To enable DTLS, you need to create a virtual server with the protocol set to UDP. Within the Access Policy you also have to enable the DTLS option. The port you enable in the access-policy network-access settings must match the destination-address port in the virtual-server configuration.
Here's a simple virtual server that supports DTLS, using the connection profile:
Notice the protocol (UDP) and the port (4433).
The APM network-access resource needs the DTLS check box enabled and a defined service port, which must match the LTM virtual server's service port { access-policy > network-access > setting }.
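As an added example (not from the original post), here is a small POSIX shell check that reads the two tmsh listings described above and confirms they agree: the virtual server uses UDP, the network-access resource has DTLS enabled, and both sides name the same port. The object names, addresses and the network-access attribute names `dtls` / `dtls-port` are assumptions for this example, and the two listings are constructed stand-ins for `tmsh list` output rather than captures from a real BIG-IP.

```shell
#!/bin/sh
# Added example: offline consistency check for the DTLS settings of an
# APM network-access resource and its UDP virtual server.
# On a real system the two blobs would come from:
#   tmsh list ltm virtual <vs-name>
#   tmsh list apm resource network-access <na-name>
# Everything below is CONSTRUCTED sample text; the attribute names
# "dtls" and "dtls-port" are assumed, not copied from the original post.

# Constructed sample: a UDP virtual server listening on 4433.
VS_LISTING='ltm virtual vs_apm_dtls {
    destination 192.0.2.10:4433
    ip-protocol udp
    mask 255.255.255.255
    profiles {
        apm_connectivity { context clientside }
        clientssl { context clientside }
        udp { }
    }
    source 0.0.0.0/0
}'

# Constructed sample: the network-access resource with DTLS on 4433.
NA_LISTING='apm resource network-access na_vpn {
    dtls true
    dtls-port 4433
    split-tunneling false
}'

# field LISTING KEY -> value of a single-line "key value" setting.
# awk ignores the leading indentation, so "$1 == key" matches the line.
field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# vs_port LISTING -> the port from "destination a.b.c.d:port" (IPv4 form).
vs_port() {
    field "$1" destination | awk -F: '{ print $NF }'
}

# check_dtls VS_LISTING NA_LISTING -> 0 when consistent, 1 otherwise.
# One line is printed per finding so the operator sees what to fix.
check_dtls() {
    vs="$1"; na="$2"; rc=0
    proto=$(field "$vs" ip-protocol)
    vport=$(vs_port "$vs")
    dtls=$(field "$na" dtls)
    naport=$(field "$na" dtls-port)

    [ "$proto" = udp ] || { echo "FAIL: virtual server ip-protocol is '$proto', DTLS needs udp"; rc=1; }
    [ "$dtls" = true ] || { echo "FAIL: network-access dtls is '$dtls', not enabled"; rc=1; }
    if [ "$vport" != "$naport" ]; then
        echo "FAIL: virtual server port '$vport' != network-access dtls-port '$naport'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: virtual server and network-access agree on udp/$vport"
    return "$rc"
}

check_dtls "$VS_LISTING" "$NA_LISTING"
```

Run it after editing either object; a non-zero exit means the Edge Client will fall back to TLS rather than negotiate DTLS, which is exactly the silent failure the port-matching requirement above guards against.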
If you monitor the client access details from tmsh, you will see no direct reference to DTLS v1.0 being used.
e.g.:
To validate DTLS usage, monitor the statistics for the LTM client-ssl profile and use grep to match on DTLS.
or:
When the Edge Client connects, you will see the edge-client statistics listing the connection as DTLS, along with the cipher in use for the session.
The APM log will display output similar to the following when a client negotiates a DTLS v1.0 connection.
- If the client can't negotiate DTLS, it will fall back to TLS.
- Beware of any forward proxies that prevent DTLS negotiation on UDP port 4433.
- Any local or remote firewall could block access to UDP port 4433 (udp.port == 4433).
- Initial contact is via TLS, but if APM and the client negotiate DTLS, the data path will be switched to DTLS.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \