About policy settings for HTTPS/TLS
You configure TLS for your controller in the SSL tab of the Manage > Services: Policies page. TLS is a cryptographic protocol that provides secure communications between two parties over the internet. For detailed information about configuring TLS for the controller, see
Configuring HTTPS/TLS. For detailed information about configuring TLS in the SteelHead, see the
SteelHead User Guide.
On the SSL tab of the Manage > Services: Policies page, configure the following options:
Enable TLS Optimization—Enables TLS simplification. TLS simplification is a method of TLS optimization using a TLS agent. TLS simplification provides zero-touch certificate management for endpoints that have the Client Accelerator software installed. This feature requires RiOS 9.12 or later installed on both the client-side and server-side SteelHeads and Client Accelerator Controller 6.2.2 or later on each client endpoint. For detailed procedures on configuring TLS simplification in the SteelHead, see the SteelHead User Guide. When you enable TLS optimization, the old SSL blade and the new TLS blade are active in the SteelHead and controller. TLS optimization is activated only when it is enabled on both SteelHead peers and the controller. Otherwise, the old SSL blade will continue to be used.
Beginning with Client Accelerator 6.4.0, TLS 1.3 acceleration is fully supported and does not require SSL settings.
To enable TLS simplification on the client software for managed endpoints, ensure you’ve enabled TLS optimization in endpoint policies.
Enable SSL Optimization—Enables TLS optimization, which accelerates applications that use TLS to encrypt traffic. This option is disabled by default. You can choose to enable TLS optimization only on certain sessions (based on source and destination addresses, subnets, and ports), or on all TLS sessions, or on no TLS sessions at all. A TLS session that is not optimized simply passes through the controller unmodified. To enable SNI support, you need to enable TLS optimization on the controller and enable SNI on the SteelHead. For details, see
Basic steps for configuring SNI support.
Enable Client Certificate Support—Enables support for client certificates during TLS authentication. This option enables acceleration of TLS traffic to those TLS servers that authenticate TLS clients. The TLS server verifies the TLS client certificate. In the client authentication TLS handshake, each client has a unique client certificate and the TLS server, in most cases, maintains state that is specific to each client when answering the client's requests. The TLS server must receive exactly the same certificate that was originally issued to the client on all connections between the client and the server. Typically, the client's unique certificate and private key are stored on a smart card, such as a Common Access Card (CAC), or in a similar location that is inaccessible to other devices on the network.
Enabling client authentication allows controllers to compute the encryption key while the TLS server continues to authenticate the original TLS client exactly as it would without the controllers. The server-side controller observes the TLS handshake messages as they go back and forth. With access to the TLS server's private key, the controller computes the session key exactly as the TLS server does. (This passive derivation is a property of RSA key transport, where the server's private key decrypts the premaster secret carried in ClientKeyExchange; with ephemeral Diffie-Hellman cipher suites or TLS 1.3 the server's private key only signs the handshake, so holding it does not by itself yield the session key.) The TLS server continues to perform the actual verification of the client, so any dependencies on the uniqueness of the client certificate for correct operation of the application are met. Because the controller doesn't modify any of the certificates (or the handshake messages) exchanged between the client and the server, there's no change to their trust model. The client and server continue to trust the same set of certificate authorities as they did without the controllers accelerating their traffic.
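The following is an added worked example, not Riverbed or SteelHead code, showing the mechanism the paragraph above relies on: a passive observer that has seen ClientHello.random, ServerHello.random and ClientKeyExchange, and that holds the server's RSA private key, derives exactly the TLS 1.2 master secret and key block the server derives, while with a DHE key exchange the same private key recovers nothing. Only the PRF and key-block derivation follow RFC 5246; the RSA key (textbook RSA on two Mersenne primes, no PKCS#1 padding) and the 127-bit Diffie-Hellman group are deliberately toy-sized assumptions for an offline demonstration, and the key-block layout assumes an AES-128-GCM suite.

```python
"""Passive TLS 1.2 session-key derivation by a middlebox holding the server's RSA key.

Added illustration (not Riverbed/SteelHead code). Cryptographic parameters are
deliberately toy-sized: textbook RSA on Mersenne primes with no padding and a
127-bit Diffie-Hellman group. Only the PRF and key-block derivation follow
RFC 5246 exactly.
"""
import hashlib
import hmac
import os
import secrets


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function, RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF with SHA-256: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_keys(premaster: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Master secret and key block for an AES-128-GCM suite (RFC 5246 6.3, RFC 5288)."""
    master = prf(premaster, b"master secret", client_random + server_random, 48)
    # Key expansion seeds with server_random first, the reverse of the master secret.
    block = prf(master, b"key expansion", server_random + client_random, 2 * 16 + 2 * 4)
    return {
        "master_secret": master,
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


# Toy RSA server key on Mersenne primes 2^127-1 and 2^521-1. Textbook RSA with no
# PKCS#1 padding: it models only the private-key operation, never use it for real traffic.
RSA_P, RSA_Q = (1 << 127) - 1, (1 << 521) - 1
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))


def rsa_key_exchange(client_random: bytes, server_random: bytes, premaster: bytes):
    """TLS_RSA_* suites: ClientKeyExchange carries the premaster encrypted to the server key.

    Returns (client_keys, server_keys, observer_keys). The observer is a middlebox that
    saw both Hello.random values and ClientKeyExchange and holds RSA_D.
    """
    assert len(premaster) == 48 and premaster[:2] == b"\x03\x03"  # version prefix, RFC 5246 7.4.7.1
    client_key_exchange = pow(int.from_bytes(premaster, "big"), RSA_E, RSA_N)  # on the wire

    def private_decrypt(ciphertext: int) -> bytes:
        return pow(ciphertext, RSA_D, RSA_N).to_bytes(48, "big")

    client_keys = derive_keys(premaster, client_random, server_random)
    server_keys = derive_keys(private_decrypt(client_key_exchange), client_random, server_random)
    # The observer runs the identical private-key operation on the identical inputs.
    observer_keys = derive_keys(private_decrypt(client_key_exchange), client_random, server_random)
    return client_keys, server_keys, observer_keys


# Toy DHE group. Real suites use a 2048-bit MODP group or an elliptic curve.
DH_P, DH_G = (1 << 127) - 1, 5


def dhe_key_exchange(client_random: bytes, server_random: bytes):
    """TLS_DHE_RSA_* suites: the server's RSA key only signs ServerKeyExchange.

    Returns (client_keys, server_keys, observer_view). The observer sees both public
    values and holds RSA_D, but RSA_D decrypts nothing here; without an ephemeral
    exponent it has no premaster, so observer_view carries no keys.
    """
    x = secrets.randbelow(DH_P - 3) + 2              # server ephemeral exponent
    y = secrets.randbelow(DH_P - 3) + 2              # client ephemeral exponent
    ys, yc = pow(DH_G, x, DH_P), pow(DH_G, y, DH_P)  # the only values on the wire
    size = (DH_P.bit_length() + 7) // 8              # RFC 5246 strips leading zero bytes; fixed width here
    server_keys = derive_keys(pow(yc, x, DH_P).to_bytes(size, "big"), client_random, server_random)
    client_keys = derive_keys(pow(ys, y, DH_P).to_bytes(size, "big"), client_random, server_random)
    observer_view = {"server_public": ys, "client_public": yc,
                     "has_server_private_key": True, "premaster": None}
    return client_keys, server_keys, observer_view


if __name__ == "__main__":
    cr, sr = os.urandom(32), os.urandom(32)          # constructed Hello.random values
    pms = b"\x03\x03" + os.urandom(46)                # constructed premaster secret
    c, s, o = rsa_key_exchange(cr, sr, pms)
    print("RSA key transport: observer derived the server's keys:", c == s == o)
    c, s, view = dhe_key_exchange(cr, sr)
    print("DHE: client and server agree:", c == s, "| observer premaster:", view["premaster"])
```

The practical reading: the "compute the session key exactly as the TLS server does" step above is only possible for the RSA key-transport case that `rsa_key_exchange` models; the `dhe_key_exchange` branch shows why a holder of the server's private key is left with nothing but two public values when the cipher suite provides forward secrecy.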
Client authentication supports branch and optimize modes. It supports certificates installed locally in the certificate store and certificates carried physically on a Common Access Card (CAC). Client authentication supports only Windows clients. Make sure ports 7881 (server-side) and 7882 (client-side) are open to support certificate management activities.
For CAC support, also enable General TLS Settings on this page: choose Manage > Policies > SSL: General TLS Settings.
Enable SSL Proxy Support—Enables support for SSL proxy.
SSL Secure Peering Settings, Traffic Type—Specifies which traffic the peer controller and the server-side SteelHead carry over the secure, encrypted inner channel. Select one of these traffic types from the drop-down list.
• SSL Only—The peer controller and the server-side SteelHead authenticate each other and then encrypt and optimize all SSL traffic: for example, HTTPS traffic on port 443. This is the default setting.
• SSL and Secure Protocols—The peer controller and the server-side SteelHead authenticate each other and then encrypt and optimize all traffic traveling over these secure protocols: Citrix, HTTPS/TLS, SMB-signed, and encrypted MAPI. SMB signing, MAPI encryption, or Secure ICA encryption must be enabled on both the controller and the server-side SteelHead when securing SMB-signed traffic, encrypted MAPI traffic, or encrypted Citrix ICA traffic. Enabling this option requires an optimization service restart.
• All—The peer controller and the server-side SteelHead authenticate each other and then encrypt and optimize all traffic. Only the optimized traffic is secure; pass-through traffic is not. Enabling this option requires an optimization service restart.
Fallback to No Encryption—Specifies that the controller optimizes but does not encrypt the connection when it is unable to negotiate a secure, encrypted inner channel connection with the peer. This is the default setting. Enabling this option requires an optimization service restart. This option applies only to non-TLS traffic and is unavailable when you select SSL Only as the traffic type. Use caution when disabling this setting: doing so specifies that you strictly don't want traffic optimized between nonsecure appliances. When this setting is disabled on the server-side SteelHead and All is selected as the traffic type, the SteelHead does not optimize a connection for which a secure channel is unavailable, and might drop it.
We strongly recommend enabling Fallback to No Encryption on both the controller and the server-side SteelHeads, especially in mixed deployments.
Trust All Pre-configured Peering Certificates—Enables a trust relationship for all preconfigured Client Accelerator certificates listed in Effective List of all the Peering Certificates.
Trust Selected Peering Certificates—Enables a trust relationship only with selected peering certificates in the Selected Peering Certificates list. When you select this option, the Selected Peering Certificates options are displayed.
About certificate expiry
When certificates on endpoints expire, Client Accelerator generates new certificates, automatically updating the endpoints’ trusted stores. Certificate regeneration is the same regardless of Client Accelerator’s mode of operation.