Secure Peering (SSL)
You configure SSL peers for the selected optimization policy in the Secure Peering (SSL) page.
Secure, encrypted peering extends beyond traditional SSL traffic encryption. In addition to SSL-based traffic such as HTTPS, which always needs a secure inner channel between the client-side and server-side appliances, you can also secure other types of traffic:
•  Encrypted MAPI, SMB1-signed, and SMB2-signed traffic.
•  Citrix ICA traffic (RiOS 7.0 and later).
•  All other traffic, including traffic that does not inherently require a secure connection.
For details about SSL, see the SteelHead Management Console User’s Guide for SteelHead CX.
RiOS 6.5 and later lets you configure Certificate Revocation Lists (CRLs) for an automatically discovered CA on the SteelHead itself. The SCC does not expose this as a policy option, and by default the SCC does not use CRLs.
When pushing SSL peering certificates to a group of appliances, only the peering certificates that are either configured directly on the SCC or collected from connected appliances are pushed. The peering certificates of disconnected appliances are not updated by the policy push, and the other appliances do not receive the peering certificates of the disconnected appliances unless those certificates are configured directly on the SCC.
The Secure Peering (SSL) page contains the following groups of settings:
•  SSL Secure Peering Settings
•  Trusted Peer Certificates and Peer CAs
•  Mobile Trust
•  Trusted Peers
SSL Secure Peering Settings
Complete the configuration as described in this table.
Control
Description
Traffic Type
Select one of the following traffic types from the drop-down list:
•  SSL Only - The client-side appliance and the server-side appliance authenticate each other and then encrypt and optimize all SSL traffic: for example, HTTPS traffic on port 443. This is the default setting.
•  SSL and Secure Protocols - The client-side appliance and the server-side appliance authenticate each other and then encrypt and optimize all traffic traveling over the following secure protocols: SSL, signed SMB, and encrypted MAPI. When you select this traffic type, SMB signing and MAPI encryption must be enabled. Enabling this option requires an optimization service restart.
SMB signing, MAPI encryption, or Secure ICA encryption must be enabled on both the client-side and server-side appliances when securing signed SMB traffic, encrypted MAPI traffic, or encrypted Citrix ICA traffic (RiOS 7.0 and later).
•  All - The client-side appliance and the server-side appliance authenticate each other and then encrypt and optimize all traffic. Only optimized traffic is secured; pass-through traffic is not. Enabling this option requires an optimization service restart.
Selecting All can cause up to a 10 percent performance decline in higher-capacity appliances. Take this performance metric into account when sizing a complete secure appliance peering environment.
Fallback to No Encryption
Specifies that the appliance optimizes but does not encrypt the connection when it is unable to negotiate a secure, encrypted inner channel connection with the peer. This is the default setting. Enabling this option requires an optimization service restart.
Important: Riverbed strongly recommends enabling this setting on both the client-side and the server-side appliances, especially in mixed deployments where one appliance is running RiOS 6.0 or later and the other SteelHead is running an earlier RiOS version.
This option applies only to non-SSL traffic and is unavailable when you select SSL Only as the traffic type.
Clear the check box to pass through connections for which a secure encrypted inner channel cannot be established with the peer. Use caution when disabling this setting: it specifies that you strictly do not want traffic optimized between peers that cannot secure the inner channel, so configurations with this setting disabled risk dropped connections. For example, consider a client-side SteelHead running RiOS 5.5.x or earlier and a server-side SteelHead running RiOS 6.0 or later. When this setting is disabled on the server-side SteelHead and All is selected as the traffic type, the server-side SteelHead does not optimize the connection when a secure channel is unavailable, and it can drop the connection.
Trusted Peer Certificates and Peer CAs
You can add and view the following types of entities:
•  Certificates of trusted peers.
•  Certificates of trusted Certificate Authorities (CAs) that may sign certificates for peers.
Complete the configuration as described in this table.
Control
Description
Add a New Trusted Entity
Displays the controls for adding trusted entities.
Trust Existing CA
Select an existing CA from the drop-down list.
Trust New Certificate
Adds a new CA or peer certificate. The appliance supports RSA and DSA for peering trust entities.
Optional Local Name
Optionally, specify a local name for the entity (for example, the fully qualified domain name).
Local File
Browse to the local file.
Cert Text
Paste the content of the certificate text file into the text box.
Add
Adds the trusted entity (or peer) to the trusted peers list.
Remove Selected
Select the check box next to the name and click Remove Selected.
 
Mobile Trust
You can add and view trusted SteelHead Mobile entities that may sign certificates for SteelHead Mobile Clients.
Complete the configuration as described in this table.
Control
Description
Add a New Mobile Entity
Displays the controls for adding a trusted SteelHead Mobile entity.
Optional Local Name
Optionally, specify a local name for the entity (for example, the fully qualified domain name).
Local File
Browse to the local file.
Cert Text
Paste the content of the certificate text file into the text box.
Add
Adds the trusted SteelHead Mobile entity to the Mobile Trust list.
Trusted Peers
The first time a client-side appliance attempts to connect to the server, the optimization service detects peers and populates the peer entry tables. On both appliances, an entry appears in a peering list with the information and certificate of the other peer. A peer list provides you with the option of accepting or declining the trust relationship with each appliance requesting a secure inner channel.
Complete the configuration as described in this table.
Control
Description
Trust Selected Peers (only SSL-capable or disconnected appliances are shown)
Select this option to trust only the peers you select in the list. The list shows only SSL-capable or disconnected appliances.
Trust All Peers
Select this option to trust all peers in the list.
Update
Updates the policy to reflect the new settings.
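Before a peer certificate is pasted into the Cert Text box (Trusted Peer Certificates and Peer CAs) or a peer requesting a secure inner channel is accepted with Trust Selected Peers, a practitioner normally wants to confirm what the certificate contains and compare its fingerprint out of band with the administrator of the other appliance. The following Go program is an added example, not Riverbed code and not part of the original page. It parses a PEM certificate, rejects key types other than the RSA and DSA that the page lists as supported, rejects a certificate that is not valid at the time of the check, and reports the SHA-256 fingerprint of the DER encoding. The certificates it checks are constructed inside the program (a self-signed RSA certificate and a self-signed Ed25519 certificate used only to show the rejection path); the names sh-client-01.example.com and sh-client-02.example.com, the MakeSelfSignedPEM helper and the colon-separated fingerprint format are assumptions of the example, not something the page specifies.

```go
package main

// Added example, not Riverbed code: pre-checks an SSL peering certificate
// before it is trusted on the SCC. The certificates used below are constructed
// here for the example; the host names are assumptions.

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PeerCertInfo is what an administrator should look at before trusting a peer.
type PeerCertInfo struct {
	Subject           string
	Issuer            string
	KeyAlgorithm      string
	IsCA              bool
	NotBefore         time.Time
	NotAfter          time.Time
	SHA256Fingerprint string // upper-case hex bytes separated by colons (assumed format)
}

// CheckPeerCert parses one PEM certificate and applies the trust pre-checks:
// it must decode, its key must be RSA or DSA (the types the page lists as
// supported for peering trust entities), and it must be valid at time now.
func CheckPeerCert(pemData []byte, now time.Time) (PeerCertInfo, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return PeerCertInfo{}, errors.New("input is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return PeerCertInfo{}, fmt.Errorf("parse certificate: %w", err)
	}
	switch cert.PublicKeyAlgorithm {
	case x509.RSA, x509.DSA:
	default:
		return PeerCertInfo{}, fmt.Errorf("unsupported key algorithm %s (peering trust entities must be RSA or DSA)", cert.PublicKeyAlgorithm)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return PeerCertInfo{}, fmt.Errorf("certificate not valid at %s (valid from %s to %s)",
			now.UTC().Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	sum := sha256.Sum256(cert.Raw) // fingerprint over the DER encoding
	return PeerCertInfo{
		Subject:           cert.Subject.String(),
		Issuer:            cert.Issuer.String(),
		KeyAlgorithm:      cert.PublicKeyAlgorithm.String(),
		IsCA:              cert.IsCA,
		NotBefore:         cert.NotBefore,
		NotAfter:          cert.NotAfter,
		SHA256Fingerprint: colonHex(sum[:]),
	}, nil
}

// colonHex renders bytes as AB:CD:... so they can be read out over the phone.
func colonHex(b []byte) string {
	h := strings.ToUpper(hex.EncodeToString(b))
	parts := make([]string, 0, len(b))
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// MakeSelfSignedPEM builds a constructed self-signed certificate for the example.
// useEd25519 selects a key type the page does not list, to exercise the rejection path.
func MakeSelfSignedPEM(cn string, notBefore, notAfter time.Time, useEd25519 bool) ([]byte, error) {
	var signer crypto.Signer
	var err error
	if useEd25519 {
		_, signer, err = ed25519.GenerateKey(rand.Reader)
	} else {
		signer, err = rsa.GenerateKey(rand.Reader, 2048)
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, signer.Public(), signer)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	good, err := MakeSelfSignedPEM("sh-client-01.example.com", now.Add(-time.Hour), now.Add(365*24*time.Hour), false)
	if err != nil {
		panic(err)
	}
	info, err := CheckPeerCert(good, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s key=%s ca=%v\nSHA-256 fingerprint: %s\n", info.Subject, info.KeyAlgorithm, info.IsCA, info.SHA256Fingerprint)

	bad, err := MakeSelfSignedPEM("sh-client-02.example.com", now.Add(-time.Hour), now.Add(365*24*time.Hour), true)
	if err != nil {
		panic(err)
	}
	if _, err := CheckPeerCert(bad, now); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The fingerprint is computed over the DER bytes, so it can be compared directly with what the peer appliance's administrator reads from its own certificate; a mismatch means the certificate offered for trust is not the one the peer is actually using and it should be declined rather than trusted.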