SSL Insight and Load Balancing For Thunder ADC: Deployment Guide

DEPLOYMENT GUIDE
SSL Insight and Load Balancing for

Thunder ADC
Deployment Guide | SSL Insight and Load Balancing for Thunder ADC
Table of Contents
1 Overview....................................................................................................................................................................................................................................3
2 Deployment Prerequisites...............................................................................................................................................................................................3
3 Architecture Overview.......................................................................................................................................................................................................3
3.1 SSL Insight with an Inline Security Deployment....................................................................................................................................4
3.2 Firewall Load Balancing..........................................................................................................................................................................................5
4 Configuration Overview...................................................................................................................................................................................................6
4.1 CA Certificate ...............................................................................................................................................................................................................6
4.2 Thunder ADC Appliance Configuration Overview................................................................................................................................7
4.2.1 L2/L3 and High Availability.....................................................................................................................................................................7
4.2.2 Firewall Load Balancing Configuration Overview....................................................................................................................7
4.2.3 SSL Insight Configuration Overview.................................................................................................................................................8
4.3 Security Device Configuration Overview....................................................................................................................................................9
5 Configuration Steps for Thunder ADC Appliance.............................................................................................................................................9
5.1 L2/L3 and High Availability on the Thunder ADC Appliances.......................................................................................................9
5.2 FWLB Configuration on the Thunder ADC Appliances....................................................................................................................18
5.2.1 Internal Thunder ADC Appliance.....................................................................................................................................................18
5.2.2 External Thunder ADC Appliance....................................................................................................................................................24
5.3 SSL Insight Configuration on the Thunder ADC Appliances.......................................................................................................25
5.3.1 Internal Thunder ADC Appliance.....................................................................................................................................................25
5.3.2 External Thunder ADC Appliance....................................................................................................................................................31
6 Configuration Steps for Security Device..............................................................................................................................................................33
7 Summary.................................................................................................................................................................................................................................33
Appendix A. Complete Configuration File for the Thunder ADC Appliance........................................................................................34
Appendix B. Detailed Walkthrough of SSL Insight Packet FLow..................................................................................................................39
Appendix C. SSL Insight Certificate Installation Guide.......................................................................................................................................40
Generating a CA Certificate.........................................................................................................................................................................................40
Exporting a Certificate from Thunder ADC........................................................................................................................................................40
Installing a Certificate in Microsoft Windows 7 for Internet Explorer................................................................................................41
Installing Certificate in Google Chrome .............................................................................................................................................................47
Installing a Certificate in Mozilla Firefox...............................................................................................................................................................50
About A10 Networks...............................................................................................................................................................................................................52
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to
fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate,
but A10 Networks assumes no responsibility for its use. All information is provided “as-is.” The product specifications and features described in this
publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not
be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and
services are subject to A10 Networks’ standard terms and conditions.
2
1 Overview
A wide range of security devices require visibility into network traffic—including encrypted traffic--to discover
attacks, intrusions, and data exfiltration. Growing SSL bandwidth, coupled with increasing SSL key lengths
and more computationally complex SSL ciphers, make it difficult for even the most powerful inline security
devices to decrypt SSL traffic. On top of today’s SSL performance challenges, many types of security devices are
deployed non-inline to monitor network traffic. Often, these devices cannot decrypt outbound SSL traffic.
To eliminate the SSL blind spot in corporate defenses, A10 Networks® has introduced SSL Insight™, a feature
included in the A10 Thunder® Application Delivery Controller (ADC) product line. A10 Networks SSL Insight
decrypts SSL traffic and enables third party security products to inspect the unencrypted traffic.
When configured for SSL Insight, the Thunder ADC intercepts SSL traffic, decrypts it and forwards it to a
security device such as a firewall, an Intrusion Prevention System (IPS) or an advanced threat prevention
platform. Thunder ADC can also mirror the unencrypted traffic to non-inline security devices such as
analytics or forensics products. A second Thunder ADC appliance then takes this traffic and encrypts it again,
and sends it to the remote destination.
Using A10’s Application Delivery Partitions (ADPs), SSL Insight can be configured with a single Thunder ADC
appliance for encryption, decryption, and load balancing.
2 Deployment Prerequisites
The requirements for SSL Insight deployment are:
• One or more Thunder ADC appliance(s) with A10 Networks Advance Core Operating System (ACOS®)
version 2.7.0 or later.
• A third-party security device such as a firewall, security analytics or forensics appliance or threat
prevention platform.
Note: The CLI commands and GUI screenshots presented in this guide are based on ACOS version 2.7.2.
3 Architecture Overview
This section illustrates a joint solution of A10 Networks Thunder ADCs and a third party security device for SSL
Insight. The SSL Insight services are provided by the Thunder ADC appliances while the traffic inspection and
monitoring services are provided by the third party security devices. This deployment also utilizes firewall load
balancing (FWLB) and VRRP-A features, which makes the SSL Insight solution highly available and efficient.
Notes:
• VRRP-A is a Thunder ADC high availability protocol optimized for Server Load Balancing (SLB), and differs
significantly from the industry-standard implementation of Virtual Router Redundancy Protocol (VRRP). For
purposes of operational familiarity, VRRP-A borrows concepts from VRRP, but is not VRRP. VRRP-A will not inter-
operate with VRRP.
• The security devices in this deployment guide are set up in Layer 2 (L2) mode.
3
Internet
Remote Server
20 V
VR LAN
AN ult .10 ID
VL defa de 20
I D fau
VR lt
eth1 .2 20.1.1.1 .3 eth1
VLAN 199
eth18 10.199.1.x eth18
eth5 eth6 eth5 eth6
VRID 15 .12 10.15.1.11 .13
.12 10.16.1.11 .13 VRID 16
VLAN 15
VLAN 16
VRID 15
VRID 16
15 VL
A
AN VR N 16
VL ID 15 ID
V R 16
eth3 eth4 eth3 eth4
External External
Internal Internal
eth1 eth2 eth1 eth2
VL
A 16
VR N 15 AN
VL ID 6
VLAN 15
VLAN 16
ID VR
VRID 5
VRID 6
5
.2 10.16.1.1 .3 VRID 6
VRID 5 .2 10.15.1.1 .3
eth5 eth6 eth5 eth6
eth18 VLAN 99 eth18
10.99.1.x
eth1 .2 10.1.1.1 .3 eth1
V 10
VR LAN
ID AN ult
de 10 VL defa
fau ID
lt VR
Internet Users
Figure 1. SSL Insight and Firewall Load Balancing topology example
3.1 SSL Insight with an Inline Security Deployment

The objective of the SSL Insight feature is to transparently intercept SSL traffic, decrypt it and send it through
the security device(s) in clear text. After the security device has inspected the intercepted traffic, it is re-
encapsulated in SSL and sent to the destination. A ladder-diagram is provided in Appendix B to show this
process in more detail.
There are three distinct stages for traffic in such a solution, depicted in Figure 2:
1. From client to the internal Thunder ADC appliance, where traffic is encrypted.
2. From the internal Thunder ADC appliance to the external Thunder ADC appliance, through the security
device. Traffic is in clear text in this segment.
3. Traffic from the external Thunder ADC appliance to the remote server, where traffic is encrypted again.
Note: Please refer to the ACOS Application Delivery & Server Load Balancing Guide for additional details on the SSL
Insight feature.
4
Application Server
Internet
3 Encrypted
A10 Thunder ADC
Inspection
and Protection
DLP UTM
2 Decrypted
IDS Others
A10 Thunder ADC
1 Encrypted
Client
Figure 2. SSL Insight overview
3.2 Firewall Load Balancing

The firewall load balancing (FWLB) feature allows load sharing between multiple security devices. The typical
deployment is in a sandwich style design where the Thunder ADC appliance load balances the external and
internal zones of the security devices. The number of security devices in the solution can be extended as
required. The A10 firewall load balancing solution can work with HTTP, HTTPS, Generic TCP, Generic UDP, DNS,
SIP and FTP.
This design can scale up to fifteen separate firewall load balancing paths.
5
Remote 1 Traffic originates from

Internet clients
Server
2 Traffic intercepted:
6 5 - A path through one of the
Security Devices is selected
- Load balancing happens here
Internet 3 Traffic inspected by Security

Device & forwarded to next hop
A10 Thunder ADC 4 Traffic intercepted again:

- Session is created
7 4
- MAC address stored for session
- Traffic forwarded to
Default Gateway
VLAN 1 VLAN 2 5 Traffic received by Remote Server

8 3
6 Response is sent
Security Security
Device Device 7 Return traffic is matched with a
stored session
- MAC address is retrieved
9 2 - Traffic is sent to the same
MAC address
A10 Thunder ADC
8 Return traffic ends up on the
same Security Device
9 Traffic sent to A10 Thunder ADC
end 1 end Client receives response

Clients
Figure 3. Load balancing packet flow
4 Configuration Overview
The configuration for the SSL Insight solution can be divided into the following portions:
1. Layer 2/3 (L2/L3) and High Availability on the Thunder ADC appliance
2. SSL Insight configuration on the Thunder ADC appliance
3. FWLB configuration on the Thunder ADC appliance
4. Configuration on the third-party security device
4.1 CA Certificate
A prerequisite for configuring the SSL Insight feature is a CA certificate with a known private key, such as a self-
signed CA certificate generated on the A10 Thunder appliance or on a Linux system.
The following CLI command generates and initializes a self-signed CA certificate on the Thunder ADC appliance.
slb ssl-create certificate <certificate name>
The following two commands generate and initialize a CA Certificate on a Linux system with an OpenSSL
package installed.
openssl genrsa -out <name>.key

openssl req -new -x509 -days 3650 -key <name>.key -out <name>.crt
6
Once generated, the certificate can be imported onto the Thunder ADC appliances in the internal zone using
SFTP or SCP.
import ssl-cert <certificate name> scp://[user@]host/<source file>
This CA certificate must also be pushed to all client machines on the internal network. If the CA certificate is
not pushed, the internal hosts will get an SSL “untrusted root” error whenever they try to connect to a site with
SSL enabled. This can be done manually (Appendix C), or using an automated service such as Microsoft Group
Policy Manager. Automated login scripts can achieve the same result for organizations that use Linux or UNIX
clients.
Note: Further details for Group Policy Manager can be found at:
http://technet.microsoft.com/en-us/library/cc772491.aspx
4.2 Thunder ADC Appliance Configuration Overview

The following sections provide more information about the Thunder ADC configuration items listed above.
4.2.1 L2/L3 and High Availability

The solution has a pair of Thunder ADC appliances in the external zone of the security devices and another pair
in the internal zone of the security devices. Each pair is running VRRP-A to provide redundancy.
A key requirement of this solution is to have each security device in a separate VLAN. The topology shown in
Figure 1 has a Red VLAN and a Green VLAN. There is one security device in the Red VLAN and one in the Green
VLAN. Each security device is tied to one VRRP-A instance on the external appliance pair, and one VRRP-A
instance on the internal appliance pair. The VRIDs must be unique on either side of the security device to avoid
MAC address conflicts.
Each VRRP-A instance is attached to a single VLAN and tracks the member interface and the upstream interface
that connects to the gateway. This ensures that a failover occurs under any of the following circumstances:
• An interface goes down
• A cable is disconnected
• The entire device goes down
4.2.2 Firewall Load Balancing Configuration Overview

Firewall load balancing configuration is required in order to ensure that all traffic is load balanced across all
available security devices. The FWLB configuration is slightly different on the external Thunder ADC appliance
pair compared to the internal Thunder ADC appliance pair. Additionally, the configuration is identical on both
devices in the same high availability pair, except for the VRRP-A priority. This guide discusses the configuration
of only one external Thunder ADC appliance and one internal Thunder ADC appliance.
Load Balancing Configuration on Internal Thunder ADC Appliance

• All TCP and UDP traffic is intercepted.
-- Access Control List (ACL) is created to define traffic of interest.
-- Wildcard VIP is defined, and uses this ACL.
-- TCP port 0, UDP port 0 and “others” port 0 are defined under the wildcard VIP.
• The remote VRRP-A address of each VLAN is added as an SLB server. Each security device path is
associated with a single VLAN and thus traffic from the internal Thunder ADC potentially will traverse each
security device.
-- The command slb server is used to define security device paths.
• Once traffic is intercepted, it is routed to one of the security devices based on the configured algorithm
(in this case, round-robin). Destination-NAT is disabled for this traffic.
-- The command no-dest-nat helps achieve this.
7
Load Balancing Configuration on External Thunder ADC Appliance

Another wildcard VIP is configured on the external Thunder ADC pair. This wildcard VIP intercepts all incoming
traffic from the security devices, and sends it to the default router. However, while doing so, the Thunder ADC
appliance also creates internal sessions. The MAC address of the security device from which the traffic was
received is also stored in this session. This step is to ensure that the return traffic belonging to this session will
be sent through the same security device from which it was received.
• All TCP, UDP and IP traffic is intercepted.
-- ACL is created to define traffic of interest.
-- Wildcard VIP is defined with this ACL.
-- TCP port 0, UDP port 0 and “others” port 0 are defined on the wildcard VIP.
• Next-hop gateway (default router) is defined and added to a service group.
-- The command slb server is used to define the default router IP address.
• The source MAC address of the incoming traffic is preserved so that the response traffic can be sent
through the same security device path.
-- The command use-rcv-hop-for-resp is used for this.
• Destination-NAT is disabled for this traffic.
-- The command no-dest-nat helps achieve this.
4.2.3 SSL Insight Configuration Overview

The SSL Insight configuration has many similarities to the FWLB configuration. The primary difference is that
client-SSL and server-SSL templates are required on the internal and the external Thunder ADC appliances
respectively. Additionally, only SSL traffic is intercepted.
Just like FWLB, the SSL Insight configuration is slightly different on the external Thunder ADC appliances
compared to the internal Thunder ADC appliances. Also, the configuration is identical on both devices in the
same high availability pair, except for the VRRP-A priority. This guide discusses the configuration of only one
external Thunder ADC appliance and one internal Thunder ADC appliance.
Note: SSL Insight can decrypt HTTPS traffic only. In ACOS 4.0.1, SSL Insight will also support SMTPS and XMPP traffic.
SSL Insight Configuration on Internal Thunder ADC Appliance

SSL Insight configuration on the internal Thunder ADC appliance has the following key elements:
• SSL traffic entering on port 443 is intercepted.
-- Port 443 is defined under a wildcard VIP to achieve this.
• The SSL server certificate is captured during the SSL handshake; all X.509 DN attributes are duplicated,
except for the issuer and base64 encoded public key.
-- Client-SSL template is used for this. The Client-SSL template includes the required command forward-
proxy-enabled, along with the local CA certificate (from 4.1) and its private key which is used for
signing dynamically forged certificates.
• The remote VRRP-A address of each VLAN is added as an SLB server. Each security device path is
associated with a single VLAN and thus traffic from the internal Thunder ADC potentially will traverse each
security device. Port 8080 is defined for each security device path.
-- The command slb server defines a security device path and port number 8080 is added.
• Along with the protocol (HTTPS to HTTP), the destination port also gets changed from 443 to 8080.
-- Service group is defined with port 8080 and bound to the virtual port.
• However, the destination IP (i.e. Internet Server IP) remains unchanged.
-- The command no-dest-nat port-translation achieves this.
• The incoming SSL traffic is intercepted and decrypted, and is then forwarded in clear text over HTTP on
port 8080 through the security device.
8
SSL Insight Configuration on External Thunder ADC Appliance

SSL Insight configuration on the external Thunder ADC appliance is simpler than on the internal Thunder ADC
appliance; it has the following characteristics:
• Clear-Text HTTP traffic entering on port 8080 is intercepted.
-- Port 8080 is defined under a wildcard VIP to achieve this.
• The next-hop gateway (default router) is defined as an SLB server.
-- The command slb server defines the default router IP address and port number 443 is added.
• Along with the protocol (HTTP to HTTPS), the destination port also gets changed from 8080 to 443.
• Service group is defined with port 443 and bound to the virtual port.
-- However, the destination IP (i.e. Internet Server IP) remains unchanged.
-- The command no-dest-nat port-translation achieves this.
• The source MAC of the incoming traffic is preserved so that the response traffic can be sent through the
same security device path.
-- The command use-rcv-hop-for-resp is used for this.
• Incoming HTTP traffic is converted into SSL traffic and sent out on port 443.
-- A server-SSL template is defined and applied to the virtual port. The template includes the command
forward-proxy-enable. Optionally, a root CA certificate store file also may be applied to the server-SSL
template.
4.3 Security Device Configuration Overview

The security devices must be configured according to the recommend best practices of the security vendor.
The key requirements for an SSL Insight and load balancing deployment are:
• ARP packets should be allowed for VRRP-A packets on both internal and external Thunder ADC appliances.
• Health-check packets should be allowed from internal Thunder ADC appliances to the VRRP-A addresses
on the external Thunder ADC appliances, since the security devices are configured as SLB servers.
5 Configuration Steps for Thunder ADC Appliance

This section provides detailed steps for configuring the Thunder ADC appliances for SSL Insight. In order to
avoid redundancy, most of the CLI commands and GUI screenshots will focus on the primary, internal Thunder
ADC, unless explicitly specified. Complete configuration from both internal and external Thunder ADC pairs is
given in Appendix A.
5.1 L2/L3 and High Availability on the Thunder ADC Appliances

The steps in this section configure the following L2/L3 parameters:
• VLANs and their router interfaces.
• Virtual Ethernet (VE) interfaces, which are IP addresses assigned to VLAN router interfaces.
• VRRP-A for high availability.
9
The goal is to achieve the following IP addressing scheme on all four Thunder ADC appliances as shown in
Figure 1:
VLAN VE IP Address Interface VRID VRID IP

Address
Inside Primary 10 10.10.1.2 /24 eth1 default 10.10.1.1
ADC 15 10.15.1.2 /24 eth5 5 10.15.1.1
16 10.16.1.2 /24 eth6 6 10.16.1.1
99 10.99.1.1 /24 eth18 n/a n/a
Inside 10 10.10.1.3 /24 eth1 default 10.10.1.1
Secondary ADC 15 10.15.1.3 /24 eth5 5 10.15.1.1
16 10.16.1.3 /24 eth6 6 10.16.1.1
99 10.99.1.2 /24 eth18 n/a n/a
Outside 20 20.1.1.2 /24 eth1 default 20.1.1.1
Primary ADC 15 10.15.1.12 /24 eth5 15 10.15.1.11
16 10.16.1.12 /24 eth6 16 10.16.1.11
199 10.199.1.1 /24 eth18 n/a n/a
Outside 20 20.1.1.3 /24 eth1 default 20.1.1.1
Secondary ADC 15 10.15.1.13 /24 eth5 15 10.15.1.11
16 10.16.1.13 /24 eth6 16 10.16.1.11
199 10.199.1.2 /24 eth18 n/a n/a
Configure the VLANs and add Ethernet and Router Interfaces

Configure the following VLAN parameters as shown in Figure 1:
• VLAN-10: This is the uplink to the internal network. Add router-interface ve 10 along with the Ethernet
interface.
• VLAN-15: This is the path to the external Thunder ADC appliances through security device-1. Add router-
interface ve 15 along with the Ethernet interface.
• VLAN-16: This is the path to the external Thunder ADC appliances through security device-2. Add router-
interface ve 16 along with the Ethernet interface.
• VLAN-99: This is the VLAN for VRRP-A sync messages. Add router-interface ve 99 along with the Ethernet
interface.
Using the CLI:

ACOS(config)#vlan 10
ACOS(config-vlan:10)#untagged ethernet 1
ACOS(config-vlan:10)#router-interface ve 10
ACOS(config-vlan:10)#exit
ACOS(config)#
10
Using the GUI:

1. Navigate to Config Mode > Network > VLAN > VLAN.
2. Click Add.
3. Enter the VLAN ID, select the interfaces, and enter the VE ID (same as the VLAN number).
4. Click OK.
5. Repeat for each VLAN.
Figure 4. VLAN configuration
The VLAN configuration should look similar to the following after all four VLANs have been added.
Figure 5. VLAN settings
11
Configure IP Addresses on the VLAN Router Interfaces

Make sure to enable the promiscuous VIP option under ve10, in order to subject inbound traffic to Wildcard VIP
(more to be discussed later).
Using the CLI:

ACOS(config)#interface ve 10
ACOS(config-if:ve10)#ip address 10.10.1.2 /24
ACOS(config-if:ve10)#ip allow-promiscuous-vip
ACOS(config-if:ve10)#exit
Using the GUI:

1. Navigate to Config Mode > Interface > Virtual. The interfaces configured above should be visible.
2. Click on “ve-10” and configure the IPv4 address.
3. Click on VIP to display the configuration options.
4. Select Allow Promiscuous VIP.
5. Click OK when done.
6. Repeat for each VE.
Figure 6. Virtual Ethernet (VE) interface configuration
12
Configure VRRP-A on the Internal Thunder ADC Appliances

1. Set unique VRRP-A device IDs on both Thunder ADC appliances.
2. Configure the same set ID on both Thunder ADC appliances.
3. Configure VRIDs and assign floating IPs.
In this step, the following VRIDs are configured:
• VRID-Default: This VRID will be used for the enterprise switch, floating IP 10.10.1.1.
• VRID-15: This VRID will be used for VLAN-15, floating IP 10.15.1.1.
• VRID-16: This VRID will be used for VLAN-16, floating IP 10.16.1.1.
4. Configure and enable a VRRP-A interface.
5. Repeat the steps above on the external Thunder ADC appliance pair.
Note: The VRIDs must be unique on the internal and external Thunder ADC appliances.
Using the CLI:

ACOS(config)#vrrp-a device-id 1
ACOS(config)#vrrp-a set-id 1
ACOS(config)#vrrp-a vrid default
ACOS(config-vrid-default)#floating-ip 10.10.1.1
ACOS(config-vrid-default)#priority 200
ACOS(config-vrid-default)#tracking-options
ACOS(config-vrid-tracking)#interface ethernet 1 priority-cost 60
ACOS(config-vrid-tracking)#exit
ACOS(config-vrid-default)#vrrp-a vrid 5
ACOS(config-vrid)#floating-ip 10.15.1.1
ACOS(config-vrid)#priority 200
ACOS(config-vrid)#tracking-options
ACOS(config-vrid)#vrrp-a vrid 6
ACOS(config-vrid)#floating-ip 10.16.1.1
ACOS(config-vrid)#priority 200
ACOS(config-vrid)#tracking-options
ACOS(config-vrid)#exit
ACOS(config)#vrrp-a interface ethernet 18 vlan 99
ACOS(config)#vrrp-a enable
Repeat on the external Thunder ADC appliance pair. Make sure to use unique IP addresses.
13
Using the GUI:

1. Navigate to Config Mode > System > VRRP-A > Setting > VRRP-A Global.
2. Select the Device ID. Each device in the VRRP-A set must have a unique VRRP-A device ID.
3. In the Set ID field, enter “1”.
Figure 7. VRRP-A global configuration
4. Click on VRID to display the options.

a. Select “default” from the VRID drop-down list.
b. Enter priority “200”.
c. Click Add.
14
Figure 8. VRRP-A global configuration – VRIDs
5. Repeat for VRIDs 5 and 6.

6. Click Float IP Address to display floating IP address options.
a. Select “default” from the VRID drop-down list.
b. Add IPv4 address 10.10.1.1.
c. Click Add.
d. Repeat for VRIDs 5 and 6.
15
Figure 9. VRRP-A global configuration - floating IP
7. Click VRRP-A Tracking to display VRRP-A tracking options.

a. Under Interface: Select “5” from the VRID drop-down list.
b. Select “Ethernet1” from the Interface drop-down list.
c. Enter “60” under Priority Cost.
d. Click Add.
e. Repeat for Interfaces Ethernet5 and Ethernet6.
f. Repeat for VRIDs “default” and “6”.
16
Figure 10. VRRP-A tracking configuration
8. Navigate to Config Mode > System > VRRP-A > VRRP-A Interface.
a. Click on Ethernet 18.
b. Configure VLAN 99.
c. Enable all options: Status, VRRP-A Status, and Heartbeat.
d. Click OK.
17
Figure 11. VRRP-A interface configuration
9. Repeat the steps above on the external Thunder ADC appliance pair. Make sure to use unique IP
addresses.
10. Enable VRRP-A under General section in Config Mode > System > VRRP-A > Setting > VRRP-A Global.
5.2 FWLB Configuration on the Thunder ADC Appliances

The following commands will configure firewall load balancing configuration on the Thunder ADC appliances.
5.2.1 Internal Thunder ADC Appliance

The steps in this section configure load balancing parameters on the internal Thunder ADC appliance.
Configure Servers for VLAN-15 and VLAN-16

These steps configure an slb server with TCP port 0 and UDP port 0, and with the VRRP-A address of the first
VLAN. Then a second server is configured, with the VRRP-A address of the second VLAN.
Using the CLI:

ACOS(config)#slb server SecurityDevice1_Path 10.15.1.11
ACOS(config-real server)#port 0 tcp
ACOS(config-real server-node port)#no health-check
ACOS(config-real server)#port 0 udp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
18
Using the GUI:

1. Navigate to Config Mode > SLB > Service > Server.
2. Click Add.
3. Enter the following settings:
a. Name: “SecurityDevice1_Path”
b. IP Address: 10.15.1.11
4. Enter Port parameters:
a. Port: “0”
b. Protocol: “TCP”
c. Health Monitor: Select blank (disabled).
d. Click Add.
e. Repeat for UDP port 0.
5. Click OK.
Figure 12. Server configuration (internal)
19
Figure 13. Server port configuration (internal)
6. Repeat for the second VLAN, using a unique IP address.
Figure 14. Server configuration (internal)
Configure a Service Group

These steps add the SLB servers to SLB service groups.
Using the CLI:

ACOS(config)#slb service-group LB_Paths_TCP tcp
ACOS(config-slb svc group)#member SecurityDevice1_Path:0
ACOS(config-slb svc group)#exit
ACOS(config)#slb service-group LB_Paths_UDP udp
20
Using the GUI:

1. Navigate to Config Mode > SLB > Service > Service Group.
2. Click Add.
3. Enter the following parameters:
a. Name: “ LB_Paths_TCP”
b. Type: “TCP”
4. Click on Server.
5. Select the Server, “SecurityDevice1_Path”, from the drop-down list.
6. Select the Port, “0”.
7. Click Add.
8. Repeat for UDP port 0.
9. Repeat for the second server, “SecurityDevice2_Path“.
10. Click OK.
Figure 15. Service group configuration (internal)
21
Figure 16. Servers (internal)
Configure the ACL

These steps configure an extended ACL to intercept incoming traffic on VLAN-10. This ACL will be used as part
of the wildcard VIP configuration, below.
Using the CLI:

ACOS(config)#access-list 100 permit ip any any vlan 10
Using the GUI:

1. Navigate to Config Mode > Security > Network > ACL > Extended.
2. Click Add.
3. Enter or select the following settings:
a. ID: “100”
b. Action: “Permit”
c. Protocol: “IP”
d. Source Address: “Any”
e. Destination Address: “Any”
f. VLAN ID: “10”
4. Click OK.
22
Figure 17. Extended ACL configuration (internal)
Add UDP port 0, TCP port 0 and Others Port 0 to a Wildcard VIP
These commands add the service groups to TCP, UDP and “others” wildcard VIP ports. The no-dest-nat
command is used to preserve the destination IP address load-balanced traffic. The “others” wildcard port can
take an already defined TCP service group or UDP service group. In this example, the UDP service group is used.
ACOS(config)#slb virtual-server Outbound_Wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver)#port 0 tcp
ACOS(config-slb vserver-vport)#service-group LB_Paths_TCP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 udp
ACOS(config-slb vserver-vport)#service-group LB_Paths_UDP
ACOS(config-slb vserver)#port 0 others
ACOS(config-slb vserver-vport)#service-group LB_Paths_UDP
ACOS(config-slb vserver)#exit
Using the GUI:

1. Navigate to Config Mode > Service > SLB > Virtual Server.
2. Click Add.
a. Name: “Outbound_Wildcard_VIP”
b. Wildcard: Select the checkbox.
c. Access List: “100”
4. Click Add in the Port section.
23

a. Type: “TCP”
b. Port: “0”
c. Service Group: “ LB_Paths_TCP”
d. Direct Server Return: Select Enabled.
6. Click OK to exit the Virtual Server Port configuration page.
7. Click OK to exit the Virtual Server configuration page.
Figure 18. Configuring Wildcard VIP (internal)
5.2.2 External Thunder ADC Appliance

The steps in this section configure FWLB parameters on the external Thunder ADC appliance.
Note: For brevity, only the CLI commands are shown in this section.
Add TCP Port 0 and UDP Port 0 to the Gateway Path

ACOS(config)#slb server Default_Gateway 20.1.1.10
24
Add the TCP and UDP Gateway Path to Service Groups

ACOS(config)#slb service-group DG_TCP tcp
ACOS(config-slb svc group)#member Default_Gateway:0
ACOS(config)#slb service-group DG_UDP udp
Configure an ACL to Intercept Incoming Traffic on VLAN-15 and VLAN-16 for a Wildcard VIP
These steps configure an extended ACL to intercept traffic on VLAN-15 and VLAN-16. This ACL will be used as
part of the wildcard VIP configuration, below.
Using the CLI:

Add UDP port 0, TCP port 0 and Others Port 0 to a Wildcard VIP
These commands add the service groups to TCP, UDP and “others” wildcard VIP ports. The no-dest-nat
command is used to preserve the destination IP address load-balanced traffic. The command use-rcv-hop-for-
resp is used so that response traffic goes back through the same path through which the request traffic arrives.
ACOS(config)#slb virtual-server Inside_To_Outside 0.0.0.0 acl 101
ACOS(config-slb vserver)#port 0 tcp
ACOS(config-slb vserver-vport)#service-group DG_TCP
ACOS(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS(config-slb vserver)#port 0 udp
ACOS(config-slb vserver-vport)#service-group DG_UDP
ACOS(config-slb vserver)#port 0 others
ACOS(config-slb vserver-vport)#service-group DG_UDP
5.3 SSL Insight Configuration on the Thunder ADC Appliances

SSL Insight configuration is very similar to FWLB configuration, with the following difference: The internal
Thunder ADC will intercept traffic on TCP port 443, decrypt it, and send it in clear text over TCP port 8080 to the
security devices. Consequently, the external Thunder ADC will intercept clear text traffic arriving on TCP port
8080 and encrypt it back before sending it to the remote hosts.
The same ACL wildcard VIPs used for FWLB can be used for SSL Intercept.
5.3.1 Internal Thunder ADC Appliance

Use the following steps to configure SSL Insight parameters in the internal Thunder ADC appliance.
Configure Servers for VLAN-15 and VLAN-16

These steps configure TCP port 8080, under the SLB servers configured in FWLB configuration.
25
Using the CLI:

Using the GUI:

1. Navigate to Config Mode > SLB > Service > Server.
2. Select slb server “SecurityDevice1_Path” and click Edit.
3. Enter Port parameters:
a. Port: “8080”
b. Protocol: “TCP”
c. Health Monitor: Select blank (disabled).
d. Click Add.
4. Click OK.
5. Repeat for the slb server “SecurityDevice2_Path” as well.
Figure 19. Server port configuration (internal)
Configure a Service Group

These steps add the servers to a service group.
Using the CLI:

ACOS(config)#slb service-group SSLi tcp
26
Using the GUI:

1. Navigate to Config Mode > SLB > Service > Service Group.
2. Click Add.
3. Enter the following parameters:
a. Name: “SSLi”
b. Type: “TCP”
4. Click on Server.
5. Select the Server, “SecurityDevice1_Path “, from the drop-down list.
6. Select the Port, “8080”.
7. Click Add.
8. Repeat for the second server, “SecurityDevice2_Path“.
9. Click OK.
Figure 20. Service group configuration (internal)
27
Figure 21. Adding Servers to Service Group (internal)
Configure the Client-SSL Template

These steps configure the client-SSL template. The command forward-proxy-enable essentially enables SSL
Insight on the client-ssl template. The forward-proxy is an A10 specific term and is different than the traditional
explicit-proxy function.
Note: These steps assume that the CA certificate and the private key has been uploaded to the Thunder ADC
appliance. For instructions on uploading CA certificates and keys, please refer to the ACOS Application Delivery and
Server Load Balancing Guide
Using the CLI:

ACOS(config)#slb template client-ssl SSLInsight_ClientSide
ACOS(config-client ssl)#forward-proxy-ca-cert SSLi-CA
ACOS(config-client ssl)#forward-proxy-ca-key SSLi-CA
ACOS(config-client ssl)#forward-proxy-enable
ACOS(config-client ssl)#exit
Using the GUI:

1. Navigate to Config Mode > SLB > Template > SSL > Client SSL.
2. Click Add.
3. Enter a Name, “SSLInsightt_ClientSide”.
4. Select Enabled next to SSL Forward Proxy.
5. Select the CA certificate from the CA Certificate drop-down list.
6. Select the private key from the CA Private Key drop-down list.
7. Click OK.
28
Figure 22. Client-SSL configuration (internal)
Configure the Wildcard VIP

These steps will use the same wildcard VIP from FWLB configuration add virtual port 443 for SSL Insight
configuration. The no-dest-nat port-translation command is used to convert incoming 443 traffic to port 8080,
while preserving the destination IP address.
Using the CLI:

ACOS(config)#slb virtual-server Outbound_Wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#service-group SSLi
ACOS(config-slb vserver-vport)#template client-ssl SSLInsight_ClientSide
ACOS(config-slb vserver-vport)#no-dest-nat port-translation
Using the GUI:

1. Navigate to Config Mode > SLB > Service > Virtual Server.
2. Select the “Outbound_Wildcard_VIP” and click Edit.
29
3. Click Add in the Port section.

a. Type: “HTTPS”
b. Port: “443”
c. Service Group: “SSLi”
d. Direct Server Return: Select Enabled, and select the Port Translation checkbox.
e. Client-SSL Template: “SSLInsight_ClientSide”
5. Click OK to exit the Virtual Server Port configuration page.
6. Click OK to exit the Virtual Server configuration page.
Figure 23. Virtual server port configuration (internal)
30
5.3.2 External Thunder ADC Appliance

Use the following steps to configure SSL Insight parameters in the external Thunder ADC appliance.
Note: For brevity, only the CLI commands are shown in this section.
Add TCP Port 443 to the FWLB Gateway Path

These steps add TCP port 443 for HTTPS traffic under the default gateway path in FWLB configuration.
Using the CLI:

ACOS(config)#slb server Default_Gateway 20.1.1.10
Add the Server Port Configuration to a Service Group

These steps add the server port to a service group.
Using the CLI:

ACOS(config)#slb service-group DG_SSL tcp
Configure the Server-SSL Template

These steps configure the server-SSL template.
Using the CLI:

ACOS(config)#slb template server-ssl SSLInsight_ServerSide
ACOS(config-server ssl)#forward-proxy-enable
ACOS(config-server ssl)#exit
Using the GUI:

1. Navigate to Config Mode > SLB > Template > SSL > Server SSL.
2. Click Add.
3. Enter a Name, “SSLInsight_ServerSide”.
4. Select Enabled next to SSL Forward Proxy.
5. Leave other fields blank.
6. Click OK.
31
Figure 24. Server-SSL configuration (external)
Configure the Wildcard VIP

These steps will use the same wildcard VIP from FWLB configuration add virtual port 8080 for SSL Insight
configuration. The no-dest-nat port-translation command is used to convert incoming TCP port 8080 traffic
to HTTPS port 443, while preserving the destination IP address. The command use-rcv-hop-for-resp is used so
that response traffic goes back through the same path through which the request traffic arrives.
Using the CLI:

ACOS(config)#slb virtual-server Inside_To_Outside 0.0.0.0 acl 101
ACOS(config-slb vserver)#port 8080 http
ACOS(config-slb vserver-vport)#service-group DG_SSL
ACOS(config-slb vserver-vport)#template server-ssl SSLInsight_ServerSide
ACOS(config-slb vserver-vport)#no-dest-nat port-translation
32
6 Configuration Steps for Security Device

For this deployment guide, the security devices need to be configured in Layer-2, transparent mode. Refer to
the configuration steps from the security device documentation.
7 Summary
The sections above show how to deploy the Thunder ADC device with a third party security device for SSL
Insight. SSL Insight, included as a standard feature of Thunder ADC, offers organizations a powerful load-
balancing, high availability and SSL decryption solution. Using SSL Insight, organizations can:
• Analyze all network data, including encrypted data, for complete threat protection
• Deploy best-of-breed content inspection solutions to fend off cyber attacks
• Maximize the performance, availability and scalability of corporate networks by leveraging A10’s 64-bit
ACOS platform, Flexible Traffic Acceleration (FTA) technology and specialized security processors
For more information about Thunder ADC products:
• http://www.a10networks.com/products/thunder-application-delivery-controller.php
• http://www.a10networks.com/resources/solutionsheets.php
• http:/www.a10networks.com/resources/casestudies.php
33
Appendix A. Complete Configuration File for the Thunder ADC

Appliance
Internal Primary Unit Configuration Internal Standby Unit Configuration
vrrp-a device-id 1 vrrp-a device-id 2
vrrp-a set-id 1 vrrp-a set-id 1
hostname ACOS hostname ACOS
! !
vlan 10 vlan 10
untagged ethernet 1 untagged ethernet 1
router-interface ve 10 router-interface ve 10
! !
vlan 15 vlan 15
! !
vlan 16 vlan 16
! !
vlan 99 vlan 99
tagged ethernet 18 tagged ethernet 18
! !
access-list 100 permit ip any any access-list 100 permit ip any any
vlan 10 vlan 10
! !
interface ve 10 interface ve 10
ip address 10.10.1.2 255.255.255.0 ip address 10.10.1.3 255.255.255.0
ip allow-promiscuous-vip ip allow-promiscuous-vip
! !
! !
! !
! !
VRRP-A enable VRRP-A enable
vrrp-a vrid default vrrp-a vrid default
floating-ip 10.10.1.1 floating-ip 10.10.1.1
priority 200 priority 180
tracking-options tracking-options
interface ethernet 1 priority- interface ethernet 1 priority-
cost 60 cost 60
cost 60 cost 60
cost 60 cost 60
34
Appendix B. Detailed Walkthrough of SSL Insight Packet FLow

! !
vrrp-a vrid 5 vrrp-a vrid 5
cost 60 cost 60
cost 60 cost 60
cost 60 cost 60
! !
cost 60 cost 60
cost 60 cost 60
cost 60 cost 60
! !
VRRP-A interface ethernet 18 vlan 99 VRRP-A interface ethernet 18 vlan 99
! !
slb server SecurityDevice1_Path slb server SecurityDevice1_Path
10.15.1.11 10.15.1.11
port 0 tcp port 0 tcp
no health-check no health-check
port 0 udp port 0 udp
! !
slb server SecurityDevice2_Path slb server SecurityDevice2_Path
10.16.1.11 10.16.1.11
! !
slb service-group LB_Paths_UDP udp slb service-group LB_Paths_UDP udp
member SecurityDevice1_Path:0 member SecurityDevice1_Path:0
! !
slb service-group LB_Paths_TCP tcp slb service-group LB_Paths_TCP tcp
35

! !
slb service-group SSLi tcp slb service-group SSLi tcp
! !
slb template client-ssl SSLInsight_ slb template client-ssl SSLInsight_
ClientSide ClientSide
forward-proxy-enable forward-proxy-enable
forward-proxy-ca-cert SSLi-CA forward-proxy-ca-cert SSLi-CA
forward-proxy-ca-key SSLi-CA forward-proxy-ca-key SSLi-CA
! !
slb virtual-server Outbound_Wildcard_ slb virtual-server Outbound_Wildcard_
VIP 0.0.0.0 acl 100 VIP 0.0.0.0 acl 100
service-group LB_Paths_TCP service-group LB_Paths_TCP
no-dest-nat no-dest-nat
service-group LB_Paths_UDP service-group LB_Paths_UDP
port 0 others port 0 others
service-group LB_Paths_UDP service-group LB_Paths_UDP
port 443 https port 443 https
service-group SSLi service-group SSLi
template client-ssl SSLInsight_ template client-ssl SSLInsight_
ClientSide ClientSide
no-dest-nat port-translation no-dest-nat port-translation
! !
end end
External Primary Unit Configuration External Standby Unit Configuration

vrrp-a set-id 2 vrrp-a set-id 2
hostname ACOS hostname ACOS
! !
vlan 20 vlan 20
! !
vlan 15 vlan 15
! !
vlan 16 vlan 16
! !
vlan 99 vlan 99
tagged ethernet 18 tagged ethernet 18
36
External Primary Unit Configuration External Standby Unit Configuration

! !
vlan 15 vlan 15
vlan 16 vlan 16
! !
! !
! !
! !
! !
VRRP-A enable VRRP-A enable
vrrp-a vrid default vrrp-a vrid default
cost 60 cost 60
cost 60 cost 60
cost 60 cost 60
! !
cost 60 cost 60
cost 60 cost 60
cost 60 cost 60
! !
cost 60 cost 60
cost 60 cost 60
cost 60 cost 60
37
External Primary unit Configuration External Standby unit Configuration

! !
VRRP-A interface ethernet 18 vlan 99 VRRP-A interface ethernet 18 vlan 99
! !
slb template server-ssl SSLInsight_ slb template server-ssl SSLInsight_
ServerSide ServerSide
forward-proxy-enable forward-proxy-enable
! !
slb server Default_Gateway 20.1.1.10 slb server Default_Gateway 20.1.1.10
! !
slb service-group DG_TCP tcp slb service-group DG_TCP tcp
member Default_Gateway:0 member Default_Gateway:0
! !
slb service-group DG_UDP udp slb service-group DG_UDP udp
! !
slb service-group DG_SSL tcp slb service-group DG_SSL tcp
! !
slb virtual-server Inside_To_Outside slb virtual-server Inside_To_Outside
0.0.0.0 acl 101 0.0.0.0 acl 101
service-group DG_TCP service-group DG_TCP
use-rcv-hop-for-resp use-rcv-hop-for-resp
service-group DG_UDP service-group DG_UDP
port 0 others port 0 others
service-group DG_UDP service-group DG_UDP
port 8080 http port 8080 http
service-group DG_SSL service-group DG_SSL
template server-ssl SSLInsight_ template server-ssl SSLInsight_
ServerSide ServerSide
no-dest-nat port-translation no-dest-nat port-translation
! !
end end
38
Appendix B. Detailed Walkthrough of SSL Insight Packet FLow
A10 Thunder ADC Security Device A10 Thunder ADC Remote Server
Client
Encrypted Zone Clear-Text Zone Encrypted Zone
SYN
SYN/ACK
ACK
Client Hello
1
SYN
SYN/ACK
ACK
Client Hello
Server-Hello
(Server Cert +
Public Key, Signed
by well-known CA
SSL-Handshake
2 Messages
Server-Hello
+ Finished
(Server Cert +
Local Public Key,
Signed by Local CA
SSL-Handshake
Messages
+ Finished
Encrypted
Application Data 3
Clear Text 4
Application Data SYN
SYN/ACK
ACK
Client Hello
SSL-Handshake
Messages
+ Finished
Encrypted
Application Data
Encrypted
5 Application
Response
Encrypted Clear Text
Application 6
Application
Response Response
If the certificate exists in cache, send it to client and Data encrypted and sent in cleat-text through the
move to (2). Otherwise, establish SSL connection with
3 security device.
1 the remote server and get the certificate from the
remote server.
New SSL session initiated with remote server.
4
Data encrypted and sent to remote server.
Extract header information from server certificate.
Change the Issuer and the Public Key as defined in
2 Response is decrypted and sent through the security
Client-SSL-Template. 5
Re-sign the new certificate using the CA-Certificate as device.
specified in Client-SSL-Template.
Send the reconstructed Server-Hello to client. 6 Response is encrypted again and sent to the client.
39
Appendix C. SSL Insight Certificate Installation Guide

A prerequisite for configuring Thunder ADC’s SSL Insight feature is generating a CA certificate with a known
private key. This CA certificate must then be installed to all client machines on the internal network. If the CA
certificate is not installed, internal users will see an SSL “untrusted root” error whenever they try to connect to
an SSL-enabled website.
This guide includes the following contents:
• Generating a CA Certificate
• Exporting a Certificate from Thunder ADC
• Installing a Certificate in Microsoft Windows 7 for Microsoft Internet Explorer
• Installing a Certificate in Google Chrome
• Installing a Certificate in Mozilla Firefox
Generating a CA Certificate
The SSLI insight feature relies on an SSL certificate and key pair to encrypt traffic between clients and the
Thunder ADC appliance. A self-signed certificate can be generated by the Thunder ADC appliance or can be
created by a Linux system with OpenSSL installed. Alternatively, from the Thunder ADC appliance, an ADC
administrator can request and install a CA-signed certificate. For instructions on requesting a CA-signed
certificate, please see the “Application Delivery and Server Load Balancing Guide.”
To generate a self-signed certificate from Thunder ADC in ACOS version 2.7.2:
1. Select Config Mode > SLB > Service > SSL Management.
2. On the menu bar, select Certificate.
3. Click Add.
4. Enter the name for certificate.
5. In the Issuer drop-down list, select Self.
6. Enter the rest of the certificate information in the remaining fields of the Certificate section.
Note: If you need to create a wildcard certificate, use an asterisk as the first part of the common name.
7. From the Key drop-down list, select the length in bits for the key.
8. Click OK. The ACOS device generates the self-signed certificate and a key. The new certificate and key
appear in the certificate list. The certificate is ready to be used in client-SSL and server-SSL templates.
Instead of creating a self-signed certificate within Thunder ADC, administrators can generate a certificate from
a Linux server. The following two commands generate and initialize a CA Certificate on a Linux system with an
OpenSSL package installed. Once generated, the certificate can be imported onto the Thunder ADC device
using FTP or SCP.
openssl genrsa -out ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
The root certificate must be imported onto the client machines. This can be done manually or using an
automated service such as Microsoft Group Policy Manager.
Note: Further details for Group Policy Manager can be found at: http://technet.microsoft.com/en-us/library/cc772491.
aspx
Exporting a Certificate from Thunder ADC

To export a self-signed certificate from Thunder ADC from the Thunder ADC GUI in ACOS 2.7.2:
1. Select Config Mode > SLB > Service > SSL Management.
2. On the menu bar, select Certificate.
3. To export a certificate:
40
a. Select the Certificate checkbox.

b. Click Export.
Note: If the browser security settings normally block downloads, you may need to override the settings. For
example, in Internet Explorer, hold the Ctrl key while clicking Export.
4. Click Save.
5. Navigate to the save location.
6. Click Save again.
7. To export a key:
a. Select the SSL key.
b. Click Export.
c. Click Save. Navigate to the save location.
d. Click Save again.
See the “Application Delivery and Server Load Balancing Guide” for more information and for instructions for the
command line interface (CLI).
Installing a Certificate in Microsoft Windows 7 for Internet Explorer

To import an untrusted or self-signed CA certificate into your Windows 7 computer, you must be logged on
as an administrator, and the untrusted or self-signed CA certificate should have been imported onto your
computer already.
1. Open Certificate Manager by clicking the Start button , typing certmgr.msc into the search box, and
then pressing Enter. If you’re prompted for an administrator password or confirmation, type the
password or provide confirmation.
41
2. In Certificate Manager, select the folder that you want to import the certificate into. In this exercise, we
have selected the folder: Trusted Root Certification Authorities > Certificates.
3. Click the Action menu, point to All Tasks, and then click Import.
42
4. In Certificate Import Wizard, click Next to proceed to the File Import page.
5. Select Browse to locate the certificate file that is to be imported.
Note: the Open dialog box only displays X.509 certificates by default. If you want to import another type of certificate,
select the certificate type you want to import in the Open dialog box and click Open.
43
6. Click the Next button.
7. Click the Next button.
44
8. Confirm your selections and click Finish.
9. In the Security Warning popup, select Yes, since you made an informed decision to import this
certificate.
45
10. If the import is successful, you will see a dialog box with the message “The import was successful.”
11. You can see the newly installed CA certificate under the specified folder.
46
Installing Certificate in Google Chrome

1. To install the CA certificate on Google Chrome, open the Chrome browser.
2. Click the “Customize and Control Google Chrome” option located on the right hand corner of the
browser window.
3. Navigate to the HTTPS/SSL section of Chrome Settings and click the Manage certificates button.
47
4. In the certificate folder on the Trusted Root Certification Authorities tab, click the Import button and a
Certificate Import Wizard will appear.
5. In the Certificate Import Wizard, click the Next button.
48
6. Click the Next button to browse to the location of the CA certificate.
7. Once the correct certificate has been located, click Next to install the certificate in the “Trusted Root
Certificate Authorities” certificate store. Click Next and Finish and then click OK.
49
Installing a Certificate in Mozilla Firefox

Mozilla Firefox utilizes a certificate store and all root CA certificates are stored within the certificate store.
In order for SSL Insight to perform properly, each client must download and install the SSL root certificate.
Otherwise, Firefox will generate an error message warning clients about SSL error connection attempts.
1. To install a SSL root certificate in Firefox, launch the Firefox browser and open the Options window.
50
2. From the Options window, select the Advanced settings option and then click the Certificate tab. From
the Certificates window, click the View Certificates button. Mozilla will display the Certificate Manager
dialog.
3. Click the Import button.

4. Navigate to where the certificate is located and click Open. A Downloading Certificate window will be
displayed.
5. Select the Trust this CA to identify websites checkbox and click OK. Now, the certificate should be
imported and the client machine can access HTTPS applications without receiving an error message.
51
About A10 Networks

A10 Networks is a leader in application networking, providing a range of high-performance application
networking solutions that help organizations ensure that their data center applications and networks remain
highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, California, and
serves customers globally with offices worldwide. For more information, visit: www.a10networks.com
Corporate Headquarters Worldwide Offices To learn more about the A10 Thunder Application Service
Gateways and how it can enhance your business, contact
A10 Networks, Inc North America Taiwan
3 West Plumeria Ave. [email protected] [email protected] A10 Networks at: www.a10networks.com/contact or call
San Jose, CA 95134 USA to talk to an A10 sales representative.
Europe Korea
Tel: +1 408 325-8668 [email protected] [email protected]
Fax: +1 408 325-8666 South America Hong Kong
www.a10networks.com [email protected] [email protected]
Japan South Asia
[email protected] [email protected]
Part Number: A10-DG-16141-EN-02 China Australia/New Zealand
Dec 2015 [email protected] [email protected]
©2015 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or
registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective
owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks. 52

SSL Insight and Load Balancing For Thunder ADC: Deployment Guide

Uploaded by

Copyright:

Available Formats

SSL Insight and Load Balancing For Thunder ADC: Deployment Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SSL Insight and Load Balancing For Thunder ADC: Deployment Guide

Uploaded by

Copyright:

Available Formats

DEPLOYMENT GUIDE

SSL Insight and Load Balancing for

Figure 1. SSL Insight and Firewall Load Balancing topology example

3.1 SSL Insight with an Inline Security Deployment

A10 Thunder ADC

A10 Thunder ADC

3.2 Firewall Load Balancing

Remote 1 Traffic originates from

Internet 3 Traffic inspected by Security

A10 Thunder ADC 4 Traffic intercepted again:

VLAN 1 VLAN 2 5 Traffic received by Remote Server

9 Traffic sent to A10 Thunder ADC

end 1 end Client receives response

slb ssl-create certificate <certificate name>

openssl genrsa -out <name>.key

import ssl-cert <certificate name> scp://[user@]host/<source file>

4.2 Thunder ADC Appliance Configuration Overview

4.2.1 L2/L3 and High Availability

4.2.2 Firewall Load Balancing Configuration Overview

Load Balancing Configuration on Internal Thunder ADC Appliance

Load Balancing Configuration on External Thunder ADC Appliance

4.2.3 SSL Insight Configuration Overview

SSL Insight Configuration on Internal Thunder ADC Appliance

SSL Insight Configuration on External Thunder ADC Appliance

4.3 Security Device Configuration Overview

5 Configuration Steps for Thunder ADC Appliance

5.1 L2/L3 and High Availability on the Thunder ADC Appliances

VLAN VE IP Address Interface VRID VRID IP

Configure the VLANs and add Ethernet and Router Interfaces

Using the CLI:

Using the GUI:

Figure 4. VLAN configuration

Figure 5. VLAN settings

Configure IP Addresses on the VLAN Router Interfaces

Using the CLI:

Using the GUI:

Figure 6. Virtual Ethernet (VE) interface configuration

Configure VRRP-A on the Internal Thunder ADC Appliances

Using the CLI:

Using the GUI:

Figure 7. VRRP-A global configuration

4. Click on VRID to display the options.

Figure 8. VRRP-A global configuration – VRIDs

5. Repeat for VRIDs 5 and 6.

Figure 9. VRRP-A global configuration - floating IP

7. Click VRRP-A Tracking to display VRRP-A tracking options.

Figure 10. VRRP-A tracking configuration

Figure 11. VRRP-A interface configuration

5.2 FWLB Configuration on the Thunder ADC Appliances

5.2.1 Internal Thunder ADC Appliance

Configure Servers for VLAN-15 and VLAN-16

Using the CLI:

Using the GUI:

Figure 12. Server configuration (internal)

Figure 13. Server port configuration (internal)

6. Repeat for the second VLAN, using a unique IP address.

Figure 14. Server configuration (internal)

Configure a Service Group

Using the CLI:

Appendix A. Complete Configuration File for the Thunder ADC