a10-ssl insight基礎(chǔ)配置xulong gao解密后轉(zhuǎn)發(fā)給防火墻

1、A10 Thunder ADC SSL透視配置（基礎(chǔ)）透明監(jiān)聽(tīng)SSL流量,解密后轉(zhuǎn)發(fā)給防火墻如左圖所示SSL透視技術(shù)處理流量時(shí)分為三個(gè)步驟數(shù)據(jù)流在客戶端和內(nèi)側(cè)Thunder ADC之間傳輸時(shí)為加密流量數(shù)據(jù)流從內(nèi)側(cè)Thunder ADC經(jīng)過(guò)防火墻再到外側(cè)Thunder 時(shí)流量為明文方式傳輸流量從外側(cè)Thunder ADC發(fā)送至互聯(lián)網(wǎng)時(shí)又被再次進(jìn)行加密SSL透視工作流程圖 SSL加密連接解密的數(shù)據(jù)流SSL加密連接配置步驟配置步驟1、調(diào)通網(wǎng)絡(luò)：客戶端能夠順利通過(guò)內(nèi)側(cè)A10及外側(cè)A10兩臺(tái)設(shè)備訪問(wèn)互聯(lián)網(wǎng)2、配置內(nèi)側(cè)A10用于SSL透視端口的端口客戶端SSL證書生成及導(dǎo)出（自簽證書）配置接收內(nèi)網(wǎng)客戶端加

2、密流量的443端口，解密流量目標(biāo)端口轉(zhuǎn)換成明文端口8080轉(zhuǎn)發(fā)給安全設(shè)備3、配置外側(cè)A10用于SSL透視端口的端口添加接收明文流量的8080端口導(dǎo)入服務(wù)器證書（明文流量重新加密）目標(biāo)端口重新改變成443發(fā)給互聯(lián)網(wǎng)4、配置客戶端：瀏覽器導(dǎo)入根證書一、調(diào)通網(wǎng)絡(luò)內(nèi)側(cè)A10配置Virtual Server/Services slb virtual-server inbound acl 100 port 0 tcp name to_gw_tcp service-group gateway_tcp_0 tcp no-dest-nat port 0 udp name to_gw_udp service-gr

3、oup gateway_udp_0 udp no-dest-natService Groupslb service-group gateway_tcp_0 tcp member gateway 0 !slb service-group gateway_udp_0 udp member gateway 0Serverslb server gateway 0 health-check-disable port 0 tcp health-check-disable port 0 udp health-check-disable一、調(diào)通網(wǎng)絡(luò)外側(cè)A10配置Virtual Server/Services

4、slb virtual-server outbound acl 100 port 0 tcp name to_gw_tcp service-group gateway_tcp_0 tcp no-dest-nat port 0 udp name to_gw_udp service-group gateway_udp_0 udp no-dest-natService Groupslb service-group gateway_tcp_0 tcp member gateway 0 !slb service-group gateway_udp_0 udp member gateway 0Server

5、slb server gateway health-check-disable port 0 tcp health-check-disable port 0 udp health-check-disable二、配置內(nèi)側(cè)A10的443端口（將收到的加密流量進(jìn)行解密）Virtual Server/Services slb virtual-server inbound acl 100 port 0 tcp name to_gw_tcp service-group gateway_tcp_0 tcp no-dest-nat port 0 udp name to_gw_udp service-group

6、 gateway_udp_0 udp no-dest-nat port 443 tcp name internal_in_to_out_443 service-group SSL template client-ssl A10-Client no-dest-nat port-translationService Groupslb service-group gateway_tcp_0 tcp member gateway 0 ! slb service-group gateway_tcp_8080 tcp member gateway 8080 ! slb service-group gate

7、way_udp_0 udp member gateway 0Serverslb server gateway 0 health-check-disable port 0 tcp health-check-disable port 0 udp health-check-disable port 8080 tcp health-check-disable內(nèi)側(cè)Thunder ADC部署細(xì)節(jié)解密所有從客戶端發(fā)起的SSL流量 通過(guò)內(nèi)測(cè)Thunder ADC解密后的明文數(shù)據(jù)被發(fā)送至后端安全設(shè)備在Thunder ADC上創(chuàng)建一個(gè)自簽發(fā)的證書或者導(dǎo)入一個(gè)CA授權(quán)簽發(fā)帶有私鑰的證書，該證書必須安裝在所有客戶端瀏

8、覽器當(dāng)HTTPS解密成為HTTP時(shí)，目的端口從443轉(zhuǎn)換成8080創(chuàng)建一個(gè)客戶端SSL模板并啟用轉(zhuǎn)發(fā)代理功能通過(guò)在wildcard VIP上關(guān)聯(lián)ACL來(lái)匹配TCP和UDP流量中的感興趣流 入向匹配的SSL會(huì)話被解密并通過(guò)HTTP 8080端口明文方式發(fā)送給第三方安全設(shè)備Virtual Server/Services slb virtual-server SSLi-Wildcard acl 101 port 0 tcp no-dest-nat service-group DG_TCP use-rcv-hop-for-resp port 0 udp no-dest-nat service-grou

9、p DG_UDP use-rcv-hop-for-resp port 0 others no-dest-nat service-group DG_UDP use-rcv-hop-for-resp port 8080 http no-dest-nat port-translation service-group DG_SSL use-rcv-hop-for-resp template server-ssl SSLi三、配置外側(cè)A10的8080端口（將收到的明文流量進(jìn)行重加密）Serverslb server Default_Gateway port 443 tcpno health-checkport 0 udpno health-checkport 0 tcpno health-checkService Group slb service-group DG_TCP tcpmember Default_Gateway:0slb service-group DG_UDP udpmember Default_Gateway:0slb service-group DG_