About secure peering settings
Settings for secure peers are under Optimization > SSL: Secure Peering (SSL).
If you are securing encrypted MAPI, SMB-signed, or Citrix traffic, further configuration is required on the Management Console pages for those protocols.
The time setting among peers must be identical. We recommend using NTP time synchronization or manually synchronizing their clocks.
Secure peering settings

Select a traffic type. Client-side and server-side appliances authenticate each other and encrypt traffic of the selected type. Changing the traffic type requires a service restart.
SSL Only encrypts and optimizes all SSL traffic, such as HTTPS on port 443. Default.
SSL and Secure Protocols encrypts and optimizes all traffic traveling over Citrix, SSL, SMB-signed, and encrypted MAPI.
All encrypts and optimizes all traffic, except pass-through traffic.
Selecting All can cause up to a 10-percent performance decline in higher-capacity SteelHead appliances. Take this performance metric into account when sizing a complete, secure peering environment.
Fallback to No Encryption specifies that the appliance optimizes but doesn’t encrypt connections when it’s unable to negotiate a secure, encrypted inner channel connection with the peer. Disable to pass through connections that don’t have a secure encrypted inner-channel connection with the peer. Enabled by default. This setting requires a service restart.
Use caution when disabling this setting, as doing so specifies that you strictly don’t want traffic optimized between nonsecure appliances. Consequently, connections might be dropped. For example, when this setting is disabled and All is selected as the traffic type, the appliance will not optimize the connection when a secure channel is unavailable and might drop it.
We strongly recommend enabling this setting on client-side and server-side appliances, especially in mixed-version deployments. This option applies only to non-SSL traffic and is unavailable when you select SSL Only.
About peer trust tables
Appliances maintain lists of peers in their peering trust tables. You can manually add trusted peers and accept or decline the trust relationship with any listed peer requesting a secure inner channel.
Secure peering trust tables

Peering trust table lists all trusted peers. You can view any listed peer’s certificate details and certificate (PEM format).
SCEP peering trust table lists the subset of peers that can use Simple Certificate Enrollment Protocol (SCEP) certificates.
• URL specifies the URL of the SCEP responder. Example: http://<ip-address>/certsrv/mscep/mscep.dll
• Maximum Number of Polls specifies the maximum number of polls before the SteelHead cancels the enrollment. The peering certificate is not modified. The default value is 5. A poll is a request to the server for an enrolled certificate by the SteelHead. The SteelHead polls only if the server responds with pending. If the server responds with fail, then the SteelHead doesn’t poll.
• Poll Period specifies the poll frequency in minutes. The default value is 5.
• Change Challenge Passphrase specifies the challenge password phrase.
• Enable Auto Enrollment enables automatic reenrollment of a certificate to be signed by a CA using SCEP.
• Expiration Threshold specifies the amount of time (in days) to schedule reenrollment before the certificate expires. The range is from 1 to 60 days. The default value is 30 days.
• Update SCEP Settings updates the SCEP settings.
Mobile trust table lists trusted Client Accelerator Controller appliances that can sign certificates for instances of Client Accelerator endpoint software.
The self-signed peer lists are designated by color: white, black, gray. The white list includes all trusted peers. The black list includes all untrusted appliances. The gray list includes all appliances with an unknown status, and it serves as a holding place for all discovered peers attempting to establish a secure inner channel with the local appliance. In each list, information such as public key, certificate and certificate expiration date, IP address, and hostname may be included for each entry. Trusting an appliance listed in the gray or black lists moves that appliance to the white list; selecting not to trust an appliance listed in the white or gray lists moves that appliance to the black list. Entries in these lists are sorted by IP address.
Before moving a peer from the gray list to the trusted peers white list, verify that the certificate fingerprint does indeed belong to the peer appliance to avoid the potential risk of a man-in-the-middle attack.
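The fingerprint check described above can be done offline against the PEM certificate shown for a gray-list entry. The following is an added example, not Riverbed code: the function names are hypothetical, SHA-256 is an assumption (use whichever digest your reference fingerprint was produced with), and the sample entries are constructed stand-in bytes rather than real certificates. The reference fingerprints are assumed to have been obtained out of band, for example read from the peer appliance itself.

```python
import base64, hashlib, hmac, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """DER bytes of the first certificate block in a PEM string."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(pem, algo="sha256"):
    """A certificate fingerprint is the digest of its DER encoding."""
    return hashlib.new(algo, pem_to_der(pem)).hexdigest()

def fingerprint_matches(pem, reference, algo="sha256"):
    # Accept 'AB:CD ...' or 'abcd...' by dropping separators and case.
    ref = re.sub(r"[\s:]", "", reference).lower()
    # A truncated reference is rejected: a prefix match verifies nothing.
    if len(ref) != hashlib.new(algo).digest_size * 2:
        return False
    return hmac.compare_digest(fingerprint(pem, algo).encode(), ref.encode())

def review_gray_list(entries, references, algo="sha256"):
    """entries: {ip: pem}; references: {ip: fingerprint obtained out of band}.
    Only entries reported as 'match' are candidates for the white list."""
    result = {}
    for ip, pem in entries.items():
        if ip not in references:
            result[ip] = "no-reference"
        elif fingerprint_matches(pem, references[ip], algo):
            result[ip] = "match"
        else:
            result[ip] = "mismatch"
    return result

def to_pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample data: stand-in bytes, not real certificates or peers.
DER_A, DER_B = b"constructed DER stand-in, peer A", b"constructed DER stand-in, peer B"
GRAY_LIST = {"192.0.2.10": to_pem(DER_A), "192.0.2.20": to_pem(DER_B),
             "192.0.2.30": to_pem(DER_A)}
REFERENCES = {"192.0.2.10": hashlib.sha256(DER_A).hexdigest(),
              "192.0.2.20": hashlib.sha256(DER_A).hexdigest()}  # wrong cert shown

if __name__ == "__main__":
    for ip, verdict in review_gray_list(GRAY_LIST, REFERENCES).items():
        print(ip, verdict)
```

An entry reported as mismatch or no-reference stays in the gray list until its certificate has been confirmed with the peer's administrator.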
When the same certificate appears in both the trusted entity and a self-signed peer list, deleting the certificate from one list automatically deletes it from the other.