Example Configuration File
! Global settings entered in the shared partition, ahead of the two SSLi partitions
! (ssli_in and ssli_out) that make up the rest of this example.
! NOTE(review): "ve-mac-scheme system-mac" presumably makes the VE interfaces use the
! system MAC address; confirm against the command reference for your release.
active-partition shared
system ve-mac-scheme system-mac
!
! Start of the ssli_in partition; every statement up to "active-partition ssli_out"
! is configured inside it.
active-partition ssli_in
!
access-list 190 remark ssli_in
!
! ACL 190 is the selector bound to the wildcard virtual server SSLi_in_ingress.
! It permits any IP source to any destination on VLAN 850, so every host that can
! reach VLAN 850 is subject to interception. Narrow the source to the client subnets
! that are meant to be inspected if VLAN 850 carries anything else.
access-list 190 permit ip any any vlan 850
!
! Class list referenced by "forward-proxy-bypass class-list bypass_domains" in the
! client-ssl template cl_ssl: sessions that match it are not decrypted.
! NOTE(review): "contains bank" reads as a substring rule, so any server name with
! "bank" anywhere in it would be exempt from inspection, not only the institutions
! intended. Prefer exact or suffix entries for the specific domains that must be
! bypassed, and review the list periodically; every bypass entry is a visibility gap.
class-list bypass_domains ac
user-tag ssli_in
contains bank
!
! VLAN 850: untagged on ethernet 1 and routed through ve 850. This is the VLAN named
! in ACL 190, i.e. the side on which traffic selected for interception enters.
vlan 850
untagged ethernet 1
router-interface ve 850
name ssli_in_ingress
user-tag ssli_in_ingress
!
! VLAN 851: untagged on ethernet 2 and routed through ve 851; named as the egress
! side of this partition.
vlan 851
untagged ethernet 2
router-interface ve 851
name ssli_in_egress
user-tag ssli_in_egress
!
! Physical ports backing the two VLANs above; both are explicitly enabled.
interface ethernet 1
name ssli_in_ingress
enable
!
interface ethernet 2
name ssli_in_egress
enable
!
! ve 850 (10.1.1.2/24): ingress-side routed interface. The explicit-proxy virtual
! server 10.1.1.10 defined later in this partition sits in the same subnet.
! NOTE(review): "ip allow-promiscuous-vip" is presumably what lets the wildcard
! (0.0.0.0) virtual server accept traffic on this interface; confirm for your release.
interface ve 850
name ssli_in_ingress
ip address 10.1.1.2 /24
ip allow-promiscuous-vip
!
! ve 851 (12.1.1.1/24): egress-side routed interface, in the same subnet as the
! next hop 12.1.1.2. 12.1.1.0/24 is publicly routable address space used here as a
! sample value; substitute addresses from your own plan before deploying.
interface ve 851
name ssli_in_egress
ip address 12.1.1.1 /24
ip allow-promiscuous-vip
!
! Default route via 12.1.1.2. The same address is used for "slb server fw1" in this
! partition and for interface ve 861 in the ssli_out partition.
ip route 0.0.0.0 /0 12.1.1.2
!
! fw1 (12.1.1.2) is the next hop that traffic leaving this partition is sent to.
! Ports: wildcard (0) for TCP and for UDP, plus TCP 8443, which receives the sessions
! that the "port 443 https ... port-translation" virtual port sends to SG_SSLi_Xlated.
! The ssli_out partition accepts 8443 as type http and applies a server-ssl template,
! so the payload on this hop is expected to be cleartext: keep the segment between
! the two partitions isolated and limited to the inspection devices.
! NOTE(review): the UDP port carries the user-tag ssli_in_1_tcp_port, identical to
! the TCP port's tag. The ssli_out partition uses a separate ..._udp_port tag, so this
! looks like a copy/paste slip; confirm the intended tag.
slb server fw1 12.1.1.2
user-tag ssli_in
port 0 tcp
user-tag ssli_in_1_tcp_port
port 0 udp
user-tag ssli_in_1_tcp_port
port 8443 tcp
user-tag ssli_signaling
!
! Service group for non-intercepted TCP: single member fw1, wildcard port.
slb service-group SG_SSLi_TCP tcp
user-tag ssli_in
member fw1 0
exit
!
! Service group for UDP (also used by the "others" virtual port): fw1, wildcard port.
slb service-group SG_SSLi_UDP udp
user-tag ssli_in
member fw1 0
exit
!
! Service group for the port-translated 443 traffic: fw1 on TCP 8443.
slb service-group SG_SSLi_Xlated tcp
user-tag ssli_in
member fw1 8443
exit
!
! Client-side SSL template for forward-proxy operation (forward-proxy-enable).
! - forward-proxy-ca-key / forward-proxy-ca-cert: the CA key pair named "test1"
!   (a sample name). Whoever holds this key can issue certificates that every client
!   trusting the CA will accept, so restrict access to it and prefer a dedicated
!   subordinate CA over a general-purpose enterprise CA.
! - forward-proxy-ocsp-disable: NOTE(review): presumably turns off OCSP checking of
!   origin-server certificates. Clients see only the re-signed certificate and cannot
!   check revocation themselves; confirm revocation is covered some other way
!   before using this outside a lab.
! - forward-proxy-bypass: sessions matching class list bypass_domains, or the web
!   categories financial-services and health-and-medicine, are not decrypted.
!   NOTE(review): category bypass presumably depends on the web-category feature
!   being enabled, which this listing does not show.
! NOTE(review): no virtual port in this listing references cl_ssl; confirm that the
! intercepting port (443 https on SSLi_in_ingress) binds it in the running config.
slb template client-ssl cl_ssl
user-tag ssli_in
forward-proxy-ocsp-disable
forward-proxy-enable
forward-proxy-bypass class-list bypass_domains
forward-proxy-ca-key test1
forward-proxy-ca-cert test1
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category health-and-medicine
!
! Forward policy bound to the explicit-proxy virtual port (3128 on SSLi_EP_VIP).
! It defines one action ("default") and one source rule ("src1") that uses match-any
! and sends any destination to that action.
! NOTE(review): the action shows no forwarding statement in this listing, so the
! example may be abbreviated; compare with a running configuration.
! NOTE(review): match-any presumably admits every client that can reach the proxy
! address; restrict the source rule to the intended client ranges if that is so.
slb template policy policy_SSLi
user-tag ssli_in
forward-policy
action default
source src1
match-any
destination any action default
!
! Explicit-proxy listener: clients configured to use a proxy connect to
! 10.1.1.10:3128 (type http), and policy_SSLi decides how each request is handled.
! No ACL or authentication is attached to this virtual server in the listing, so
! reachability of 10.1.1.10 is the only visible limit on who can use the proxy.
slb virtual-server SSLi_EP_VIP 10.1.1.10
user-tag ssli_in
port 3128 http
user-tag ssli_in_explicit_proxy_port
template policy policy_SSLi
!
! Wildcard virtual server (0.0.0.0) limited by ACL 190, i.e. traffic on VLAN 850.
! - port 0 tcp / udp / others: passed through with no destination NAT to
!   SG_SSLi_TCP or SG_SSLi_UDP (both resolve to fw1, wildcard port).
! - port 443 https: no destination address NAT, but the port is translated, so the
!   session leaves towards SG_SSLi_Xlated (fw1 on TCP 8443).
! NOTE(review): the 443 port shows no "template client-ssl" binding here, although
! cl_ssl is defined above for forward proxy; confirm the binding in the running
! config, since without it the listing does not show which CA re-signs certificates.
! TLS on ports other than 443 falls under "port 0 tcp" and is forwarded unmodified.
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
user-tag ssli_in
port 0 tcp
no-dest-nat
service-group SG_SSLi_TCP
port 0 udp
no-dest-nat
service-group SG_SSLi_UDP
port 0 others
no-dest-nat
service-group SG_SSLi_UDP
port 443 https
no-dest-nat port-translation
service-group SG_SSLi_Xlated
!
! Start of the ssli_out partition; the statements from here to the end of the
! listing are configured inside it.
active-partition ssli_out
!
access-list 191 remark ssli_out
!
! ACL 191 is the selector bound to the wildcard virtual server SSLi_out_ingress.
! NOTE(review): it matches VLAN 860, which this listing names ssli_out_egress
! (ethernet 4, towards the gateway). The interface named ssli_out_ingress, which
! holds the next-hop address 12.1.1.2 used by ssli_in, is on VLAN 861. Confirm which
! VLAN is intended; as written the ACL does not select the VLAN labelled ingress.
access-list 191 permit ip any any vlan 860
!
! VLAN 861: untagged on ethernet 3 and routed through ve 861; named as the ingress
! side of this partition.
vlan 861
untagged ethernet 3
router-interface ve 861
name ssli_out_ingress
user-tag ssli_out_ingress
!
! VLAN 860: untagged on ethernet 4 and routed through ve 860; named as the egress
! side of this partition.
vlan 860
untagged ethernet 4
router-interface ve 860
name ssli_out_egress
user-tag ssli_out_egress
!
! Physical ports backing the two VLANs above; both are explicitly enabled.
interface ethernet 3
name ssli_out_ingress
enable
!
interface ethernet 4
name ssli_out_egress
enable
!
! ve 861 (12.1.1.2/24): ingress-side routed interface. This is the address the
! ssli_in partition uses as its default route and as "slb server fw1".
! NOTE(review): "ip allow-promiscuous-vip" is presumably what lets the wildcard
! (0.0.0.0) virtual server accept traffic on this interface; confirm for your release.
interface ve 861
name ssli_out_ingress
ip address 12.1.1.2 /24
ip allow-promiscuous-vip
!
! ve 860 (15.1.1.2/24): egress-side routed interface, same subnet as the gateway.
! 12.1.1.0/24 and 15.1.1.0/24 are publicly routable ranges used here as sample
! values; substitute addresses from your own plan before deploying.
interface ve 860
name ssli_out_egress
ip address 15.1.1.2 /24
ip allow-promiscuous-vip
!
! Default route via 15.1.1.254, the same address as "slb server GW" below.
ip route 0.0.0.0 /0 15.1.1.254
!
! Server-side SSL template for forward proxy; bound to "port 8443 http" on
! SSLi_out_ingress, where it opens the TLS session towards the origin server.
! NOTE(review): the template shows no trusted-CA or certificate-validation setting.
! Once traffic is intercepted the client can no longer validate the origin
! certificate itself, so confirm how (and whether) it is validated on this side.
slb template server-ssl sr_ssl
user-tag ssli_out
forward-proxy-enable
!
! GW (15.1.1.254) is the upstream gateway for everything leaving this partition.
! Ports: wildcard (0) for TCP and for UDP, plus TCP 443 for the re-encrypted sessions.
! The 443 port carries no user-tag, unlike the two wildcard ports.
slb server GW 15.1.1.254
user-tag ssli_out
port 0 tcp
user-tag ssli_out_1_tcp_port
port 0 udp
user-tag ssli_out_1_udp_port
port 443 tcp
!
! Service group for re-encrypted traffic: GW on TCP 443.
slb service-group GW_SSL_443 tcp
user-tag ssli_out
member GW 443
exit
!
! Service group for pass-through TCP: GW, wildcard port.
slb service-group GW_TCP_0 tcp
user-tag ssli_out
member GW 0
exit
!
! Service group for UDP (also used by the "others" virtual port): GW, wildcard port.
slb service-group GW_UDP_0 udp
user-tag ssli_out
member GW 0
exit
!
! Wildcard virtual server (0.0.0.0) limited by ACL 191.
! - port 0 tcp / udp / others: passed through with no destination NAT to GW_TCP_0
!   or GW_UDP_0 (both resolve to GW, wildcard port).
! - port 8443 http: takes the sessions that ssli_in translated from 443, applies
!   the server-ssl template sr_ssl and forwards to GW_SSL_443 (GW on TCP 443) with
!   the port translated back. The port type is http, so traffic arriving here is
!   expected to be cleartext; nothing outside the inspection devices should be able
!   to reach or observe this port.
! NOTE(review): "use-rcv-hop-for-resp" presumably returns responses to the hop the
! request arrived from instead of consulting the route table; confirm.
slb virtual-server SSLi_out_ingress 0.0.0.0 acl 191
user-tag ssli_out
port 0 tcp
no-dest-nat
service-group GW_TCP_0
use-rcv-hop-for-resp
port 0 udp
no-dest-nat
service-group GW_UDP_0
use-rcv-hop-for-resp
port 0 others
no-dest-nat
service-group GW_UDP_0
use-rcv-hop-for-resp
port 8443 http
no-dest-nat port-translation
template server-ssl sr_ssl
service-group GW_SSL_443
use-rcv-hop-for-resp
!