SSL Offload

## SSL offloading on UAG

Offloading SSL to an external LoadBalancer is usually a good practice: it improves the performance of the DS and UAG servers by sparing them the extra work of encrypting traffic. You also need to change the public certificate in only one place instead of replacing it on each server.

Note: all of the above applies if you have a lot of devices registered in WS1 (more than 2000). For smaller deployments you can usually stay with a much simpler deployment without load balancers.

In case of SSL offloading you should use one of the following scenarios:

  1. Traffic isn’t encrypted after termination on LoadBalancer
    SSL termination without reencryption

This can be used for traffic to the Device Services endpoint only. Even if you select the SSL offload check box during DS installation, the AWCM endpoint will still use encryption with a self-generated certificate for traffic on port 2001. In this case you need to ensure that the LoadBalancer trusts this certificate (or ignores SSL errors).

❗️All your internal connections to AWCM must go through the LoadBalancer endpoint for trust to work properly.
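
The trust requirement for the AWCM certificate, as an added example that is not part of the original page: HAProxy is assumed as the LoadBalancer, and the server address, file paths and the listener port on the LoadBalancer are constructed. It shows the "ignore SSL errors" setting next to one that trusts only the exported AWCM self-generated certificate.

```haproxy
# Added example. HAProxy is an assumed LoadBalancer; names, addresses and
# paths below are constructed placeholders, not values from the product.
global
    # Verify backend certificates unless a server line explicitly opts out.
    ssl-server-verify required

defaults
    mode http
    # Placeholder timeouts; tune for your environment.
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# The public certificate is installed once, here, instead of on every server.
frontend fe_awcm
    # Listener port on the LoadBalancer is an assumption.
    bind :2001 ssl crt /etc/haproxy/certs/public.pem
    default_backend be_awcm

backend be_awcm
    # Weak: "ignores SSL errors". Any certificate is accepted, so a host
    # impersonating AWCM on the internal network would not be detected.
    # server awcm1 10.0.0.21:2001 ssl verify none

    # Corrected: re-encrypt to AWCM on port 2001 and accept only the
    # self-generated certificate, exported from the AWCM server in PEM form
    # and used as the sole trust anchor.
    server awcm1 10.0.0.21:2001 ssl verify required ca-file /etc/haproxy/trust/awcm-self-signed.pem
```

If the AWCM certificate is regenerated, the pinned PEM file has to be replaced, otherwise the LoadBalancer will mark the server as failed.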

  2. Traffic is reencrypted after termination on LoadBalancer with local cert
    SSL termination without reencryption

Despite the availability of the SSL offload check box in the SEG and Content setup in the WS1 Console, the UAG server can work only with encrypted HTTP traffic.

SEG:
The UAG does not support any non-encrypted protocols. Therefore, SEG only supports SSL re-encryption (SSL bridging) or SSL pass-through.

Content:
HTTP traffic is not allowed for Content Gateway on port 80 on Unified Access Gateway because TCP port 80 is used by the edge Service Manager.