Secure ADN and why you need it.


Article ID: 166870


Products

ProxySG Software - SGOS

Issue/Introduction

 

When using ADN on the ProxySG, why do HTTPS / TCP Tunnel and other protocols not show the ADN icon in the "Active Sessions" when HTTP and others do?

The following is a simple deployment where a single PC passes through two ProxySGs to the Internet.

Note : In this transparent deployment, where the route between the "client" and the "end device" always goes through the Edge and Core, an ADN Manager is NOT required.

ProxyEdge :

  • ADN Enabled
  • HTTP Service (Transparent) Enabled with ADN
  • HTTPS Service (Transparent) Enabled with ADN (we swap between SSL / TCP Tunnel for testing)

Core Edge.

  • ADN Enabled
  • No Services Enabled.

 

Test 1 : Using the above configuration, we now access the test URL. In the "Active Sessions" table we can see ADN Tunneled HTTP requests, but the HTTPS/SSL is not ADN Tunneled.

HTTP Service : SSL

 

Test 2 : Change the HTTPS service from SSL to TCP Tunnel with "Protocol Detect" enabled. "Protocol Detect" is required so the ProxySG can examine the TCP connection to determine its true request (HTTPS).

Again we don't see any HTTPS ADN Tunneling.

HTTP Service : TCP Tunnel
Protocol Detect : Enabled.

 

Test 3 : For the next test we disable "Protocol Detect" in the TCP Tunnel service for HTTPS.

Now we see different behavior: because we don't know what the true content is, we perform ADN Tunneling.

HTTP Service : TCP Tunnel
Protocol Detect : Disabled.

 

Before we do any more testing, we are going to make a simple ADN change. In the ADN General section we select an "SSL Device Profile". If we then look at the Connection Security, we see Secure ADN is now enabled.

Notes : The following conditions MUST be met.

  • This has to be enabled on all devices (edge and core).
  • A VALID SSL License is required on both devices.
     

 

 

 

So back to the testing.

Test 4, 5, 6 : Now that we have Secure ADN enabled, we can repeat "Test 1", "Test 2" and "Test 3" to verify that we now have ADN Tunneling for Secure Connections.

HTTP Service : SSL

 

HTTP Service : TCP Tunnel
Protocol Detect : Enabled.

 

HTTP Service : TCP Tunnel
Protocol Detect : Disabled.

 

 

If we examine the Core ProxySG under the "ADN Inbound Connections" in the "Active Sessions" section we can see the connections from the Edge.

 

Secure ADN is required in all deployments where HTTPS needs to be Tunneled.

To benefit from full optimization (object caching), "SSL Interception" is required.

 
