Configure transparent SSL acceleration

Note: Depending on your deployment, you might need to enable L2 mode on the NetScaler appliance.

Transparent SSL acceleration is useful for running multiple applications on a secure server with the same public IP. It is also useful for SSL acceleration without using an extra public IP.

In a transparent SSL acceleration setup, the NetScaler appliance is transparent to the client. It is transparent because the IP address at which the appliance receives requests is the same as the web server’s IP address.

The NetScaler appliance offloads SSL traffic processing from the Web server and sends either clear text or encrypted traffic (depending on the configuration) to the web server. All other traffic is transparent to the appliance and is bridged to the Web server. Therefore, other applications running on the server are unaffected.

There are three modes of transparent SSL acceleration available on the appliance:

  • Service-based transparent access, where the service type can be SSL or SSL_TCP.
  • Virtual server-based transparent access with a wildcard IP address (*:443).
  • SSL VIP-based transparent access with end-to-end encryption.

Note: An SSL_TCP service is used for non-HTTPS services (for example SMTPS and IMAPS).

Service-based transparent SSL acceleration

To enable transparent SSL acceleration using the SSL service mode, configure an SSL or an SSL_TCP service with the IP address of the actual back-end web server. Instead of a virtual server intercepting SSL traffic and passing it on to the service, the traffic is now directly passed on to the service. The service decrypts the SSL traffic and sends clear text data to the back-end server.

The service-based mode allows you to configure individual services with a different certificate, or with a different clear text port. Also, you can also select individual services for SSL acceleration.

You can apply service-based transparent SSL acceleration to data that uses different protocols. To do so, set the clear text port of the SSL service to the port on which the data transfer between the SSL service and the back end server occurs.

To configure service-based transparent SSL acceleration, first enable both the SSL and the load balancing features. Then create an SSL based service and configure its clear text port. After the service is created, create and bind a certificate-key pair to this service.

Example:

Enable SSL offloading and load balancing.

Create an SSL based service, Service-SSL-1 with the IP address 10.102.20.30 using port 443 and configure its clear text port.

Next, create a certificate-key pair, CertKey-1, and bind it to the SSL service.

Table 1. Entities in the Service-based Transparent SSL Acceleration

Entity Name Value
SSL Service Service-SSL-1 102.20.30
Certificate - Key Pair Certkey-1 -

Virtual server-based acceleration with a wildcard IP address (*:443)

Use an SSL virtual server in the wildcard IP address mode if you want to enable SSL acceleration for multiple servers that host the secure content of a website. In this mode, a single-digital certificate is enough for the entire secure website, instead of one certificate per virtual server. As a result, there are significant cost savings on SSL certificates and renewals. The wildcard IP address mode also enables centralized certificate management.

To configure global transparent SSL acceleration on the NetScaler appliance, create a *:443 virtual server. This virtual server accepts any IP address associated with port 443. Then, bind a valid certificate to this virtual server, and also bind all services to which the virtual server is to transfer. Such a virtual server can use the SSL protocol for HTTP-based data or the SSL_TCP protocol for non-HTTP-based data.

Configure virtual server-based acceleration with a wildcard IP address

  1. Enable SSL, as described in Enable SSL.
  2. Enable load balancing, as described in Load balancing.
  3. Add an SSL based virtual server and set the clearTextPort parameter as described in SSL offloading configuration.
  4. Add a certificate-key pair, as described in Add or update a certificate-key pair.

Note: The wildcard server automatically learns the servers configured on the appliance, so you do not need to configure services for a wildcard virtual server.

Example:

Enable SSL offloading and load balancing. Create an SSL based wildcard virtual server with IP address set to * and port number 443, and configure its clear text port (optional).

If you specify the clear text port, decrypted data is sent to the back-end server on that particular port. Otherwise, encrypted data is sent to port 443.

Next, create an SSL certificate key pair, CertKey-1, and bind it to the SSL virtual server.

Table 2. Entities in the Virtual Server-based Acceleration with a Wildcard IP Address Example

Entity Name IP Address Port
SSL Based Virtual Server Vserver-SSL-Wildcard * 443
Certificate - Key Pair Certkey-1 - -

SSL virtual server IP address based transparent access with end-to-end encryption

You can use an SSL virtual server for transparent access with end-to-end encryption if you have no clear text port specified. In such a configuration, the appliance terminates, and offloads all SSL processing. Then, it initiates a secure SSL session, and sends the encrypted data, instead of clear text data, to the web servers. It sends this data on the port that is configured on the wildcard virtual server.

Note: In this case, the SSL acceleration feature runs at the back-end, using the default configuration, with all 34 ciphers available.

To configure SSL VIP based transparent access with end-to-end encryption, follow the instructions for Configuring a Virtual Server-based Acceleration with a Wildcard IP Address (*:443). But do not configure a clear text port on the virtual server.

Configure transparent SSL acceleration