MSS FW Best Practices: DPI-SSL (Server)
Description
CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples and caution should be exercised when making changes to your firewall as unplanned changed could result in downtime based on the complexity of the environment and/or configuration.
MSS Recomended SonicWall Firewall Best Practices Index
Server DPI-SSL is one of two deployment scenarios, the other being Client DPI-SSL, used to inspect SSL-based traffic. Server DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the SonicWall security appliance’s LAN (or DMZ).
Setup/Configuration
Notes
Server DPI-SSL is able to decrypt SSL-based traffic in the following manner:
- Configure pairing of an internal address object and certificate.
- When the appliance detects SSL connections to the address object, it presents the paired certificate and negotiates an SSL connection with the connecting client. This enables the SonicWall to inspect the traffic and, if a threat is detected, to enforce Security Services and Application Firewall policies.
- In this deployment scenario the owner of the SonicWall UTM owns the certificates and private keys of the origin content servers. Administrators will have to import the server's original certificate into the UTM appliance and create appropriate server IP address to server certificate mappings in the Server DPI-SSL UI.
- Further, the pairing of internal address objects with certificates can be either encrypted or "Cleartext". If the pairing is not defined to be cleartext, then an SSL connection to the server is negotiated. This allows for end-to-end encryption of the connection. If the pairing defines the server to be 'cleartext' then a standard TCP connection is made to the server on the original (post NAT remapping) port.
- Where Can I Learn More About DPI-SSL (Comprehensive list of all SonicWall DPI-SSL KBs)