inbound ssl decryption - multi cert to single ip

L2 Linker

Hoping to get a little feedback regarding inbound SSL decryption.

We have been doing inbound SSL decryption for our public presence on version 8.0.7.

Things have been going relatively well, but I am running into some issues and am not sure if I can fix them at the firewall level. Where I am running into issues is when we have multiple certs applied on a load balancer to a single IP which is behind the firewall.

 

Example:

IP address 1.2.3.4 (the following sites all resolve to this single IP address)

decrypt rule 1 = use cert on LB (wildcard cert *.domain.com) to 1.2.3.4

www.domain.com, bob.domain.com, ie.domain.com (all using *.domain.com) - decrypting as expected, no issue

 

decrypt rule 2 = use cert on LB (*.domain1.com) to 1.2.3.4

domain1.com, cars.domain1.com - no decryption happening; traffic logs show a session end reason of decrypt-error, and there are no URL traffic logs (for HTTPS; if the site is HTTP, URL logs appear as expected) - but I can get to the website as normal.

Also, other sites (www.domain3.com, domain4.com, etc.) on this IP 1.2.3.4 with a different domain and no decrypt rule have the same symptoms as decrypt rule 2.

 

My question is: is there a way to decrypt to a single IP using multiple certs? Also, is there an explanation for why HTTPS URL logs do not show when decryption errors occur in the traffic logs?

All testing has been completed with IE and Chrome.

L7 Applicator

Re: inbound ssl decryption - multi cert to single ip

@clewis1,

The rules are all analyzed in a top/down manner; therefore the first decryption policy that matches the source and destination is going to be the decryption policy that is applied. Unless you use the source as a differentiation between the policies, then something like this is not going to work.

L2 Linker

Re: inbound ssl decryption - multi cert to single ip

Thanks @BPry.

I figured the decryption follows the top/down order. Do you have any thoughts on why the traffic does not generate any HTTPS URL logs for the unencrypted sites on this host when the decrypt errors occur?

L2 Linker

Re: inbound ssl decryption - multi cert to single ip

Add custom URL category (for single domain) in decryption policy.
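A model of the top-down matching @BPry describes and of the custom-URL-category fix in the reply above, as an added Python example (not PAN-OS code and not from anyone in the thread): the rule set and hostnames are constructed from the question, and the *.domain1.com certificate is assumed to also carry domain1.com as a subject alternative name. With both rules matching only on 1.2.3.4, rule 2 is never reached and every non-*.domain.com host is inspected with the wrong key; with a per-domain category on each rule, each host selects the matching certificate and hosts with no rule are left undecrypted.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DecryptRule:
    name: str
    destination: str                        # destination IP the rule matches on
    cert_names: frozenset                   # names covered by the certificate/key on the firewall
    url_category: Optional[frozenset] = None  # custom URL category; None = match any host

# Constructed rulebase modelled on the thread: both rules match only on 1.2.3.4.
RULES_BY_IP_ONLY = [
    DecryptRule("rule1", "1.2.3.4", frozenset({"*.domain.com"})),
    DecryptRule("rule2", "1.2.3.4", frozenset({"*.domain1.com", "domain1.com"})),
]
# The same rules with a custom URL category per domain, as the last reply suggests.
RULES_WITH_CATEGORY = [
    DecryptRule("rule1", "1.2.3.4", frozenset({"*.domain.com"}),
                frozenset({"www.domain.com", "bob.domain.com", "ie.domain.com"})),
    DecryptRule("rule2", "1.2.3.4", frozenset({"*.domain1.com", "domain1.com"}),
                frozenset({"domain1.com", "cars.domain1.com"})),
]

def first_match(rules, dst_ip, hostname):
    """Top-down evaluation: the first rule whose criteria all match is applied."""
    for rule in rules:
        if rule.destination != dst_ip:
            continue
        if rule.url_category is not None and hostname not in rule.url_category:
            continue
        return rule
    return None

def cert_covers(cert_names, hostname):
    """A wildcard name covers exactly one label: *.domain.com covers www.domain.com only."""
    for name in cert_names:
        if name.startswith("*."):
            if hostname.count(".") == name.count(".") and hostname.endswith(name[1:]):
                return True
        elif hostname == name:
            return True
    return False

def decrypt_outcome(rules, dst_ip, hostname):
    """Modelled session outcome: inspection only works when the selected rule's
    key belongs to the certificate the server actually presents for this host."""
    rule = first_match(rules, dst_ip, hostname)
    if rule is None:
        return "no-decrypt"
    return "decrypt" if cert_covers(rule.cert_names, hostname) else "decrypt-error"
```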
