The present invention relates generally to network communications, and more particularly, but not exclusively, enabling a proxy device access to content within and/or management of an SSL connection between a client device and a server device.
An increasing number of applications within an enterprise provide secure communications between a client device and a server device. These applications include intranet portals, Webmail, front-office applications, such as Clarify, back-office applications, and the like. Many of these applications may also be accessed from a branch office either through a Virtual Private Network (VPN) tunnel, directly over the public Internet, or the like. These applications may be available on a server device inside a head office. The head office and branch office are networks of computing devices secured behind security perimeters, such as behind firewalls, or the like. The computing devices at the head office often are enabled to access sensitive information, or the like.
A traditional method of providing secure communications between the client device and the server device employs a web browser and a web server or HyperText Transfer Protocol (HTTP) server to establish an encrypted connection. Encrypted connections may be implemented using a variety of secure communication protocols, including Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) protocol, or the like. The SSL protocol is described in Netscape Communications Corp, Secure Sockets Layer (SSL) version 3, http://home.netscape.com/eng/ss13/(November 1996). The TLS protocol is derived from SSL, and is described in Dierks, T., and Allen, C., “The TLS Protocol Version 1.0,” RFC 2246 (January 1999), is available at http://www.ietforg/rfc/rfc2246.txt.
Communications between the client device, which may reside in a branch office, and the server device, which may reside in a head office, may be secured, accelerated, and otherwise improved by communication optimizations. For example, Wide Area Network (WAN) optimization solutions may improve the communication between the branch office and the head office. WAN optimization solutions may employ data compression or binary sequence caching. Other solutions may even modify the application-level protocol. However, many of the solutions require access to unencrypted data.
One approach to access the unencrypted data is to terminate the SSL session locally at the branch office, perform inspections or WAN optimizations, and re-encrypt the data back to the head office. This SSL termination and re-encryption can be performed by an SSL accelerator such as one of the BIG-IP® family of traffic managers, by F5 Networks of Seattle, Wash. However, in order to perform the SSL termination at the branch office, the SSL accelerator may require access to certificates and private keys. This access may be a certificate management challenge. In many cases, the certificates and private keys may be stored at the head office. The branch office may require access to a directory service, such as a Lightweight Directory Access Protocol (LDAP), to provide the certificates. Additionally, distributing multiple copies of private keys to the branch office may reduce the security of the system and may violate the security policy of an enterprise.
Another challenge posed by the termination of the SSL session at the branch office is the management and control of the SSL connection. In order for the data to be inspected and/or optimized, a third-party may need to inspect the unencrypted data. Thus, it is with respect to these considerations and others that the present invention has been made.