SSLi L2 Topology with Proxy Chaining (Configuration File)

Example Configuration File

active-partition shared
system ve-mac-scheme system-mac
!
active-partition ssli_in
!
access-list 190 remark ssli_in
!
access-list 190 permit ip any any vlan 850
!
class-list bypass-clientauth ac
user-tag ssli_in
!
class-list bypass_domains ac
user-tag ssli_in
contains bank
!
class-list inspect-domains ac
user-tag ssli_in
!
class-list HTTP_traffic ac
user-tag ssli_in
starts-with http://
!
vlan 850
untagged ethernet 1
untagged ethernet 2
router-interface ve 850
name ssli_in_ingress_egress
user-tag ssli_in_ingress_egress
!
interface ethernet 1
name ssli_in_ingress
enable
!
interface ethernet 2
name ssli_in_egress
enable
!
interface ve 850
name ssli_in_ingress_egress
ip address 10.1.1.2 /24
ip allow-promiscuous-vip
!
ip route 0.0.0.0 /0 10.1.1.3
!
slb template cipher cl_cipher_template
user-tag ssli_in
SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_DES_40_CBC_SHA
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_EXPORT1024_RC4_56_MD5
TLS1_RSA_EXPORT1024_RC4_56_SHA
TLS1_RSA_AES_128_SHA256
TLS1_RSA_AES_256_SHA256
TLS1_DHE_RSA_AES_128_GCM_SHA256
TLS1_DHE_RSA_AES_128_SHA
TLS1_DHE_RSA_AES_128_SHA256
TLS1_DHE_RSA_AES_256_GCM_SHA384
TLS1_DHE_RSA_AES_256_SHA
TLS1_DHE_RSA_AES_256_SHA256
!
slb server Chained_Proxy 20.2.2.10
user-tag ssli_in
port 8080 tcp
user-tag ssli_in_chained_proxy_proxy_port
health-check-disable
port 3130 tcp
user-tag ssli_in_chained_proxy_signaling_port
health-check-disable
!
slb server fw1 10.1.1.3
user-tag ssli_in
port 0 tcp
user-tag ssli_in_1_tcp_port
health-check-disable
port 0 udp
user-tag ssli_in_1_udp_port
health-check-disable
port 8443 tcp
user-tag ssli_signaling
health-check-disable
!
slb service-group Chained_Proxy_Port tcp
user-tag ssli_in
member Chained_Proxy 8080
exit
!
slb service-group Chained_Proxy_Signaling_Port tcp
user-tag ssli_in
member Chained_Proxy 3130
exit
!
slb service-group SG_SSLi_TCP tcp
user-tag ssli_in
member fw1 0
exit
!
slb service-group SG_SSLi_UDP udp
user-tag ssli_in
member fw1 0
exit
!
slb service-group SG_SSLi_Xlated tcp
user-tag ssli_in
member fw1 8443
exit
!
slb template client-ssl cl_ssl
user-tag ssli_in
template cipher cl_cipher_template
forward-proxy-ssl-version 33
forward-proxy-ocsp-disable
forward-proxy-enable
forward-proxy-cert-cache timeout 3600
forward-proxy-cert-expiry hours 1
forward-proxy-cert-cache limit 524288
forward-proxy-ca-key test1
forward-proxy-ca-cert test1
forward-proxy-bypass class-list bypass_domains
forward-proxy-inspect class-list inspect-domains
forward-proxy-bypass client-auth class-list bypass-clientauth
forward-proxy-bypass web-category financial-services
forward-proxy-bypass web-category health-and-medicine
!
slb template policy policy_SSLi
user-tag ssli_in
forward-policy
action default
forward-to-internet SG_SSLi_Xlated
action http
forward-to-service-group Chained_Proxy_Port proxy-chaining
action https
forward-to-service-group Chained_Proxy_Signaling_Port proxy-chaining
source src1
match-any
destination class-list HTTP_traffic action http url priority 1
destination any action https
!
slb template http ClientIPInsert
user-tag ssli_in
!
slb virtual-server SSLi_EP_VIP 10.1.1.10
user-tag ssli_in
port 3128 http
user-tag ssli_in_explicit_proxy_port
service-group SG_SSLi_Xlated
template policy policy_SSLi
template client-ssl cl_ssl
!
slb virtual-server SSLi_in_ingress 0.0.0.0 acl 190
user-tag ssli_in
port 0 tcp
no-dest-nat
service-group SG_SSLi_TCP
port 0 udp
no-dest-nat
service-group SG_SSLi_UDP
port 0 others
no-dest-nat
service-group SG_SSLi_UDP
port 443 https
no-dest-nat port-translation
service-group SG_SSLi_Xlated
template http ClientIPInsert
!
active-partition ssli_out
!
access-list 191 remark ssli_out
!
access-list 191 permit ip any any vlan 860
!
vlan 860
untagged ethernet 3
untagged ethernet 4
router-interface ve 860
name ssli_out_ingress_egress
user-tag ssli_out_ingress_egress
!
interface ethernet 3
name ssli_out_ingress
enable
!
interface ethernet 4
name ssli_out_egress
enable
!
interface ve 860
name ssli_out_ingress_egress
ip address 10.1.1.3 /24
ip allow-promiscuous-vip
!
ip route 0.0.0.0 /0 10.1.1.254
!
slb template cipher sr_cipher_template
user-tag ssli_out
SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_DES_40_CBC_SHA
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_EXPORT1024_RC4_56_MD5
TLS1_RSA_EXPORT1024_RC4_56_SHA
TLS1_RSA_AES_128_SHA256
TLS1_RSA_AES_256_SHA256
TLS1_DHE_RSA_AES_128_GCM_SHA256
TLS1_DHE_RSA_AES_128_SHA
TLS1_DHE_RSA_AES_128_SHA256
TLS1_DHE_RSA_AES_256_GCM_SHA384
TLS1_DHE_RSA_AES_256_SHA
TLS1_DHE_RSA_AES_256_SHA256
!
slb template server-ssl sr_ssl
user-tag ssli_out
forward-proxy-enable
template cipher sr_cipher_template
!
slb server GW 10.1.1.254
user-tag ssli_out
port 0 tcp
user-tag ssli_out_1_tcp_port
health-check-disable
port 0 udp
user-tag ssli_out_1_udp_port
health-check-disable
port 443 tcp
health-check-disable
!
slb server Chained_Proxy 20.2.2.10
user-tag ssli_out
port 8080 tcp
user-tag ssli_out_chained_proxy_port
health-check-disable
!
slb service-group GW_SSL_443 tcp
user-tag ssli_out
member GW 443
exit
!
slb service-group GW_TCP_0 tcp
user-tag ssli_out
member GW 0
exit
!
slb service-group GW_UDP_0 udp
user-tag ssli_out
member GW 0
exit
!
slb service-group sg-Chained_Proxy_Port tcp
user-tag ssli_out
member Chained_Proxy 8080
exit
!
slb virtual-server SSLi_out_ingress 0.0.0.0 acl 191
user-tag ssli_out
port 0 tcp
no-dest-nat
service-group GW_TCP_0
use-rcv-hop-for-resp
port 0 udp
no-dest-nat
service-group GW_UDP_0
use-rcv-hop-for-resp
port 8443 http
no-dest-nat port-translation
template server-ssl sr_ssl
service-group GW_SSL_443
use-rcv-hop-for-resp
port 3130 http
service-group sg-Chained_Proxy_Port
template server-ssl sr_ssl
no-dest-nat port-translation
!