
Configuring SSL Offloading Using the Web UI

This section describes how to configure the SSL offloading profile on the web UI.

Prerequisites

  • A local certificate (the real server's certificate) has been imported. The certificate must include its private key, because the firewall terminates the SSL session on the server's behalf. Usually, you can obtain the local certificate from the server administrator.
  • The CA certificate that issued the client certificates has been imported. It is mandatory for SSL bidirectional (mutual) authentication. Usually, you can obtain the CA certificate from the server administrator.
  • The CRL has been imported. It is optional for SSL bidirectional authentication. Usually, you can obtain the CRL from the server administrator.

For the preceding import operations, see Configuring Certificates Using the Web UI.

Procedure

  1. Choose Policy > Server Load Balancing > SSL Offloading Profile.
  2. Click Add.
  3. Configure the SSL offloading profile.

    Parameter

    Description

    Name

    Specify the name of the SSL offloading profile.

    Description

    Specify the description of the SSL offloading profile.

    SSL Server Certificate

    Select the imported local certificate.

    You can specify only one SSL server certificate for each SSL offloading profile.

    If SSL offloading is performed on the firewall and the server's local certificate is issued by a multi-level CA, import both the local certificate and every intermediate CA certificate in the chain. Once the local certificate is referenced, the firewall sends the local certificate together with the CA certificate chain to the client, and the client needs the complete chain to validate the local certificate. If the chain is incomplete, the client displays a certificate security warning or the SSL handshake fails.

    Enabled Protocol

    Select the TLS versions the profile accepts. Keeping the configuration consistent with that on the real server is recommended. For special requirements, you can select from the following protocol versions:

    • TLS 1.0
    • TLS 1.1
    • TLS 1.2
    NOTE:

    TLS 1.0 and TLS 1.1 have known weaknesses and are deprecated. Select TLS 1.2 or a later version unless a legacy client leaves no other choice.

    Encryption Suite

    Select the cipher suites used for SSL offloading. Keeping the configuration consistent with that on the real server is recommended. For special requirements, you can select one of the following options:

    • High security: Select this option for scenarios with high security requirements. Early browser versions may not support these suites.
    • Medium security: Compatible with most browsers, but includes weaker suites than the High security option.
    • User-defined: Enter a colon-separated list of cipher suite names (the names use OpenSSL's naming), for example, DHE-RSA-AES128-SHA:AES128-SHA:AES128-SHA256:DHE-RSA-AES128-SHA256. Note that this example list includes static RSA key exchange suites (AES128-SHA and AES128-SHA256), which provide no forward secrecy, and only CBC suites with HMAC-SHA1 or HMAC-SHA256; prefer ECDHE suites with AEAD ciphers (AES-GCM or ChaCha20-Poly1305) when the real server and clients support them.

    Session Cache Size

    Set the maximum number of cached SSL sessions. Caching SSL sessions can reduce SSL handshake overheads. However, a large value may waste session resources on the device, degrading performance.

    Session Timeout

    Set the timeout period of cached SSL sessions. Caching SSL sessions can reduce SSL handshake overheads. However, caching sessions for a long time may waste session resources on the device, degrading performance.

    Client Authentication

    Enable this function when clients must present a certificate (SSL bidirectional authentication). Because the firewall terminates the SSL session, it verifies the client certificate on the real server's behalf; the real server itself never sees the client certificate.

    CA Certificate

    Mandatory if client authentication is enabled. In the SSL bidirectional authentication scenario, the device uses this CA certificate to verify the certificate sent from the client.

    Certificate Chain Depth

    Specify the maximum depth of the certificate chain the device verifies when checking a client certificate. If the referenced CA certificate is not a root CA certificate, the device checks the validity of each superior CA in turn, up to this depth.

    CRL

    Specify the certificate revocation list. The device checks whether the client certificate is in the CRL to verify its validity.

  4. Click OK.
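The user-defined cipher suite list above is written with OpenSSL cipher suite names, so the local OpenSSL can expand a candidate list and show what it actually selects before it is pasted into the profile. The following script is an added example and is not part of the Huawei page or product: it expands a cipher string with `openssl ciphers -v` and flags suites without forward secrecy, with SHA-1 or MD5 MACs, or without AEAD. The Huawei High security and Medium security presets are not published on this page, so the script audits the page's own user-defined example and an assumed ECDHE/AEAD replacement; the replacement list is the author's suggestion, not a vendor default.

```shell
#!/bin/sh
# Added example (not from the Huawei page): audit an OpenSSL-style cipher string
# before entering it as a user-defined Encryption Suite. Requires the openssl CLI.
set -e

# Expand a cipher string into the TLS 1.2-and-earlier suites it selects, in
# preference order. `openssl ciphers` always lists the TLS 1.3 suites too; they
# are fixed, AEAD-only and forward secret, so they are dropped here.
expand_ciphers() {
  openssl ciphers -v "$1" 2>/dev/null | awk '$2 != "TLSv1.3" { print $1 }'
}

# Print one "NAME: issue[, issue]" line for every selected suite that a hardening
# review would reject. Columns come from `openssl ciphers -v`:
#   Kx=RSA     static RSA key exchange: no forward secrecy, so captured traffic can be
#              decrypted later with the server's private key
#   Mac=SHA1   HMAC-SHA1 integrity; Mac=MD5 is worse still
#   Enc=AES(   a CBC (or stream) cipher rather than AEAD, e.g. AES(128) as opposed to
#              AESGCM(128) or CHACHA20/POLY1305(256)
cipher_issues() {
  openssl ciphers -v "$1" 2>/dev/null | awk '
    $2 == "TLSv1.3" { next }
    {
      n = 0; issues = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "Kx=RSA")   issues = issues (n++ ? ", " : "") "no forward secrecy"
        if ($i == "Mac=SHA1") issues = issues (n++ ? ", " : "") "SHA1 MAC"
        if ($i == "Mac=MD5")  issues = issues (n++ ? ", " : "") "MD5 MAC"
        if ($i ~ /^Enc=(AES|DES|3DES|RC4|CAMELLIA|SEED|IDEA)\(/)
                              issues = issues (n++ ? ", " : "") "not AEAD"
      }
      if (n) print $1 ": " issues
    }'
}

# Exit 0 only when the string selects at least one suite and none is flagged.
cipher_string_is_clean() {
  [ -n "$(expand_ciphers "$1")" ] && [ -z "$(cipher_issues "$1")" ]
}

# The user-defined example from the page, and an assumed replacement (author's
# suggestion): ECDHE key exchange, AEAD ciphers only, usable with RSA or ECDSA
# server certificates.
PAGE_STRING='DHE-RSA-AES128-SHA:AES128-SHA:AES128-SHA256:DHE-RSA-AES128-SHA256'
MODERN_STRING='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

for s in "$PAGE_STRING" "$MODERN_STRING"; do
  echo "== $s"
  expand_ciphers "$s" | sed 's/^/  selects: /'
  cipher_issues "$s"  | sed 's/^/  flag:    /'
  if cipher_string_is_clean "$s"; then echo "  result: clean"; else echo "  result: needs work"; fi
done
```

Only the suites your OpenSSL build allows are listed, so run the audit on a build with the same security level as the clients you care about; a suite that is missing here may still be selectable on the device. Suites for a key type the profile's certificate does not have (the ECDSA entries with an RSA server certificate) are never negotiated and are harmless to leave in the list.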

Follow-up Procedure

If you set Protocol to HTTPS when configuring SLB, you can reference this SSL offloading profile. For details, see Configuring a Virtual Service.

  • Server certificates are issued per domain name, so each domain name has its own certificate, and an SSL offloading profile can reference only one certificate. One virtual server address (domain name) therefore corresponds to one SSL offloading profile. To offload SSL for several virtual server addresses, configure a virtual server (with its own profile) for each.

  • One SSL offloading profile can be referenced by multiple virtual servers.

  • To allow clients to access intranet servers, you must configure a security policy for access from the security zone of the clients to the security zone of the real server with the destination address being the virtual server address, service being https, and action being permit.
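Two of the checks above can be rehearsed with openssl before anything is imported or a virtual server is referenced: that the local certificate verifies only when its intermediate CA certificate travels with it (the SSL Server Certificate note), and that a client certificate is accepted against the CA certificate and rejected once the CRL lists it (Client Authentication, CA Certificate and CRL). The following script is an added example and is not part of the Huawei page or product. It builds a throwaway PKI in a temporary directory; the names (lab-root, lab-int, www.example.com, lab-client-ca, alice), lifetimes and the LAB directory are assumptions, and the same verification on the device is performed by its own SSL stack, not by openssl.

```shell
#!/bin/sh
# Added example (not from the Huawei page): an openssl lab that reproduces the
# certificate checks behind the SSL offloading profile. Requires the openssl CLI.
set -e
LAB=${LAB:-$(mktemp -d)}

# Extension profiles, written once and referenced by name below.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$LAB/root.ext"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$LAB/int.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n' > "$LAB/server.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$LAB/client.ext"

new_csr() {  # new_csr <name> <subject>: fresh 2048-bit RSA key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -keyout "$LAB/$1.key" -out "$LAB/$1.csr" -subj "$2" 2>/dev/null
}
new_root() {  # new_root <name> <subject>: self-signed CA; extensions come from root.ext only
  new_csr "$1" "$2"
  openssl x509 -req -in "$LAB/$1.csr" -signkey "$LAB/$1.key" -days 3650 -extfile "$LAB/root.ext" -out "$LAB/$1.pem" 2>/dev/null
}
sign_with() {  # sign_with <ca> <name> <days> <ext file>: certificate issued by <ca>
  openssl x509 -req -in "$LAB/$2.csr" -CA "$LAB/$1.pem" -CAkey "$LAB/$1.key" -CAcreateserial \
    -days "$3" -extfile "$4" -out "$LAB/$2.pem" 2>/dev/null
}

# Server side: a local certificate issued by a two-level CA (root -> intermediate -> server).
build_server_chain() {
  new_root lab-root '/CN=lab-root'
  new_csr lab-int '/CN=lab-int';         sign_with lab-root lab-int 1825 "$LAB/int.ext"
  new_csr server '/CN=www.example.com';  sign_with lab-int server 365 "$LAB/server.ext"
  # What the offloading device must be able to send: the leaf first, then each
  # intermediate. The root is left out; clients either trust it already or they do not.
  cat "$LAB/server.pem" "$LAB/lab-int.pem" > "$LAB/server-chain.pem"
}
# verify_leaf <trust anchor> <intermediate file or ""> <leaf>: exit 0 if the chain verifies
verify_leaf() {
  if [ -n "$2" ]; then openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else                 openssl verify -no-CApath -CAfile "$1" "$3" >/dev/null 2>&1; fi
}

# Client side: the CA certificate and CRL referenced when Client Authentication is enabled.
build_client_pki() {
  new_root lab-client-ca '/CN=lab-client-ca'
  new_csr alice '/CN=alice';             sign_with lab-client-ca alice 365 "$LAB/client.ext"
  # Minimal `openssl ca` state: an empty index is enough to revoke and to emit a CRL.
  : > "$LAB/index.txt"; echo 01 > "$LAB/serial"
  printf '[ca]\ndefault_ca = lab\n[lab]\ndatabase = %s/index.txt\nserial = %s/serial\nnew_certs_dir = %s\ndefault_md = sha256\ndefault_crl_days = 30\n' "$LAB" "$LAB" "$LAB" > "$LAB/ca.cnf"
  openssl ca -config "$LAB/ca.cnf" -cert "$LAB/lab-client-ca.pem" -keyfile "$LAB/lab-client-ca.key" -revoke "$LAB/alice.pem" 2>/dev/null
  openssl ca -config "$LAB/ca.cnf" -cert "$LAB/lab-client-ca.pem" -keyfile "$LAB/lab-client-ca.key" -gencrl -out "$LAB/crl.pem" 2>/dev/null
}
# client_ok <CA> <CRL file or ""> <client cert>: exit 0 if the certificate would be accepted
client_ok() {
  if [ -n "$2" ]; then openssl verify -no-CApath -CAfile "$1" -crl_check -CRLfile "$2" "$3" >/dev/null 2>&1
  else                 openssl verify -no-CApath -CAfile "$1" "$3" >/dev/null 2>&1; fi
}

main() {
  build_server_chain
  if verify_leaf "$LAB/lab-root.pem" "" "$LAB/server.pem"; then echo "leaf alone: accepted (unexpected)"
  else echo "leaf alone: rejected - what a client sees if only the local certificate is imported"; fi
  verify_leaf "$LAB/lab-root.pem" "$LAB/lab-int.pem" "$LAB/server.pem" && echo "leaf + intermediate: OK"
  echo "server-chain.pem carries $(grep -c 'BEGIN CERTIFICATE' "$LAB/server-chain.pem") certificates"

  build_client_pki
  client_ok "$LAB/lab-client-ca.pem" "" "$LAB/alice.pem" && echo "alice: accepted by the CA check alone"
  if client_ok "$LAB/lab-client-ca.pem" "$LAB/crl.pem" "$LAB/alice.pem"; then echo "alice: still accepted (unexpected)"
  else echo "alice: rejected once the CRL is consulted"; fi
  echo "lab files are in $LAB"
}
main
```

After the profile is referenced by a virtual server, the same chain check can be run against the live service with `openssl s_client -connect <virtual server address>:443 -servername www.example.com -showcerts` (the address and name are placeholders): the intermediate certificate must appear in the printed chain, and `Verify return code: 0 (ok)` is expected when the root is in the client's trust store. Adding `-tls1_1` to the same command confirms that a disabled protocol version is in fact refused. Note that a CRL has a nextUpdate time; an expired CRL on the device fails the revocation check in the same way as a missing one, so re-import it before it lapses.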

Copyright © Huawei Technologies Co., Ltd.