
Amer Networks E5Web GUI User Manual


The steps to take to enable TLS in cOS Core are as follows:

1. Upload the host and root certificates to be used with TLS to cOS Core, if this has not already been done.

2. Define a new TLS ALG object and associate the appropriate host and root certificates with the ALG. If the certificate is self-signed, the root and host certificate should both be set to the same certificate. Certificate chaining is supported and more than one root certificate can be configured.

3. Create a new custom Service object based on the TCP protocol.

4. Associate the TLS ALG object with the newly created service object.

5. Create a NAT or Allow IP rule for the targeted traffic and associate the custom service object with it.

6. Optionally, create a SAT rule to change the destination port for the unencrypted traffic. Alternatively, an SLB_SAT rule can be used to do load balancing (the destination port can also be changed through a custom service object).

URLs Delivered by Servers

It should be noted that using cOS Core for TLS termination will not change URLs in webpages
delivered by servers which lie behind the Clavister Security Gateway.

What this means is that if a client connects to a web server behind the Clavister Security Gateway
using the https:// protocol then any web pages delivered back containing absolute URLs with the
http:// protocol (perhaps to refer to other pages on the same site) will not have these URLs
converted to https:// by cOS Core. The solution to this issue is for the servers to use relative URLs
instead of absolute ones.
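The following is an added example, not code from the Clavister manual or from cOS Core. It shows the check an administrator would run against pages served by a web server behind the gateway: it scans the HTML for absolute http:// URLs, which cOS Core will not rewrite, and for same-site links suggests the relative form the server should emit instead. The site host name and the sample page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry URLs a browser will follow or fetch, per tag.
URL_ATTRIBUTES = {
    "a": ("href",),
    "link": ("href",),
    "img": ("src",),
    "script": ("src",),
    "iframe": ("src",),
    "form": ("action",),
}


class AbsoluteHttpFinder(HTMLParser):
    """Collects absolute http:// URLs from a page that is served over TLS."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr not in URL_ATTRIBUTES.get(tag, ()) or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "http":
                continue  # relative URLs and https:// URLs are fine
            same_site = parts.hostname == self.site_host
            suggested = None
            if same_site:
                # Relative form that keeps working behind the TLS terminator.
                suggested = parts.path or "/"
                if parts.query:
                    suggested += "?" + parts.query
            self.findings.append({
                "tag": tag,
                "attr": attr,
                "url": value,
                "same_site": same_site,
                "suggested": suggested,
            })


def find_absolute_http_urls(html, site_host):
    """Return every absolute http:// URL in html, in document order."""
    parser = AbsoluteHttpFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, as a server behind the gateway might deliver it.
SAMPLE_HTML = """<html><body>
<a href="http://www.example.com/about">About</a>
<a href="/contact">Contact</a>
<img src="http://www.example.com/img/logo.png" alt="logo">
<script src="https://www.example.com/app.js"></script>
<a href="http://cdn.example.net/lib.js">third-party resource</a>
</body></html>"""


if __name__ == "__main__":
    for finding in find_absolute_http_urls(SAMPLE_HTML, "www.example.com"):
        fix = finding["suggested"] or "third-party host, needs an https:// source"
        print(f"<{finding['tag']} {finding['attr']}> {finding['url']} -> {fix}")
```

Same-site findings can be fixed by the server switching to the suggested relative URL; third-party http:// references cannot be made relative and need an https:// source of their own.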

Cryptographic Suites Supported by cOS Core TLS

cOS Core TLS supports the following cryptographic suites:

1. TLS_RSA_WITH_3DES_EDE_CBC_SHA

2. TLS_RSA_WITH_RC4_128_SHA

3. TLS_RSA_WITH_RC4_128_MD5

4. TLS_RSA_EXPORT_WITH_RC4_56_SHA (certificate key size up to 1024 bits)

5. TLS_RSA_EXPORT_WITH_RC4_40_MD5 (certificate key size up to 1024 bits)

6. TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (certificate key size up to 1024 bits)

7. TLS_RSA_WITH_NULL_MD5

8. TLS_RSA_WITH_NULL_SHA
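As an added example that is not part of the manual and does not query cOS Core, the script below parses IANA-style cipher suite names into key exchange, cipher and MAC, and rates each suite against current practice (export-grade keys, RC4, NULL encryption, 64-bit block ciphers, missing forward secrecy). It is run over the eight suites listed above and generalises to any suite name in the same format, so a modern suite is included for comparison.

```python
import re
from dataclasses import dataclass, field

# The eight suites listed in the manual for cOS Core TLS.
COS_CORE_SUITES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_EXPORT_WITH_RC4_56_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_WITH_NULL_MD5",
    "TLS_RSA_WITH_NULL_SHA",
]

# TLS_<key exchange>_WITH_<cipher>_<mac>
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA|SHA256|SHA384)$"
)


@dataclass
class SuiteAssessment:
    name: str
    key_exchange: str
    cipher: str
    mac: str
    issues: list = field(default_factory=list)

    @property
    def rating(self):
        if not self.issues:
            return "ACCEPTABLE"
        if any(i.startswith(("no encryption", "export")) for i in self.issues):
            return "INSECURE"
        return "WEAK"


def assess_suite(name):
    """Parse a suite name and list the reasons it should not be offered."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    kx, cipher, mac = m.group("kx", "cipher", "mac")
    issues = []
    if "EXPORT" in kx:
        issues.append("export-grade key exchange (deliberately weakened keys)")
    if not kx.startswith(("ECDHE", "DHE")):
        issues.append("no forward secrecy (static RSA key exchange)")
    if cipher.startswith("NULL"):
        issues.append("no encryption: payload is sent in cleartext")
    elif cipher.startswith("RC4"):
        issues.append("RC4 stream cipher (prohibited for TLS by RFC 7465)")
    elif cipher.startswith("RC2"):
        issues.append("RC2 is an obsolete cipher")
    elif cipher.startswith("3DES"):
        issues.append("3DES has a 64-bit block (Sweet32 birthday attacks)")
    bits = re.search(r"_(\d+)(?:_|$)", cipher)
    if bits and int(bits.group(1)) < 128:
        issues.append(f"{bits.group(1)}-bit cipher key is too short")
    if "_CBC" in cipher:
        issues.append("CBC with MAC-then-encrypt (padding-oracle exposure)")
    if mac == "MD5":
        issues.append("HMAC-MD5 for record integrity")
    return SuiteAssessment(name, kx, cipher, mac, issues)


def summarise(suites):
    """Map each suite name to its rating, for a quick configuration review."""
    return {s: assess_suite(s).rating for s in suites}


if __name__ == "__main__":
    for suite in COS_CORE_SUITES + ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]:
        a = assess_suite(suite)
        print(f"{a.rating:10} {a.name}")
        for issue in a.issues:
            print(f"           - {issue}")
```

Every suite in the manual's list rates WEAK or INSECURE by this check, so a reviewer should treat a cOS Core TLS termination point as suitable only where the clients cannot negotiate anything better, and should never expose the NULL or EXPORT suites.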

cOS Core TLS Limitations

As discussed above, cOS Core TLS provides support for server side termination only. The other
limitations that should be noted are:

Client authentication is not supported (where Clavister Security Gateway authenticates the
identity of the client).

Chapter 6: Security Mechanisms

441
