Configuring SSL Compression

May 09, 2013
For SSL compression to work, the CloudBridge appliance needs a copy of the credentials (certificate and private key) presented by either the server or the client; without them it cannot decrypt the sessions it is asked to compress. To support multiple servers, multiple private keys can be installed on the appliance, one per SSL profile. SSL rules in the service-class definitions map servers to SSL profiles, and therefore SSL profiles to private keys.
To configure SSL compression
  1. Acquire copies of your server’s CA certificate and its certificate/private-key pair and install them on the server-side appliance. These credentials are usually application-specific: a server might use different credentials for an Apache Web server than for an Exchange Server running RPC over HTTPS. Before uploading, confirm that the private key matches the certificate and that the certificate chains to the CA; a mismatched pair cannot decrypt the session.
  2. (Split-proxy mode only.) On the server-side appliance, configure a split-proxy SSL profile for your SSL server, as follows:
    1. On the Configuration: Secure Acceleration: SSL Profile tab, click Add to add a new profile. The SSL Profile screen appears.
    2. On the SSL Profile screen, enter a name for your SSL profile (usually the name of the server).
    3. Select the Profile Enabled check box.
    4. If your SSL server uses more than one virtual host name, type the target virtual host name into the Virtual Host Name field. This is the host name listed in the server credentials. Otherwise, you can leave this field blank. (To support multiple virtual hosts, create a separate SSL profile for each host name.) This option is effective only with TLS, because SSLv3 has no way for the client to signal a host name during the handshake.
    5. For Proxy Type, select Split.
    6. Leave the Certificate Verification field at its default value (Signature/Expiration) unless your policies dictate otherwise.
    7. Perform server-side proxy configuration:
      1. In the Verification Store field, select an existing server CA from the pull-down menu, or click the “+” icon to upload a server CA.
      2. If you want to require the server’s credentials to match the credentials used in this profile, select the Authentication required check box.
      3. Using the Protocol Version menu, select the protocols your server accepts.
      4. If necessary, edit the Cipher Specification string, using OpenSSL cipher-list syntax (for example, appending !aNULL:!eNULL to exclude anonymous and null-encryption suites).
      5. If you want to allow server-side SSL session renegotiation, select the type of renegotiation from the Renegotiation type drop-down list.
        Caution: Renegotiation is disabled by default to prevent renegotiation exploits (such as the 2009 TLS renegotiation attack that RFC 5746 addresses). Enable it only if the server requires it.
    8. Perform client-side proxy configuration:
      1. Leave the Certificate/Private Key field at its default value.
      2. Leave the Build Certificate Chain check box selected (the default). With this option the server-side appliance builds the certificate chain that is presented on the client side.
      3. If desired, select or upload a CA store to use as the Certificate Chain Store.
      4. Select the Protocol Versions you want to support on the client side.
      5. If necessary, edit the client-side Cipher Specification.
      6. If you want to allow client-side SSL session renegotiation, select the type of renegotiation from the Renegotiation type drop-down list.

  3. (Transparent proxy mode only.) On the server-side appliance, go to the Configuration: Secure Acceleration: SSL Profile tab, click Add, and configure the profile as follows:
    1. On the SSL Profile screen, enter a name for your SSL profile (usually the name of the server).
    2. Select the Profile Enabled check box.
    3. If your SSL server uses more than one virtual host name, in the Virtual Host Name field, type the virtual host name that matches the server credentials that you provided earlier. Otherwise, you can leave the field blank. This option is effective only for TLS. To support multiple virtual host names, create multiple SSL Profiles.
    4. For Proxy Type, select Transparent.
    5. In the SSL Server’s Private Key field, select your server’s private key from the pull-down menu, or click the “+” icon to upload a new private key.
    6. Click Add.

  4. Add or modify a service class. The SSL profile must be attached to a service class on the server-side appliance, either a new service class that matches the server’s IP address or an existing service class that matches the application.
  5. (Creating a new IP-based service class.) On the server-side appliance, create a new service class with appropriate SSL rules:
    1. On the Configuration: Optimization Rules: Service Classes page, click Add.
    2. In the Name field, enter a name for the new service class (for example, “Accelerated HTTPS”).
    3. Enable compression by setting the Acceleration Policy to Disk or Memory.
    4. Create a service-class rule: in the Filter Rules section, click Add.
    5. In the Dst IP field, type the server’s IP address (for example, 172.16.0.1 or, equivalently, 172.16.0.1/32).
    6. In the Direction field, set the rule to Unidirectional. (SSL profiles are disabled if Bidirectional is specified.)
    7. In the SSL Profiles section, select at least one available SSL profile and move it to the Configured section.
    8. Click Create to save the rule.
  6. (Modifying an existing service class.) On the server-side appliance, edit an existing service class to allow SSL acceleration.
    1. On the Configuration: Optimization Rules: Service Classes page, select an appropriate service class, such as “Web (Private-Secure)” for HTTPS traffic on private subnets, and click Edit.
    2. Enable compression by setting the Acceleration Policy to Disk or Memory.
    3. Select the service-class rule and click Edit.
    4. In the Direction field, set the rule to Unidirectional. (SSL profiles are disabled if Bidirectional is specified.)
    5. In the SSL Profiles section, select at least one available SSL profile and move it to the Configured section.
    6. Click Save to save the rule.
  7. Set service classes on the client-side appliance. SSL traffic is compressed only if, on the client-side appliance, it falls into a service class whose policy enables acceleration and compression. An ordinary service-class rule suffices; SSL rules are needed only on the server-side appliance. Typically the traffic already falls into an existing class such as “HTTPS” or “Other TCP Traffic.” If that class’s policy enables acceleration and compression, no additional configuration is needed.
  8. Verify operation of the rule. Send traffic that should receive SSL acceleration through the appliances. On the server-side appliance, on the Monitoring: Optimization: Connections: Accelerated Connections tab, the Service Class column should show the service class you set up for secure acceleration, and the SSL Proxy column should read True for those connections. If it reads False, check that the rule is Unidirectional, that the SSL profile is enabled and attached to the rule, and that the Virtual Host Name (if set) matches the name the client requests.
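A practical check for the Cipher Specification fields in the split-proxy profile (server side and client side) and for the credential pair acquired in step 1, added here as an example and not code that ships with CloudBridge: the Python standard library’s ssl module expands a cipher string with the same OpenSSL cipher-list rules the appliance field uses, so you can see which suites a string really selects and flag the ones an SSL proxy should not offer (static-RSA key exchange without forward secrecy, anonymous, null/RC4/DES bulk ciphers, MD5 MAC, under 128 bits) before pasting it into the profile. The cert_matches_key helper relies on the OpenSSL key check that runs inside load_cert_chain to confirm that a certificate and private key belong together before you upload them. The example strings, thresholds and helper names are assumptions of this example; the exact suite set a given appliance firmware’s OpenSSL build accepts may differ from the one on your workstation.

```python
"""Audit an OpenSSL cipher-specification string and a cert/key pair before
putting them into an SSL profile. Added example; standard library only."""
import re
import ssl

# Pulls key exchange, authentication, bulk cipher and MAC out of OpenSSL's
# one-line cipher description, e.g.
# "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"
_FIELDS = re.compile(r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def expand_cipher_spec(spec):
    """Return the suites SPEC selects, in OpenSSL preference order.

    Raises ssl.SSLError when the string matches nothing, which is the same
    condition under which an OpenSSL-based appliance rejects the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    suites = []
    for c in ctx.get_ciphers():
        m = _FIELDS.search(c["description"])
        kx, au, enc, mac = m.groups() if m else ("?", "?", "?", "?")
        suites.append({"name": c["name"], "protocol": c["protocol"],
                       "kx": kx, "au": au, "enc": enc, "mac": mac,
                       "bits": c["strength_bits"]})
    return suites


def weaknesses(suite):
    """Reasons an SSL proxy should not offer this suite; empty means clean."""
    reasons = []
    if suite["kx"] == "RSA":
        reasons.append("no forward secrecy (static RSA key exchange)")
    if suite["au"] == "None":
        reasons.append("anonymous: no server authentication")
    if suite["enc"].upper().startswith(("RC4", "DES", "3DES", "NONE")):
        reasons.append("broken or null bulk cipher %s" % suite["enc"])
    if suite["bits"] < 128:
        reasons.append("only %d-bit strength" % suite["bits"])
    if suite["mac"].upper() == "MD5":
        reasons.append("MD5 MAC")
    return reasons


def audit_cipher_spec(spec):
    """Expand SPEC and split the result into clean and flagged suites."""
    suites = expand_cipher_spec(spec)
    weak = {}
    for s in suites:
        why = weaknesses(s)
        if why:
            weak[s["name"]] = why
    return {"accepted": [s["name"] for s in suites],
            "weak": weak,
            "clean": [s["name"] for s in suites if s["name"] not in weak]}


def spec_is_valid(spec):
    """True if OpenSSL accepts SPEC (selects at least one TLS 1.2 suite)."""
    try:
        expand_cipher_spec(spec)
        return True
    except ssl.SSLError:
        return False


def cert_matches_key(cert_path, key_path):
    """True if the PEM private key belongs to the PEM certificate.

    load_cert_chain runs OpenSSL's private-key check and raises SSLError on
    a mismatch; unreadable files raise OSError and are left to the caller."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert_path, key_path)
        return True
    except ssl.SSLError:
        return False


if __name__ == "__main__":
    # Two strings one might paste into the Cipher Specification field: a
    # permissive legacy one and a tightened one (both constructed for this example).
    for spec in ("ALL:!aNULL:!eNULL",
                 "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!RC4:!3DES:!MD5"):
        r = audit_cipher_spec(spec)
        print("%s -> %d suites, %d flagged" % (spec, len(r["accepted"]), len(r["weak"])))
        for name, why in r["weak"].items():
            print("   %-36s %s" % (name, "; ".join(why)))
```

Run it with the exact string you intend to paste; if audit_cipher_spec reports flagged suites, tighten the string (for example with !aNULL:!eNULL:!RC4:!3DES:!MD5 and an ECDHE/DHE-first ordering) and re-run until the flagged list is empty. Because the appliance's own OpenSSL build decides the final suite set, confirm the result afterwards with the verification step above.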