3.1. Procedure – Configuring one-sided TLS

Purpose: 

To disable encryption on one side of the connection for an existing Encryption Policy that is configured to handle HTTPS connections, complete the following steps.

Note

Keybridging obviously cannot be used together with one-sided TLS connections, since there is no TLS session on the plaintext side to bridge; for a possible solution, see Procedure 3.2.3, Transferring certificate information in one-sided HTTPS.

Steps: 

  1. Navigate to Application-level Gateway > Proxies, and select the proxy to be modified, or create a new one (for example, OnesidedHttpsProxy).

    • To disable encryption on the client side, add the self.tls.client_connection_security parameter to the Changed config attributes panel, then set it to const_tls_none.

    • To disable encryption on the server side, add the self.tls.server_connection_security parameter to the Changed config attributes panel, then set it to const_tls_none.

    Python: Add one of the following lines to the proxy:

    self.tls.client_connection_security = TLS_NONE   # plaintext towards the client
    self.tls.server_connection_security = TLS_NONE   # plaintext towards the server
  2. When PNS is used to protect the servers, you must deploy the certificate of the server (including its private key) to Application-level Gateway, so that Application-level Gateway can show the certificate to the clients that connect to the server. The proxy used in the connection must be configured to use this certificate when communicating with the clients. Complete the following steps.

    1. Import the certificate of the server into MS, and set the firewall to be its owner host. For details, see Procedure 11.3.8.6, Importing certificates in Proxedo Network Security Suite 2 Administrator Guide.

    2. Navigate to Application-level Gateway > Proxies, and select the proxy to be modified (for example, OnesidedHttpsProxy).

    3. Select (or add, if not already present) the self.tls.server_keypair_files parameter, then click Edit.

    4. A window showing the certificates available on the host appears. Select the certificate of the server.

      Note

      The list displays only the certificates for which the firewall host is set as the owner host (that is, both the certificate and its private key are available on the host).
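As an added example (not from the guide or the product), a small Python check that parses a policy.py with the standard ast module and flags the TLS settings described above: a proxy with both sides set to TLS_NONE, a one-sided proxy (where keybridging is unavailable), and a one-sided proxy whose server side is plaintext but which sets no self.tls.server_keypair_files, so the gateway has nothing to present to clients. The sample policy text and the finding codes are constructed, and the check assumes the settings are made in the class body rather than inherited.

```python
import ast
# Constructed sample policy.py text (not from the page): three HttpProxy subclasses.
SAMPLE_POLICY = '''
from Zorp.Http import HttpProxy
class OnesidedHttpsProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.tls.server_connection_security = TLS_NONE
        self.tls.server_keypair_files = ("/etc/key.d/srv/cert.pem", "/etc/key.d/srv/key.pem")
class NoKeypairProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.tls.server_connection_security = TLS_NONE
class PlaintextProxy(HttpProxy):
    def config(self):
        HttpProxy.config(self)
        self.tls.client_connection_security = TLS_NONE
        self.tls.server_connection_security = TLS_NONE
'''

def _tls_setting(target):
    """Return <name> when target is the expression self.tls.<name>, else None."""
    if (isinstance(target, ast.Attribute) and isinstance(target.value, ast.Attribute)
            and target.value.attr == "tls" and isinstance(target.value.value, ast.Name)
            and target.value.value.id == "self"):
        return target.attr
    return None

def check_policy(source):
    """Map each proxy class in policy.py source text to a sorted list of finding codes."""
    report = {}
    for cls in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ClassDef)]:
        settings = {}
        for node in ast.walk(cls):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    name = _tls_setting(target)
                    if name:  # TLS_NONE is kept by name, any other value is just "<set>"
                        settings[name] = getattr(node.value, "id", "<set>")
        client_off = settings.get("client_connection_security") == "TLS_NONE"
        server_off = settings.get("server_connection_security") == "TLS_NONE"
        codes = []
        if client_off and server_off:
            codes.append("NO_TLS")  # an HTTPS policy with no encryption on either side
        elif client_off or server_off:
            codes.append("ONE_SIDED")  # keybridging cannot be combined with this proxy
            if server_off and "server_keypair_files" not in settings:
                codes.append("MISSING_SERVER_KEYPAIR")  # nothing to present to clients
        report[cls.name] = sorted(codes)
    return report
```

Run it over a real policy.py by passing the file contents to check_policy; an empty list for a class means none of the three conditions was found in that class body.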