Ok, now we have our certs installed on Radware appliance and it’s time to do something with them…
Before we go ahead and create the SSL tunnels that clients are about to use, we should first discuss the traffic flow through the Radware box a little. For starters, let's look at a typical scenario depicted in this blueprint.
As you can see there is some usual stuff: a border router connecting the firewall and the Internet. The firewall is connected to the corp network via one interface (inside) and to the DMZ segment where the Radware resides (DMZ interface). The Radware is connected to the firewall via its Lan2 interface, and this is the interface where all Internet connections terminate. The other Radware interface, Lan1, is connected to the corp network and is used for management purposes.
Here is what happens when an e-commerce client wants to do some business:
- The client connects to one of the Radware's IP addresses. If we are using one IP address for publishing more than one internal server, then we must use a different TCP port for each server or application. If everything is set up correctly, an SSL tunnel is built between the client and the Radware. This tunnel protects e-commerce transactions while they traverse the Internet. The tunnel termination interface is Lan2.
- This is important: the Radware does NOT use Lan1 to pass decrypted traffic to the internal server. This may not be what you expected. Instead, the Radware initiates another session from the Lan2 interface, through the firewall, to the internal resource. In order for this to happen, several things must be taken into account:
  - a static route for the internal server must exist on the Radware that points toward the firewall's DMZ interface
  - firewall rules must be in place that allow communication from the Internet to the selected addresses and ports of the Radware
  - the firewall must permit communication from the Radware's Lan2 interface to the selected internal hosts and ports
  - the Radware must have the appropriate tunnels set up, mapping external IP addresses and ports to internal IP addresses and ports
This is how it works. It will be clearer after a couple of examples.
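Because the second leg is opened from Lan2 through the firewall, a published service needs four things to line up at once (inbound firewall rule, static route toward the DMZ interface, outbound firewall rule from Lan2, and the tunnel mapping itself). The following is an added example, not Radware's tooling or the post's own configuration: a small pre-flight checker that models those prerequisites and reports which one is missing for each tunnel. All addresses, rules and tunnel mappings in it are constructed for illustration.

```python
"""Pre-flight checker for the two-leg Radware publishing flow.

Added example (not Radware's own tooling).  Models the Internet -> Lan2 tunnel
leg and the Lan2 -> internal server leg through the firewall, and reports which
prerequisite is missing for each tunnel mapping.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network in CIDR form
    next_hop: str    # gateway address


@dataclass(frozen=True)
class FwRule:
    src: str         # source network (CIDR)
    dst: str         # destination network (CIDR)
    dport: int       # destination TCP port
    action: str      # "permit" or "deny"


@dataclass(frozen=True)
class Tunnel:
    ext_ip: str      # address the client connects to on Lan2
    ext_port: int
    int_ip: str      # internal server behind the firewall
    int_port: int


# Constructed addresses (assumptions, not taken from the post).
FW_DMZ_IF = "10.1.1.1"      # firewall's DMZ interface: next hop for internal networks
RADWARE_LAN2 = "10.1.1.10"  # source address of the second session toward the internal server

ROUTES = [Route("192.168.10.0/24", FW_DMZ_IF)]  # deliberately no route covering 172.16.0.0/12

FW_RULES = [
    FwRule("0.0.0.0/0", "203.0.113.10/32", 443, "permit"),      # Internet -> Radware :443
    FwRule("0.0.0.0/0", "203.0.113.10/32", 8443, "permit"),     # Internet -> Radware :8443
    FwRule("10.1.1.10/32", "192.168.10.20/32", 443, "permit"),  # Lan2 -> web server
    # Nothing permits Lan2 -> 192.168.10.30:8080, and nothing at all mentions 172.16.5.5.
]

TUNNELS = [
    Tunnel("203.0.113.10", 443, "192.168.10.20", 443),    # complete setup
    Tunnel("203.0.113.10", 8443, "192.168.10.30", 8080),  # inside-leg firewall rule missing
    Tunnel("203.0.113.10", 9443, "172.16.5.5", 443),      # route, inbound and inside rules missing
]


def route_lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or None if no route covers dst."""
    addr = ip_address(dst)
    best = None
    for r in routes:
        net = ip_network(r.prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best.next_hop if best else None


def fw_allows(rules, src, dst, dport):
    """First matching rule decides; implicit deny when nothing matches."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport == dport:
            return r.action == "permit"
    return False


def check_tunnel(t, routes, rules, client_ip="198.51.100.7",
                 lan2_ip=RADWARE_LAN2, fw_dmz_ip=FW_DMZ_IF):
    """Return the list of missing prerequisites for one tunnel (empty list = flow works)."""
    problems = []
    # Leg 1: the firewall must let the Internet client reach the published IP:port on Lan2.
    if not fw_allows(rules, client_ip, t.ext_ip, t.ext_port):
        problems.append(f"firewall blocks Internet -> {t.ext_ip}:{t.ext_port}")
    # Leg 2a: the Radware needs a static route for the server via the firewall's DMZ interface.
    nh = route_lookup(routes, t.int_ip)
    if nh != fw_dmz_ip:
        problems.append(f"no static route for {t.int_ip} via DMZ interface {fw_dmz_ip} (got {nh})")
    # Leg 2b: the firewall must permit the session the Radware opens from Lan2.
    if not fw_allows(rules, lan2_ip, t.int_ip, t.int_port):
        problems.append(f"firewall blocks Lan2 {lan2_ip} -> {t.int_ip}:{t.int_port}")
    return problems


def audit(tunnels=TUNNELS, routes=ROUTES, rules=FW_RULES):
    """Map each tunnel ('ext:port -> int:port') to its list of problems."""
    return {f"{t.ext_ip}:{t.ext_port} -> {t.int_ip}:{t.int_port}": check_tunnel(t, routes, rules)
            for t in tunnels}


if __name__ == "__main__":
    for name, probs in audit().items():
        print(name, "OK" if not probs else "; ".join(probs))
```

Run as-is it reports the first mapping as OK, the second as blocked on the inside leg only, and the third as missing all three prerequisites. The same structure works for a real deployment once the route table and firewall policy are exported into the `Route` and `FwRule` lists.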
So, until the next time …