SSL Insight and Load Balancing For Thunder ADC: Deployment Guide
Table of Contents
1 Overview (p. 3)
2 Deployment Prerequisites (p. 3)
3 Architecture Overview (p. 3)
3.1 SSL Insight with an Inline Security Deployment (p. 4)
3.2 Firewall Load Balancing (p. 5)
4 Configuration Overview (p. 6)
4.1 CA Certificate (p. 6)
4.2 Thunder ADC Appliance Configuration Overview (p. 7)
4.2.1 L2/L3 and High Availability (p. 7)
4.2.2 Firewall Load Balancing Configuration Overview (p. 7)
4.2.3 SSL Insight Configuration Overview (p. 8)
4.3 Security Device Configuration Overview (p. 9)
5 Configuration Steps for Thunder ADC Appliance (p. 9)
5.1 L2/L3 and High Availability on the Thunder ADC Appliances (p. 9)
5.2 FWLB Configuration on the Thunder ADC Appliances (p. 18)
5.2.1 Internal Thunder ADC Appliance (p. 18)
5.2.2 External Thunder ADC Appliance (p. 24)
5.3 SSL Insight Configuration on the Thunder ADC Appliances (p. 25)
5.3.1 Internal Thunder ADC Appliance (p. 25)
5.3.2 External Thunder ADC Appliance (p. 31)
6 Configuration Steps for Security Device (p. 33)
7 Summary (p. 33)
Appendix A. Complete Configuration File for the Thunder ADC Appliance (p. 34)
Appendix B. Detailed Walkthrough of SSL Insight Packet Flow (p. 39)
Appendix C. SSL Insight Certificate Installation Guide (p. 40)
Generating a CA Certificate (p. 40)
Exporting a Certificate from Thunder ADC (p. 40)
Installing a Certificate in Microsoft Windows 7 for Internet Explorer (p. 41)
Installing a Certificate in Google Chrome (p. 47)
Installing a Certificate in Mozilla Firefox (p. 50)
About A10 Networks (p. 52)
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services, including but not limited to
fitness for a particular use and noninfringement. A10 Networks has made reasonable efforts to verify that the information contained herein is accurate,
but A10 Networks assumes no responsibility for its use. All information is provided “as-is.” The product specifications and features described in this
publication are based on the latest information available; however, specifications are subject to change without notice, and certain features may not
be available upon initial product release. Contact A10 Networks for current information regarding its products or services. A10 Networks’ products and
services are subject to A10 Networks’ standard terms and conditions.
Deployment Guide | SSL Insight and Load Balancing for Thunder ADC
1 Overview
A wide range of security devices require visibility into network traffic, including encrypted traffic, to discover
attacks, intrusions, and data exfiltration. Growing SSL bandwidth, coupled with increasing SSL key lengths
and more computationally complex SSL ciphers, makes it difficult for even the most powerful inline security
devices to decrypt SSL traffic. On top of today’s SSL performance challenges, many types of security devices are
deployed non-inline to monitor network traffic. Often, these devices cannot decrypt outbound SSL traffic at all.
To eliminate the SSL blind spot in corporate defenses, A10 Networks® has introduced SSL Insight™, a feature
included in the A10 Thunder® Application Delivery Controller (ADC) product line. A10 Networks SSL Insight
decrypts SSL traffic and enables third party security products to inspect the unencrypted traffic.
When configured for SSL Insight, the Thunder ADC intercepts SSL traffic, decrypts it and forwards it to a
security device such as a firewall, an Intrusion Prevention System (IPS) or an advanced threat prevention
platform. Thunder ADC can also mirror the unencrypted traffic to non-inline security devices such as
analytics or forensics products. A second Thunder ADC appliance then takes this traffic and encrypts it again,
and sends it to the remote destination.
Using A10’s Application Delivery Partitions (ADPs), SSL Insight can be configured with a single Thunder ADC
appliance for encryption, decryption, and load balancing.
2 Deployment Prerequisites
The requirements for SSL Insight deployment are:
• One or more Thunder ADC appliance(s) with A10 Networks Advanced Core Operating System (ACOS®)
version 2.7.0 or later.
• A third-party security device such as a firewall, security analytics or forensics appliance or threat
prevention platform.
Note: The CLI commands and GUI screenshots presented in this guide are based on ACOS version 2.7.2.
3 Architecture Overview
This section illustrates a joint solution of A10 Networks Thunder ADCs and a third party security device for SSL
Insight. The SSL Insight services are provided by the Thunder ADC appliances while the traffic inspection and
monitoring services are provided by the third party security devices. This deployment also utilizes firewall load
balancing (FWLB) and VRRP-A features, which makes the SSL Insight solution highly available and efficient.
Notes:
• VRRP-A is a Thunder ADC high availability protocol optimized for Server Load Balancing (SLB), and differs
significantly from the industry-standard implementation of Virtual Router Redundancy Protocol (VRRP). For
purposes of operational familiarity, VRRP-A borrows concepts from VRRP, but is not VRRP. VRRP-A will not
interoperate with VRRP.
• The security devices in this deployment guide are set up in Layer 2 (L2) mode.
Figure 1. SSL Insight deployment topology (network diagram; the labels below are the ones recoverable from the figure):
• Internet Users reach the internal Thunder ADC pair on eth1 (default VLAN 10, subnet 10.1.1.1, appliances .2 and .3); the pair exchanges VRRP-A heartbeats on eth18 over VLAN 99 (10.99.1.x).
• The internal pair faces the security devices on eth5/eth6 over VLAN 15 (10.15.1.1, VRID 5) and VLAN 16 (10.16.1.1, VRID 6).
• The security devices (L2 mode) connect their Internal ports (eth1/eth2) toward the internal pair and their External ports (eth3/eth4) toward the external pair.
• The external pair faces the security devices on eth5/eth6 over VLAN 15 (10.15.1.11, VRID 15) and VLAN 16 (10.16.1.11, VRID 16); heartbeats on eth18 over VLAN 199 (10.199.1.x).
• The external pair reaches the Internet and the Remote Server on eth1 (default VLAN 20, subnet 20.1.1.1, appliances .2 and .3).
Note: Please refer to the ACOS Application Delivery & Server Load Balancing Guide for additional details on the SSL
Insight feature.
Figure 2. SSL Insight overview: (1) encrypted traffic from the Client reaches the Thunder ADC; (2) decrypted traffic is passed to the inspection and protection devices (DLP, UTM, IDS, others); (3) the traffic is re-encrypted and sent across the Internet to the Application Server.
4 Configuration Overview
The configuration for the SSL Insight solution can be divided into the following portions:
1. Layer 2/3 (L2/L3) and High Availability on the Thunder ADC appliance
2. SSL Insight configuration on the Thunder ADC appliance
3. FWLB configuration on the Thunder ADC appliance
4. Configuration on the third-party security device
4.1 CA Certificate
A prerequisite for configuring the SSL Insight feature is a CA certificate with a known private key, such as a
self-signed CA certificate generated on the A10 Thunder appliance or on a Linux system.
The following CLI command generates and initializes a self-signed CA certificate on the Thunder ADC appliance.
The following two commands generate and initialize a CA Certificate on a Linux system with an OpenSSL
package installed.
Once generated, the certificate can be imported onto the Thunder ADC appliances in the internal zone using
SFTP or SCP.
This CA certificate must also be pushed to all client machines on the internal network. If the CA certificate is
not pushed, the internal hosts will get an SSL “untrusted root” error whenever they try to connect to a site with
SSL enabled. This can be done manually (Appendix C), or using an automated service such as Microsoft Group
Policy Manager. Automated login scripts can achieve the same result for organizations that use Linux or UNIX
clients.
Note: Further details for Group Policy Manager can be found at:
http://technet.microsoft.com/en-us/library/cc772491.aspx
Note: SSL Insight can decrypt HTTPS traffic only. In ACOS 4.0.1, SSL Insight will also support SMTPS and XMPP traffic.
The goal is to achieve the following IP addressing scheme on all four Thunder ADC appliances as shown in
Figure 1:
The VLAN configuration should look similar to the following after all four VLANs have been added.
Note: The VRIDs must be unique on the internal and external Thunder ADC appliances.
8. Navigate to Config Mode > System > VRRP-A > VRRP-A Interface.
a. Click on Ethernet 18.
b. Configure VLAN 99.
c. Enable all options: Status, VRRP-A Status, and Heartbeat.
d. Click OK.
9. Repeat the steps above on the external Thunder ADC appliance pair. Make sure to use unique IP
addresses.
10. Enable VRRP-A under General section in Config Mode > System > VRRP-A > Setting > VRRP-A Global.
Add UDP port 0, TCP port 0 and Others Port 0 to a Wildcard VIP
These commands add the service groups to the TCP, UDP and “others” wildcard VIP ports. The no-dest-nat
command preserves the destination IP address of load-balanced traffic. The “others” wildcard port can
take an already defined TCP service group or UDP service group; in this example, the UDP service group is used.
ACOS(config)#slb virtual-server Outbound_Wildcard_VIP 0.0.0.0 acl 100
ACOS(config-slb vserver)#port 0 tcp
ACOS(config-slb vserver-vport)#service-group LB_Paths_TCP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 udp
ACOS(config-slb vserver-vport)#service-group LB_Paths_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 others
ACOS(config-slb vserver-vport)#service-group LB_Paths_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit
Note: For brevity, only the CLI commands are shown in this section.
Configure an ACL to Intercept Incoming Traffic on VLAN-15 and VLAN-16 for a Wildcard VIP
These steps configure an extended ACL to intercept traffic on VLAN-15 and VLAN-16. This ACL will be used as
part of the wildcard VIP configuration, below.
Add UDP port 0, TCP port 0 and Others Port 0 to a Wildcard VIP
These commands add the service groups to the TCP, UDP and “others” wildcard VIP ports. The no-dest-nat
command preserves the destination IP address of load-balanced traffic. The use-rcv-hop-for-resp command
ensures that response traffic goes back through the same path through which the request traffic arrived.
ACOS(config)#slb virtual-server Inside_To_Outside 0.0.0.0 acl 101
ACOS(config-slb vserver)#port 0 tcp
ACOS(config-slb vserver-vport)#service-group DG_TCP
ACOS(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 udp
ACOS(config-slb vserver-vport)#service-group DG_UDP
ACOS(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 others
ACOS(config-slb vserver-vport)#service-group DG_UDP
ACOS(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit
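As an added example (not from the A10 guide or ACOS), the following POSIX shell script parses CLI transcripts in the format shown above and flags wildcard (0.0.0.0) virtual ports that lack no-dest-nat, which would rewrite the destination address instead of forwarding transparently, and warns about ports lacking use-rcv-hop-for-resp, which the guide applies on the Inside_To_Outside VIP. The transcript it reads is constructed for the demo, with one port deliberately missing each command and a plain VIP (Web_VIP) to show that non-wildcard servers are ignored.

```shell
#!/bin/sh
# Added example, not part of the A10 guide: audit wildcard VIP ports in an
# ACOS CLI transcript of the form shown above. SAMPLE_CONFIG is constructed.
set -e

SAMPLE_CONFIG='ACOS(config)#slb virtual-server Inside_To_Outside 0.0.0.0 acl 101
ACOS(config-slb vserver)#port 0 tcp
ACOS(config-slb vserver-vport)#service-group DG_TCP
ACOS(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 udp
ACOS(config-slb vserver-vport)#service-group DG_UDP
ACOS(config-slb vserver-vport)#use-rcv-hop-for-resp
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#port 0 others
ACOS(config-slb vserver-vport)#service-group DG_UDP
ACOS(config-slb vserver-vport)#no-dest-nat
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit
ACOS(config)#slb virtual-server Web_VIP 10.1.1.50
ACOS(config-slb vserver)#port 443 https
ACOS(config-slb vserver-vport)#service-group Web_Servers
ACOS(config-slb vserver-vport)#exit
ACOS(config-slb vserver)#exit'

# Reads a transcript on stdin and prints one line per virtual port:
#   vip-name vip-address port protocol service-group no-dest-nat(0|1) use-rcv-hop-for-resp(0|1)
parse_vports() {
  awk '
    { sub(/^[^#]*#/, "") }                      # strip the ACOS(...)# prompt
    $1 == "slb" && $2 == "virtual-server" { vip = $3; addr = $4; next }
    $1 == "port" { inport = 1; port = $2; proto = $3; sg = "-"; ndn = 0; rcv = 0; next }
    inport && $1 == "service-group" { sg = $2; next }
    inport && $1 == "no-dest-nat" { ndn = 1; next }
    inport && $1 == "use-rcv-hop-for-resp" { rcv = 1; next }
    inport && $1 == "exit" { print vip, addr, port, proto, sg, ndn, rcv; inport = 0 }
  '
}

# Wildcard (0.0.0.0) virtual ports only:
#   ERROR  no-dest-nat missing: ACOS would rewrite the destination IP to the
#          selected firewall path instead of forwarding the packet unchanged.
#   WARN   use-rcv-hop-for-resp missing: replies may return by a different path
#          than the request took (the guide sets it on the Inside_To_Outside VIP).
audit_wildcard_vips() {
  parse_vports | awk '
    $2 != "0.0.0.0" { next }
    $6 == 0 { print "ERROR", $1, $4, "missing no-dest-nat" }
    $7 == 0 { print "WARN", $1, $4, "missing use-rcv-hop-for-resp" }
  '
}

printf '%s\n' "$SAMPLE_CONFIG" | audit_wildcard_vips
```

To audit a real appliance, replace SAMPLE_CONFIG with a saved CLI session (or pipe the file into audit_wildcard_vips); the parser ignores the prompt text, so the configuration-mode prompts do not need to be stripped first.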
Note: These steps assume that the CA certificate and the private key have been uploaded to the Thunder ADC
appliance. For instructions on uploading CA certificates and keys, please refer to the ACOS Application Delivery and
Server Load Balancing Guide.
Note: For brevity, only the CLI commands are shown in this section.
7 Summary
The sections above show how to deploy the Thunder ADC device with a third party security device for SSL
Insight. SSL Insight, included as a standard feature of Thunder ADC, offers organizations a powerful load-
balancing, high availability and SSL decryption solution. Using SSL Insight, organizations can:
• Analyze all network data, including encrypted data, for complete threat protection
• Deploy best-of-breed content inspection solutions to fend off cyber attacks
• Maximize the performance, availability and scalability of corporate networks by leveraging A10’s 64-bit
ACOS platform, Flexible Traffic Acceleration (FTA) technology and specialized security processors
For more information about Thunder ADC products:
• http://www.a10networks.com/products/thunder-application-delivery-controller.php
• http://www.a10networks.com/resources/solutionsheets.php
• http://www.a10networks.com/resources/casestudies.php
Appendix B. Detailed Walkthrough of SSL Insight Packet Flow
Figure: sequence diagram with the columns Client | A10 Thunder ADC (Encrypted Zone) | Security Device (Clear-Text Zone) | A10 Thunder ADC | Remote Server (Encrypted Zone). The messages, in order:
• Client to Thunder ADC: SYN, SYN/ACK, ACK, Client Hello (1).
• Thunder ADC to Remote Server: SYN, SYN/ACK, ACK, Client Hello; the Remote Server answers with Server-Hello (Server Cert + Public Key, signed by a well-known CA), SSL-Handshake Messages + Finished (2).
• Thunder ADC to Client: Server-Hello (Server Cert + Local Public Key, signed by the Local CA), SSL-Handshake Messages + Finished.
• Client to Thunder ADC: Encrypted Application Data (3), forwarded as Clear Text Application Data through the Security Device (4).
• Thunder ADC to Remote Server: SYN, SYN/ACK, ACK, Client Hello, SSL-Handshake Messages + Finished, Encrypted Application Data.
• Remote Server to Thunder ADC: Encrypted Application Response (5), forwarded as Clear Text Application Response through the Security Device (6), then sent to the Client as Encrypted Application Response.
Step annotations:
1. If the certificate exists in the cache, send it to the client and move to (2). Otherwise, establish an SSL connection with the remote server and get the certificate from the remote server.
2. Extract the header information from the server certificate. Change the Issuer and the Public Key as defined in the Client-SSL-Template. Re-sign the new certificate using the CA-Certificate specified in the Client-SSL-Template. Send the reconstructed Server-Hello to the client.
3. Data is decrypted and sent in clear text through the security device.
4. A new SSL session is initiated with the remote server. Data is encrypted and sent to the remote server.
5. The response is decrypted and sent through the security device.
6. The response is encrypted again and sent to the client.
Generating a CA Certificate
The SSL Insight feature relies on an SSL certificate and key pair to encrypt traffic between clients and the
Thunder ADC appliance. A self-signed certificate can be generated by the Thunder ADC appliance or can be
created by a Linux system with OpenSSL installed. Alternatively, from the Thunder ADC appliance, an ADC
administrator can request and install a CA-signed certificate. For instructions on requesting a CA-signed
certificate, please see the “Application Delivery and Server Load Balancing Guide.”
To generate a self-signed certificate from Thunder ADC in ACOS version 2.7.2:
1. Select Config Mode > SLB > Service > SSL Management.
2. On the menu bar, select Certificate.
3. Click Add.
4. Enter the name for certificate.
5. In the Issuer drop-down list, select Self.
6. Enter the rest of the certificate information in the remaining fields of the Certificate section.
Note: If you need to create a wildcard certificate, use an asterisk as the first part of the common name.
7. From the Key drop-down list, select the length in bits for the key.
8. Click OK. The ACOS device generates the self-signed certificate and a key. The new certificate and key
appear in the certificate list. The certificate is ready to be used in client-SSL and server-SSL templates.
Instead of creating a self-signed certificate within Thunder ADC, administrators can generate a certificate from
a Linux server. The following two commands generate and initialize a CA Certificate on a Linux system with an
OpenSSL package installed. Once generated, the certificate can be imported onto the Thunder ADC device
using FTP or SCP.
openssl genrsa -out ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
The root certificate must be imported onto the client machines. This can be done manually or using an
automated service such as Microsoft Group Policy Manager.
Note: Further details for Group Policy Manager can be found at: http://technet.microsoft.com/en-us/library/cc772491.aspx
4. Click Save.
5. Navigate to the save location.
6. Click Save again.
7. To export a key:
a. Select the SSL key.
b. Click Export.
c. Click Save. Navigate to the save location.
d. Click Save again.
See the “Application Delivery and Server Load Balancing Guide” for more information and for instructions for the
command line interface (CLI).
2. In Certificate Manager, select the folder that you want to import the certificate into. In this exercise, we
have selected the folder: Trusted Root Certification Authorities > Certificates.
3. Click the Action menu, point to All Tasks, and then click Import.
4. In Certificate Import Wizard, click Next to proceed to the File Import page.
Note: The Open dialog box only displays X.509 certificates by default. If you want to import another type of certificate,
select the certificate type you want to import in the Open dialog box and click Open.
9. In the Security Warning popup, select Yes, since you made an informed decision to import this
certificate.
10. If the import is successful, you will see a dialog box with the message “The import was successful.”
11. You can see the newly installed CA certificate under the specified folder.
3. Navigate to the HTTPS/SSL section of Chrome Settings and click the Manage certificates button.
4. In the certificate folder on the Trusted Root Certification Authorities tab, click the Import button and a
Certificate Import Wizard will appear.
7. Once the correct certificate has been located, click Next to install the certificate in the “Trusted Root
Certificate Authorities” certificate store. Click Next and Finish and then click OK.
2. From the Options window, select the Advanced settings option and then click the Certificate tab. From
the Certificates window, click the View Certificates button. Mozilla will display the Certificate Manager
dialog.
5. Select the Trust this CA to identify websites checkbox and click OK. Now, the certificate should be
imported and the client machine can access HTTPS applications without receiving an error message.
About A10 Networks
Corporate Headquarters: A10 Networks, Inc, 3 West Plumeria Ave., San Jose, CA 95134 USA. Tel: +1 408 325-8668, Fax: +1 408 325-8666, www.a10networks.com
Worldwide Offices: North America, Europe, South America, Japan, China, Taiwan, Korea, Hong Kong, South Asia, Australia/New Zealand.
To learn more about the A10 Thunder Application Service Gateways and how they can enhance your business, contact A10 Networks at www.a10networks.com/contact or call to talk to an A10 sales representative.
Part Number: A10-DG-16141-EN-02, Dec 2015
©2015 A10 Networks, Inc. All rights reserved. A10 Networks, the A10 Networks logo, ACOS, Thunder and SSL Insight are trademarks or registered trademarks of A10 Networks, Inc. in the United States and other countries. All other trademarks are property of their respective owners. A10 Networks assumes no responsibility for any inaccuracies in this document. A10 Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. For the full list of trademarks, visit: www.a10networks.com/a10-trademarks.