SSL Optimization overview
The SSL Optimization feature is an enabler: it makes it possible to apply any SD-WAN optimization service (mainly Compression) to SSL-encrypted flows.
Deployment
SSL Optimization can apply wherever Compression-capable appliances are deployed on the path of the flows, on both sides of the WAN (branch side and datacenter side).
Applications
SSL Optimization applies to any application over SSL. This includes (but is not limited to):
• 443 HTTPS (HTTP over SSL),
• 636 LDAPS (LDAP over SSL),
• 992 TelnetS (Telnet over SSL),
• 993 IMAPS (IMAP over SSL),
• 994 IRCS (IRC over SSL),
• 995 POP3S (POP3 over SSL),
• 5061 SIPS (SIP over SSL).
SSL Optimization does not apply to applications that do not run over SSL, such as anything carried over IPsec, encrypted MAPI, encrypted SMBv2, or SSH.
Principles
The datacenter-side Appliance acts as an SSL proxy and intercepts the SSL handshake between the client and the server.

The SSL proxy re-signs server certificates on the fly, using a proxy CA certificate that is provided by the end-user company IT. Therefore, the certificate presented to the client application (e.g. an HTTPS browser) is not the original certificate, but a clone of it, issued by the SSL proxy and signed with the proxy CA certificate.

Once the security parameters are negotiated on both sides of the proxy connection (client-to-proxy and proxy-to-server), the session keys are sent over a secure encrypted tunnel to the branch-side Appliance.

Then both Appliances can decrypt and re-encrypt the flows, hence enabling any optimization service to work on the decrypted traffic.
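
The re-signing step described under Principles, as an added Go example that is not the product's own code: it builds a constructed lab PKI, clones a server certificate under the proxy CA, and checks which CA the clone chains to. The function names, the CA names, the host name app.example.test and the set of cloned fields (subject, SANs, validity) are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue certifies a fresh Ed25519 key using template t, signed by parent/pk (self-signed if parent is nil).
func issue(t, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Resign (hypothetical name) clones subject, SANs and validity of orig (assumed field set) under the proxy CA.
func Resign(orig, proxyCA *x509.Certificate, proxyKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	return issue(&x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: orig.Subject,
		DNSNames: orig.DNSNames, NotBefore: orig.NotBefore, NotAfter: orig.NotAfter}, proxyCA, proxyKey)
}

func tmpl(cn string, ca bool, sans ...string) *x509.Certificate { // constructed, short-lived template
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		IsCA: ca, BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
}

func main() { // constructed lab PKI; every name below is made up for the example
	originCA, originKey := issue(tmpl("Constructed Origin CA", true), nil, nil)
	proxyCA, proxyKey := issue(tmpl("Constructed Proxy CA", true), nil, nil)
	orig, _ := issue(tmpl("app.example.test", false, "app.example.test"), originCA, originKey)
	clone, _ := Resign(orig, proxyCA, proxyKey)
	fmt.Println(clone.Issuer.CommonName, clone.CheckSignatureFrom(proxyCA) == nil, clone.CheckSignatureFrom(originCA) == nil)
}
```

Running it prints `Constructed Proxy CA true false`: the clone keeps the server's name but chains only to the proxy CA, so a client validates it only if the proxy CA certificate is in its trust store.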
