2-8
SSL Appliance Administration & Deployment Guide
Chapter 2 System Behavior & Deployment Examples
Deployment Modes
• Device port: A network interface that is connected to the primary attached appliance which is
dealing with inspected traffic from the SSL Appliance.
• Copy port: A network interface connected to a secondary passive appliance that is receiving a copy
of the inspected traffic.
• Aggregation port: A network interface providing a connection to an additional network tap, so that
a segment can receive traffic from more than one network tap.
• Symmetric traffic: Traffic where packets for both directions of a network flow are seen on the same
network interface on the SSL Appliance.
• Asymmetric traffic: Traffic where the packets for both directions of a network flow are seen on
different network interfaces on the SSL Appliance.
• Active-active: An HA deployment scenario where packets on a given flow might be sent over either
of the HA network links. From the SSL Appliance’s perspective this is equivalent to the Asymmetric
traffic scenario, in that packets belonging to a single flow might arrive on either one of two different
network interfaces.
There are three main deployment modes for the SSL Appliance, with many variants within each mode.
The following sections describe the way each of the modes operates. For details on how to configure a
segment and its mode of operation refer to Example Passive-Tap Mode Inspection, page 3-12, Example
Passive-Inline Mode Inspection, page 3-21, Example Active-Inline Mode Inspection, page 3-27, and
–Certificate Status, page 5-23.
Note The actual physical interfaces on an SSL Appliance that are used by a particular segment are allocated
when the segment is activated. The WebUI allows the user to choose the network interfaces from the set
of interfaces that are not currently in use by other, already active, segments.
Segment Elements
Segment configuration can be considered to have five elements; not all of these elements apply to a given
segment:
• The network interfaces connecting traffic to the SSL Appliance. In a passive-tap mode, the minimum
number of such interfaces is one. In an in-line mode, the minimum number is two, as the SSL
Appliance is a bump-in-the-wire.
• Whether the traffic being inspected is symmetric or asymmetric. If the traffic is asymmetric, more
network interfaces are required as the SSL Appliance must see the packets for both directions of an
SSL flow if it is going to be able to inspect the flow.
• Whether there is an active appliance connected to the SSL Appliance. An active appliance requires
a minimum of two interfaces connecting it to the SSL Appliance.
• Whether there are any passive appliances connected to the SSL Appliance. A passive appliance
requires a minimum of one interface connecting it to the SSL Appliance.
• Whether there is more than one passive appliance connected to the SSL Appliance. If more than one
passive appliance is connected, then decide if all traffic should be copied to each passive appliance,
or if it should be load balanced between the passive appliances.
Passive-Tap Mode
This section provides details on the different Passive-Tap modes of operation supported by the SSL
Appliance. Passive-Tap mode connectivity options fall into three groups based on: