Secure connections (SSL/TLS) : What is SSL/TLS offloading?
What is SSL/TLS offloading?
FortiADC can act as the SSL/TLS terminator: instead of the client having an encrypted tunnel along the entire path to a back-end server, the client’s HTTPS session is decrypted partway along that path, when it reaches FortiADC. FortiADC then forwards the request to your servers as unencrypted HTTP. The server replies over the same clear-text HTTP connection; FortiADC encrypts the response and returns it to the client over HTTPS.
In this way, FortiADC bears the load of encryption processing instead of your back-end servers, allowing them to spend their resources on the network application itself. This is called SSL offloading.
SSL offloading usually improves SSL/TLS performance. On hardware models with specialized ASIC SSL accelerator(s), FortiADC can encrypt and decrypt packets at higher throughput than a back-end server using a general-purpose CPU.
When using SSL offloading, the server does not use its own server certificate. Instead, FortiADC acts as an SSL proxy for the server: it holds the server’s certificate and the matching private key, and uses them to:
authenticate itself to clients
decrypt requests
encrypt responses
whenever a client requests an HTTPS connection to that server.
As a side effect of being an SSL terminator, FortiADC holds both the HTTP request and the reply in decrypted form. Because the traffic is not encrypted at that point on the path, FortiADC can rewrite content and/or route traffic based on the contents of Layer 7 (the application layer). Without termination, Layer 7 content-based routing and rewriting would be impossible: that part of the packets would be encrypted and unreadable to FortiADC.
Secure the traffic between FortiADC and back-end servers when using SSL offloading. Failing to do so compromises the security of every offloaded session: anyone who can read the back-end network segment sees the request and response in clear text, including any session cookies or credentials they carry. No attack will be apparent to clients, because SSL offloading cannot be detected by them: their session with FortiADC remains encrypted, so they receive no alert that it has been compromised beyond that point.
For example, you might pass decrypted traffic to back-end servers as directly as possible, through one switch that is physically located in the same locked rack, and that has no other connections to the overall network.
Alternatively, configure FortiADC as an SSL switch, re-encrypting the traffic before forwarding it to back-end servers. The performance benefit of SSL offloading is lost, but this is useful when load-balanced traffic is forwarded along untrusted paths to back-end servers. See “How to re-encrypt SSL/TLS to back-end servers”.
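The following is an added example, not FortiADC code, that models the two points above: what a terminator can do with a request once it is decrypted (Layer 7 routing and header rewriting), and what a passive observer on the clear-text back-end segment therefore reads. It also includes a small check for the alternative of re-encrypting the server-side hop. Everything in it is an assumption for illustration: the routing table and back-end addresses, the sample request and reply (constructed here), the use of the conventional X-Forwarded-Proto and X-Forwarded-For headers, and the rewriting of http:// Location headers in responses; none of these are FortiADC-specific behaviour described on this page.

```python
"""Toy model of an SSL/TLS terminator's work on decrypted HTTP (added example)."""
from __future__ import annotations

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}

# Constructed routing table (assumption): Host -> (path prefix, clear-text back end).
ROUTES = {
    "shop.example.com": [("/api/", "10.0.0.11:80"), ("/", "10.0.0.10:80")],
}
DEFAULT_BACKEND = "10.0.0.10:80"


def parse_http(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a decrypted HTTP/1.1 message into start line, headers (lower-cased), body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def serialize(start: str, headers: dict[str, str], body: bytes) -> bytes:
    head = "\r\n".join([start] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def choose_backend(host: str, path: str) -> str:
    """Layer 7 routing: only possible because the request is in clear text here."""
    for prefix, backend in ROUTES.get(host, []):
        if path.startswith(prefix):
            return backend
    return DEFAULT_BACKEND


def offload_request(decrypted: bytes, client_ip: str) -> tuple[str, bytes]:
    """Return (back end, bytes) that the terminator forwards over plain HTTP."""
    start, headers, body = parse_http(decrypted)
    method, path, version = start.split(" ", 2)
    backend = choose_backend(headers.get("host", ""), path)
    # Assumption: conventional headers so the back end knows the original scheme/client.
    headers["x-forwarded-proto"] = "https"
    headers["x-forwarded-for"] = client_ip
    return backend, serialize(start, headers, body)


def offload_response(backend_reply: bytes, public_host: str) -> bytes:
    """The back end saw plain HTTP, so it may redirect to http://; rewrite to https://."""
    start, headers, body = parse_http(backend_reply)
    loc = headers.get("location")
    if loc and loc.startswith(f"http://{public_host}/"):
        headers["location"] = "https://" + loc[len("http://"):]
    return serialize(start, headers, body)


def exposed_on_backend_hop(forwarded: bytes) -> dict[str, str]:
    """What a passive observer on the clear-text segment reads, no TLS break needed."""
    _, headers, _ = parse_http(forwarded)
    return {k: v for k, v in headers.items() if k in SENSITIVE_HEADERS}


def backend_hop_looks_encrypted(first_bytes: bytes) -> bool:
    """Check on a capture of the server-side hop: a TLS record header (ContentType
    0x16 = handshake, version 0x03 0x01..0x04) means re-encryption is in effect."""
    return (
        len(first_bytes) >= 3
        and first_bytes[0] == 0x16
        and first_bytes[1] == 0x03
        and first_bytes[2] in (1, 2, 3, 4)
    )


# Constructed sample request, as it looks after the terminator has decrypted it.
SAMPLE_REQUEST = (
    b"GET /api/orders HTTP/1.1\r\n"
    b"Host: shop.example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"Authorization: Bearer tok-xyz\r\n"
    b"\r\n"
)
# Constructed sample reply from a back end that only ever sees http://.
SAMPLE_REPLY = b"HTTP/1.1 302 Found\r\nLocation: http://shop.example.com/login\r\n\r\n"

if __name__ == "__main__":
    backend, wire = offload_request(SAMPLE_REQUEST, "203.0.113.5")
    print("routed to", backend)
    print("observer on back-end segment sees:", exposed_on_backend_hop(wire))
    print("back-end hop encrypted:", backend_hop_looks_encrypted(wire))
    print(offload_response(SAMPLE_REPLY, "shop.example.com").decode())
```

Running it shows the request routed by path to the API back end, the session cookie and bearer token readable on the clear-text hop, and the back end's http:// redirect corrected before it reaches the client. The last check is the kind of thing to run against a capture of the server-side segment: if the first bytes of each connection are not a TLS record header, the hop is the clear-text one that the warning above applies to.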
See also
Supported cipher suites & protocol versions
How to offload HTTPS