Enable mTLS (mutual TLS)

Overview

Link11 WAAP supports mTLS encryption. This is optional, and can be enabled separately for:

• Communication between Link11 WAAP and customer backends.

• Communication between clients (end users) and L11WAAP.

How it works

L11WAAP-to-customer-backend mTLS

Configuring mTLS to the customer backend is straightforward. After enabling this feature (as described below), admins add certificate(s) and assign them to . Once configured, L11WAAP will use mTLS when communicating with customer origins.

Client-to-L11WAAP mTLS

Configuring mTLS to clients also requires feature enablement. Then, admins add CA Certificates and assign them to .

Once client-to-L11WAAP mTLS is configured, end users will be required to present a client certificate at the beginning of each session during the TLS handshake. L11WAAP will validate the date and issuer of the certificate. If validation fails, the user will receive an error, and will not be permitted to connect to the protected system.

Two additional notes about this type of mTLS:

• In the user interface, mTLS is only available when using an (Network Load Balancer). To enable mTLS when using a Link11 load balancer, contact support.

• mTLS verification does not exempt a client from other types of traffic filtering. Even if a client successfully establishes an mTLS connection with L11WAAP, its requests will still be blocked if they originate from a banned source, or exceed rate limits, or match a content filtering signature, etc.

How to configure mTLS for communication with the backend(s)

Follow this process:

• Assign the appropriate certificate to each Backend Service:
• Save and publish your changes.

How to configure mTLS for communication with clients

Follow this process:

• Assign the appropriate certificate to each Server Group:
• Save and publish your changes.