
Table Of Contents

Managing Policies

TCP Policy

Viewing TCP Policies

Assigning Policies to Proxy Services

Adding TCP Policy

Editing TCP Policy

Deleting TCP Policy

SSL Policy

Viewing SSL Policy

Adding SSL Policies

Editing SSL Policies

Deleting SSL Policy

HTTP Header Insertion Policy

Viewing HTTP Header Insertion Policy

Adding HTTP Header Insertion Policy

Editing HTTP Header Insertion Policy

Deleting HTTP Header Insertion Policy

URL Rewrite Policy

Viewing URL Rewrite Policy

Adding URL Rewrite Policy

Editing URL Rewrite Policy

Viewing URL Rules and Outcome

Deleting URL Rewrite Policy


Managing Policies


The CVDM-SSLSM supports defining policies for Proxy Services. The policy templates help the Administrator customize the attributes of the SSL and TCP stacks to suit their needs.

The following policies are supported by the SSLSM:

SSL Policy

TCP Policy

HTTP Header Insertion Policy

URL Rewrite Policy

Policies are grouped by their type and are displayed as a tree node in the object selector. All configured policies of a type are listed as child nodes under the policy node.

Figure 8-1 Policies Page

TCP Policy

The TCP commands for the SSL Services Module apply either globally or to a particular proxy server.

The TCP policy template allows you to define parameters associated with the TCP stack.

Viewing TCP Policies

To view the TCP Policies:


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select TCP Policy from the object selector. The policy information appears on the page.

The following fields appear:

TCP Policies

Fields
Description

Policy Name

Name of the TCP Policy

Number of Proxy Services (Use Count)

Number of proxy services using the TCP Policy.


Select a policy, then click Assign to Proxy Services to assign a policy to the proxy services.

Click Add to add a new TCP policy. The Add TCP Policy dialog box appears.

Select a policy, then click Edit to edit a TCP policy. The Edit TCP Policy dialog box appears.

Select a policy, then click Delete to delete the policy.

Step 3 Select a policy from the TCP Policy table, then click the Policy tab to view the policy details or the Associated Proxy Services tab to view the proxy services associated with the policy.

TCP Policy Details

Fields
Description
Policy

Policy Name

Name of the TCP Policy.

MSS

The maximum segment size (MSS), in bytes, that the module advertises in the SYN packets it generates.

Syn Timeout

The connection establishment timeout.

Inactivity Timeout

The amount of time, in seconds, that an established connection can be inactive.

Reassembly Timeout

The amount of time, in seconds, before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped.

Fin Timeout

The FIN wait timeout in seconds.

Buffer Share Rx

The maximum receive buffer share per connection in bytes.

Buffer Share Tx

The maximum transmit buffer share per connection in bytes.

Associated Proxy Services

Name

The name of the associated proxy service.

Type

Type of the proxy service.

Side

Indicates whether the policy is applied to the client side or server side of the proxy service.

Virtual Server

The IP address of the virtual server.

Server

The IP address of the server.

Oper Status

The operational status of the proxy server.

Status

The status of the proxy server.

Certificate

Status of the certificate associated with the proxy service.



Assigning Policies to Proxy Services


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select a Policy from the object selector. The policy information appears on the page.

Step 3 Select a policy from the Policies table, then click Assign to Proxy Services.

The Assign Policy to Proxy Services dialog box appears with the following details:

Field
Description

Policy

The name of the selected policy.

Proxy Service Name

Name of the proxy service.

Client Side (Virtual)

Name of the virtual server configured for the proxy service.

Selected Services

The list of services to which the policy is associated. The list appears only after you add proxy services to the policy.


Figure 8-2 Assigning Policies to Proxy Service

Step 4 Select a Proxy Service Name, then click Add >> to add the policy to the selected service.

To remove a proxy service from the list, select the service, then click << Remove.

To clear all the services selected for the policy, click Clear All.

Step 5 Click OK to complete the task.


Adding TCP Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select TCP Policy from the object selector. The policy information appears on the page.

Step 3 Click Add. The Add TCP Policy dialog box appears.

Field
Description
Policy

Policy Name

Enter a name for the TCP Policy.

MSS

Enter the maximum segment size (MSS), in bytes, that the module advertises in the SYN packets it generates.

The default is 1460 bytes. The valid range is from 256 to 2460 bytes.

Timers

Syn Timeout

Enter the connection establishment timeout. The default is 75 seconds. The valid range is from 5 to 75 seconds.

Inactivity Timeout

Enter the amount of time, in seconds, that an established connection can be inactive. The default is 600 seconds. The valid range is 0 to 960 seconds (0 = disabled).

Reassembly Timeout

Enter the amount of time, in seconds, before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. The default is 60 seconds. The valid range is 0 to 960 seconds (0 = disabled).

Fin-wait Timeout

Enter the FIN wait timeout in seconds. The default value is 600 seconds. The valid range is from 75 to 600 seconds.

Buffer Share Rx

Enter the maximum receive buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.

Buffer Share Tx

Enter the maximum transmit buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.


Step 4 Click OK to add the new TCP Policy.


Editing TCP Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select TCP Policy from the object selector. The policy information appears on the page.

Step 3 Select a policy, then click Edit. The Edit TCP Policy dialog box appears.

Field
Description
Policy

Policy Name

Name of the TCP Policy

MSS

Modify the maximum segment size (MSS), in bytes, that the module advertises in the SYN packets it generates.

The default is 1460 bytes. The valid range is from 256 to 2460 bytes.

Timers

Syn Timeout

Modify the connection establishment timeout. The default is 75 seconds. The valid range is from 5 to 75 seconds.

Inactivity Timeout

Enter the amount of time, in seconds, that an established connection can be inactive. The default is 600 seconds. The valid range is 0 to 960 seconds (0 = disabled).

Reassembly Timeout

Enter the amount of time, in seconds, before the reassembly queue is cleared. If the transaction is not complete within the specified time, the reassembly queue is cleared and the connection is dropped. The default is 60 seconds. The valid range is 0 to 960 seconds (0 = disabled).

Fin-wait Timeout

Enter the FIN wait timeout in seconds. The default value is 600 seconds. The valid range is from 75 to 600 seconds.

Buffer Share Rx

Enter the maximum receive buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.

Buffer Share Tx

Enter the maximum transmit buffer share per connection in bytes. The default value is 32768 bytes. The valid range is from 8192 to 262144 bytes.


Step 4 Click OK to save the new configuration for the TCP policy.


Deleting TCP Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select TCP Policy from the object selector. The policy information appears on the page.

Step 3 Select a Policy from the list, then click Delete.


SSL Policy

The SSL policy option allows you to define parameters associated with the SSL stack.

If you do not associate an SSL policy with a particular proxy server, the proxy server enables all the supported cipher suites and protocol versions by default. Note that the supported set includes SSL version 3 and the single-DES cipher suite, both of which are considered weak, so in practice you should assign an explicit SSL policy that restricts the version and cipher suites to what your clients require.

Viewing SSL Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select SSL Policy from the object selector. The policy information appears on the page.

Field
Description
SSL Policies

Policy Name

The name of the SSL policy.

Number of Proxy Services (Use Count)

Number of proxy services using the SSL Policy.


Select a policy from the SSL Policies table, then click the Policy tab to view the policy details or the Associated Proxy Services tab to view the proxy services associated with the policy.

Select a policy, then click Assign to Proxy Services to assign a policy to the proxy services.

Click Add to add an SSL policy. The Add SSL Policy dialog box appears.

Select a policy, then click Edit to edit an SSL policy. The Edit SSL Policy dialog box appears.

Select a policy, then click Delete to delete the policy.

SSL Policy Details

Field
Description
Policy

Version

The SSL protocol version, one of the following:

ALL—Both SSL3 and TLS1 versions are used.

SSL3—SSL version 3 is used.

TLS1—TLS version 1 is used.

Close Protocol

Indicates whether the SSL close-protocol behavior is present.

Session Cache

Indicates whether the session caching is enabled.

Handshake Timeout (secs)

The maximum time the module keeps a connection in the handshake phase.

Absolute

Indicates whether the session timeout is measured as absolute time from session creation rather than from the session's last use.

Session Timeout (secs)

The time after which a cached session expires and can no longer be resumed.

Cipher Suites

The list of cipher-suites acceptable to the proxy server.

Associated Proxy Services

Name

Name of the proxy service.

Type

Type of the proxy service.

For example: Server Proxy.

Side

The side to which the policy is applied.

Client Side (Virtual)

The IP address of the virtual server.

Server

The IP address of the server.

Oper Status

Indicates the operational status of the proxy service.

Status

Indicates the status of the proxy service.

Certificate

Status of the certificate associated with the proxy.


Adding SSL Policies


Step 1 Click Setup from the task bar.

Step 2 Click Policies on the left-most pane, then select SSL Policy from the object selector. The policy information appears on the page.

Step 3 Click Add. The Add SSL Policy dialog box appears.

Field
Description
Policy

Policy Name

Enter a name for your new SSL Policy.

Version

Select a version for the SSL Policy.

Values are:

ALL—Both SSL3 and TLS1 versions are used.

SSL3—SSL version 3 is used.

TLS1—TLS version 1 is used.

Close Protocol

Indicate whether to use an SSL close protocol.

Values are:

SSL close protocol is not followed

Follow strict SSL close protocol.

Handshake Timeout (Secs)

Enter the handshake timeout in seconds. Valid values are from 0 to 65535 seconds.

Session Timeout (Secs)

Enter the session timeout in seconds. Valid values are from 0 to 72000 seconds.

Absolute

Select the check box to measure the session timeout from the time the session was created rather than from its last use, so that a cached session expires after the configured time even if clients keep resuming it.

Session Cache

Select Enabled to cache SSL sessions so that returning clients can resume them with an abbreviated handshake. Select Disabled to perform a full handshake for every connection.

Session Cache Size

The maximum number of sessions held in the session cache.

Cipher Suite

Select the cipher-suite from the list.

The Cipher-suites that are acceptable to the proxy-server are:

RSA_WITH_3DES_EDE_CBC_SHA—RSA with 3des-sha.

RSA_WITH_DES_CBC_SHA—RSA with des-sha.

RSA_WITH_RC4_128_MD5—RSA with rc4-md5.

RSA_WITH_RC4_128_SHA—RSA with rc4-sha.

all—All supported ciphers.


Step 4 Click OK to add the new SSL Policy.


Editing SSL Policies


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select SSL Policy from the object selector. The policy information appears on the page.

Step 3 Click Edit. The Edit SSL Policy dialog box appears.

Field
Description
Policy

Policy Name

Name of the SSL Policy.

Version

Select a version for the SSL Policy.

Values are:

ALL—Both SSL3 and TLS1 versions are used.

SSL3—SSL version 3 is used.

TLS1—TLS version 1 is used.

Close Protocol

Indicate whether to use an SSL close protocol.

Values are:

SSL close protocol is not followed

Follow strict SSL close protocol.

Handshake Timeout (Secs)

Enter the handshake timeout in seconds. Valid values are from 0 to 65535 seconds.

Session Timeout (Secs)

Enter the session timeout in seconds. Valid values are from 0 to 72000 seconds.

Session Cache

Select Enabled to enable session cache. You can decide not to cache the session by selecting Disabled.

Cipher Suite

Select the cipher-suite from the list.

The Cipher-suites that are acceptable to the proxy-server are:

RSA_WITH_3DES_EDE_CBC_SHA—RSA with 3des-sha

RSA_WITH_DES_CBC_SHA—RSA with des-sha

RSA_WITH_RC4_128_MD5—RSA with rc4-md5

RSA_WITH_RC4_128_SHA—RSA with rc4-sha

all—All supported ciphers


Step 4 Click OK to apply the new values.


Deleting SSL Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select SSL Policy from the object selector. The policy information appears on the page.

Step 3 Select a Policy from the list, then click Delete.


HTTP Header Insertion Policy

HTTP header insertion is performed for the following methods: GET, HEAD, PUT, TRACE, POST, DELETE. HTTP header insertion is not performed for the CONNECT method.


Note You can configure up to 100 HTTP header insertion policies, each policy consisting of up to 32 prefixes or headers. Prefix and custom headers can include up to 240 characters.


You can insert the following header types:

Client Certificate Headers—Allow the backend server to see the attributes of the client certificate that the SSL module has authenticated and approved. Client certificate headers are sent only once per session. The server is expected to cache these values using the session ID, which is also inserted with the headers. In subsequent requests, the server uses the session ID to look up the cached client certificate headers on the server itself.

If client certificate authentication is configured and the client does not send a certificate, the SSL handshake fails. There is no data phase or header insertion.

Client IP and Port Address Headers

Network address translation (NAT) changes the client IP address and destination TCP port number information. When you specify Client IP Port, the SSL module inserts the client IP address and TCP destination port information in the HTTP header, allowing the server to see the client IP address and destination port number.

Custom Headers

When you specify a custom string, the SSL module inserts the user-defined header verbatim in the HTTP header. You can configure up to 16 custom headers per HTTP header policy. The custom string can include up to 240 characters.

Prefix

The SSL module adds the specified prefix to every inserted HTTP header. Adding a prefix enables the server to identify connections as coming from the SSL module, and not from other appliances. A prefix is not added to standard HTTP headers from the client. The prefix string can be up to 240 characters. Because a client can send headers of any name in its own request, a backend that acts on inserted headers should trust only those that carry the configured prefix and arrive from the SSL module.

SSL Session Headers—Session headers, including the session ID, are used to cache client certificates based on the session ID. Session headers are also cached based on the session ID if the server wants to track connections based on a particular cipher suite. The SSL module inserts the full session headers in the HTTP request during a full SSL handshake, but inserts only the session ID when the session resumes.

When you configure the SSL module as a client, the SSL module inserts the session ID of the connection between the module and the backend SSL server.
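The insertion rules described above, as an added example that is not part of this guide or of the SSL Services Module software: it models a header insertion policy and emits the headers the module would add for one request, skipping CONNECT, prefixing every inserted header, sending the client certificate and full session headers only on a full handshake, and sending just the session ID when a session resumes. The header names (Client-IP, Session-Id, ClientCert-Subject and so on), the class names and the sample request are the example's own and are not the module's actual header names.

```python
from dataclasses import dataclass, field

# Methods for which the module inserts headers; CONNECT gets none (as the page states).
INSERT_METHODS = {"GET", "HEAD", "PUT", "TRACE", "POST", "DELETE"}
MAX_CUSTOM_HEADERS = 16   # limit quoted on this page
MAX_STRING_LEN = 240      # limit quoted on this page for the prefix and custom strings


@dataclass
class HeaderInsertionPolicy:
    name: str
    prefix: str = ""
    client_cert: bool = False
    client_ip_port: bool = False
    session_header: bool = False
    custom: dict = field(default_factory=dict)  # custom header name -> value

    def __post_init__(self):
        if len(self.custom) > MAX_CUSTOM_HEADERS:
            raise ValueError("at most 16 custom headers per policy")
        strings = [self.prefix, *self.custom, *self.custom.values()]
        if any(len(s) > MAX_STRING_LEN for s in strings):
            raise ValueError("prefix and custom header strings are limited to 240 characters")


@dataclass
class ConnectionInfo:
    """What the module knows about one SSL connection (constructed for this example)."""
    client_ip: str
    client_port: int
    session_id: str
    full_handshake: bool      # True after a full handshake, False when the session resumed
    cipher: str = ""
    cert_subject: str = ""    # attributes of the client certificate the module authenticated
    cert_issuer: str = ""


def inserted_headers(policy, conn, method):
    """Return the (name, value) pairs the module adds for one request. Names are hypothetical."""
    if method.upper() not in INSERT_METHODS:
        return []
    p = policy.prefix   # every inserted header carries the prefix; client headers do not
    hdrs = []
    if policy.client_ip_port:
        hdrs += [(p + "Client-IP", conn.client_ip), (p + "Client-Port", str(conn.client_port))]
    if policy.session_header or policy.client_cert:
        # The session ID is inserted on every request; it keys the server-side cache.
        hdrs.append((p + "Session-Id", conn.session_id))
    if policy.session_header and conn.full_handshake:
        # Full session headers only on a full handshake; a resumed session gets the ID alone.
        hdrs.append((p + "Session-Cipher-Name", conn.cipher))
    if policy.client_cert and conn.full_handshake:
        # Client certificate headers are sent once per session, with the full handshake.
        hdrs += [(p + "ClientCert-Subject", conn.cert_subject),
                 (p + "ClientCert-Issuer", conn.cert_issuer)]
    for name, value in policy.custom.items():
        hdrs.append((p + name, value))   # custom strings are inserted verbatim
    return hdrs


def apply_policy(raw_request, policy, conn):
    """Insert the policy's headers directly after the request line of a raw HTTP request."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    added = [f"{name}: {value}" for name, value in inserted_headers(policy, conn, method)]
    # Headers the client sent (Host, User-Agent, ...) pass through unchanged, without the prefix.
    return "\r\n".join([lines[0], *added, *lines[1:]]) + sep + body


# Constructed sample data.
POLICY = HeaderInsertionPolicy("web-policy", prefix="SSLSM-", client_cert=True,
                               client_ip_port=True, session_header=True,
                               custom={"X-Forwarded-Proto": "https"})
FULL = ConnectionInfo("203.0.113.7", 51234, "a1b2c3d4", True,
                      cipher="RSA_WITH_3DES_EDE_CBC_SHA",
                      cert_subject="CN=alice,O=Example", cert_issuer="CN=Example CA")
RESUMED = ConnectionInfo("203.0.113.7", 51240, "a1b2c3d4", False)
SAMPLE_REQUEST = "GET /account HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    print(apply_policy(SAMPLE_REQUEST, POLICY, FULL))
    print(apply_policy(SAMPLE_REQUEST, POLICY, RESUMED))
    print(inserted_headers(POLICY, FULL, "CONNECT"))   # []
```

A backend that consumes these headers should key its client-certificate cache on the Session-Id value, since on a resumed session that is the only identifying header it will receive.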

Viewing HTTP Header Insertion Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select HTTP Header Insertion Policy from the object selector. The policy information appears on the page.

The following fields appear:

Fields
Description

Policy Name

Name of the policy.

Use Count

Number of proxy services using the policy.


Select a policy from the HTTP Header Insertion Policy table, then click the Policy tab to view the policy details or the Associated Proxy Services tab to view the proxy services associated with the policy.

Select a policy, then click Assign to Proxy Services to assign a policy to the proxy services.

Click Add to add a new HTTP Header Insertion policy. The Add HTTP Header Insertion Policy dialog box appears.

Select a policy, then click Edit to edit an HTTP Header Insertion policy. The Edit HTTP Header Insertion Policy dialog box appears.

Select a policy, then click Delete to delete the policy.

Fields
Description
Policy

Policy Name

The name of the policy.

General

Prefix

The prefix string added to every header the module inserts.

Client Certificate Insertion

Indicates whether the client certificate insertion is enabled.

Client Ip Port Insertion

Indicates whether the client IP Port insertion is enabled.

Session Header Insertion

Indicates whether the Session Header insertion is enabled.

Custom Headers

Header Name

Name of the user-defined header that the module inserts verbatim into the HTTP request.

Value

Value of the header.

Associated Proxy Services

Name

The name of the proxy service associated with the policy.

Type

The type of the proxy service.

Example: Server Proxy.

Virtual Server

The IP address of the virtual server.

Server

The IP address of the server.

Oper Status

The operational status of the service.

Status

The status of the proxy service.

Certificate

The status of the certificate associated with the proxy service.



Adding HTTP Header Insertion Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select HTTP Header Insertion Policy from the object selector. The policy information appears on the page.

Step 3 Click Add. The Add HTTP Header Insertion Policy dialog box appears:

Field
Description
Policy

Policy Name

Enter a name for your new policy.

Prefix

Enter a prefix to be used with the policy.

For example: cisco.com

Client Certificate Insertion

Select Enabled to enable the client certificate insertion.

Client IP Port Insertion

Select Enabled to enable the client IP port insertion.

Session Header Insertion

Select Enabled to enable Session Header Insertion.

Custom Headers

Header

Enter the name of a user-defined header. The module inserts custom headers verbatim into the HTTP request. You can configure up to 16 custom headers per HTTP header policy.

Value

Enter the value of the header, then click Add to add the custom header to the policy.


Step 4 Click OK to add the new policy.


Editing HTTP Header Insertion Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select HTTP Header Insertion Policy from the object selector. The policy information appears on the page.

Step 3 Click Edit. The Edit HTTP Header Insertion Policy dialog box appears:

Field
Description
Policy

Policy Name

Name of the policy.

Prefix

Modify the existing prefix or you can enter a new prefix.

Client Certificate Insertion

Select Enabled to enable the client certificate insertion.

Client IP port Insertion

Select Enabled to enable the client IP Port insertion.

Session Header Insertion

Select Enabled to enable the Session Header insertion.

Custom Headers

Header

Enter or modify the name of a user-defined header. The module inserts custom headers verbatim into the HTTP request. You can configure up to 16 custom headers per HTTP header policy.

Value

Enter or modify the value of the header.


Step 4 Click OK to apply the modifications.


Deleting HTTP Header Insertion Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select HTTP Header Insertion Policy from the object selector. The policy information appears on the page.

Step 3 Select a Policy from the list, then click Delete.


URL Rewrite Policy

The URL rewrite feature supports the rewriting of redirection links. The system scans only the Location: HTTP header field in the response from the server and rewrites it according to the configured rules. The URL rewrite feature does not rewrite links embedded in the response body.

The URL rewrite feature rewrites the protocol and the non-default port (default ports are port 80 for cleartext and port 443 for SSL).


Note You can configure up to 100 URL rewrite policies, each policy consisting of up to 32 rewrite rules per SSL proxy service, up to 200 characters per rule.


Follow these guidelines for URL rewrite:

An exact URL match takes precedence over a wildcard rule. A suffix wildcard rule takes precedence over a prefix wildcard rule.

For example, www.cisco.com takes precedence, then www.cisco.*, then *.cisco.com.

Enter only one suffix or prefix wildcard rule at one time. For example, do not enter www.cisco.* and www.cisco.c* in the same policy. Similarly, do not enter *w.cisco.com and *.cisco.com in the same policy.

Do not enter two exact URL match rules in the same policy. For example, do not enter www.cisco.com clearport 80 sslport 443 and www.cisco.com clearport 81 sslport 444 in the same policy. In this case, the second rule entered overwrites the first rule.

URL rewrite is performed for both offload and backend (HTTP-to-HTTPS, and HTTPS-to-HTTP). This includes port rewrites.
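The matching and rewriting behaviour described in this section, as an added example that is not part of this guide or of the SSL Services Module software: it implements the rule precedence (exact match, then suffix wildcard, then prefix wildcard), the overwrite of a duplicate exact rule, the default-port handling for both the offload and backend directions, and the restriction to the Location header. The class and function names are the example's own, and the sample policy and response are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

MAX_RULES_PER_POLICY = 32
PRECEDENCE = {"exact": 0, "suffix": 1, "prefix": 2}   # lower value wins


@dataclass(frozen=True)
class RewriteRule:
    host: str             # "www.cisco.com", "www.cisco.*" (suffix wildcard) or "*.cisco.com" (prefix wildcard)
    clearport: int = 80   # cleartext port; default 80
    sslport: int = 443    # SSL port; default 443

    def __post_init__(self):
        # The wildcard may appear at most once, and only as the first or last character.
        if self.host.count("*") > 1 or ("*" in self.host and self.kind() == "exact"):
            raise ValueError(f"bad host string {self.host!r}")

    def kind(self):
        if self.host.endswith("*"):
            return "suffix"
        if self.host.startswith("*"):
            return "prefix"
        return "exact"

    def matches(self, hostname):
        h, pat = hostname.lower(), self.host.lower()
        if self.kind() == "suffix":
            return h.startswith(pat[:-1])
        if self.kind() == "prefix":
            return h.endswith(pat[1:])
        return h == pat


class UrlRewritePolicy:
    def __init__(self, name):
        self.name = name
        self.rules = []

    def add_rule(self, rule):
        for i, existing in enumerate(self.rules):
            if existing.kind() == rule.kind() == "exact" and existing.host.lower() == rule.host.lower():
                self.rules[i] = rule   # a second exact rule for the same host overwrites the first
                return
            if existing.kind() == rule.kind() != "exact":
                raise ValueError(f"{self.name}: only one {rule.kind()} wildcard rule per policy")
        if len(self.rules) >= MAX_RULES_PER_POLICY:
            raise ValueError(f"{self.name}: at most {MAX_RULES_PER_POLICY} rules per policy")
        self.rules.append(rule)

    def select(self, hostname):
        """Exact match beats a suffix wildcard, which beats a prefix wildcard."""
        matching = [r for r in self.rules if r.matches(hostname)]
        return min(matching, key=lambda r: PRECEDENCE[r.kind()]) if matching else None


def rewrite_location(location, policy, direction):
    """Rewrite one Location value. direction is "offload" (HTTP to HTTPS) or "backend" (HTTPS to HTTP)."""
    parts = urlsplit(location)
    scheme = parts.scheme.lower()
    if parts.hostname is None or scheme not in ("http", "https"):
        return location
    rule = policy.select(parts.hostname)
    if rule is None:
        return location
    port = parts.port or (80 if scheme == "http" else 443)   # an absent port means the default
    if direction == "offload" and scheme == "http" and port == rule.clearport:
        scheme, port, default = "https", rule.sslport, 443
    elif direction == "backend" and scheme == "https" and port == rule.sslport:
        scheme, port, default = "http", rule.clearport, 80
    else:
        return location
    netloc = parts.hostname if port == default else f"{parts.hostname}:{port}"   # default ports are omitted
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def rewrite_response(raw_response, policy, direction):
    """Rewrite only the Location header of a raw HTTP response; links in the body are left alone."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "location":
            line = f"{name}: {rewrite_location(value.strip(), policy, direction)}"
        out.append(line)
    return "\r\n".join(out) + sep + body


# Constructed sample policy and response.
POLICY = UrlRewritePolicy("cisco-rewrite")
POLICY.add_rule(RewriteRule("www.cisco.com"))              # exact: 80 <-> 443
POLICY.add_rule(RewriteRule("www.cisco.*", 8080, 8443))    # suffix wildcard
POLICY.add_rule(RewriteRule("*.cisco.com", 81, 444))       # prefix wildcard
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://www.cisco.com/login\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="http://www.cisco.com/help">help</a>'   # body link: not rewritten
)

if __name__ == "__main__":
    print(rewrite_response(SAMPLE_RESPONSE, POLICY, "offload"))
```

Note that a redirect to shop.cisco.com without an explicit port is left alone by the prefix-wildcard rule above, because its cleartext port is 81 and the URL's implied port is 80; this is the same behaviour you get when the proxy service's clearport does not match the port the server redirects to.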

Viewing URL Rewrite Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select URL Rewrite Policy from the object selector. The policy information appears on the page.

The following fields appear:

Fields
Description

Policy Name

The name of the URL-Rewrite policy.

Number of Proxy Services (Use Count)

Number of proxy services using the URL Rewrite Policy.


Select a policy from the URL Rewrite Policy table, then click the Policy tab to view the policy details or the Associated Proxy Services tab to view the proxy services associated with the policy.

Select a policy, then click Assign to Proxy Services to assign a policy to the proxy services.

Click Add to add a URL Rewrite Policy. The Add URL Rewrite Policy dialog box appears.

Select a policy, then click Edit to edit a URL Rewrite Policy. The Edit URL Rewrite Policy dialog box appears.

Select a policy, then click Delete to delete the policy.

Following are the URL Rewrite Policy details:

Fields
Description
Policy

Policy Name

Name of the selected policy.

URL Host String

The host string of the URL.

HTTP Port

The HTTP port to be used for the traffic.

HTTPS Port

The HTTPS port to be used for the traffic.

Associated Proxy Services

Name

The name of the associated proxy service.

Type

The type of the proxy service.

For example: Server Proxy.

Client Side

The IP address of the virtual server.

Server

The IP address of the server.

Oper Status

The operational status of the server.

Certificate

Status of the certificate associated with the proxy service.



Adding URL Rewrite Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select URL Rewrite Policy from the object selector. The policy information appears on the page.

Step 3 Click Add. The Add URL Rewrite Policy dialog box appears.

Field
Action/Description

Policy Name

Enter a name for the policy.

URL Host String

The host string of the URL.

HTTP Port

The HTTP Port to be used for the traffic.

HTTPS Port

The HTTPS port to be used for the traffic.

URL Host String

Enter the URL host string for rewriting, then click Add to create the new URL Rewrite Rule.

HTTP Port

(Optional) Enter the clear port value.

The HTTP port specifies the port portion of the URL to be rewritten. If you do not enter a value, the default value is used.

HTTPS Port

(Optional) Enter the HTTPS port value.

The HTTPS port specifies the port portion of the URL that should be rewritten. If you do not enter a value, the default value is used.


You can enter a URL host string without ports, but you cannot add a clear port or an SSL port without entering a URL host string.


Note You can configure up to 32 rewrite rules per SSL proxy service, up to 240 characters per rule. Use the wildcard character (*) at most once per rewrite rule, as either a prefix or a suffix.


To remove a URL Rewrite Rule, select the rule from the table, then click Remove.

Step 4 Click OK to add the new policy.


Editing URL Rewrite Policy


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select URL Rewrite Policy from the object selector. The policy information appears on the page.

Step 3 Select a policy, then click Edit. The Edit URL Rewrite Policy dialog box appears.

The following fields appear:

Field
Action/Description

Policy Name

Enter a name for the policy.

URL Host String

The host string of the URL.

HTTP Port

The HTTP Port used for the traffic.

HTTPS Port

The HTTPS port used for the traffic.

URL Host String

Enter the URL for rewriting, then click Add to create the new URL Rewrite Rule.

HTTP Port

(Optional) Enter the clear port value.

The HTTP port specifies the port portion of the URL to be rewritten. If you do not enter a value, the default value is used.

HTTPS Port

(Optional) Enter the HTTPS port value.

The HTTPS port specifies the port portion of the URL that should be rewritten. If you do not enter a value, the default value is used.


You can enter a URL host string without ports, but you cannot add a clear port or an SSL port without entering a URL host string.


Note You can configure up to 32 rewrite rules per SSL proxy service, up to 240 characters per rule. Use the wildcard character (*) at most once per rewrite rule, as either a prefix or a suffix.


To remove a URL Rewrite Rule, select the rule from the table, then click Remove.

Step 4 Click OK to modify values.


Viewing URL Rules and Outcome

The URL Rules and Outcome dialog box helps you view the URL rules you have set and the outcome of the rules.

To view URL Rules and Outcome:


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select URL Rewrite Policy from the object selector. The policy information appears on the page.

Step 3 Select a policy from the table. The details appear on the URL Rewrite Policy Details pane. If the policy contains at least one rewrite rule, the View Rules and Outcome button is active.

Step 4 Click View Rules and Outcome. The Rules and Outcome dialog box appears.

To view rules and outcome for a client proxy, click the Rules and Outcome for Client Proxy tab. The following fields appear:

Field
Action/Description

URLs that Match

URL match criterion.

URL Rewrite

The new URL.


To view rules and outcome for a server proxy, click the Rules and Outcome for Server Proxy tab. The following fields appear:

Field
Action/Description

URLs that Match

URL match criterion.

URL Rewrite

The new URL.



Deleting URL Rewrite Policy

To delete a policy:


Step 1 Click Setup from the task bar.

Step 2 Click Policies from the left-most pane, then select URL Rewrite Policy from the object selector. The policy information appears on the page.

Step 3 Select a Policy from the list, then click Delete.




Posted: Fri Apr 15 04:00:48 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.