Secure peering (SSL)
You configure SSL peers for the selected optimization policy in the Secure Peering (SSL) page.
Secure, encrypted peering extends beyond traditional SSL traffic encryption. In addition to SSL-based traffic like HTTPS that always needs a secure connection between the client-side and the server-side appliance, you can also secure other types of traffic such as:
MAPI-encrypted, SMB1, and SMB2-signed traffic.
Citrix traffic (RiOS 7.0 and later).
All other traffic that inherently doesn’t require a secure connection.
In RiOS 9.0 and later, SSL secure peering and secure transport traffic can co-exist. For details about SSL, see the SteelHead User Guide.
The Secure Peering (SSL) page contains these groups of settings:
SSL secure peering settings
Trusted peering CAs and peer certificates
Mobile trust
Trusted peers
SSL secure peering settings
These configuration options are available:
Traffic Type
Specifies one of these traffic types from the drop-down list:
SSL Only—The peer client-side appliance and the server-side SCC authenticate each other and then encrypt and optimize all SSL traffic: for example, HTTPS traffic on port 443. This is the default setting.
SSL and Secure Protocols—The peer client-side appliance and the server-side appliance authenticate each other and then encrypt and optimize all traffic traveling over these secure protocols: SSL, SMB signed, and encrypted MAPI. When you select this traffic type, SMB signing and MAPI encryption must be enabled. Enabling this option requires an optimization service restart.
SMB signing, MAPI encryption, or Secure ICA encryption must be enabled on both the client-side and server-side appliances when securing SMB-signed traffic, encrypted MAPI traffic, or encrypted Citrix ICA traffic (RiOS 7.0 and later).
All—The peer client-side appliance and the server-side appliance authenticate each other and then encrypt and optimize all traffic. Only the optimized traffic is secure; pass-through traffic isn’t. Enabling this option requires an optimization service restart.
Selecting All can cause up to a 10 percent performance decline in higher-capacity appliances. Take this performance metric into account when sizing a complete secure appliance peering environment.
Fallback to No Encryption
Specifies that the appliance optimizes but doesn’t encrypt the connection when it is unable to negotiate a secure, encrypted inner channel connection with the peer. This is the default setting. Enabling this option requires an optimization service restart.
We recommend enabling this setting on both the client-side and the server-side appliances, especially in mixed deployments where one appliance is running RiOS 6.0 or later and the other SteelHead is running an earlier RiOS version.
This option applies only to non-SSL traffic and is unavailable when you select SSL Only as the traffic type.
Clear the check box to pass through connections that don’t have a secure, encrypted inner channel connection with the peer. Use caution when disabling this setting: it specifies that you strictly don’t want traffic optimized between nonsecure peers, so configurations with this setting disabled risk dropped connections. For example, consider a configuration with a client-side SCC running RiOS 5.5.x or earlier and a server-side SteelHead running RiOS 6.0 or later. When this setting is disabled on the server-side SCC and All is selected as the traffic type, the server-side SCC doesn’t optimize the connection when a secure channel is unavailable and can drop it.
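The interaction between the Traffic Type selection, the availability of a secure inner channel, and Fallback to No Encryption is easier to reason about as a decision function. The following Python model is an added example, not SCC or SteelHead product code: the port-based classifier, the outcome strings, and the handling of SSL traffic without a secure inner channel (modelled as not optimized) are assumptions made for illustration; the traffic types, categories, and fallback rules follow the settings described above.

```python
"""Model of the Traffic Type / Fallback to No Encryption interaction.

Added example (not product code): it encodes the outcomes described on this page
for one optimized connection, given the traffic type selected, whether a secure
inner channel could be negotiated with the peer, and the fallback setting.
The port-based classifier and the outcome strings are constructed for illustration.
"""
from enum import Enum
from itertools import product


class TrafficType(Enum):
    SSL_ONLY = "SSL Only"
    SSL_AND_SECURE_PROTOCOLS = "SSL and Secure Protocols"
    ALL = "All"


# Connection categories named on the page.
SSL, SMB_SIGNED, MAPI_ENCRYPTED, OTHER = "ssl", "smb-signed", "mapi-encrypted", "other"
SECURE_PROTOCOLS = {SSL, SMB_SIGNED, MAPI_ENCRYPTED}


def classify(port: int, smb_signed: bool = False, mapi_encrypted: bool = False) -> str:
    """Constructed classifier (assumption): map a connection to a page category."""
    if port == 443:
        return SSL
    if port == 445 and smb_signed:
        return SMB_SIGNED
    if port == 135 and mapi_encrypted:
        return MAPI_ENCRYPTED
    return OTHER


def fallback_available(traffic_type: TrafficType) -> bool:
    """Fallback to No Encryption is unavailable when SSL Only is selected."""
    return traffic_type is not TrafficType.SSL_ONLY


def needs_secure_channel(traffic_type: TrafficType, category: str) -> bool:
    """Which categories the selected traffic type encrypts over the inner channel."""
    if traffic_type is TrafficType.SSL_ONLY:
        return category == SSL
    if traffic_type is TrafficType.SSL_AND_SECURE_PROTOCOLS:
        return category in SECURE_PROTOCOLS
    return True  # ALL: every optimized connection


def decide(traffic_type: TrafficType, category: str,
           secure_channel_ok: bool, fallback_enabled: bool) -> str:
    """Outcome for one optimized connection under the given settings."""
    if not needs_secure_channel(traffic_type, category):
        return "optimized, inner channel not encrypted"
    if secure_channel_ok:
        return "optimized, inner channel encrypted"
    # No secure inner channel could be negotiated with the peer.
    if category == SSL:
        # Fallback applies only to non-SSL traffic. Assumption for this model:
        # SSL traffic is not optimized without a secure inner channel.
        return "not optimized: SSL requires a secure inner channel"
    if fallback_enabled and fallback_available(traffic_type):
        return "optimized, inner channel not encrypted (fallback)"
    return "passed through or dropped: no secure inner channel"


def drop_risk_report(traffic_type: TrafficType, fallback_enabled: bool) -> list:
    """Non-SSL categories that lose optimization (and risk being dropped) when the
    peer cannot establish a secure inner channel, e.g. a client-side peer on an
    earlier RiOS release in a mixed deployment."""
    at_risk = []
    for category in (SMB_SIGNED, MAPI_ENCRYPTED, OTHER):
        outcome = decide(traffic_type, category, False, fallback_enabled)
        if outcome.startswith("passed through"):
            at_risk.append(category)
    return at_risk


if __name__ == "__main__":
    for tt, fb in product(TrafficType, (True, False)):
        print(f"{tt.value:<26} fallback={fb!s:<5} at risk: {drop_risk_report(tt, fb)}")
```

Running the module prints the risk table for all six combinations; the only rows with at-risk categories are those where fallback is disabled under SSL and Secure Protocols or All, which is exactly the mixed-deployment case the recommendation above addresses.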
Trusted peering CAs and peer certificates
You can add and view these types of entities:
Certificates of trusted peers.
Certificates of trusted Certificate Authorities (CAs) that may sign certificates for peers.
These configuration options are available:
Add a New Trusted Entity
Displays the controls for adding trusted entities.
Trust Existing CA
Specifies an existing CA from the drop-down list.
Trust New Certificate
Adds a new CA or peer certificate. The appliance supports RSA and DSA for peering trust entities.
Optional Local Name
Specifies a local name for the entity (for example, the fully qualified domain name).
Local File
Browses to the local file.
Cert Text
Pastes the content of the certificate text file into the text box.
Add
Adds the trusted entity (or peer) to the trusted peers list.
Mobile trust
You can add and view trusted Client Accelerator entities that may sign certificates for Client Accelerator Clients.
These configuration options are available:
Add a New Mobile Entity
Displays the controls for adding a trusted Client Accelerator entity.
Optional Local Name
Specifies a local name for the entity (for example, the fully qualified domain name).
Local File
Browses to the local file.
Cert Text
Pastes the content of the certificate text file into the text box.
Add
Adds the trusted entity (or peer) to the trusted peers list.
Trusted peers
The first time a client-side appliance attempts to connect to the server, the optimization service detects peers and populates the peer entry tables. On both appliances, an entry appears in a peering list with the information and certificate of the other peer. A peer list provides you with the option of accepting or declining the trust relationship with each appliance requesting a secure inner channel.
These configuration options are available:
Trust Selected Peers
Trusts only the peers you select in the list. (Only SSL-capable or disconnected appliances are shown.)
Trust All Peers
Trusts all peers.
Update
Updates the policy to reflect the new settings.
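Because a peer's entry appears in the peering list simply by attempting a connection, the accept/decline decision is where authentication actually happens: Trust All Peers accepts whatever certificate was presented, whereas checking each presented certificate against a fingerprint obtained from the peer's owner through a separate channel binds trust to a known appliance. The script below is an added example, not SCC or SteelHead product code. The peer names, the out-of-band fingerprint record, and the PEM bodies are constructed for the example (the bodies are base64 of placeholder bytes, not real X.509 certificates); the SHA-256-over-DER fingerprint format is the one most certificate tools print.

```python
"""Out-of-band fingerprint check for peers discovered in the Trusted Peers list.

Added example, not product code: it models the per-peer accept/decline decision
by comparing the SHA-256 fingerprint of the certificate each peer presented with
a fingerprint recorded from the peer's owner through a separate channel.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first PEM certificate block and return its DER bytes."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER encoding, formatted AB:CD:... as certificate tools print it."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def constructed_pem(payload: bytes) -> str:
    """Wrap placeholder bytes in PEM armor (constructed test data, not a real certificate)."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


@dataclass(frozen=True)
class DiscoveredPeer:
    name: str          # local name shown in the peering list
    cert_pem: str      # certificate the peer presented when it connected


def review_peers(peers, expected_fingerprints):
    """Return {peer name: (decision, reason)}. 'trust' only when the presented
    certificate matches the out-of-band fingerprint; anything else is 'decline'."""
    decisions = {}
    for peer in peers:
        try:
            actual = sha256_fingerprint(peer.cert_pem)
        except ValueError as exc:
            decisions[peer.name] = ("decline", f"unparseable certificate: {exc}")
            continue
        expected = expected_fingerprints.get(peer.name)
        if expected is None:
            decisions[peer.name] = ("decline", "no out-of-band fingerprint on record")
        elif expected.upper() != actual:
            decisions[peer.name] = ("decline", "fingerprint mismatch")
        else:
            decisions[peer.name] = ("trust", "fingerprint verified")
    return decisions


# Constructed sample data: placeholder certificate bytes for three discovered peers.
PEER_A_DER = b"constructed placeholder bytes for branch-a (not a real certificate)"
PEER_B_DER = b"constructed placeholder bytes for branch-b (not a real certificate)"
PEER_C_DER = b"constructed placeholder bytes for branch-c (not a real certificate)"
DISCOVERED = [
    DiscoveredPeer("branch-a", constructed_pem(PEER_A_DER)),
    DiscoveredPeer("branch-b", constructed_pem(PEER_B_DER)),
    DiscoveredPeer("branch-c", constructed_pem(PEER_C_DER)),
    DiscoveredPeer("branch-d", "not a certificate at all"),
]
# Constructed "out-of-band" record: branch-a is correct, branch-b was recorded
# wrongly (a placeholder value), branch-c was never recorded.
ON_RECORD = {
    "branch-a": sha256_fingerprint(constructed_pem(PEER_A_DER)),
    "branch-b": "00:" * 31 + "00",
}


def demo():
    return review_peers(DISCOVERED, ON_RECORD)


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:<10} {decision:<8} {reason}")
```

Only branch-a ends up trusted; the other three are declined with a reason the administrator can act on (re-record the fingerprint, contact the peer's owner, or leave the entry untrusted), which is the same per-peer choice the Trust Selected Peers control gives you.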