Skip to content

Decryption Profile

A Decryption Profile is used by the Gateway in a Reverse Proxy or Forward Proxy scenario. When a connection is proxied, the front-end session is terminated on the Gateway and a new back-end session is established to the server. The intention of this termination is to decrypt and inspect the traffic to protect against malicious activity. In order to decrypt encrypted traffic, a Decryption Profile is necessary.

Creating a Profile

  1. Navigate to Manage -> Profiles -> Decryption
  2. Click Create
  3. Specify a Profile Name and a Description
  4. For Certificate Method choose Select Existing
  5. For Certificate choose the desired certificate
  6. If using non-default (non-PFS) Cipher Suites, select the set of desired Cipher Suites from the Diffie-Hellman or PKCS (RSA) menus
  7. Click Save.

Associating a Profile

A Decryption Profile is associated with a Reverse Proxy (Ingress) or Forward Proxy (Egress/East-West) Service Object. To associate a Decryption Profile with a Service Object, refer to the following:

Cipher Suites

The Valtix Gateway supports a set of default and user-selectable Cipher Suites. The default set are PFS Cipher Suites that are always selected. The user-selectable set are Diffie-Hellman and PKCS (RSA) Cipher Suites that can be selected by the user. The combined set of Cipher Suites (default and user-selected) are used by the Gateway for establishing a secure front-end encrypted session. The client will send an ordered list of preferred Cipher Suites. The Gateway will respond with a Cipher Suite chosen from the ordered set submitted by the client and the set available by the Gateway. If the client allows the server to define the order, then the Cipher Suite chosen is from the ordered set available by the Gateway and the set submitted by the client.

The following is an ordered list of Cipher Suites supported by the Gateway and available in a Decryption Profile:

Category Cipher Suite Key Exchange Cipher Hash Default
PFS ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA AES256-GCM SHA384
PFS ECDHE-RSA-AES256-CBC-SHA384 ECDHE-RSA AES256-CBC SHA384
Diffie-Hellman DH-RSA-AES256-GCM-SHA384 DH-RSA AES256-GCM SHA384
PFS DHE-RSA-AES256-GCM-SHA384 DHE-RSA AES256-GCM SHA384
PFS DHE-RSA-AES256-CBC-SHA256 DHE-RSA AES256-CBC SHA384
Diffie-Hellman DH-RSA-AES256-SHA256 DH-RSA AES256-CBC SHA256
Diffie-Hellman DH-RSA-AES256-SHA DH-RSA AES256-CBC SHA160
PKCS (RSA) AES256-GCM-SHA384 PKCS-RSA AES256-GCM SHA384
PKCS (RSA) AES256-SHA256 PKCS-RSA AES256-CBC SHA256
PKCS (RSA) AES256-SHA PKCS-RSA AES256-CBC SHA160
PFS ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA AES128-GCM SHA256
PFS ECDHE-RSA-AES128-CBC-SHA256 ECDHE-RSA AES128-CBC SHA256
Diffie-Hellman DH-RSA-AES128-GCM-SHA256 DH-RSA AES128-GCM SHA256
PFS DHE-RSA-AES128-GCM-SHA256 DHE-RSA AES128-GCM SHA256
PFS DHE-RSA-AES128-CBC-SHA256 DHE-RSA AES128-CBC SHA256
Diffie-Hellman DH-RSA-AES128-SHA256 DH-RSA AES128-CBC SHA256
Diffie-Hellman DH-RSA-AES128-SHA DH-RSA AES128-CBC SHA160
PKCS (RSA) AES128-GCM-SHA256 PKCS-RSA AES128-GCM SHA256
PKCS (RSA) AES128-SHA256 PKCS-RSA AES128-CBC SHA256
PKCS (RSA) AES128-SHA PKCS-RSA AES128-CBC SHA160
PKCS (RSA) RC4-SHA PKCS-RSA RC4 SHA160
PKCS (RSA) RC4-MD5 PKCS-RSA RC4 SHA160