ApplicGate
(v12.0.8874.35714 started 2024-04-18 18:00:37 on VM2)

Examples for TLS configurations:
  AppGW or                  intermediate                AppGW or any                            
  Web Browser,                AppGW                     target                                  
  source                                                                                        
  ---------+          +---------+---------+          +---------   TLS between source and target:
           |          |         |         |          |            transparent forwarding        
           |          |         |         |          |            by intermediate AppGW         
  SSLTARGET|--------->|         |         |--------->|  SSL                                     
  [SSLCC]  |          |         |         |          | [CCR]                                    
           |          |         |         |          |                                          
  ---------+          +---------+---------+          +---------                                 
                                                                                                
  ---------+          +---------+---------+          +---------   Man-in-the Middle:            
           |          |         |         |          |            intermediate AppGW acts as    
  SSLTARGET|          |   SSL   |         |          |            man-in-the middle and may     
  [SSLCC]  |--------->|  [CCR]  |SSLTARGET|--------->|  SSL       terminate sessions with       
           |          |         |[SSLC]   |          | [CCR]      invalid client certificates,  
           |          |         |         |          |            forwards session encrypted    
  ---------+          +---------+---------+          +---------                                 
                                                                                                
  ---------+          +---------+---------+          +---------   TLS only on first hop:        
           |          |         |         |          |            intermediate AppGW may        
  SSLTARGET|          |   SSL   |         |          |            terminate sessions with       
  [SSLCC]  |--------->|  [CCR]  |         |--------->|            invalid client certificates   
           |          |         |         |          |            and forwards session          
           |          |         |         |          |            unencrypted                   
  ---------+          +---------+---------+          +---------                                 
                                                                                                
  ---------+          +---------+---------+          +---------   TLS only on second hop:       
           |          |         |         |          |            intermediate AppGW forwards   
           |          |         |         |          |            unencrypted session as        
           |--------->|         |SSLTARGET|--------->|  SSL       encrypted session and my be   
           |          |         |[SSLC]   |          | [CCR]      authenticated by target AppGW 
           |          |         |         |          |            (tunnel configuration)        
  ---------+          +---------+---------+          +---------                                 
                                                                                                
  ---------+          +---------+---------+          +---------   Proxy usage:                  
           |          |         |         |          |            intermediate AppGW acts as    
           |          |         |         |          |            proxy, there may be also a    
  CONNECT  |--------->|        PRX        |--------->|            standard web proxy:           
  SSLTARGET|          |         |         |          |  SSL       target is specified within    
  [SSLCC]  |          |         |         |          | [CCR]      CONNECT keyword               
  ---------+          +---------+---------+          +---------                                 
                                                                                                
  AppGW only:                                                                                   
  ---------+          +---------+---------+          +---------   Tunnel configuration:         
  SSLTARGET|          |  SSL    |         |          |            intermediate AppGW acts as    
  [SSLCC]  |          | [CCR]   |         |          |            proxy, TLS between client and 
  CONNECT  |--------->|        PRX        |--------->|            proxy:                        
           |          |         |         |          |            target is specified within    
           |          |         |         |          |            CONNECT keyword               
  ---------+          +---------+---------+          +---------                                 
                                                                                                
  AppGW only:                                                                                   
  ---------+          +---------+---------+          +---------   Tunnel with TLS to target:    
  SSLTARGET|          |  SSL    |         |          |            intermediate AppGW acts as    
  [SSLCC]  |          | [CCR]   |         |          |            proxy, TLS between client and 
  CONNECT  |--------->|        PRX        |--------->|            proxy:                        
  SSLTARGET|          |         |         |          |  SSL       target is specified within    
  [SSLCC]  |          |         |         |          | [CCR]      CONNECT keyword               
  ---------+          +---------+---------+          +---------   nested TLS connections        

 Remark: Keyword pairs in brackets, [SSLCC] and [CCR] for client certificate requests are optional.

ApplicGate Logo  reinhold.leitner@applicgate.com (C) April 2024
www.applicgate.com