Configuring Server-to-Certificate Pairings

Server DPI-SSL inspection requires that you specify which certificate is used to sign traffic for each server that has DPI-SSL inspection performed on its traffic.

To configure a server-to-certificate pairing

1. Navigate to the POLICY | DPI-SSL > Server SSL.

2. Scroll to the SSL Servers section.

   

3. Click +Add.

   

4. Select the Address Object/Group for the server or servers to which you want to apply DPI-SSL inspection.

5. Select the SSL Certificate to be used to sign the traffic for the server.

   This certificate is used to sign traffic for each server that has DPI-SSL Server inspection performed on its traffic. For more information on:

   • Importing a new certificate to the appliance, refer to Selecting the Re-Signing Certificate Authority.

   • Creating a Linux certificate.

     Clicking the (Manage Certificates) link displays the DEVICE | Settings > Certificates page. For more information, refer to Creating a PKCS-12 Formatted Certificate File (Linux Systems Only).

6. Select Cleartext to enable SSL offloading. When adding server-to-certificate pairs, the Cleartext option provides a method of sending unencrypted data onto a server.

   For such a configuration to work properly, a NAT policy needs to be created for this server on the POLICY | Rules and Policies > NAT Rules page to map traffic destined for the offload server from an SSL port to a non-SSL port. Traffic must be sent over a port other than 443. For example, for HTTPS traffic used with SSL offloading, an inbound NAT policy remapping traffic from port 443 to port 80 needs to be created for things to work properly.

7. Click Add.