AppGW or                intermediate               AppGW or any
Web Browser,               AppGW                   target
source
---------+          +---------+---------+          +---------   TLS between source and target:
         |          |         |         |          |            transparent forwarding
         |          |         |         |          |            by intermediate AppGW
SSLTARGET|--------->|         |         |--------->| SSL
[SSLCC]  |          |         |         |          | [CCR]
         |          |         |         |          |
---------+          +---------+---------+          +---------
---------+          +---------+---------+          +---------   Man-in-the-middle:
         |          |         |         |          |            intermediate AppGW acts as
SSLTARGET|          | SSL     |         |          |            man-in-the-middle and may
[SSLCC]  |--------->| [CCR]   |SSLTARGET|--------->| SSL        terminate sessions with
         |          |         |[SSLC]   |          | [CCR]      invalid client certificates,
         |          |         |         |          |            forwards session encrypted
---------+          +---------+---------+          +---------
---------+          +---------+---------+          +---------   TLS only on first hop:
         |          |         |         |          |            intermediate AppGW may
SSLTARGET|          | SSL     |         |          |            terminate sessions with
[SSLCC]  |--------->| [CCR]   |         |--------->|            invalid client certificates
         |          |         |         |          |            and forwards session
         |          |         |         |          |            unencrypted
---------+          +---------+---------+          +---------
---------+          +---------+---------+          +---------   TLS only on second hop:
         |          |         |         |          |            intermediate AppGW forwards
         |          |         |         |          |            unencrypted session as
         |--------->|         |SSLTARGET|--------->| SSL        encrypted session and may be
         |          |         |[SSLC]   |          | [CCR]      authenticated by target AppGW
         |          |         |         |          |            (tunnel configuration)
---------+          +---------+---------+          +---------
---------+          +---------+---------+          +---------   Proxy usage:
         |          |         |         |          |            intermediate AppGW acts as
         |          |         |         |          |            proxy, there may be also a
CONNECT  |--------->|        PRX        |--------->|            standard web proxy:
SSLTARGET|          |         |         |          | SSL        target is specified within
[SSLCC]  |          |         |         |          | [CCR]      CONNECT keyword
---------+          +---------+---------+          +---------
AppGW only:
---------+          +---------+---------+          +---------   Tunnel configuration:
SSLTARGET|          | SSL     |         |          |            intermediate AppGW acts as
[SSLCC]  |          | [CCR]   |         |          |            proxy, TLS between client and
CONNECT  |--------->|        PRX        |--------->|            proxy:
         |          |         |         |          |            target is specified within
         |          |         |         |          |            CONNECT keyword
---------+          +---------+---------+          +---------
AppGW only:
---------+          +---------+---------+          +---------   Tunnel with TLS to target:
SSLTARGET|          | SSL     |         |          |            intermediate AppGW acts as
[SSLCC]  |          | [CCR]   |         |          |            proxy, TLS between client and
CONNECT  |--------->|        PRX        |--------->|            proxy:
SSLTARGET|          |         |         |          | SSL        target is specified within
[SSLCC]  |          |         |         |          | [CCR]      CONNECT keyword
---------+          +---------+---------+          +---------   nested TLS connections
Remark: Keyword pairs in brackets, [SSLCC] and [CCR] for client certificate requests are optional.
reinhold.leitner@applicgate.com (C) December 2024 www.applicgate.com