -key server_rsa_1024.ky
  bind ssl vserver vserver-ssl -certkeyName certkey-1
  bind lb vserver vserver-ssl service-ssl-1
  bind lb vserver vserver-ssl service-ssl-2
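The property this article is about, every back-end leg encrypted, can be checked against a saved configuration. The following Python script is an added example, not part of the Citrix documentation or of the Citrix ADC product: it parses only the four command forms shown above (a simplified grammar, an assumption), and the service-http-3 lines in the sample are constructed here to give the audit a clear-text back end to flag.

```python
from typing import Dict, List

# Constructed sample: the page's end-to-end commands plus one extra clear-text
# (HTTP) service, service-http-3, invented here so the audit has something to flag.
SAMPLE_CONFIG = """
add service service-ssl-1 198.51.100.5 SSL 443
add service service-ssl-2 198.51.100.10 SSL 443
add service service-http-3 198.51.100.15 HTTP 80
add lb vserver vserver-ssl SSL 203.0.113.5 443
add ssl certKey certkey-1 -cert server_rsa_1024.pem -key server_rsa_1024.ky
bind ssl vserver vserver-ssl -certkeyName certkey-1
bind lb vserver vserver-ssl service-ssl-1
bind lb vserver vserver-ssl service-ssl-2
bind lb vserver vserver-ssl service-http-3
"""

def parse_config(text: str) -> dict:
    """Read only the command shapes used on the page (assumed, simplified grammar)."""
    services: Dict[str, str] = {}        # service name -> protocol
    vservers: Dict[str, str] = {}        # vserver name -> protocol
    certkeys: Dict[str, List[str]] = {}  # vserver -> bound certkey names
    bindings: Dict[str, List[str]] = {}  # vserver -> bound service names
    for line in text.splitlines():
        p = line.split()
        if p[:2] == ["add", "service"] and len(p) >= 5:
            services[p[2]] = p[4].upper()
        elif p[:3] == ["add", "lb", "vserver"] and len(p) >= 5:
            vservers[p[3]] = p[4].upper()
        elif p[:3] == ["bind", "ssl", "vserver"] and "-certkeyName" in p:
            certkeys.setdefault(p[3], []).append(p[p.index("-certkeyName") + 1])
        elif p[:3] == ["bind", "lb", "vserver"] and len(p) >= 5:
            bindings.setdefault(p[3], []).append(p[4])
    return {"services": services, "vservers": vservers,
            "certkeys": certkeys, "bindings": bindings}

def audit_end_to_end(text: str) -> List[str]:
    """Flag SSL vservers with no certkey bound or with a non-SSL (clear-text) service bound."""
    cfg = parse_config(text)
    findings: List[str] = []
    for vs, proto in cfg["vservers"].items():
        if proto != "SSL":
            continue  # only SSL vservers are in scope for end-to-end checks
        if not cfg["certkeys"].get(vs):
            findings.append(f"{vs}: no certificate-key pair bound")
        for svc in cfg["bindings"].get(vs, []):
            svc_proto = cfg["services"].get(svc, "UNKNOWN")
            if svc_proto != "SSL":
                findings.append(f"{vs}: service {svc} is {svc_proto}, back-end leg is not encrypted")
    return findings
```

Running audit_end_to_end(SAMPLE_CONFIG) reports only service-http-3; the two SSL services and the bound certkey-1 pass.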
