
SSL Proxy

This feature may not be available on all platforms. Please check your system's actual page to confirm whether your device provides this feature.

To assure the security of sensitive data while it is transmitted over networks, more and more websites adopt SSL encryption to protect their information. The device provides the SSL proxy function to decrypt HTTPS traffic. The SSL proxy function works in the following two scenarios:

In the first scenario, the device works as the gateway of Web clients. The SSL proxy function replaces the certificate of the encrypted website with an SSL proxy certificate in order to obtain the encrypted information, and sends the SSL proxy certificate to the client's Web browser. During the process, the device acts as an SSL client and an SSL server to establish connections with the Web server and the Web browser respectively. The SSL proxy certificate is generated by re-signing the website certificate with the device's local certificate. The process is described below:

In the second scenario, the device works as the gateway of Web servers. With the SSL proxy enabled, the device works as the SSL server, uses the certificate of the Web server to establish the SSL connection with the Web clients (Web browsers), and sends the decrypted traffic to the internal Web server.

Work Mode

There are three work modes. In the first scenario, the SSL proxy function can work in the client-inspection proxy mode; in the second scenario, the SSL proxy function can work in the server-inspection offload mode.

When the SSL proxy function works in the client-inspection proxy mode, it performs the SSL proxy only on the specified websites.

For websites that do not need the SSL proxy, the device dynamically adds the IP address and port of the website to a bypass list, and their HTTPS traffic is bypassed.

For websites proxied by the SSL proxy function, the device checks the parameters of the SSL negotiation. When a parameter matches an item in the checklist, the corresponding HTTPS traffic is blocked or bypassed according to the action you specified:

  • If the action is Block, the HTTPS traffic is blocked by the device.
  • If the action is Bypass, the HTTPS traffic is not decrypted. Meanwhile, the device dynamically adds the IP address and port number of the website to the bypass list, so that subsequent HTTPS traffic to it is bypassed.

The device decrypts the HTTPS traffic that is neither blocked nor bypassed.

When the SSL proxy function works in the server-inspection offload mode, it proxies the SSL connections initiated by Web clients, decrypts the HTTPS traffic, and sends the HTTPS traffic as plaintext to the Web server.

You can integrate the SSL proxy function with the following:

  • Integrate with the application identification function. The device can decrypt the HTTPS traffic that applications encrypt using SSL and identify the application. After application identification, you can configure policy rules, QoS, session limits, and policy-based routing.
  • Support unilateral SSL proxy in WebAuth. The SSL client can use an SSL connection during the authentication stage. When authentication is completed, the SSL proxy no longer takes effect, and the client and server communicate directly without SSL encryption.
  • Integrate with AV, IPS, and URL filtering. The device can perform AV protection, IPS protection, and URL filtering on the decrypted HTTPS traffic.

Working as Gateway of Web Clients

To implement the SSL proxy, you need to bind an SSL proxy profile to a policy rule. After the SSL proxy profile is bound to a policy rule, the system uses the SSL proxy profile to process the traffic that matches the policy rule. To implement the SSL proxy, take the following steps:

  1. Configure the corresponding parameters of the SSL negotiation, including the following items: specify the PKI trust domain of the device certificate, obtain the CN value of the Subject field from the website certificate, and import the device certificate into the Web browser.
  2. Configure an SSL proxy profile, including the following items: choose the work mode, set the website list (using the CN value of the Subject field of the website certificate), configure the actions for the HTTPS traffic whose SSL negotiation matches an item in the checklist, enable the audit warning page, and so on.
  3. Bind the SSL proxy profile to a proper policy rule. The device decrypts the HTTPS traffic that matches the policy rule and is not blocked or bypassed by the device.

Configuring SSL Proxy Parameters

Configuring SSL proxy parameters includes the following items:

  • Specify the PKI trust domain of the device certificate
  • Obtain the CN value of the website certificate
  • Import the device certificate into a Web browser

Specifying the PKI Trust Domain of Device Certificate

By default, the certificate of the default trust domain trust_domain_ssl_proxy_2048 is used, together with the Web server certificate, to generate the SSL proxy certificate, and the system then issues the generated SSL proxy certificate to the client. You can specify another PKI trust domain in the system as the trust domain of the device certificate. The specified trust domain must have a CA certificate, a local certificate, and the private key of the local certificate. To specify a trust domain, take the following steps:

  1. Click Policy > SSL Proxy.
  2. At the top-right corner of the page, click Trust Domain Configuration.
  3. Select a trust domain from the Trust domain drop-down list.
    • The trust domain trust_domain_ssl_proxy uses RSA with a modulus size of 1024 bits.
    • The trust domain trust_domain_ssl_proxy_2048 uses RSA with a modulus size of 2048 bits.
  4. Click OK to save the settings.

Obtaining the CN Value

To get the CN value in the Subject field of the website certificate, take the following steps (using www.gmail.com as the example):

  1. Open the IE Web browser, and visit https://www.gmail.com.
  2. Click the Security Report button next to the URL.
  3. In the pop-up dialog box, click View certificates.
  4. In the Details tab, click Subject. You can view the CN value in the text box.

Importing the Device Certificate into the Client Browser

In the proxy process, the SSL proxy certificate replaces the website certificate. However, the root certificate of the SSL proxy certificate is not present in the client browser, so the client cannot visit the proxied website properly. To address this problem, you have to import the root certificate (the certificate of the device) into the browser.

First, export the device certificate to the local PC:

  1. Select System > PKI.
  2. In the Management tab in the PKI Management dialog box, configure the options as below:
    • Trust domain: trust_domain_ssl_proxy or trust_domain_ssl_proxy_2048
    • Content: CA certificate
    • Action: Export
  3. Click OK and select the path to save the certificate. The certificate will be saved to the specified location.

Then, import the device certificate into the client browser. Take Internet Explorer as an example:

  1. Open IE.
  2. From the toolbar, select Tools > Internet Options.
  3. In the Content tab, click Certificates.
  4. In the Certificates dialog box, click the Trusted Root Certification Authorities tab.
  5. Click Import. Import the certificate following the Certificate Import Wizard.
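The re-signing step described under the first scenario, and the reason the device certificate must be imported into the browser, as an added example in Go (not part of this webhelp or the device's own code): it constructs a public CA, a website certificate, a device CA standing in for the trust domain's local certificate, re-signs the website certificate with the device CA, and checks the result against a browser trust store before and after the import. The CA names and the host www.example.com are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds an example certificate for cn: a self-signed CA when parent is nil, otherwise a server certificate for cn signed by parent.
func makeCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // example-only key pair
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // browsers match the host against the SAN
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo plays the client-inspection flow for host and reports whether a browser accepts the SSL proxy certificate before and after the device CA is imported.
func demo(host string) (before, after bool) {
	publicCA, publicKey := makeCert("Example Public Root CA", nil, nil)
	site, _ := makeCert(host, publicCA, publicKey) // the website's real certificate
	devCA, devKey := makeCert("Example Device SSL Proxy CA", nil, nil)
	proxied, _ := makeCert(site.Subject.CommonName, devCA, devKey) // re-signed: same Subject CN, device CA as issuer
	roots := x509.NewCertPool()
	roots.AddCert(publicCA) // browser trust store before the import: public CA only
	_, errBefore := proxied.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	roots.AddCert(devCA) // the "import the device certificate" step above
	_, errAfter := proxied.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return errBefore == nil, errAfter == nil
}
```

Calling demo("www.example.com") returns false before the import and true after it, which is the certificate error the text describes and its fix.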

Configuring an SSL Proxy Profile

Configuring an SSL proxy profile includes the following items: choose the work mode, set the website list (using the CN value of the Subject field of the website certificate), configure the actions for the HTTPS traffic whose SSL negotiation matches an item in the checklist, enable the audit warning page, and so on. The system supports up to 32 SSL proxy profiles, and each profile supports up to 10,000 static website entries.

To configure an SSL proxy profile, take the following steps:

  1. Click Policy > SSL Proxy.
  2. At the top-left corner, click New to create a new SSL proxy profile.
  3. Click OK to save the settings.

Working as Gateway of Web Servers

To implement the SSL proxy, you need to bind an SSL proxy profile to a policy rule. After the SSL proxy profile is bound to a policy rule, the system uses the SSL proxy profile to process the traffic that matches the policy rule. To implement the SSL proxy, take the following steps:

  1. Configure an SSL proxy profile, including the following items: choose the work mode, and specify the trust domain of the Web server certificate and the HTTP port number of the Web server.
  2. Bind the SSL proxy profile to a proper policy rule. The device decrypts the HTTPS traffic that matches the policy rule.

Configuring an SSL Proxy Profile

Configuring an SSL proxy profile includes the following items: choose the work mode, and specify the trust domain of the Web server certificate and the HTTP port number of the Web server.

To configure an SSL proxy profile, take the following steps:

  1. Click Policy > SSL Proxy.
  2. At the top-left corner, click New to create a new SSL proxy profile.
  3. Click OK to save the settings.

Binding an SSL Proxy Profile to a Policy Rule

After the SSL proxy profile is bound to a policy rule, the system processes the traffic that matches the rule according to the profile configuration. To bind the SSL proxy profile to a policy rule, see Security Policy.