Implementing Cisco SD-WAN SSL and TLS Proxy​

TLS Proxy—Traffic Flow

Trusted, third-party Certificate Authorities (CAs) sign web server certificates; a client and a server can only establish trust if both rely on those CAs. A TLS proxy acts as a man-in-the-middle: it runs its own CA and dynamically issues proxy certificates for each connection it intercepts, so the client sees a certificate signed by the proxy's CA rather than by the public CA that signed the real server certificate.

Here is an example of a typical TLS traffic flow:

  1. The client establishes a TCP connection with the TLS proxy, and the TLS proxy establishes a separate TCP connection with the server.
  2. The Cisco SD-WAN device sends the Client Hello to the UTD engine, which evaluates whether the flow needs decryption.
  3. Based on the UTD verdict, one of these actions takes place:
  • Drop: The device drops the Client Hello and resets the connection.
  • Do-not-decrypt: The device forwards the Client Hello unchanged, and the flow passes through still encrypted.
  • Decrypt: The WAN Edge router forwards the Client Hello toward the destination; the TLS proxy then terminates the client's TLS session itself and opens its own TLS session to the server.
  4. For a flow marked Decrypt, the TLS proxy performs these actions on the traffic:
  1. TCP optimization of the traffic.
  2. Decryption of the encrypted traffic by the TLS proxy.
  3. Threat inspection of the decrypted traffic by UTD.
  4. Re-encryption of the inspected traffic by the TLS proxy before it is sent on.
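The decision point in steps 2 and 3 is the Client Hello: the UTD engine sees it before any application data flows, and the Server Name Indication (SNI) it carries is the field a verdict is most commonly keyed on. The Go program below is an added example, not Cisco code and not part of the original page. It builds a constructed TLS 1.2 Client Hello, parses the SNI back out of it with bounds checks, and maps the host to one of the three verdicts above using an illustrative policy (a block list for Drop, a bypass list for Do-not-decrypt, everything else Decrypt). The policy, the domain names, and the choice to Drop a Client Hello that fails to parse are assumptions; Cisco's UTD applies its own categories and rules.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// u16 encodes a length as the big-endian 2-byte field TLS uses.
func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello constructs a minimal TLS 1.2 ClientHello record carrying the given SNI
// (no SNI extension when host is ""). This is constructed sample input, not a capture.
func BuildClientHello(host string) []byte {
	var exts []byte
	if host != "" {
		name := []byte(host)
		entry := append([]byte{0}, u16(len(name))...) // name_type host_name(0) + name length
		entry = append(entry, name...)
		list := append(u16(len(entry)), entry...) // server_name_list length + entries
		exts = append(u16(0), u16(len(list))...)  // extension_type server_name(0) + extension length
		exts = append(exts, list...)
	}
	body := []byte{3, 3}                     // client_version TLS 1.2
	body = append(body, make([]byte, 32)...) // random (all zeros in this sample)
	body = append(body, 0)                   // session_id length 0
	body = append(body, 0, 2, 0x13, 0x01)    // one cipher suite: TLS_AES_128_GCM_SHA256
	body = append(body, 1, 0)                // one compression method: null
	body = append(body, u16(len(exts))...)
	body = append(body, exts...)
	hs := append([]byte{1, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...) // handshake type client_hello(1)
	rec := append([]byte{0x16, 3, 1}, u16(len(hs))...)                                               // content type handshake(22), record version 3.1
	return append(rec, hs...)
}

var errMalformed = errors.New("malformed ClientHello")

// ParseSNI extracts the host_name from the SNI extension of a TLS ClientHello record.
// It returns "" with no error when the hello is well-formed but carries no SNI.
func ParseSNI(rec []byte) (string, error) {
	if len(rec) < 5 || rec[0] != 0x16 {
		return "", errMalformed
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	if len(rec) < 5+recLen {
		return "", errMalformed
	}
	hs := rec[5 : 5+recLen]
	if len(hs) < 4 || hs[0] != 1 {
		return "", errMalformed
	}
	hsLen := int(hs[1])<<16 | int(hs[2])<<8 | int(hs[3])
	if len(hs) < 4+hsLen {
		return "", errMalformed
	}
	b := hs[4 : 4+hsLen]
	if len(b) < 34 { // client_version(2) + random(32)
		return "", errMalformed
	}
	b = b[34:]
	if len(b) < 1 || len(b) < 1+int(b[0]) { // session_id
		return "", errMalformed
	}
	b = b[1+int(b[0]):]
	if len(b) < 2 { // cipher_suites
		return "", errMalformed
	}
	n := int(binary.BigEndian.Uint16(b))
	if len(b) < 2+n {
		return "", errMalformed
	}
	b = b[2+n:]
	if len(b) < 1 || len(b) < 1+int(b[0]) { // compression_methods
		return "", errMalformed
	}
	b = b[1+int(b[0]):]
	if len(b) == 0 { // legacy client with no extensions at all
		return "", nil
	}
	if len(b) < 2 {
		return "", errMalformed
	}
	n = int(binary.BigEndian.Uint16(b))
	if len(b) < 2+n {
		return "", errMalformed
	}
	exts := b[2 : 2+n]
	for len(exts) >= 4 {
		typ := binary.BigEndian.Uint16(exts)
		l := int(binary.BigEndian.Uint16(exts[2:]))
		if len(exts) < 4+l {
			return "", errMalformed
		}
		data, rest := exts[4:4+l], exts[4+l:]
		exts = rest
		if typ != 0 || len(data) < 2 {
			continue
		}
		list := data[2:] // server_name_list entries: name_type(1) + length(2) + name
		for len(list) >= 3 {
			nl := int(binary.BigEndian.Uint16(list[1:]))
			if len(list) < 3+nl {
				return "", errMalformed
			}
			if list[0] == 0 {
				return string(list[3 : 3+nl]), nil
			}
			list = list[3+nl:]
		}
	}
	return "", nil
}

// Policy models the UTD decision on the ClientHello (illustrative assumption, not Cisco's rule set):
// hosts under Block are dropped, hosts under Bypass pass through undecrypted, all others are decrypted.
type Policy struct {
	Block  []string
	Bypass []string
}

// Verdict returns "drop", "do-not-decrypt" or "decrypt" for one ClientHello record. A record the
// parser rejects is dropped rather than forwarded blind; a hello with no SNI falls through to decrypt,
// where the proxy would have to learn the identity from the server certificate (assumption).
func (p Policy) Verdict(rec []byte) string {
	host, err := ParseSNI(rec)
	if err != nil {
		return "drop"
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	matches := func(suffixes []string) bool {
		for _, s := range suffixes {
			if host == s || strings.HasSuffix(host, "."+s) {
				return true
			}
		}
		return false
	}
	switch {
	case matches(p.Block):
		return "drop"
	case matches(p.Bypass):
		return "do-not-decrypt"
	default:
		return "decrypt"
	}
}

func main() {
	p := Policy{Block: []string{"blocked.example"}, Bypass: []string{"bank.example"}}
	for _, h := range []string{"www.example.com", "online.bank.example", "blocked.example", ""} {
		fmt.Printf("%-22q -> %s\n", h, p.Verdict(BuildClientHello(h)))
	}
	fmt.Println("truncated hello      -> ", p.Verdict(BuildClientHello("www.example.com")[:20]))
}
```

Suffix matching is done on a dot boundary so that `notbank.example` does not inherit the bypass of `bank.example`; a sloppy `HasSuffix` on the bare string is a classic way for a do-not-decrypt list to become an inspection bypass.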

Certificate Authority (CA) Options

Once a network administrator configures a CA for TLS proxy, that CA issues a subordinate CA (signing) certificate to each TLS proxy device. The device stores the subordinate CA private key securely and uses it to generate and sign the per-connection proxy certificates dynamically.

Here is the list of CA options for configuring TLS proxy:

  • Cisco vManage as CA
  • Cisco vManage as Intermediate CA
  • Enterprise CA
  • Enterprise CA with Simple Certificate Enrollment Protocol (SCEP) enabled

Cisco vManage as CA

This is the best option when the organization has no CA of its own: Cisco vManage acts as the root CA and issues the trust certificates. The vManage CA certificate must be installed in every client's trust store, otherwise clients will reject the proxy certificates that chain to it.

The vManage as CA option automates certificate deployment and renewal, and provides monitoring, tracking, and validation through Cisco vManage.

Cisco vManage as Intermediate CA

You may use this option in conjunction with an internal enterprise CA. In this case, Cisco vManage acts as an intermediate CA that issues and manages the subordinate CA certificates for the TLS proxy devices. The design adds some complexity, especially with Cisco vManage clusters: the network administrator deploys it manually and manages two CAs.

The vManage as Intermediate CA option offers the same benefits as the vManage as CA option with lower exposure: the enterprise root key never leaves the enterprise CA, and a compromised intermediate can be revoked without replacing the root. The network administrator must install only the Enterprise root CA chain into the client trust store, and managed clients often trust that root already.

Enterprise CA

Use this option to issue certificates from an Enterprise CA, that is, the organization's own internal CA. If the Enterprise CA does not support SCEP, the network administrator performs manual enrollment: download the Certificate Signing Request (CSR) for the device from Cisco vManage, have the CA sign it, and upload the signed certificate back to the device through Cisco vManage.
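The CA options above differ only in where the root of the chain lives and which certificate the client must already trust; the per-connection mechanics described under Certificate Authority (CA) Options are the same in every case. The Go program below is an added example, not the page's own or Cisco's code. It builds the vManage as Intermediate CA hierarchy in memory (enterprise root, vManage intermediate, device subordinate CA), issues a proxy certificate that copies the origin server's subject and SANs, and then runs the client-side check: the chain verifies only when the enterprise root is in the trust store and the requested name matches. The CA names, the constructed www.example.com origin certificate, and the path-length constraints are assumptions; the vManage as CA option is the same code with the root issuing the device sub-CA directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a certificate plus the private key that signs on its behalf. On a WAN Edge the sub-CA
// key would sit in the device's secure store; in this example it lives in memory.
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 120))
	if err != nil {
		panic(err)
	}
	return n
}

// sign creates tmpl signed by parent (self-signed when parent is nil) and returns the parsed certificate.
func sign(tmpl *x509.Certificate, parent *CA, pub *ecdsa.PublicKey, own *ecdsa.PrivateKey) *x509.Certificate {
	parentCert, signer := tmpl, own
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewCA issues a CA certificate. parent == nil gives a self-signed root. maxPathLen 0 means the CA
// may issue end-entity (proxy) certificates only, never further sub-CAs; -1 leaves it unconstrained.
func NewCA(name string, parent *CA, maxPathLen int) *CA {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          mustSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            maxPathLen,
		MaxPathLenZero:        maxPathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return &CA{Cert: sign(tmpl, parent, &key.PublicKey, key), Key: key}
}

// OriginCert is a constructed stand-in for the real server's certificate (self-signed here).
func OriginCert(host string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: mustSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, nil, &key.PublicKey, key)
}

// IssueProxyCert is the per-connection step: mint a certificate carrying the origin server's
// identity (subject and SANs) but signed by the device sub-CA, with a fresh key the proxy holds.
func IssueProxyCert(sub *CA, origin *x509.Certificate) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: mustSerial(),
		Subject:      origin.Subject,
		DNSNames:     origin.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     origin.NotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, sub, &key.PublicKey, key), key
}

// VerifyChain is the client-side check: does the proxy certificate chain to a root in the trust
// store and name the host the client asked for? An empty roots slice models a client without the CA installed.
func VerifyChain(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range intermediates {
		ip.AddCert(c)
	}
	for _, c := range roots {
		rp.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: ip, Roots: rp})
	return err
}

func main() {
	// vManage as Intermediate CA: Enterprise root -> vManage intermediate -> device sub-CA -> proxy cert.
	enterprise := NewCA("Enterprise Root CA", nil, -1)
	vmanage := NewCA("vManage Intermediate CA", enterprise, 1)
	device := NewCA("WAN Edge TLS Proxy Sub-CA", vmanage, 0)
	origin := OriginCert("www.example.com")
	leaf, _ := IssueProxyCert(device, origin)
	chain := []*x509.Certificate{device.Cert, vmanage.Cert}
	roots := []*x509.Certificate{enterprise.Cert}

	fmt.Println("enterprise root trusted:", VerifyChain(leaf, chain, roots, "www.example.com"))
	fmt.Println("empty trust store:      ", VerifyChain(leaf, chain, nil, "www.example.com"))
	fmt.Println("wrong hostname:         ", VerifyChain(leaf, chain, roots, "mail.example.com"))
}
```

The device sub-CA is issued with a path length of zero. That is the check a practitioner should insist on whichever CA option is chosen: if a WAN Edge's signing key is ever extracted, the attacker can mint leaf certificates until the sub-CA is revoked, but cannot mint a further CA that outlives it, and clients enforce that constraint without any help from vManage.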

