Configure Inline SSL Decryption Using GigaVUE‑FM

This section describes how to configure inline SSL decryption using GigaVUE‑FM.

Note: Before configuring, review Get Started with Inline SSL Decryption for prerequisites and review Introduction to Inline SSL Map Workflows.

Inline SSL Configuration Workflow Steps:

  • Keychain Password
  • Key Store
  • Signing CA
  • Trust Store
  • Policy Profile
  • Network Access

Inline SSL Map Workflow Steps (for Flow B):

  • Inline Network(s)
  • Inline Tool(s)
  • GS Group
  • Virtual Port
  • GS Operation
  • Inline Rule Based Map
  • Inline First Level Map
  • Inline Second Level Map
  • Collector Map (bypass)

1 Select Inline SSL Configuration Workflow

Refer to Offloading TLS Decryption for a One-armed Inline Tool in L3 or IP Forwarding Mode for more detailed information.


Inline SSL L3 Tool NAT or PAT Support


HTTP/1.1 over TLS

An HTTP/1.1 request may carry a Cookie field in its header. The client-side GS passes the SNI from the client's Client Hello to the server-side GS by inserting a cookie into the HTTP request before the request is sent to the inline tool. The server-side GS then uses the SNI in the cookie field to start the SSL connection to the server.

GET /sample_page.html HTTP/1.1
User-agent: Wge/1.12
Connection: Keep-Alive
Cookie: SNI=www.example.com

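The following is an added example, not Gigamon code, that illustrates the cookie mechanism described above in plain Python: a client-side step that inserts an SNI=<hostname> pair into the request's Cookie header (merging with an existing Cookie header if one is present, since a cookie header may already be set by the browser), and a server-side step that recovers the hostname from that cookie. The cookie name SNI and the request line come from the page; the function names, the Host and User-Agent values, and the sample requests are assumptions constructed for the example.

```python
"""Added example (not Gigamon code): carry an SNI hostname across an inline
tool inside an HTTP/1.1 Cookie header, as the page describes.

Assumptions: function names and sample requests are constructed here for
illustration; only the cookie name "SNI" is taken from the page.
"""
from typing import List, Optional, Tuple

COOKIE_NAME = "SNI"  # cookie key shown on the page: Cookie: SNI=www.example.com


def _split_request(raw: bytes) -> Tuple[List[bytes], bytes]:
    """Split a raw HTTP/1.1 request into its header lines and its body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request: no end-of-headers marker")
    return head.split(b"\r\n"), body


def insert_sni_cookie(raw_request: bytes, sni: str) -> bytes:
    """Client-side step: add 'SNI=<hostname>' to the request's Cookie header.

    If the request already carries a Cookie header, the pair is appended to it
    (cookie pairs are separated by '; ' per RFC 6265); otherwise a new Cookie
    header is added just before the blank line that ends the headers.
    """
    # A hostname that could break cookie syntax must be rejected, not inserted.
    if not sni.isascii() or any(c in sni for c in ";=, \r\n"):
        raise ValueError("SNI contains characters not allowed in a cookie value")
    lines, body = _split_request(raw_request)
    request_line, headers = lines[0], lines[1:]
    pair = f"{COOKIE_NAME}={sni}".encode("ascii")
    out = [request_line]
    merged = False
    for h in headers:
        name, _, value = h.partition(b":")
        if name.strip().lower() == b"cookie" and not merged:
            value = value.strip()
            h = b"Cookie: " + (value + b"; " + pair if value else pair)
            merged = True
        out.append(h)
    if not merged:
        out.append(b"Cookie: " + pair)
    return b"\r\n".join(out) + b"\r\n\r\n" + body


def extract_sni_cookie(raw_request: bytes) -> Optional[str]:
    """Server-side step: recover the SNI hostname from the Cookie header.

    Returns None when the request carries no SNI cookie, which is the case the
    server-side step must handle before opening a TLS session.
    """
    lines, _ = _split_request(raw_request)
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        if name.strip().lower() != b"cookie":
            continue
        for pair in value.split(b";"):
            key, _, val = pair.strip().partition(b"=")
            if key.strip() == COOKIE_NAME.encode("ascii"):
                return val.strip().decode("ascii")
    return None


# Constructed sample: a request as the client would send it, before the
# client-side step adds the SNI cookie (Host and User-Agent values are made up).
SAMPLE_REQUEST = (
    b"GET /sample_page.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"Connection: Keep-Alive\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    tagged = insert_sni_cookie(SAMPLE_REQUEST, "www.example.com")
    print(tagged.decode("ascii"))
    print("server-side step recovers SNI =", extract_sni_cookie(tagged))
```

Because the SNI rides in a plain cookie, the inline tool sees it as ordinary request data; the extract step is deliberately tolerant of other cookies in the same header, and the insert step refuses hostnames that would corrupt cookie syntax rather than silently emitting a malformed header.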

Limitations:

■   Decrypted data sent to the inline tool is limited to HTTP/1.1 over TLS; for other application protocols the inline tool sees only encrypted data.
■   StartTLS traffic is not decrypted because it is non-HTTP traffic.
■   A bypass tool is not supported, since all packets from the client or server must pass through the inline tool for NAT or PAT.
■   This feature cannot co-exist with features such as Network group multiple entries, Inline network high availability, RIA, Tool early engage, one-arm, and Destination port translation.
■   IPv6 is not supported.