Support User Manuals

SonicWALL 5.8.1 Microscope & Magnifier User Manual

Open as PDF

of 1490

DPI-SSL > Server SSL

802

SonicOS 5.8.1 Administrator Guide

• On the User Object/Group line, select a user object or group from the Exclude pulldown

menu to exempt it from DPI-SSL inspection.

Note The Include pulldown menu can be used to fine tune the specified exclusion list. For

example, by selecting the Remote-office-California address object in the Exclude

pulldown and the Remote-office-Oakland address object in the Include pulldown.

Configuring Server-to-Certificate Pairings

Server DPI-SSL inspection requires that you specify which certificate will be used to sign traffic

for each server that will have DPI-SSL inspection performed on its traffic. To configure a server-

to-certificate pairing, perform the following steps:

1. Navigate to the DPI-SSL > Server SSL page and scroll down to the SSL Servers section.

2. Click the Add button.

3. In the Address Object/Group pulldown menu, select the address object or group for the

server or servers that you want to apply DPI-SSL inspection to.

4. In the SSL Certificate pulldown menu, select the certificate that will be used to sign the

traffic for the server. For more information on importing a new certificate to the appliance,

see“Selecting the Re-Signing Certificate Au

thority” on page 796. For information on

creating a certificate, see “Creating PKCS-12 Formatted Certificate File” on page 797.

5. Select the Cleartext checkbox to enable SSL offloading. See “SSL Offloading” on page 802

for more information.

6. Click Add.

SSL Offloading

When adding server-to-certificate pairs, a cleartext option is available. This option indicates

that the portion of the TCP connection between the UTM appliance and the local server will be

in the clear without SSL layer, thus allowing SSL processing to be offloaded from the server by

the appliance.

Please note that in order for such configuration to work properly, a NAT policy needs to be

created on the Network > NAT Policies page to map traffic destined for the offload server from

an SSL port to a non-SSL port. For example, in case of HTTPS traffic being used with SSL

offloading, an inbound NAT policy remapping traffic from port 443 to port 80 needs to be

created in order for things to work properly.

previous next