Internal device configuration should include the front-end SSL parameters, including a CA certificate and Private Key, bypass/inspect rules, as well as the service (VAS) chaining configuration. The SSL Inspection wizard is updated to support deployment of an internal device.

External device configuration should include the back-end SSL parameters, a filter that intercepts decrypted HTTP traffic and performs back-end encryption, and filters that forward all other traffic as is (the original HTTP, other protocols).

If front-end SSL is enabled in the same SSL policy, the SNI data received on the client-side SSL connection is copied to the Client SSL Hello message sent by Alteon to the server.

If front-end is not enabled in the same SSL policy, the value of the Host header in the HTTP request is inserted as an SNI in the Client SSL Hello message sent by Alteon to the server.

The Include SNI option should not be enabled on HTTPS virtual services with HTTP multiplexing enabled or in Basic SLB virtual services with TCP Multiplexing enabled, if multiple domains are delivered over that same service.

When performing outbound SSL Inspection, the Include SNI parameter on the back-end SSL policy is ignored and SNI is always included in the Client SSL Hello.

The command SSL::sni <value> lets you set the SNI value

The event SERVERSSL_CLIENTHELLO_SEND is triggered just before the Client SSL Hello message is sent to server, letting you set the SNI value.

TCP connection pooling ─ When a server is selected for a new client connection, Alteon reuses an idle connection from the server connection pool. If no idle connection is available, a new back-end connection is opened.

TCP request multiplexing ─ When a server is selected for a new client TCP request, Alteon reuses an idle connection from the server connection pool. If no idle connection is available, a new back-end connection is opened. This is required for applications that have long-lived client connections and there is a need to load balance per transaction. To achieve this behavior, an AppShape++ script is required on this service – the script must identify a TCP transaction and signal its completion (and release of the back-end connection back to the idle connection pool) using the new TCP::detach command.

Connection Shutdown – Traffic that belongs to connections that are still active on the server continues being forwarded to the server, but Alteon does not accept new connections (shut connection).

Sessions Shutdown – Traffic that belongs to connections that are still active on the server continues being forwarded to the server, and Alteon accepts new connections that belong to active persistent sessions on that server (cookie, SSLID, Client IP) (shut psession).

This is not relevant for persistent sessions recorded using AppShape++ scripting.

When the last real server is moved to shut psession/connection, the virtual server also moves to the down state (DE25609).

Connection Shutdown – Traffic that belongs to connections that are still active on the server continues being forwarded to the server, but Alteon does not accept new connections (shut connection).

Sessions Shutdown – Traffic that belongs to connections that are still active on the server continues being forwarded to the server, and Alteon accepts new connections that belong to active persistent sessions on that server (cookie, SSLID, Client IP) (shut psession).

Note: This is not relevant for persistent sessions recorded using AppShape++ scripting.

WBM: Monitoring > Application Delivery > Virtual Servers > Virtual Service > Traffic.

Note: Currently this capability is available only for real servers attached to virtual services.

Starting with this version, VMware ESXi version 6.5 is officially supported.