Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Using the SSL Forward Proxy Feature to Enable Inspection of HTTPS Traffic

    To inspect the HTTP payload of HTTPS traffic, the IDP Series device must first decrypt it. Your security policy can examine both the SSL session and the decrypted HTTP payload.

    The IDP Series solution supports SSL inspection in two ways:

    • Using server private keys. Use this method when inspecting traffic to internal servers where you have access to the server private key.
    • Using the SSL forward proxy feature. Use this method when the server private key method is not practical (for example, for traffic to servers on the WWW).

    Note: If you enable both methods, the IDP Series device performs SSL inspection using the SSL forward proxy method and does not use the server private keys.

    The following procedure provides the basic steps you take to implement the SSL forward proxy feature.

    To implement the SSL forward proxy feature:

    1. Generate the root certificate authority (CA) that the IDP Series device uses to create and sign new certificates used in SSL proxy operations. The following example creates a root CA:

      [root@defaulthost admin]# scio ssl ca create US CA Sunnyvale 'Juniper Networks Inc.' 'SSL Inspection policy' 'Juniper IT Services' 'admin@juniper.net' 1024
    2. Verify the CA was added:

      [root@defaulthost admin]# scio ssl ca show
      serial=8E0012848A2D7CCD
      subject= /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks Inc./OU=SSL Inspection
      policy/CN=Juniper IT Services/emailAddress=admin@juniper.net
      issuer= /C=US/ST=CA/L=Sunnyvale/O=Juniper Networks Inc./OU=SSL Inspection
      policy/CN=Juniper IT Services/emailAddress=admin@juniper.net
      notBefore=Jun 25 22:13:23 2009 GMT
      notAfter=Jun 23 22:13:23 2019 GMT

    Published: 2011-02-08