About policy settings for SSL
You configure SSL for your controller in the SSL tab of the Manage > Services: Policies page.
SSL is a cryptographic protocol that provides secure communications between two parties over the internet. For detailed information about configuring SSL for the controller, see Configuring SSL. For detailed information about configuring SSL in the SteelHead, see the SteelHead User Guide.
Enable SSL Optimization enables SSL optimization, which accelerates applications that use SSL to encrypt traffic. This option is disabled by default. You can enable SSL optimization on selected sessions only (matched by source and destination addresses, subnets, and ports), on all SSL sessions, or on none. An SSL session that is not optimized passes through the controller unmodified. To enable SNI support, enable SSL optimization on the controller and enable SNI on the SteelHead. For details, see Basic steps for configuring SNI support.
Enable Client Certificate Support enables support for client certificates during SSL authentication. This option enables acceleration of SSL traffic to SSL servers that authenticate their SSL clients. The SSL server verifies the SSL client certificate. In a client-authentication SSL handshake, each client has a unique client certificate, and the SSL server in most cases maintains state specific to that client when answering its requests. The SSL server must therefore receive exactly the same certificate that was originally issued to the client on every connection between that client and the server. Typically, the client's unique certificate and private key are stored on a smart card, such as a Common Access Card (CAC), or in a similar location that is inaccessible to other devices on the network.
Enabling client certificate support allows the controller to compute the session key while the SSL server continues to authenticate the original SSL client exactly as it would without the controller. The server-side controller observes the SSL handshake messages as they pass in each direction. With access to the SSL server's private key, the controller computes the session key exactly as the SSL server does. The SSL server still performs the actual verification of the client, so any dependency of the application on the uniqueness of the client certificate is preserved. Because the controller does not modify any of the certificates (or the handshake messages) exchanged between the client and the server, their trust model is unchanged: the client and server continue to trust the same set of certificate authorities as they did without the controllers accelerating their traffic.
Client authentication supports branch and optimize modes. It supports certificates installed locally in the certificate store and certificates carried physically on a Common Access Card (CAC). Client authentication supports only Windows clients. Make sure ports 7881 (server-side) and 7882 (client-side) are open to support certificate management activities.
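The passive key derivation described above, as an added illustration that is not part of this product documentation or of any Riverbed code: the handshake the text describes (the controller holds the server's private key, watches the handshake without altering it, and arrives at the same session key as the server) is TLS 1.2 RSA key exchange, where the client encrypts the premaster secret to the server's RSA public key and both sides run the TLS PRF over it. The script below models the client, the server and an in-path observer holding the server key, and checks that all three derive the same master secret. The RSA key generation and PKCS#1 v1.5 padding are a stdlib-only toy written for this example (512-bit modulus, not a real TLS stack); one caveat the mechanism implies: with a forward-secret (EC)DHE key exchange, possession of the server's private key does not yield the session key from an observed handshake, so this derivation only applies to RSA key exchange.

```python
"""Passive session-key recovery with the server's RSA private key, the
mechanism the client-certificate-support text describes (TLS 1.2 RSA key
exchange, RFC 5246 sections 7.4.7.1 and 8.1). Stdlib only; the RSA and
PKCS#1 v1.5 code is a toy for illustration, not a TLS implementation."""
import hashlib
import hmac
import os
import random


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probable-prime test (adequate for a toy key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return (n, e, d). A 512-bit toy modulus gives k = 64 bytes, so the
    48-byte premaster secret fits PKCS#1 v1.5 (needs len(m) <= k - 11)."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:   # e is prime, so this means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def pkcs1v15_encrypt(n, e, msg):
    """RSAES-PKCS1-v1_5 encryption, as used for the TLS ClientKeyExchange."""
    k = (n.bit_length() + 7) // 8
    ps = bytes(random.randrange(1, 256) for _ in range(k - 3 - len(msg)))  # nonzero pad
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def pkcs1v15_decrypt(n, d, ct):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(ct, "big"), d, n).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:   # at least 8 padding bytes required
        raise ValueError("bad PKCS#1 v1.5 padding")
    return em[sep + 1:]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF: P_SHA256(secret, label + seed) (RFC 5246 section 5)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def rsa_key_exchange_demo():
    """Run one RSA key exchange; return the master secret each party derives."""
    n, e, d = rsa_keygen()                        # server key; the controller holds d too
    client_random, server_random = os.urandom(32), os.urandom(32)
    premaster = b"\x03\x03" + os.urandom(46)      # client_version + 46 random bytes
    client_key_exchange = pkcs1v15_encrypt(n, e, premaster)   # what the observer sees

    def master_secret(pms):
        return tls12_prf(pms, b"master secret", client_random + server_random, 48)

    # The server and the in-path observer each decrypt the observed
    # ClientKeyExchange with the same private key. No handshake byte is
    # modified, so the server's check of the client certificate and the
    # client's view of the server are exactly as they would be otherwise.
    return {
        "client": master_secret(premaster),
        "server": master_secret(pkcs1v15_decrypt(n, d, client_key_exchange)),
        "controller": master_secret(pkcs1v15_decrypt(n, d, client_key_exchange)),
    }


if __name__ == "__main__":
    ms = rsa_key_exchange_demo()
    print("all parties agree:", ms["client"] == ms["server"] == ms["controller"])
```

Without the private key, the ClientKeyExchange is opaque ciphertext and the observer has nothing to feed the PRF; that is why the feature needs the server's private key installed on the server-side appliance, and why that appliance must be protected as carefully as the server itself.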
For CAC support, also enable the General TLS Settings on this page: choose Manage > Policies > SSL: General TLS Settings.
Enable SSL Proxy Support enables support for SSL proxy.
SSL Secure Peering Settings: Traffic Type selects which traffic the controller and the server-side SteelHead carry over a secure, encrypted inner channel after authenticating each other. Connections for which no secure inner channel can be negotiated are handled according to the Fallback to No Encryption setting described below. Select one of these traffic types from the drop-down list.
• SSL Only—The peer controller and the server-side SteelHead authenticate each other and then encrypt and optimize all SSL traffic: for example, HTTPS traffic on port 443. This is the default setting.
• SSL and Secure Protocols—The peer controller and the server-side SteelHead authenticate each other and then encrypt and optimize all traffic traveling over these secure protocols: Citrix, SSL, SMB-signed, and encrypted MAPI. SMB signing, MAPI encryption, or Secure ICA encryption must be enabled on both the controller and the server-side SteelHeads when securing SMB-signed traffic, encrypted MAPI traffic, or encrypted Citrix ICA traffic. Enabling this option requires an optimization service restart.
• All—The peer controller and the server-side SteelHead authenticate each other and then encrypt and optimize all traffic. Only the optimized traffic is secure; pass-through traffic is not. Enabling this option requires an optimization service restart.
• Fallback to No Encryption—Specifies that the controller optimizes but does not encrypt the connection when it is unable to negotiate a secure, encrypted inner channel connection with the peer. This is the default setting. Enabling this option requires an optimization service restart. This option applies only to non-SSL traffic and is unavailable when you select SSL Only as the traffic type. Use caution when disabling this setting: doing so specifies that you strictly do not want traffic optimized between nonsecure appliances. When this setting is disabled on the server-side SteelHead and All is selected as the traffic type, the SteelHead does not optimize a connection for which a secure channel is unavailable, and might drop it.
We strongly recommend enabling Fallback to No Encryption on both the controller and the server-side SteelHeads, especially in mixed deployments.
Trust All Pre-configured Peering Certificates enables a trust relationship for all preconfigured Client Accelerator certificates listed in Effective List of all the Peering Certificates.
Trust Selected Peering Certificates enables a trust relationship only with selected peering certificates in the Selected Peering Certificates list. When you select this option, the Selected Peering Certificates options are displayed.
Enable TLS optimization enables SSL simplification, a method of TLS optimization that uses an SSL agent and provides zero-touch certificate management for endpoints that have the Client Accelerator software installed. This feature requires RiOS 9.12 or later on the client-side and server-side SteelHeads and controller 6.2.2 or later on each client endpoint. For detailed procedures on configuring SSL simplification in the SteelHead, see the SteelHead User Guide. When you enable TLS optimization, both the old SSL blade and the new TLS blade are active in the SteelHead and the controller. TLS optimization is used only when it is enabled on both SteelHead peers and on the controller; otherwise, the old SSL blade continues to be used.
To enable SSL simplification on the client software for managed endpoints, ensure you’ve enabled SSL optimization in endpoint policies.
About certificate expiry
When certificates on endpoints expire, Client Accelerator generates new certificates, automatically updating the endpoints’ trusted stores. Certificate regeneration is the same regardless of Client Accelerator’s mode of operation.