SSLi in perimeter

Has anyone placed SSli in perimeter with ISP cables connected to it. I need decrypted traffic for my proxy & Perimeter firewall. Re-encryption happens after perimeter firewall.

Can I keep the NAT, ISP IP, routing in perimeter firewall itself. SSLi-Out would have ISP cables connected and recencryption happening


  • mdunnmdunn Member ✭✭

    Yes, SSLi Outside may be placed on the outside of your perimeter firewall, and I have seen this topology deployed in production. The SSLi Outside is configured in L2 ip-less mode. All sessions on SSLi Outside will show the NAT IP address as the source IP address.

  • ce07ce07 Member

    Thank you, if am doing HA for SSLi can it still placed as L2 ip-less mode.

  • mdunnmdunn Member ✭✭

    You can still do HA in L2 ip-less, but there will be no floating IP's. Typically switches and spanning tree are required to create the redundant paths in a loop-free topology. Another option is to use a Bypass Switch such as Garland or Ixia.

Sign In or Register to comment.