4.6 Enabling Perfect Forward Secrecy

Apache simplifies the process with the SSLHonorCipherOrder directive. This directive tells Apache to honor the order of the cipher suites listed in SSLCipherSuite; that is, the first suite in the list that matches is used. With the SSLCipherSuite list shown below and the SSLHonorCipherOrder On directive in place, Perfect Forward Secrecy (PFS) is enabled.

On the Home page, click Access Gateways > Edit > Advanced Options and set the following advanced options:

SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AESGCM:RSA+AES:!aNULL:!DES:!MD5:!DSS
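
The following added example (not part of the original documentation or the product) expands the cipher string above with Python's ssl module and models which suite is chosen with SSLHonorCipherOrder On and Off. The client offer and the selection function are constructed, simplified assumptions, and the "kea" field requires Python linked against OpenSSL 1.1.0 or later.

```python
import ssl

# Cipher string from the advanced options on this page.
CIPHER_STRING = ("ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:"
                 "RSA+AESGCM:RSA+AES:!aNULL:!DES:!MD5:!DSS")

# Constructed client offer (assumption): prefers RSA key exchange, also supports ECDHE.
CLIENT_OFFER = ["AES128-GCM-SHA256", "AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

FS_KEY_EXCHANGES = {"kx-ecdhe", "kx-dhe"}  # ephemeral key exchange => forward secrecy


def expand(cipher_string):
    """Expand an OpenSSL cipher string to {suite name: key exchange}, in server order.

    TLS 1.3 suites are skipped: OpenSSL configures them separately from this string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["kea"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def negotiate(server_suites, client_offer, honor_server_order):
    """Return the first shared suite in the order of the side that has precedence."""
    if honor_server_order:
        primary, other = list(server_suites), set(client_offer)
    else:
        primary, other = client_offer, set(server_suites)
    return next((name for name in primary if name in other), None)


def has_forward_secrecy(server_suites, suite):
    """True when the suite's key exchange is ephemeral (ECDHE or DHE)."""
    return server_suites.get(suite) in FS_KEY_EXCHANGES


if __name__ == "__main__":
    suites = expand(CIPHER_STRING)
    for honor in (True, False):
        chosen = negotiate(suites, CLIENT_OFFER, honor)
        print(f"SSLHonorCipherOrder {'On' if honor else 'Off'}: {chosen} "
              f"forward secrecy={has_forward_secrecy(suites, chosen)}")
    fallbacks = [n for n, kx in suites.items() if kx not in FS_KEY_EXCHANGES]
    print(f"{len(fallbacks)} suites in the list use RSA key exchange (no PFS)")
```

The RSA entries at the end of the list remain as fallbacks, so a client that offers no ECDH suite still connects without forward secrecy.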

For information about PFS and prerequisites for enabling it, see Enabling Perfect Forward Secrecy.