SonicWALL 5.8.1 Microscope & Magnifier User Manual


DPI-SSL > Server SSL
802
SonicOS 5.8.1 Administrator Guide
On the User Object/Group line, select a user object or group from the Exclude pulldown
menu to exempt it from DPI-SSL inspection.
Note: The Include pulldown menu can be used to fine-tune the specified exclusion list, for
example, by selecting the Remote-office-California address object in the Exclude
pulldown and the Remote-office-Oakland address object in the Include pulldown.
Configuring Server-to-Certificate Pairings
Server DPI-SSL inspection requires that you specify which certificate will be used to sign traffic
for each server that will have DPI-SSL inspection performed on its traffic. To configure a server-
to-certificate pairing, perform the following steps:
1. Navigate to the DPI-SSL > Server SSL page and scroll down to the SSL Servers section.
2. Click the Add button.
3. In the Address Object/Group pulldown menu, select the address object or group for the
server or servers that you want to apply DPI-SSL inspection to.
4. In the SSL Certificate pulldown menu, select the certificate that will be used to sign the
traffic for the server. For more information on importing a new certificate to the appliance,
see “Selecting the Re-Signing Certificate Authority” on page 796. For information on
creating a certificate, see “Creating PKCS-12 Formatted Certificate File” on page 797.
5. Select the Cleartext checkbox to enable SSL offloading. See “SSL Offloading” on page 802
for more information.
6. Click Add.
SSL Offloading
When adding server-to-certificate pairs, a cleartext option is available. This option indicates
that the portion of the TCP connection between the UTM appliance and the local server will be
in the clear, without an SSL layer, which allows the appliance to offload SSL processing from
the server.
For this configuration to work properly, a NAT policy must be created on the
Network > NAT Policies page to map traffic destined for the offload server from
an SSL port to a non-SSL port. For example, when HTTPS traffic is used with SSL
offloading, an inbound NAT policy that remaps traffic from port 443 to port 80 must be
created.
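
The dependency between the Cleartext checkbox and the inbound NAT policy can be checked mechanically. The following is an added example, not part of the SonicOS guide: the data model, field names and sample objects are hypothetical and do not represent a SonicOS export format, and the second check (a remap without Cleartext selected) is an inferred consistency check rather than a rule stated in the guide.

```python
from dataclasses import dataclass

# Hypothetical in-memory model of the settings described in this section.
# It is NOT a SonicOS export format; all field names are assumptions.
@dataclass(frozen=True)
class Pairing:
    server: str            # address object chosen under Address Object/Group
    certificate: str       # entry chosen under SSL Certificate
    cleartext: bool        # state of the Cleartext checkbox
    ssl_port: int = 443

@dataclass(frozen=True)
class NatPolicy:
    destination: str       # address object the inbound policy applies to
    original_port: int
    translated_port: int

SSL_PORTS = frozenset({443})   # assumption: ports on which servers expect SSL

def remaps_to_plain(pairing, policies):
    """Inbound policies that move this server's SSL port to a non-SSL port."""
    return [n for n in policies
            if n.destination == pairing.server
            and n.original_port == pairing.ssl_port
            and n.translated_port not in SSL_PORTS]

def audit(pairings, policies):
    """Return (server, problem) tuples for inconsistent pairing/NAT setups."""
    findings = []
    for p in pairings:
        plain = remaps_to_plain(p, policies)
        if p.cleartext and not plain:
            findings.append((p.server, f"Cleartext selected but no NAT policy "
                             f"remaps port {p.ssl_port} to a non-SSL port"))
        elif not p.cleartext and plain:
            findings.append((p.server, f"NAT policy remaps port {p.ssl_port} to port "
                             f"{plain[0].translated_port} but Cleartext is not selected"))
    return findings

def cleartext_legs(pairings):
    """Servers whose appliance-to-server leg carries unencrypted traffic."""
    return sorted(p.server for p in pairings if p.cleartext)

# Constructed sample data (object and certificate names are made up).
PAIRINGS = [Pairing("web-01", "cert-web", cleartext=True),
            Pairing("web-02", "cert-web", cleartext=True),
            Pairing("mail-01", "cert-mail", cleartext=False)]
POLICIES = [NatPolicy("web-01", 443, 80), NatPolicy("mail-01", 443, 80)]

if __name__ == "__main__":
    for server, problem in audit(PAIRINGS, POLICIES):
        print(f"{server}: {problem}")
```

The list returned by `cleartext_legs` is also the set of network segments where traffic travels unencrypted between the appliance and the server, which is worth recording when reviewing who can observe that segment.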