KB44881 - How to configure SSL Decryption on Virtual Server

This article describes the process of configuring SSL Decryption on a Virtual Server in vTM ( Virtual Traffic Manager ).

Usually, there may be a need for the vTM to perform SSL decryption on user initiated traffic before sending traffic to back-end server nodes. The benefits of doing this include:

• After decryption, a Traffic Script rule can analyze the request's headers and contents to exercise granular control on traffic and regulate what parts of traffic can be forwarded to backend nodes.
• Customer can make use of vTM integrated WAF functionality to add an additional level of protection for servers ( For decrypted HTTP traffic ).
• Decrypting requests requires processing power. It may be more efficient if the vTM decrypts requests before passing them on to the nodes, reducing the load on the back-end servers. For example, the back-end server can be configured to listen on plain HTTP while the the SSL encrypted traffic can be handled on vTM itself.

1) First step involves adding the SSL certificate with its private key under Catalogs > SSL > SSL Server Certificates catalog. This certificate will be presented to the users when they connect to vTM and will be used for decrypting/encrypting traffic. You can either create a Self-Signed request from vTM and present it to your CA to get it signed or you can import your custom signed cert to the vTM. Note that when importing a custom signed cert, ensure you have the private key of the cert being added. For steps on generating a new CSR from vTM for use in SSL Decryption, skip to Step 3. 



2) If you already own a cert/key pair, click on "Import Certificate and Private Key", provide a unique name for it and provide the locations of the PEM-encoded certificate and private key files to be uploaded from your machine onto the vTM. The Private key must NOT be encrypted. 



3) For generating a signing request from vTM itself, click on "Create Self-Signed Certificate/ Certificate Signing Request" and add the details to create a new request. Ensure that SAN (Subject Alternative Name) is also configured as browsers would throw an error if only Common Name is present in cert with no corresponding SAN name for it.



4) Post certificate creation above, click on "Export CSR/Update Certificate" in new page, copy the block of data and send it to the CA in a suitable format ( for instance, as a .csr file ).



5) The CA can generate a new certificate from your CSR. You should copy and paste the new certificate into the text box provided under "Replace certificate", and click Update Certificate.



6) The signed cert would be seen with its details. Click on "Add Intermediate Certificate" to add the Intermediate CA cert which signed the certificate. Repeat steps to add multiple CA's. The same applies for cert imported via Step 2 as well.



7) Configure a new Virtual Server which would be using this certificate to decrypt/encrypt user traffic. Internal protocol refers to the protocol used within the Traffic Manager to parse and interpret the traffic. In other words, if SSL Decryption is being configured for LDAPS traffic, choose the Internal Protocol as LDAP. We will be configuring SSL Decryption for HTTPS, hence the Internal protocol would be set to HTTP with port as 443 ( or the port used by users to connect to vTM on SSL ). Set the Pool to Discard for now ( or choose one if configured prior for same).

-Under "SSL Decryption" section in Virtual Server, set "ssl_decrypt" to Yes and select the newly configured cert to be added under "Default Certificates" option. vTM also allows to configure another cert for same domain for compatibility with maximum clients under "alt_certificates" section. If adding a new cert here, we must ensure the key type is separate from Default cert added. For example, Default certificate chain could be using an ECDSA key, and alternate cert could be using an RSA key to be used by pre-TLSv1.3 clients that don't support ECDSA ciphers. During SSL handshake, a valid combination (cipher suite, signature algorithm, certificate) is chosen, based, first upon the server's preferred cipher suites, then the server's preferred signature algorithms, and finally the configured order of certificates. Additional certificates can be supplied to match any hostname or IP address under "Add certificate mapping" option. If none of the addresses or hostnames match, the Default certificate will be used.



8) Optionally, you can also configure SSL Client Authentication to restrict traffic from clients to ones providing correct cert. vTM can also check client certificates using OCSP (Online Certificate Status Protocol). For more detailed info on each option, please refer to the "SSL Encryption" section in User Guide here:

https://help.ivanti.com/ps/legacy/PULSE-VADC-SOLUTIONS/Pulse-Virtual-Traffic-Manager/21.1/ps-vtm-21.1-userguide.pdf

9) When configuring a Pool for calling in above Virtual Server, ensure that the option "ssl_encrypt" is set to Yes under (Your-Pool-Name) > SSL Settings > SSL Encryption if the backend server is configured to listen on HTTPS.



-Do reach out to Technical Support for any clarifications on the above steps.