Configure and Deploy SSL Proxy Policy in CSO

SSL proxy is enabled as an application service within a security policy. You specify the traffic that you want the SSL proxy enabled on as match criteria and then specify the SSL proxy profile to be applied to the traffic. For more information, seeSSL Forward Proxy Overview in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Explanation of Procedure

The following is the workflow to configure and deploy an intent-based SSL forward proxy policy in CSO:

Obtain the root certificate and private key from your trusted certificate authority (CA).
Combine the root certificate and private key into a single file.
Import the certificate and private key file. See Import a Certificate
(Optional) Install the imported certificate on one or more sites. See Install a Certificate.
By default, Juniper Networks ships trusted certificates for sites that use HTTPS. These certificates are installed automatically by CSO when the site is successfully provisioned.
If you want to use additional trusted certificates, import and install the certificates as explained in Steps 3 and 4.
Add an SSL proxy profile. See Add SSL Forward Proxy Profiles.
Note
- Use the imported root certificate when you add the SSL proxy profile.
- For trusted certificates, specify that all trusted certificates on the device are used.
Add an SSL proxy policy intent that uses the SSL proxy profile that you added. See Add SSL Proxy Policy Intents.
Deploy the SSL proxy policy. See Deploy an SSL Proxy Policy.
Note
- Understanding How SSL Proxy Policy Intents Are AppliedEnsure that the root and trusted certificates are imported into CSO before the policy is deployed.
- If you have not installed the certificates referenced in the SSL proxy profile, then they are automatically installed when the SSL proxy policy is deployed.
For Internet access from an SRX Series device by using the SSL proxy, ensure that you import the root certificate (obtained in Step 1) into the browsers of the clients accessing the Internet.Note
If you do not import the certificate, the traffic does not go through for clients in the LAN segments.

For examples of how SSL proxy policy intents are applied, see Understanding How SSL Proxy Policy Intents Are Applied in the CSO Customer Portal User Guide (available on the CSO Documentation page).

Import a Certificate

Note

If you want to use the SSL proxy feature in CSO, you must import at least one root certificate for a tenant. The certificate can then be installed in one or more sites.

To import a certificate:

Select Administration > Certificate Management > Certificates in Customer Portal.
The Certificates page appears.
Select More > Import Certificate.
The Import Certificate page appears.
Complete the configuration according to the guidelines provided in Table 1.Note
Fields marked with * are mandatory.
Click OK.
You are returned to the Certificates page. If the certificate content that you imported is validated successfully, a confirmation message is displayed; if not, an error message is displayed.

After importing a certificate, you can use it when you add an SSL proxy profile.

Table 1: Import Certificate Settings

Setting	Guideline
Certificate Name	Enter the certificate name, which must be a unique string of alphanumeric characters and some special characters (_ -). No spaces are allowed and the maximum length is 32 characters.
Certificate Type	Select an option to specify whether the certificate that you are importing is a root certificate (Root CA) or a trusted certificate (Trusted CA).
Passphrase	Enter the passphrase to protect the private key or key pair of the Privacy-Enhanced Mail (PEM) certificate file.
Description	Enter a description for the certificate.
Certificate Content	Select whether you want to import the certificate content from a file or if you want to paste the certificate content. Note: The following certificate file extensions are supported: `.cert`, `.pem`, and `.txt`. The certificate content must be in the X.509 ASCII format. If you’re importing a root certificate, then the both the certificate content and private key must be specified.
File Path for Certificate	To import the certificate content from a file, click Browse. In the File Upload dialog that appears, select the certificate file and click Open. The filename of the file that you uploaded is displayed.
Paste Certificate Content	To paste the certificate content directly from a file, open the certificate file in a text editor, copy the certificate content, and paste it in the text box.

The following is an example of root certificate content.

Install a Certificate

After you import a certificate into CSO, you can install the certificates on one or more sites.

To install a certificate:

Select Administration > Certificate Management > Certificates in Customer Portal.
The Certificates page appears.
Select the certificate that you want to install, and then select More > Install Certificate. Alternatively, right-click a certificate and select Install Certificate.
The Install Certificate page appears, displaying a list of sites.
Select the sites on which you want to install the certificate.
Click Install.
You are returned to the Certificates page. A job is triggered and a confirmation message appears with the ID of the job. Click the job ID to go to the Jobs page, where you can view the status of the job.
(Optional) After the job completes successfully. you can verify that the certificate was installed on the sites. On the Certificates page, select the certificate and select More > View Installed Sites.
The View Installed Sites page appears listing the sites on which the certificate was installed.

Add SSL Forward Proxy Profiles

To add an SSL forward proxy profile:

Note

Ensure that you have a root certificate imported for the tenant before you add an SSL forward proxy profile. You can import SSL certificates (root and trusted) from the Certificates page (Administration > Certificate Management > Certificates) and associate the certificates with SSL forward proxy profiles.

Select Configuration > SSL Proxy > Profiles in Customer Portal.
The SSL Proxy Profiles page appears.
Click the add icon (+).
The Create SSL Proxy Profiles page appears.
Complete the configuration according to the guidelines provided in Table 2.Note
Fields marked with an asterisk (*) are mandatory.
Click OK.
You are returned to the SSL Proxy Profiles page, and a confirmation message is displayed when the SSL proxy profile is added.
The SSL forward proxy profile can be used in an SSL proxy policy intent.

Table 2: Create SSL Proxy Profile Settings

Setting	Guideline
General Information
Name	Enter a unique name for the profile, which can contain alphanumeric characters, hyphens, and underscores. No spaces are allowed and the maximum length is 63 characters.
Description	Enter a description for the profile. The maximum length is 255 characters.
Preferred Cipher	Select a preferred cipher, which enables you to define an SSL cipher that can be used with acceptable key strength: None (Default)—Do not specify a preferred cipher. Medium—Use ciphers with key strength of 128 bits or greater. Strong—Use ciphers with key strength of 168 bits or greater. Weak—Use ciphers with key strength of 40 bits or greater. Custom—Configure a custom cipher suite.
Custom Ciphers	If you specified a custom preferred cipher, you can define a custom cipher list by selecting one or more ciphers that the SSH server can use to perform encryption and decryption functions: None—No encryption. rsa-with-RC4-128-md5—RSA, 128- bit RC4, MD5 hash rsa-with-RC4-128-sha—RSA, 128-bit RC4, SHA hash rsa-with-des-cbc-sha—RSA, DES/CBC, SHA hash rsa-with-3DES-ede-cbc-sha—RSA, 3DES EDE/CBC, SHA hash rsa-with-aes-128-cbc-sha—RSA, 128-bit AES/CBC, SHA hash rsa-with-aes-256-cbc-sha—RSA, 256 bit AES/CBC, SHA hash rsa-export-with-rc4-40-md5—RSA-export, 40 bit RC4, MD5 hash rsa-export-with-des40-cbc-sha—RSA-export, 40 bit DES/CBC, SHA hash rsa-export1024-with-des-cbc-sha—RSA 1024 bit export, DES/CBC, SHA hash rsa-export1024-with-rc4-56-md5—RSA 1024 bit export, 56 bit RC4, MD5 hash rsa-export1024-with-rc4-56-sha—RSA 1024 bit export, 56 bit RC4, SHA hash rsa-with-aes-256-gcm-sha384—RSA, 256 bit AES/GCM, SHA384 hash rsa-with-aes-256-cbc-sha256—RSA, 256 bit AES/CBC, SHA256 hash rsa-with-aes-128-gcm-sha256—RSA, 128 bit AES/GCM, SHA256 hash rsa-with-aes-128-cbc-sha256—RSA, 256 bit AES/CBC, SHA256 hash ecdhe-rsa-with-aes-256-gcm-sha384—ECDHE, RSA, 256 bit AES/GCM, SHA384 hash ecdhe-rsa-with-aes-256-cbc-sha384—ECDHE, RSA, 256 bit AES/CBC, SHA384 hash ecdhe-rsa-with-aes-256-cbc-sha—ECDHE, RSA, 256 bit AES/CBC, SHA hash ecdhe-rsa-with-aes-3des-ede-cbc-sha—ECDHE, RSA, 3DES, EDE/CBC, SHA hash ecdhe-rsa-with-aes-128-gcm-sha256—ECDHE, RSA, 128 bit AES/GCM, SHA256 hash ecdhe-rsa-with-aes-128-cbc-sha256—ECDHE, RSA, 128 bit AES/CBC, SHA256 hash ecdhe-rsa-with-aes-128-cbc-sha—ECDHE, RSA, 128 bit AES/CBC, SHA hash
Flow Trace	Click the toggle button to enable flow tracing to enable the troubleshooting of policy-related issues. Flow tracing is disabled by default.
Root Certificate	Select a root certificate from the list or click Add Root Certificate to import a root certificate. In a public key infrastructure (PKI) hierarchy, the root certificate authority (CA) is at the top of the trust path.
Trusted Certificate Authorities	Choose whether you want to add all trusted certificates present on the device (All) or select specific trusted certificates (Select Specific). Before establishing a secure connection, the SSL proxy checks CA certificates to verify signatures on server certificates. If you chose to add selected trusted certificates, the existing trusted certificates are displayed. Select one or more certificates by clicking the check boxes, and click the > icon. The selected certificates are displayed in the column on the right. Optionally, click Add Trusted Certificates to import a trusted certificate. See Import a Certificate. Note: Specifying that all trusted certificates should be used means that all trusted certificates on a particular device (site) will be used during SSL policy deployment. If you specify that all trusted certificates should be used in an SSL forward proxy profile, you must ensure that at least one trusted certificate is installed on the device.
Exempted Addresses	Exempted addresses include addresses that you want to exempt from undergoing SSL proxy processing. To specify exempted addressees, select one or more addresses in the left column and click the > icon to confirm your selection. The selected addresses are then displayed in the right column. These addresses are used to create allow lists that bypass SSL forward proxy processing. Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions typically include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under allow lists. Note: You can also add addresses by clicking Add New Address. For more information, see Creating Addresses or Address Groups in the CSO Customer Portal User Guide (available at the CSO Documentation page).
Exempted URL Categories	Select one or more previously defined URL categories in the left column and click the > icon to confirm your selection. The selected addresses are then displayed in the right column. These URL categories are used to create allow lists that bypass SSL forward proxy processing. The selected URL categories are exempted during SSL inspection.
Actions
Server Auth Failure	Click the toggle button to enable CSO to ignore errors encountered during the server certificate verification process, such as CA signature verification failure, self-signed certificates, and certificate expiry. This toggle button is disabled by default, which means that server authentication errors are not ignored. We do not recommend that you ignore authentication errors because it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.
Session Resumption	Click the toggle button to enable session resumption. Session resumption is disabled by default. To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session-caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server.
Logging	Select one or more events to be logged. You can choose to log all events, warnings, general information, errors, or different sessions (allowed, dropped, or ignored). By default, no events are logged.
Renegotiation	Select one of the following options if a change in SSL parameters requires renegotiation: None—Renegotiation is not required. This is the default setting. Allow—Allow secure and nonsecure renegotiation. Allow Secure—Allow secure negotiation only. Drop—Drop session on renegotiation request. After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation. When session resumption is enabled, session renegotiation is useful in the following situations: Cipher keys need to be refreshed after a prolonged SSL session. Stronger ciphers need to be applied for a more secure connection.

Add SSL Proxy Policy Intents

An SSL proxy policy intent enables you to configure an SSL proxy between source and destination endpoints by associating the latter with an SSL proxy profile. You can add an SSL proxy policy intent inline on the SSL Proxy Policy page.

To add an SSL proxy policy intent:

Select Configuration > SSL Proxy > Policy in Customer Portal.
The SSL Proxy Policy page appears.
Click the add icon (+).
The options to add a policy intent appears inline on the SSL Proxy Policy page.
Enter the policy intent information according to the guidelines provided in Table 3
Click Save.
The SSL proxy policy intent is saved and a confirmation message is displayed. When an SSL proxy policy intent is added, the Undeployed field is incremented by one indicating that intents are pending deployment.
Note
After the policy intent is added, you must deploy the policy to ensure that the changes take effect

Table 3: Add SSL Proxy Policy Intent Settings

Setting	Guideline
[Name]	Enter the name of the SSL proxy policy intent in the first text box. If you do not enter a name, the system-generated name is used. The name that you enter must begin with an alphanumeric character and can contain alphanumeric characters and some special characters (- _). The maximum length is 63 characters.
[Description]	Enter the description of the SSL proxy policy intent in the second text box.
Source	Select one or more of the following source endpoints: IP address or IP address group Site Site group Department The default source for an SSL proxy policy intent is All Sites. If you don’t add a source, then the default is used. Note: A source IP address value of Any signifies any IP address from any site.
Destination	Select one or more of the following destination endpoints: IP address or address group Site Site group Department The default destination for an SSL proxy policy intent is Internet. If you don’t add a destination, then the default is used. Note: A destination IP address value of Any signifies traffic going to the Internet (any address). Traffic within sites (internal traffic) is not covered by the destination IP address value of Any. If you want to cover traffic between two sites, ensure that the sites are included in both the source and destination endpoints.
SSL Proxy Profile	Specify an SSL proxy profile to associate with the SSL proxy policy intent in one of the following ways: Click the add icon (+) and select the SSL proxy profile from the list of previously configured profiles. Filter the profiles by entering a search term in the SSL Proxy Profile field and select a profile. Add a SSL proxy profile—Click the Add New Profile link. See Add SSL Forward Proxy Profiles. Click the View more results link to view additional configured profiles. The list of SSL proxy profiles is displayed in the End Points panel on the right. To add a profile, select it and click the check mark icon (✓) that appears when you hover over the profile.

Deploy an SSL Proxy Policy

After you add one or more SSL proxy policy intents, you must deploy the SSL proxy policy.

To deploy an SSL proxy policy:

Select Configuration > SSL Proxy > Policy.
The SSL Proxy Policy page appears
Click Deploy.
The Deploy page appears.
In the Choose Deployment Time field, select:
- Run now to trigger the deployment of the policy immediately.
- Schedule at a later time to schedule the deployment for later.
  If you schedule the deployment for later, enter the date (in MM/DD/YYYY format) and time (in HH:MM:SS 24-hour or AM/PM format) that you want the deployment to occur. You specify the time in the local time zone of the client from which you access the CSO GUI.
Click OK
You are returned to the SSL Proxy Policy page and a job to deploy the policy is triggered. You can check the status of the deployment on the Jobs page (Monitor > Jobs). When the job completes successfully, it means that the SSL proxy policy was deployed. The Undeployed field on the SSL Proxy Policy page should be 0.

WHAT'S NEXT

See CSO Next-Generation Firewall (NFGW) Deployment Workflow.

ON THIS PAGE