ServerIron ADX Security Guide 177
53-1002440-03
Configuration Examples for SSL Termination and Proxy Modes 6
Create SSL profile with required settings
ServerIronADX(config)# ssl profile myprofile
ServerIronADX(config-ssl-profile-myprofile)# keypair-file rsakey-file
ServerIronADX(config-ssl-profile-myprofile)# certificate-file mycert
ServerIronADX(config-ssl-profile-myprofile)# cipher-suite all
ServerIronADX(config-ssl-profile-myprofile)# exit
Define HTTP ports on real servers
ServerIronADX(config)# server real rs1 10.1.1.1
ServerIronADX(config-rs-rs1)# port http
ServerIronADX(config-rs-rs1)# exit
ServerIronADX(config)# server real rs2 10.1.1.2
ServerIronADX(config-rs-rs2)# port http
ServerIronADX(config-rs-rs2)# exit
Within virtual server: Define SSL port, specify server profile and enable SSL terminate
ServerIronADX(config)# server virtual-name-or-ip vip1 10.1.1.7
ServerIronADX(config-vs-vip1)# port ssl
ServerIronADX(config-vs-vip1)# port ssl ssl-terminate myprofile
Bind SSL in virtual server to real server HTTP ports
ServerIronADX(config-vs-vip1)# bind ssl rs1 http rs2 http
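The following consistency check for the termination example above is an added example, not part of the guide or of the ServerIron ADX software. It parses the commands shown in this section and reports a virtual server whose ssl-terminate profile is undefined or lacks a key pair or certificate, and bind targets with no matching real-server port. The prompt-free input layout, the names parse and audit, and the choice to flag cipher-suite all for review are assumptions of this example.

```python
# Constructed input: this section's commands without prompts or exit lines.
SAMPLE = """\
ssl profile myprofile
 keypair-file rsakey-file
 certificate-file mycert
 cipher-suite all
server real rs1 10.1.1.1
 port http
server real rs2 10.1.1.2
 port http
server virtual-name-or-ip vip1 10.1.1.7
 port ssl
 port ssl ssl-terminate myprofile
 bind ssl rs1 http rs2 http
"""

def parse(config):
    # One table per object type; keys are the names given on the command line.
    tables = {"profile": {}, "real": {}, "virtual-name-or-ip": {}}
    ctx = {}
    for words in (ln.split() for ln in config.splitlines() if ln.strip()):
        if words[0] in ("ssl", "server") and len(words) > 2 and words[1] in tables:
            ctx = tables[words[1]].setdefault(words[2], {"ports": set(), "binds": []})
        elif words[0] in ("keypair-file", "certificate-file", "cipher-suite"):
            ctx[words[0]] = words[1]
        elif words[:3] == ["port", "ssl", "ssl-terminate"]:
            ctx["terminate"] = words[3]
        elif words[0] == "port":
            ctx.setdefault("ports", set()).add(words[1])
        elif words[:2] == ["bind", "ssl"]:
            # "bind ssl rs1 http rs2 http" -> [("rs1", "http"), ("rs2", "http")]
            ctx["binds"] = list(zip(words[2::2], words[3::2]))
    return tables

def audit(config):
    # Assumes every virtual server in the input is meant to terminate SSL.
    t, findings = parse(config), []
    for vip, cfg in t["virtual-name-or-ip"].items():
        prof = t["profile"].get(cfg.get("terminate"))
        if prof is None:
            findings.append(f"{vip}: no defined ssl-terminate profile")
        else:
            findings += [f"{vip}: profile lacks {k}"
                         for k in ("keypair-file", "certificate-file") if k not in prof]
            if prof.get("cipher-suite") == "all":  # assumed local policy, not from the guide
                findings.append(f"{vip}: cipher-suite all, review against policy")
        for rs, port in cfg["binds"]:
            if port not in t["real"].get(rs, {}).get("ports", ()):
                findings.append(f"{vip}: bind target {rs} {port} not defined")
    return findings
```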
Configuring SSL Proxy Mode
In SSL proxy mode, the ServerIron ADX acts as a client to the real server. The real server presents
a certificate, which the ServerIron ADX must verify. Verification requires the CA certificate from
the issuing authority, so the CA certificate must be uploaded to the ServerIron ADX before it can
be used.
To configure SSL in proxy mode, perform the following tasks in sequence:
1. Upload the CA certificate to the ServerIron ADX as described in “Transferring a Keypair File and
a Certificate File” on page 149.
NOTE
If the server is using a self-signed certificate, the allow-self-signed certificate command must
be configured within the profile.
2. Create a Client Side SSL Profile.
3. Associate an RSA key pair and certificate with the Client Side SSL Profile.
4. Within the Client Side SSL Profile, select a Cipher Suite as described in “Specifying a cipher
suite” on page 165. This step is optional.
5. Create a Server Side SSL Profile.
6. In the Server Side profile specify the name of the certificate to be associated with the SSL
Server Side profile.
7. Configure Real and Virtual Servers as described in “Configuring Real and Virtual Servers for
SSL Proxy Mode” on page 174.