How to Configure Security Policies to Allow SSL Offloading
In an SSL offloading scenario, the firewall terminates the HTTPS session between the client and the server and forwards the request to the server as plain HTTP. The firewall acts as an SSL proxy and performs the SSL encryption and decryption itself, which removes that load from the server. Note that the segment between the firewall and the real server then carries plaintext HTTP, so the real servers should be reachable only through the firewall.
As in the Layer 7 load balancing scenario, the firewall establishes two sessions for each client access request. The difference is that, for SSL offloading, a security policy must be configured for both sessions: the session in which the client accesses the virtual server and the session in which the client accesses the real server.
- Session for the client to access the virtual server: the destination security zone is the zone where the real server resides, and the destination IP address is the IP address of the virtual server.
- Session for the client to access the real server: the destination security zone is the zone where the real server resides, the destination IP address is the IP address of the real server, and the source security zone is either Local or the zone where the client resides, depending on the software version:
  - In USG6000E V600R007, USG6000/USG9500 V500R005C20, and later versions, the source security zone must be the zone where the client resides (Untrust in the example below).
  - In versions earlier than USG6000E V600R007 and USG6000/USG9500 V500R005C20, the source security zone must be Local.
| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action |
|---|---|---|---|---|---|---|---|
| 101 | Allow L7 SLB left session | Untrust | DMZ | any | 203.0.113.1/32 | ssl | permit |
| 102 | Allow L7 SLB right session | Untrust¹ | DMZ | any | 10.10.1.1-10.10.1.3 | http | permit |
| 103 | Allow health check | Local | DMZ | 10.1.1.1/32 | 10.10.1.1-10.10.1.3 | ICMP² | permit |

1. USG6000E V600R007 is used as an example, so the source security zone is the zone where the client resides (Untrust). On versions earlier than USG6000E V600R007 and USG6000/USG9500 V500R005C20, set it to Local instead.
2. To prevent services from being distributed to servers that cannot work properly, enable service health check and configure a security policy that permits the detection packets. Because the firewall itself sends the probes, the source security zone is Local. ICMP is used as an example. For details, see How to Configure Security Policies to Allow Service Health Check.
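The three rules in the table, written out as USG6000-series security policy CLI. This is an added example, not configuration taken from the original page: it assumes the zone names `untrust` and `dmz`, uses the address and service names from the table as given, and targets USG6000E V600R007 or later (on earlier versions, change `source-zone untrust` in the second rule to `source-zone local`). The `security-policy` / `rule name` syntax is the generic form used across the USG6000 series; check it against the command reference for your version before pasting it.

```text
security-policy
 rule name Allow_L7_SLB_left_session
  source-zone untrust
  destination-zone dmz
  destination-address 203.0.113.1 mask 255.255.255.255
  service ssl
  action permit
 rule name Allow_L7_SLB_right_session
  source-zone untrust
  destination-zone dmz
  destination-address range 10.10.1.1 10.10.1.3
  service http
  action permit
 rule name Allow_health_check
  source-zone local
  destination-zone dmz
  source-address 10.1.1.1 mask 255.255.255.255
  destination-address range 10.10.1.1 10.10.1.3
  service icmp
  action permit
```

The left-session rule is deliberately limited to the `ssl` service and the single virtual server address, and the right-session rule to `http` and the real server range: neither rule should be widened to `any`, because the client-to-real-server session is the plaintext leg of the path. After committing, `display security-policy rule all` shows the configured rules; if client connections succeed on the virtual server but the real servers never see requests, the first thing to check is the source zone of the right-session rule against the version table above.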