When the SSL Visibility (SSLV) is performing SSL offload to a proxy, does the proxy also have to be intercepting / decrypting traffic?
When initially setting up SSL offload between the SSLV and a proxy, there is no requirement to configure SSL interception policy on the proxy; offloading of SSL will still occur. However, there are considerations. If the SSLV experiences a failure and fails to appliance, the proxy will then receive encrypted SSL packets, so for redundancy you may want to have SSL interception configured on the proxy. How this should behave is entirely up to the organization.
NOTE: In a scenario where the SSLV fails to appliance and the proxy is set up with SSL interception for redundancy purposes, be sure that the proxy has enough resources to support the additional decryption it will now be doing.
Generally speaking, the suggestion is to set up SSL interception on the proxy in an offloading scenario when the proxy is fully capable of supporting the entire load of the SSLV in addition to what the proxy device was already doing. If the proxy cannot support that entire load and a failure occurs on the SSLV, you run the risk of completely overrunning your proxy. In those cases you may want to consider a fail to network segment instead of fail to appliance.