SSL Policies

When AppDirector manages SSL encrypted traffic, the necessary certificates and ciphers must be defined to allow SSL handshake.

To configure AppDirector SSL policies

1.	From the AppDirector menu, select Layer 4 Traffic Redirection > SSL Policies. The AppDirector SSL Policies pane displays.

2.	Set the parameters.

 

Parameter	Description
Policy Name (Mandatory)	Name of the SSL Policy. The SSL Policy defines the certificates and ciphers necessary for an SSL handshake.
Front End SSL
Frontend SSL State	Defines whether SSL offload is required on the front end. When disabled, it supports configurations where front-end traffic arrives in clear text but traffic to the back-end servers must be SSL encrypted. Values: Enabled, Disabled Default: Enabled
Certificate (Mandatory)	Server certificate to use for SSL connections. The certificate needs to be defined prior to setting the SSL policy in Security > Certificates.
Cipher Suite (Mandatory)	Controls which cipher suites are allowed by AppDirector during SSL handshake. From the drop-down list select the cipher suite to be associated or type in a requested cipher of your choice. RSA — Cipher suite using RSA key exchange. ALL — All cipher suites. PCI DSS Compliance — Payment Card Industry Data Security Standard ALL Non-Null Ciphers — All cipher suites except the NULL ciphers and ciphers offering no authentication, which must be explicitly enabled. SSLv3 — SSL v3.0 cipher suites. TLSv1 — TLS v1.0 and v1.1 cipher suites. Export: Export encryption algorithms including 40 and 56 bit. Low — “Low” exception cipher suites, currently using 64 or 56 bit encryption algorithms but excluding export cipher suites. Medium — “Medium” encryption cipher suites, currently using 128 bit encryption High — “High” encryption cipher suites. Currently key lengths are larger than 128 bits. RSA:RC4-128:MD5 — Cipher suites using RSA key exchange, 128 bit RC4 for encryption and MD5 for MAC. RSA:RC4-128:SHA1 — Cipher suite using RSA key exchange, 128 bit RC4 for encryption and SHA1 hash for MAC. RSA:DES:SHA1 — Cipher suite using RSA key exchange, 3DES for encryption and SHA1 hash for MAC.
Cipher Suite (continued)	RSA:3DES:SHA1 — Cipher suite using RSA key exchange, 3DES for encryption and SHA1 hash for MAC. RSA:AES-128:SHA1 — Cipher suite using RSA key exchange, 128-bit AES for encryption and SHA1 hash for MAC. RSA:AES-256:SHA1 — Cipher suite using RSA key exchange, 256-bit AES for encryption and SHA1 hash for MAC. MSIE Export56 — 56-bit export version of Microsoft Internet Browser v 5. User Defined — AppDirector supports all ciphers supported by the accepted OpenSSL format and more information can be found in OpenSSL documentation. Default: RSA Notes:   To support SSLv2 clients, select User Defined and in the User Defined Cipher field insert RSA:SSLv2. For a comprehensive list of all front-end and back-end ciphers used by AppDirector, see Table 8 - Complete List of the Content Of All Cipher Suites (Front-end and Back-end), page 620.
User-Defined Ciphers	If the predefined list does not suit your needs, you can specify allowed ciphers. The OpenSSL convention for specifying ciphers must be followed. This field is non-active even if defined unless User Defined is selected in Cipher Suite.
Intermediate Certificate	Specify if server certificate used was not provided by a root CA (Certificate Authority). This is a chain of certificates of the CA-s up to a root CA. Values: Select from the list of Intermediate CA certificate imported into AppDirector. Note: If a chain of CAs needs to be sent with the server's certificate, they should all be imported together to AppDirector as a single Intermediate CA object. To perform this action, open each Intermediate CA certificate (PEM format) in text editor, copy all certificate texts into a single text chain and then paste it into the Import Certificate text box
Listening Server port	Enables you to define the port where the back-end server is listening. When changing from HTTPS (port 443) to HTTP (port 80) traffic often needs to be sent to a different port than where it was originally destined. Default: 80 Note: If the Back End listening port is not configured, the Layer 4 policy port is used to access the back end servers.
Pass SSL info in Headers	Select type of information that you need to pass to back-end servers in HTTP headers. See Step 3. Note: This feature is HTTP dependent and cannot be used with Generic-SSL offloading, if selected in the Layer 4 Policy Application. See Layer 4 Policies
Frontend SSL versions	Supported SSL versions to the front-end connection, separated by a comma (:). Values: SSLv2, SSLv3, TLSv1_0, TLSV1_1 Default: All versions
Protocol Redirection
HTTP Redirection Conversion State	See HTTP to HTTPS Protocol Redirection When back-end SSL is working, this feature is not needed and you cannot configure them together. Values: Enable, Disable Default: Disable Notes:   When enabled, conversion is always performed when hostname in response matches hostname in request. When SSL Policy Protocol Redirection and Layer 7 Header and Body Modifications are enabled on the same service, and the server sends a 302 Redirect response, the new location protocol is always set to HTTPS to enable the redirect location to work for the clients, (despite the setting in the Layer 7 Modification method). This feature is HTTP dependent and cannot be used with Generic-SSL offloading, if selected in the Layer 4 Policy Application. See Layer 4 Policies
Also Redirect When Host Match The Following Regular-Expression	If HTTP to HTTPS conversion is required for additional hosts besides service default, you can use this field to define them by Regular Expression. Default: Empty Note: This feature is HTTP dependent and cannot be used with Generic-SSL offloading, if selected in the Layer 4 Policy Application. See Layer 4 Policies.
Back End SSL
Backend SSL State	Back-end SSL provides the ability to re-encrypt traffic between AppDirector and the Web Servers in environments where enhanced security is required. Values: Enable, Disable Default: Disable
Backend SSL Cipher	This lets you define the strength of your back-end SSL cipher. Values: Low, Medium, High, User Defined
Backend SSL User Defined Ciphers	User defined ciphers in OpenSSL format. This must be specified when the Backend SSL Cipher parameter is set to User Defined.
Backend SSL versions	Supported SSL versions to the back-end connection, separated by a comma (:). Values: SSLv2, SSLv3, TLSv1_0, TLSV1_1

3.	For passing SSL information in Headers, click ... alongside this field. The Passing SSL information to Back-End servers in HTTP Headers dialog box opens.

Note: When using Generic-SSL offloading, you cannot use HTTP headers to forward data to servers.

4.	Mark the Information Type that you want to select and the accompanying Header Name field is enabled for you to add or edit the appropriate header name.

5.	Set the parameters in the following dialog box:

 

Parameter	Description
Cipher Suite	Defines which Cipher suite is to be used during the SSL handshake. The cipher suite used by the client, for example RC4-MD5.
SSL Version	The SSL version used by the client, for example SSLv3.
Cipher Bits	The number of bits used for encryption by the cipher, for example 128 Bit
Add “Front-End HTTPS” Header	Adds a special header to requests sent to the server signaling them that an SSL offloading device is being used. Servers that support this send redirect messages (HTTP 302) with the location set to HTTPS instead of HTTP (see HTTP Redirection Conversion State parameter above for more information). Example: When working with HTTPS to a back-end Outlook Web-Access (OWA) server the responses are not presented properly in a Firefox browser. This can be worked around using AppDirector SSL information headers and adding the Add Front-End HTTPS Header to the SSL policy.

6.	Click Set.