SSL Decryption
A virtual server can decrypt SSL traffic. This can be useful for two reasons:
1. After decryption, a rule can analyze the request's headers and contents to make an informed routing decision. Without decrypting the packets, very little information is available.
2. Decrypting requests requires processing power. It may be more efficient for the Traffic Manager to decrypt requests before passing them on to the nodes, reducing the load on the back-end servers.
If traffic is decrypted in order to apply rules, you may wish to re-encrypt it before sending it on to the back ends. Re-encryption is handled by the pools (see SSL Encryption).
To set up a virtual server to decrypt SSL traffic, go to the Virtual Servers > Edit page for that virtual server and click SSL Decryption. You can choose whether to decrypt traffic, and which certificate from the SSL Certificates Catalog to use. You can also configure the allowed cipher suites and the SSL or TLS (Transport Layer Security) versions for each virtual server.
You can also choose whether to request an SSL client certificate. These serve to identify the client, and you can use them to restrict access to only those individuals you choose.
The Traffic Manager can also check client certificates using OCSP (Online Certificate Status Protocol). OCSP is an alternative to Certificate Revocation Lists (CRLs) and allows the Traffic Manager to obtain the revocation status of a client certificate. Clients making TLS connections can request that the virtual server supply status information for the server's certificate as part of the TLS handshake. Enable “OCSP Stapling” to instruct the Traffic Manager to retrieve the necessary OCSP responses and include them in its handshake messages.
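The cipher suite, protocol version and OCSP stapling settings described above are the ones most often left at weak defaults on a decrypting virtual server. The following is an added example, not part of this documentation or of the Traffic Manager, that evaluates such a configuration against a baseline before it goes live. The configuration dictionary, its keys (`versions`, `ciphers`, `ocsp_stapling`) and the two sample configurations are constructed assumptions for illustration; the cipher names are standard OpenSSL-style suite names, and the classification is a token heuristic rather than a full cipher database.

```python
"""Added example: check a virtual server's TLS decryption settings against a baseline.

Illustrative code written for this page; it is not Traffic Manager code.
The config format (a plain dict) is an assumption made for the example.
"""
from __future__ import annotations

import re

# Oldest protocol version the baseline allows on a decrypting virtual server.
MIN_VERSION = "TLSv1.2"
VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Tokens in OpenSSL-style suite names that mark a suite as weak.
WEAK_CIPHER_TOKENS = {"NULL", "EXP", "EXPORT", "RC4", "DES", "3DES", "MD5", "ANON", "ADH", "AECDH"}
# Key-exchange prefixes that give forward secrecy (TLS 1.3 suites, named TLS_..., always do).
PFS_PREFIXES = ("ECDHE", "DHE", "TLS_")


def classify_cipher(name: str) -> tuple[str, str]:
    """Classify one cipher suite name as "weak", "legacy" or "modern".

    Only the tokens in the name are inspected, so this is a heuristic:
    it catches obsolete primitives, static (non-PFS) key exchange and
    CBC-with-SHA-1 suites, which is what a baseline review usually needs.
    """
    upper = name.upper()
    tokens = set(re.split(r"[-_]", upper))
    weak = tokens & WEAK_CIPHER_TOKENS
    if weak:
        return "weak", f"{name}: contains {sorted(weak)}"
    if not upper.startswith(PFS_PREFIXES):
        return "legacy", f"{name}: static key exchange, no forward secrecy"
    if "SHA" in tokens and "GCM" not in tokens and "CHACHA20" not in tokens:
        return "legacy", f"{name}: CBC mode with SHA-1 MAC"
    return "modern", f"{name}: ok"


def evaluate_tls_policy(config: dict) -> dict:
    """Return {"ok": bool, "findings": [str]} for a decrypting virtual server's settings."""
    findings: list[str] = []

    # Protocol versions: anything below MIN_VERSION, or anything unrecognised, is a finding.
    for version in config.get("versions", []):
        if version not in VERSION_ORDER:
            findings.append(f"protocol: unknown version string {version!r}")
        elif VERSION_ORDER.index(version) < VERSION_ORDER.index(MIN_VERSION):
            findings.append(f"protocol: {version} enabled; disable everything below {MIN_VERSION}")

    # Cipher suites: colon-separated list in OpenSSL order.
    for name in config.get("ciphers", "").split(":"):
        name = name.strip()
        if not name:
            continue
        grade, reason = classify_cipher(name)
        if grade != "modern":
            findings.append(f"cipher {grade}: {reason}")

    # Stapling: without it every client has to fetch revocation status for itself.
    if not config.get("ocsp_stapling", False):
        findings.append("ocsp: stapling disabled; enable it so the handshake carries the status")

    return {"ok": not findings, "findings": findings}


# Constructed sample configurations (not real Traffic Manager output).
WEAK_CONFIG = {
    "versions": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "ciphers": "RC4-MD5:DES-CBC3-SHA:AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384",
    "ocsp_stapling": False,
}
HARDENED_CONFIG = {
    "versions": ["TLSv1.2", "TLSv1.3"],
    "ciphers": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-RSA-CHACHA20-POLY1305:TLS_AES_256_GCM_SHA384",
    "ocsp_stapling": True,
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = evaluate_tls_policy(cfg)
        print(f"{label}: ok={result['ok']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as a script it reports six findings for the weak configuration (two protocol versions, two weak and one legacy suite, stapling off) and none for the hardened one. The same check can be pointed at an exported configuration once the dictionary is populated from whatever the deployment's source of truth is.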
The Traffic Manager’s SSL capability is described in detail in SSL Encryption.
Decrypting SSL Pass-Through Traffic
Recall that the protocol value for a virtual server refers to the internal protocol that the Traffic Manager is managing, after performing transformations such as SSL decryption.
If the protocol value for the virtual server is set to "SSL", the virtual server is simply forwarding SSL traffic in SSL pass-through mode. If you want to configure SSL decryption, you must first change the protocol value to the correct value for the internal protocol (for example, HTTP). In this case, your pools are probably sending traffic to nodes that expect SSL-encrypted traffic, so you will also need to configure SSL encryption in the pools.
You can use the “SSL Decrypt a Service” wizard to configure an SSL pass-through service to decrypt traffic in the virtual server, and re-encrypt it in the pool. This wizard is described in SSL Decryption Wizard.
Note that only some protocols support SSL decryption. SSL decryption is not available for UDP-based protocols, or for protocols that cannot be automatically wrapped with SSL, such as SIP.