
Table Of Contents

Managing Proxy Services

Proxy Service Wizards

Basic Proxy Service Wizard

Advanced Proxy Service Wizard

Selecting Available NAT Pools

Selecting Available CA Pools

Viewing Proxy Services

Viewing Proxy Services Details

Editing Proxy Service Configuration

NAT Pools

Understanding NAT Pools

Viewing NAT Pools

Adding NAT Pools

Deleting NAT Pools

Assigning NAT Pools to Proxy Services

Selecting Available CA Pools

Selecting Available NAT Pools

Selecting Available Certificate Trustpoints

How Do I...

How Do I Setup a Proxy Service?

Troubleshooting Proxy Services


Managing Proxy Services


CVDM-SSLSM allows you to view, configure, and edit proxy services. The Proxy Service Wizards help you set up proxy services.

This chapter contains the following topics:

Proxy Service Wizards

Viewing Proxy Services

Viewing Proxy Services Details

Troubleshooting Proxy Services

NAT Pools

You can configure the virtual IP address and port associated with the proxy service, and the associated target server IP address and port. You can define TCP and SSL policies for both client (virtual) and server sides of the proxy.

You can configure SSL client proxy services to specify that the proxy service accepts clear text traffic, encrypts the traffic into SSL traffic, and forwards the traffic to the backend SSL server.

While you are required to configure a certificate for the SSL server proxy, you are not required to configure a certificate for SSL client proxy. If you configure the certificate for the SSL client proxy, that certificate is sent in response to the Certificate Request message that is sent by the server during the client authentication phase of the handshake protocol.

Proxy Service Wizards

CVDM-SSLSM supports the following proxy service wizards. You can use the Basic Proxy Service wizard to configure a proxy service and assign a certificate. The Advanced Proxy Service wizard helps you configure the proxy service, assign a certificate and policies, and configure peer certificate authentication.

Basic Proxy Service Wizard

Advanced Proxy Service Wizard

Figure 7-1 Proxy Service Wizards

Basic Proxy Service Wizard

The Basic Proxy Service wizard helps you set up a server proxy service or a client proxy/backend encryption service.

To launch the basic proxy service wizard:


Step 1 Click Setup in the task bar.

Step 2 Click Wizards in the left-most pane. The Wizards page appears.

Step 3 Click Proxy Services Wizard tab. The Proxy services wizard page appears.

Step 4 Select Basic Proxy Service Configuration, then click Launch the Selected Task. The Welcome page for the basic proxy service wizard appears.

Step 5 The Welcome page describes the steps to follow for creating a proxy service. Click Next to continue.


To create a proxy service:


Step 1 Define the proxy service name and type. For more information on defining the name and type, see Defining Proxy Service Name and Type.

Step 2 Configure the client side (virtual) parameters and server parameters. For more information on configuring the client side (virtual) parameters and the server parameters, see Configuring Client Side (Virtual) and Server Parameters.

Step 3 Assign certificate to proxy service (optional for client proxy service). For more information on assigning certificates to a proxy service, see Assigning Certificate to Proxy Services.


Defining Proxy Service Name and Type

This page of the basic proxy service setup wizard helps you define the name and type of the proxy service.

The following fields appear:

Field
Description

Proxy Service Name

Enter a name for your proxy service.

Admin Status

Select the admin status of the proxy service.

Values are:

Up

Down

Service Type

Server Proxy

Select this option if you want to create a server proxy service.

Server proxy service accepts clear text traffic, encrypts the traffic into SSL traffic, and forwards it to the backend SSL Server.

Client Proxy / Backend Encryption

Select this option if you want to create a client proxy service.

Client proxy service accepts SSL traffic, decrypts the traffic into clear text, and forwards it to the backend server or virtual server.



Click < Back to read the welcome page.

Click Next > to move to step 2 of the task.

Configuring Client Side (Virtual) and Server Parameters

This page of the basic proxy setup wizard helps you in configuring the client side parameters and server parameters. You can configure NAT and also enable SSL Version 2.0 connections to be forwarded to a server using this page.

The following fields appear:

Field
Description

Client Side (Virtual)

Virtual IP Address

Enter the virtual IP address.

Secondary

Select the checkbox if you want to use the IP address as a secondary IP address.

Virtual IP Mask

Select any one of the following netmasks:

0.0.0.0

255.0.0.0

255.255.0.0

255.255.255.0

Wildcard Virtual IP Address

Select the checkbox to configure a wildcard virtual IP address.

Port (1-65535)

Enter the number of the port to be used for proxy service traffic.

Server

Server IP Address

Enter the server IP address.

Port (1-65535)

Enter the number of the port to be used for the traffic.

NAT

Server NAT

Select the check-box if you want to use a Server NAT.

Client NAT

Select the check-box if you want to use a Client NAT.

Client NAT Pool

Select any of the following options:

Create and assign a new NAT Pool.

Select an existing NAT Pool.

Clear the NAT pool.

Forward SSL version 2.0 Connections

Select the check-box if you want to forward SSL version 2.0 connections to an SSLv2 server.

Server IP Address

The IP address of the server to be used for SSL version 2.0.

Port (1-65535)

The port to be used for the traffic.


Click < Back to move back to Step 1 of the basic setup wizard.

Click Next > to move to step 3 of the basic setup wizard.

Assigning Certificate to Proxy Services

This page of the Basic Proxy Service setup wizard helps you assign a certificate to the proxy service.

The following fields are displayed:

Field
Description

Certificate

Certificate Trustpoint

Select one of the following options:

Select an existing Trustpoint.

Clear the Trustpoint.

Status

Displays the status of the certificate.


Selecting Available Certificate Trustpoints

The available certificate Trustpoints dialog box provides information on the certificate Trustpoints available for the proxy services.

The following fields appear:

Field
Description

Trustpoint

The name of the Trustpoint.

Certificate Authority (CA)

The certification authority details of the certificate Trustpoint.

Subject

The subject of the certificate Trustpoint.


Select a Trustpoint, then click OK to select an existing certificate Trustpoint.

Viewing Proxy Service Setup Summary

From this window you can view a summary of the configured settings. You can review the configuration information.

Click < Back to move to the previous page of the wizard.

Click Finish to complete the setting up of proxy service.

Advanced Proxy Service Wizard

The Advanced Proxy Service wizard helps you set up a server proxy service or a client proxy/backend encryption service, and allows you to configure certificate authentication. The wizard also helps you set up policies for client (virtual) side and server connections.

To launch the advanced proxy service wizard:


Step 1 Click Setup in the task bar.

Step 2 Click Wizards in the left-most pane. The Wizards page appears.

Step 3 Click Proxy Services Wizard tab. The Proxy services wizard page appears.

Step 4 Select Advanced Proxy Service Configuration, then click Launch the Selected Task. The Welcome page of the basic proxy service wizard appears.

Step 5 The Welcome page describes the steps to follow for creating a proxy service. Click Next to continue.


To create a proxy service:


Step 1 Define Proxy Service Name and Type.

Step 2 Configure Client Side (Virtual) and Server Parameters.

Step 3 (Optional for client proxy service) Assign Certificate to Proxy Service.

Step 4 (Optional) Assign policies to proxy service.


Defining Proxy Service Name and Type

This page of the Advanced Proxy Service setup wizard helps you in defining proxy service name and type.

The following fields appear:

Field
Description

Proxy Service Name

Enter a name for your proxy service.

Admin Status

Select the admin status of the proxy service.

Values are:

Up

Down

Service Type

Server Proxy

Select this option if you want to create a server proxy service.

Server proxy service accepts clear text traffic, encrypts the traffic into SSL traffic, and forwards it to the backend SSL Server.

Client Proxy / Backend Encryption

Select this option if you want to create a client proxy service.

Client proxy service accepts SSL traffic, decrypts the traffic into clear text, and forwards it to the backend server or virtual server.



Configuring Client Side (Virtual) and Server Parameters

This page of the advanced proxy setup wizard helps you in configuring the client side parameters and server parameters. You can configure NAT using this page and also enable SSL Version 2.0 connections to be forwarded to a server.

The following fields appear:

Field
Description

Client Side (Virtual)

Virtual IP Address

Enter the virtual IP address.

Secondary

Select the check-box if you want to make the server secondary.

Virtual Netmask

Select any one of the following netmasks:

0.0.0.0

255.0.0.0

255.255.0.0

255.255.255.0

Wildcard Virtual IP Address

Select this checkbox to configure a wildcard virtual IP address.

Port (1-65535)

Enter the number of the port to be used for proxy service traffic.

Server

Server IP Address

Enter the server IP address.

Port (1-65535)

Enter the number of the port to be used for the traffic.

NAT

Server NAT

Select the checkbox if you want to use a server NAT.

Client NAT Pool

Click and select any of the following options:

Create and assign a new NAT Pool.

Select an existing NAT Pool.

Clear the NAT pool.


Click < Back to move back to Step 1 of the basic setup wizard.

Click Next > to move to step 3 of the basic setup wizard.

Assigning Certificate to Proxy Service

This page of the advanced proxy setup wizard helps you in assigning a certificate to the proxy service.

The following fields appear:

Field
Description

Certificate

Certificate Trustpoint

Click and select one of the following options:

Select an existing Trustpoint.

Clear the Trustpoint.

Status

Displays the status of the certificate.

Peer Certificate Authentication

Certificate Authentication

Enable or disable the certificate authentication.

Trusted CA Pool

The name of the trusted CA Pool.


Assigning Policies to Proxy Services

This page of the wizard helps you to assign policies to virtual and server proxy services.

The following fields appear:

Field
Description

Client Side (Virtual) TCP Policy

Select a client side TCP policy.

Client Side (Virtual) SSL Policy

Select a client side SSL policy.

Server TCP Policy

Select a server TCP policy.

Server SSL Policy

Select a server SSL policy.

URL Rewrite Policy

Select a URL rewrite policy.

HTTP Header Insertion Policy

Select an HTTP header insertion policy.


The dialog box helps you to:

Create and use a new policy.

Select an existing policy. You can select a policy from the list of existing policies.

Clear the policy.

Assigning TCP Policy to Proxy Services

This page of the wizard helps you to assign policies to virtual and server proxy services.

The following fields appear:

Field
Action/Description

Policy

The name of the TCP Policy.

Proxy Service Name

The name of the proxy service.

Client Side (Virtual)

The name of the client side server.

Selected Services

The list of selected services.

Side

Select one of the following:

Both-the policy is assigned to both server and client.

Client-the policy is assigned to client only.

Server-the policy is assigned to server only.


To assign a policy:


Step 1 Select a proxy service name from the table, then click Add>>. The proxy service name is added to the list of selected services.

Step 2 Select the side to which the policy has to be assigned.

Step 3 Click OK.


Viewing Advanced Proxy Service Setup Summary

The summary page of the Advanced Proxy Service setup wizard provides the details of the proxy service you have configured.

Click < Back to move to step 3 of the wizard.

Click Finish to complete the setting up of proxy service.

Selecting Available NAT Pools

The Available NAT Pools dialog box provides information on the NAT Pools configured on the SSLSM.

Select a NAT Pool from the list, then click OK to select a NAT Pool.

The following fields appear:

Field
Description

Name

Name of the NAT pool.

Start IP Address

The first IP address in the NAT pool.

End IP Address

The last IP address in the NAT pool.

Netmask

The Netmask used by the addresses in the NAT pool.


Selecting Available CA Pools

The Available CA Pools dialog box provides information on the CA Pools configured on the SSLSM.

Select a CA Pool from the list, then click OK to select a CA Pool.

The following fields appear:

Field
Description

Name

The name of the CA Pool.

Number of Trustpoints

The number of Trustpoints associated to each CA Pool.

Status

The status of the CA Pool.


Viewing Proxy Services

Figure 7-2 Proxy Services

To view proxy services:


Step 1 Click Setup from the task bar.

Step 2 Click Proxy Services. The proxy services page appears.

Step 3 Open Proxy Services Group Folder. Proxy services are grouped under two sub-group folders:

Server Proxy Services

Client Proxy Services

Step 4 Click any of the sub-group folders.

The following fields appear:

Field
Description

Proxy Services

Name

Name of the proxy service.

Type

The type of the proxy service.

Client Side

The IP address and port number of the client.

Server

The IP address and port number of the server.

Admin Status

The admin status of the service.

Oper Status

Indicates the operational status of the service.

An icon indicates that the service is administratively down.

An icon indicates that the service is operationally down.

An icon indicates that the service is up.

Certificate

Indicates the status of the certificate.

An icon indicates that the certificate is valid.

An icon indicates that the certificate is invalid.

An icon indicates that the certificate is valid for less than 10 days.

An icon indicates that the certificate is valid for less than 20 days.

An icon indicates that the certificate is valid for less than 30 days.

An icon indicates that the certificate chain is complete.

An icon indicates that the certificate chain is incomplete.


Select any proxy service from the table. The following information appears for the selected service:

Proxy Service Status Details

Field
Description

Proxy Service

Name of the proxy service.

General

Service Type

The type of the service provided by the proxy.

For example: Server Proxy

Client Side

The IP address and port number of the client.

Server

The IP address and port number of the server.

Operation Status

Indicates the operational status of the service.

Client NAT

Indicates whether the client NAT is enabled.

Server NAT

Indicates whether the server NAT is enabled.

Server/Client Certificate Authentication

Indicates whether the peer certificate authentication is enabled.

Certificate

Trustpoint

Name of the certificate Trustpoint associated with the proxy service.

Subject Name

The subject name of the associated certificate.

CA Name

The issuer name of the associated certificate.

Key Pair

The key pair name and key size, and whether the key pair is exportable.

Certificate Status

Indicates the validity of the certificate.

Certificate Chain

Indicates the status of the certificate chain.


Viewing Proxy Services Details

Figure 7-3 Proxy Service Details

To view the configured proxy services:


Step 1 Click Setup from the task bar.

Step 2 Click Proxy Services. The proxy services page appears.

Step 3 Open Proxy Services Group Folder. Proxy services are grouped under two sub-group folders:

Server Proxy

Client Proxy

Step 4 Open any of the sub-group folders, then click any object in the sub-group folder.

You can also view the details by clicking the proxy service hyperlink in the proxy service status details panel.

The following fields appear:

Field
Description

Configuration

Proxy Service Name

Name of the proxy service

Admin Status

The administrative status of the proxy service.

Service Type

The type of service handled by the proxy service.

Operation Status

The operation status of the proxy service.

Client Side (Virtual)

Virtual IP Address

The client side IP address of the proxy service.

Virtual IP Mask

The client side mask used by the proxy service.

Port

The TCP port used by the client side proxy service.

Server

IP Address

The server IP address used by the proxy service.

Port

The TCP port used by the server side proxy service.

NAT

Server NAT

Indicates whether the server NAT is enabled.

Client NAT

Indicates whether the client NAT is enabled.

Client NAT Pool

The client NAT Pool used by the proxy service.

SSLV2 Server

IP Address

The IP address of the SSLV2 server used by the service.

Port

The port used by the SSLv2 server.

Certificate

Certificate Trustpoint

The name of the certificate Trustpoint associated with the service.

Trusted CA Pool

The name of the trusted CA pool used by the service.

Server/Client Certificate Authentication

Indicates whether a peer certificate authentication is being used.

Policy

Client Side (Virtual) TCP Policy

The virtual TCP policy used by the service.

Client Side (Virtual) SSL Policy

The virtual SSL policy used by the service.

Server TCP Policy

The server TCP Policy used by the service.

URL Rewrite Policy

The URL rewrite policy used by the service.

HTTP Header Insertion Policy

The HTTP header insertion policy used by the service.


Click Certificate Details Tab to view the Certificate details.

Field
Description

Certificate Status

The status of the certificate used by the selected service.

Example: Valid until Tue Nov 02 04:22:11 GMT +05:30 2004

Trusted CA Certificates

CA Name

The name of the CA associated with the service.

Certificate Status

The status of the certificate.

Associated Trustpoint

Trustpoints associated with the certificate.


Click Certificate Chain Tab to view the Certificate chain.

Figure 7-4 Proxy Service - Certificate Chain

Field
Description

Status

The status of the certificate chain.

Example: Certificate chain is complete.

Certificate Details

Certificate

Displays the time until which the certificate is valid and the certificate.

Example: Valid until Tue Nov 02 04:22:11 GMT +05:30 2004

Associated Trustpoints

This field appears only if the certificate has an associated Trustpoint.


Click Policy Details Tab to view the policy details.

Field
Description

Policies

The list of applicable policies.

Client Side (Virtual) SSL policy

Client Side (Virtual) TCP policy

Server TCP Policy

URL Rewrite Policy

HTTP Header Insertion policy

Select any of the policies to view the details.

Policy Details

The content in the policy details area changes according to the policies you select.


Editing Proxy Service Configuration


Step 1 Click Setup from the task bar.

Step 2 Click Proxy Services. The proxy services page appears.

Step 3 Open Proxy Services Group Folder. Proxy services are grouped under two sub-group folders:

Server Proxy Services

Client Proxy Services

Step 4 Open any of the sub-group folders, then click any object in the sub-group folder. The proxy service details page appears.

Step 5 Click Edit....

The following information appears:

Field
Action/Description

Proxy Service Name

Name of the proxy service you are editing.

Admin Status

Select the admin status for the service.

Client Side (Virtual)

Virtual IP Address

Enter the virtual IP address for the service.

Secondary

Select the checkbox if you need to make the virtual IP address a secondary IP address.

Secondary is required if the IP address is not on a directly connected network.

Virtual IP Mask

Select wildcard virtual IP address option to make this field active.

Select the IP mask from the drop-down list.

Wildcard Virtual IP Address

Select this option to use wildcard IP address.

Port (1-65535)

Enter the port number to be used by the service.

Server

IP Address

Enter the server IP address.

Port (1-65535)

Enter the port number used by the server.

SSLV2 Server

IP Address

Enter the IP address of the SSLV2 server.

Port (1-65535)

Enter the port number to be used by the server.

NAT

Server NAT

Select this option to use a server NAT.

Client NAT

Select this option to use a client NAT.

Client NAT Pool

Select one of the following:

Create and use a new NAT Pool

Select an existing NAT Pool

Clear the NAT Pool


To edit the certificate details of the service, click Certificate tab. The following fields appear:

Field
Action/Description

Certificate Trustpoint

Select any of the following options:

Select an existing Trustpoint

Clear the Trustpoint

Trusted CA Pool

Select any of the following options:

Create and use a new CA Pool

Select an existing CA Pool

Clear the CA Pool

Client/Server Certificate Authentication

Select any of the following options:

Disabled

Verify Signature, Check CRL and Certificate ACL

Verify Signature Only


To edit the policy details of the service, click Policy tab. The following fields appear:

Field
Action/Description

Client Side (Virtual) TCP Policy

Select any of the following:

Create and use a new TCP Policy

Select an existing TCP Policy

Clear TCP Policy

Client Side (Virtual) SSL Policy

Select any of the following:

Create and use a new SSL Policy

Select an existing SSL Policy

Clear SSL Policy

Server TCP Policy

Select any of the following:

Create and use a new TCP Policy

Select an existing TCP Policy

Clear TCP Policy

Server SSL Policy

Select any of the following:

Create and use a new SSL Policy

Select an existing SSL Policy

Clear SSL Policy

URL Rewrite Policy

Select any of the following:

Create and use a new URL Rewrite Policy

Select an existing URL Rewrite Policy

Clear URL Rewrite Policy

HTTP Header Insertion Policy

Select any of the following:

Create and use a new HTTP Header Insertion Policy

Select an existing HTTP Header Insertion Policy

Clear HTTP Header Insertion Policy


NAT Pools

CVDM-SSLSM allows you to create Network Address Translation (NAT) pools.

Figure 7-5 NAT Pools

This section describes the following topics:

Viewing NAT Pools

Adding NAT Pools

Deleting NAT Pools

Assigning NAT Pools to Proxy Services

Understanding NAT Pools

Client connections originate from the client and are terminated on the SSL Services Module. Server connections originate from the SSL Services Module.

You can configure client NAT, server NAT, or both, on the server connection.

Server NAT

If you configure server NAT, the server IP address is used as the destination IP address for the server connection. If the server NAT is not configured, the destination IP address for the server connection is the same as the virtual IP address for which SSL Services Module is a proxy.

Client NAT

If you configure client NAT, the server connection source IP address and port are derived from a NAT pool. If client NAT is not configured, the server connection source IP address and port are derived from the source IP address and source port of the client connection.

Allocate enough IP addresses to satisfy the total number of connections supported by the SSL Services Module (256,000 connections). Assuming you have 32,000 ports per IP address, configure 8 IP addresses in the NAT pool. If you try to configure fewer IP addresses than required by the total connections supported by the SSL Services Module, the command is rejected.
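The sizing rule above can be checked before a pool is entered in the Add New NAT Pool dialog. The following is an added example, not Cisco code: the function names are hypothetical, the sample addresses are constructed, and excluding the subnet's network and broadcast addresses from the count is an assumption of this example rather than documented module behavior.

```python
import ipaddress
import math

# Figures stated in the NAT pool text above.
MAX_CONNECTIONS = 256_000   # connections supported by the SSL Services Module
PORTS_PER_IP = 32_000       # ports assumed available per NAT pool address


def required_addresses(connections=MAX_CONNECTIONS, ports_per_ip=PORTS_PER_IP):
    """Smallest number of pool addresses that can source `connections`."""
    if connections <= 0 or ports_per_ip <= 0:
        raise ValueError("connections and ports_per_ip must be positive")
    return math.ceil(connections / ports_per_ip)


def check_nat_pool(start_ip, end_ip, netmask,
                   connections=MAX_CONNECTIONS, ports_per_ip=PORTS_PER_IP):
    """Validate a pool given as Start IP Address, End IP Address and Netmask.

    Returns a dict with the usable address count, the required count and a
    list of problems (empty when the pool passes every check).
    """
    required = required_addresses(connections, ports_per_ip)
    result = {"usable": 0, "required": required, "problems": []}
    try:
        start = ipaddress.IPv4Address(start_ip)
        end = ipaddress.IPv4Address(end_ip)
        # strict=False: the start address is a host address, not the subnet base.
        subnet = ipaddress.IPv4Network(f"{start_ip}/{netmask}", strict=False)
    except ValueError as exc:
        result["problems"].append(f"invalid address or netmask: {exc}")
        return result

    if end < start:
        result["problems"].append("end address is lower than start address")
        return result
    if end not in subnet:
        result["problems"].append(f"{end} is outside the start address subnet {subnet}")
        return result

    usable = int(end) - int(start) + 1
    # Assumption of this example: network and broadcast addresses cannot be
    # used as connection sources, so they do not count toward the pool size.
    if subnet.prefixlen < 31:
        for reserved in (subnet.network_address, subnet.broadcast_address):
            if start <= reserved <= end:
                usable -= 1
                result["problems"].append(
                    f"{reserved} is the network or broadcast address of {subnet}")
    result["usable"] = usable

    if usable < required:
        result["problems"].append(
            f"pool has {usable} usable addresses but {required} are needed for "
            f"{connections} connections at {ports_per_ip} ports per address")
    return result


if __name__ == "__main__":
    # Constructed sample pools: (start, end, netmask).
    samples = [
        ("10.1.1.10", "10.1.1.17", "255.255.255.0"),   # exactly 8 addresses
        ("10.1.1.10", "10.1.1.13", "255.255.255.0"),   # too small
        ("10.1.1.250", "10.1.2.5", "255.255.255.0"),   # crosses the subnet
        ("10.1.1.0", "10.1.1.7", "255.255.255.0"),     # includes network address
    ]
    for start, end, mask in samples:
        report = check_nat_pool(start, end, mask)
        verdict = "OK" if not report["problems"] else "; ".join(report["problems"])
        print(f"{start}-{end} {mask}: {verdict}")
```
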

Viewing NAT Pools


Step 1 Click Setup in the task bar.

Step 2 Click Proxy Services in the left-most pane. The Proxy Services page appears.

Step 3 Click NAT Pools in the object selector.

The following information appears:

Field
Description

Name

The Name of the NAT Pool.

Start IP Address

The first IP address used by the NAT Pool.

End IP Address

The last IP address used by the NAT Pool.

Netmask

The netmask used for the NAT pool.

For example: 255.255.0.0

Use Count

Number of proxy services using the NAT pool.


Select a NAT Pool, then click Assign to Proxy Services to assign a NAT Pool to a proxy service.

Click Add... to add a new NAT Pool.

Select a NAT Pool, then click Delete to delete a NAT Pool.

Step 4 Select any NAT Pool from the table to display the configuration details.

Field
Description

General

Start IP Address

The first IP address in the NAT pool.

End IP Address

The last IP address in the NAT pool.

Netmask

The netmask used for the NAT pool.

For example: 255.255.255.0

Associated VLAN

The VLAN associated with the NAT pool.

Use Count

The number of proxy services associated with the NAT Pool.

Associated Proxy Services

Name

The name of the associated proxy service.

Client Side

The IP address of the virtual server.

Server

The IP address of the server.



Adding NAT Pools


Step 1 Click Setup in the task bar.

Step 2 Click Proxy Services in the left-most pane. The Proxy Services page appears.

Step 3 Click NAT Pools in the object selector.

Step 4 Click Add.... The Add New NAT Pool dialog box appears.

Field
Description

NAT Pool Name

Enter a name for your new NAT Pool.

Start IP Address

Enter the first IP address to be used for the NAT Pool.

End IP Address

Enter the last IP address to be used for the NAT Pool.

Net Mask

The IP mask to be used by the NAT Pool.


Alternatively, you can add NAT Pools using the Wizards.


Deleting NAT Pools


Step 1 Click Setup in the task bar.

Step 2 Click Proxy Services in the left-most pane. The Proxy Services page appears.

Step 3 Click NAT Pools in the object selector.

Step 4 Select a NAT pool from the list, then click Delete.


Assigning NAT Pools to Proxy Services


Step 1 Click Setup in the task bar.

Step 2 Click Proxy Services in the left-most pane. The Proxy Services page appears.

Step 3 Click NAT Pools in the object selector.

Step 4 Select a NAT pool from the list, then click Assign to Proxy Services. The Assign NAT Pool to Proxy Services dialog box appears.

Field
Description

Pool Name

The name of the NAT Pool you have selected.

Proxy Service Name

The name of the proxy service. You can select any one of the services from the list.

Client Side (Virtual)

Virtual server associated with the proxy service.

Selected Proxy Services

The list of services to which you want to assign the NAT Pool.


Step 5 Select a Proxy Service Name, then click Add >> to add the policy to the selected service.

You can remove a proxy service from the list. Select a service from the list, then click << Remove.

You can clear all the services selected for assigning to a policy. Select a service from the list, then click Clear All.

Step 6 Click OK to assign NAT pool to the selected proxy services.


Selecting Available CA Pools

The following information appears:

Field
Action/Description

Name

Name of the CA Pool.

Number of Trustpoints

Number of Trustpoints associated with the CA Pool.

Status

Indicates the status of the CA Pool.


Select a CA Pool from the table, then click OK.

Selecting Available NAT Pools

The following information appears:

Field
Action/Description

Pool Name

Name of the NAT pool.

Start IP Address

The start IP address of the pool.

End IP Address

The end IP address of the pool.

Netmask

The netmask and port used by the selected NAT pool.


Select a NAT Pool from the table, then click OK.

Selecting Available Certificate Trustpoints

The following information appears:

Field
Action/Description

Trustpoint

The name of the Trustpoint.

Certificate Authority (CA)

The certificate authority details in the certificate.

Subject

The subject in the certificate.


Select a Certificate Trustpoint from the table, then click OK.

How Do I...

This section describes how to accomplish a task. The following question is answered:

How Do I Setup a Proxy Service?

How Do I Setup a Proxy Service?

You can use Proxy Service Setup Wizards to create a proxy service.

The Basic Proxy Service wizard helps you set up a server proxy service or a client proxy/backend encryption service.


Step 1 Click Setup in the task bar.

Step 2 Click Wizards in the left-most pane. The Wizards page appears.

Step 3 Click Proxy Services Wizard tab. The Proxy services wizard page appears.

Step 4 Select Basic Proxy Service Configuration, then click Launch the Selected Task. The Welcome page for the basic proxy service wizard appears. The Welcome page describes the steps to follow to complete the task.

Step 5 Click Next to continue.

Step 6 Define the proxy service name and type. For more information on defining the name and type, see Defining Proxy Service Name and Type.

Step 7 Click Next to continue.

Step 8 Configure the client side (virtual) parameters and server parameters. For more information on configuring the client side (virtual) parameters and the server parameters, see Configuring Client Side (Virtual) and Server Parameters.

Step 9 Click Next to Continue.

Step 10 Assign certificate to proxy service (optional for client proxy service). For more information on assigning certificates to a proxy service, see Assigning Certificate to Proxy Services.


Troubleshooting Proxy Services

This section describes the proxy service operation statuses and their possible causes.

Proxy Service Operation Status
Possible Cause/Action

No cert

The certificate Trustpoint associated with the proxy service does not have a valid certificate or the certificate chain is incomplete.

You must make sure that the Trustpoint has a valid certificate and that the certificate chain is complete.

No Virtual IP

Virtual IP address has not been configured for the proxy service.

No Server IP

Server IP address has not been configured for the proxy service.

Cert not configured

No certificate has been configured for the proxy service. You must assign a certificate for server proxy service. For client proxy service a certificate is optional.

No CA pool

If you have enabled peer certificate authentication to verify all (signature, CRL check and ACL check), you must configure a CA pool with valid CA certificates for the proxy service.

No connectivity

No Client VLAN

If the virtual IP address (VIP) is not secondary, you must configure a VLAN for the client side network.

If you configure the VIP as secondary, it does not have to be in the VLAN (subnet) connected to the SSL Services Module.

No Server VLAN

If the server is in a network that is directly connected to SSL Services Module, you must configure a VLAN for the server side network.

If the server is not in a directly connected network, you must configure a route to the server.

No SSLv2 Server VLAN

If you have enabled forwarding of SSLv2 connections to a server and if the SSLv2 server is in a directly connected network, you must configure a VLAN for the server side network.

If the SSLv2 server is not in a directly connected network, you must configure a route to the SSLv2 server.

No Server/Next Hop MAC

The server or the next hop (gateway) to the server is not responding to ARP.

No SSLv2 Server/Next Hop MAC

The SSLv2 server or the next hop (gateway) to the SSLv2 server is not responding to ARP.




Posted: Fri Apr 15 04:03:19 PDT 2005
All contents are Copyright © 1992--2005 Cisco Systems, Inc. All rights reserved.