When you subscribe to ThreatSign, you can choose from two WAF configurations. You can install the WAF on your own network, with all requests filtered locally. This is called the Endpoint WAF. If you use this option, you are responsible for whatever SSL certificates you want to use. You need to use the Endpoint WAF if your security policies mandate that nothing should be decrypted outside your data centers.
If you choose the DNS WAF, it runs on Quttera's servers. One of its advantages is that Quttera handles your SSL management for you. The DNS WAF offers greater ease of use and scalability than the Endpoint WAF.
When you set up Quttera DNS WAF, you need to configure your DNS records on your domain registrar's site. Normally, the A and CNAME records for your domain would point at your Web server. With the WAF, all requests need to go through Quttera's servers before being passed on to yours. You will set up the A record to point your canonical domain at the IP address Quttera gives you. The CNAME records need to associate your other subdomain names with the canonical record, so that all variants of your domain are covered.
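The coverage requirement above can be checked mechanically. This is an added example, not Quttera's tooling: a Python audit over an exported record set that reports any name whose final address is not the WAF's, meaning requests to it would skip filtering. The domain, the IP addresses and the record list are constructed placeholders.

```python
# Added example: audit a DNS record set for names that do not go through the WAF.
# All names and addresses are constructed (example.com, RFC 5737 ranges).

WAF_IP = "203.0.113.10"  # assumed: the IP address the WAF provider gave you

# Constructed records as (owner name, type, value), e.g. exported from the registrar
RECORDS = [
    ("example.com.", "A", "203.0.113.10"),
    ("www.example.com.", "CNAME", "example.com."),
    ("shop.example.com.", "CNAME", "www.example.com."),
    ("old.example.com.", "A", "198.51.100.20"),              # still the web server
    ("blog.example.com.", "CNAME", "missing.example.com."),  # dangling target
]

def resolve(name, records, max_hops=8):
    """Follow CNAMEs inside the record set; return the set of final A values."""
    name = name.lower()
    for _ in range(max_hops):
        a_values = {v for n, t, v in records if n.lower() == name and t == "A"}
        if a_values:
            return a_values
        targets = [v for n, t, v in records if n.lower() == name and t == "CNAME"]
        if not targets:
            return set()  # nothing to follow: dangling or undefined name
        name = targets[0].lower()
    return set()  # CNAME loop or chain longer than max_hops

def audit(records, waf_ip):
    """Classify every owner name as 'waf', 'bypass' or 'unresolved'."""
    report = {}
    for name in sorted({n.lower() for n, _, _ in records}):
        ips = resolve(name, records)
        if not ips:
            report[name] = "unresolved"
        elif ips == {waf_ip}:
            report[name] = "waf"
        else:
            report[name] = "bypass"  # at least one address is not the WAF
    return report

if __name__ == "__main__":
    for name, status in audit(RECORDS, WAF_IP).items():
        print(f"{status:10} {name}")
```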
The entity registering or renewing an SSL certificate uses a piece of software called a certificate management agent. The agent satisfies a challenge from the certificate authority (CA) to prove that it controls the domain. Normally, the agent would run on your server. Because the DNS configuration directs requests to the WAF server, the WAF server can act in this capacity and satisfy the CA's challenge. It requests the certificate, stores it, and periodically renews it.
e, and get you quick removal from blacklists. When you sign up for ThreatSign, you get ongoing, comprehensive protection of your website.