
    Creating SSL Reverse Proxy Profiles

    Use the SSL Reverse Proxy Profiles page to configure the SSL reverse proxy, which protects your SSL-enabled web servers against client-to-server attacks from malicious clients. This functions by loading the SSL private key onto the SRX Series device to protect your clients against threats from web servers that you do not control. For example, when an external user on the Internet accesses a corporate web server, the user initiates an HTTPS connection to that server. The IPS policy, which has the private key of the web server, intercepts the traffic and inspects it for attacks; if no attacks are present, it forwards the traffic on to the destination web server.

    To create an SSL reverse proxy profile:

    1. Select Configure > SSL Profiles > SSL Proxy Profiles.

      The SSL Proxy Profiles page appears.

    2. Select Reverse Proxy from the Create list.
    3. Complete the configuration according to the guidelines provided in Table 1.
    4. Click OK.

    An SSL reverse proxy profile is created that can be assigned to a firewall policy for advanced security options.

    Table 1: Fields on the Create SSL Reverse Proxy Profile Page

    Field

    Description

    General Information

    Name

    Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

    Description

    Enter a description for the SSL forward proxy profile; maximum length is 1024 characters.

    Preferred Cipher

    Select a preferred cipher. Ciphers are divided into the following categories depending on their key strength.

    • Custom—Configure custom cipher suite and order of preference.
    • Medium—Use ciphers with key strength of 128 bits or greater.
    • Strong—Use ciphers with key strength of 168 bits or greater.
    • Weak—Use ciphers with key strength of 40 bits or greater.

    Custom Ciphers

    Select the set of ciphers the SSH server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available.

    The available custom ciphers are:

    • rsa-with-RC4-128-md5—RSA, 128-bit RC4, MD5 hash
    • rsa-with-RC4-128-sha—RSA, 128-bit RC4, SHA hash
    • rsa-with-des-cbc-sha—RSA, DES/CBC, SHA hash
    • rsa-with-3DES-ede-cbc-sha—RSA, 3DES EDE/CBC, SHA hash
    • rsa-with-aes-128-cbc-sha—RSA, 128-bit AES/CBC, SHA hash
    • rsa-with-aes-256-cbc-sha—RSA, 256-bit AES/CBC, SHA hash
    • rsa-export-with-rc4-40-md5—RSA-export, 40-bit RC4, MD5 hash
    • rsa-export-with-des40-cbc-sha—RSA-export, 40-bit DES/CBC, SHA hash
    • rsa-export1024-with-des-cbc-sha—RSA 1024-bit export, DES/CBC, SHA hash
    • rsa-export1024-with-rc4-56-md5—RSA 1024-bit export, 56-bit RC4, MD5 hash
    • rsa-export1024-with-rc4-56-sha—RSA 1024-bit export, 56-bit RC4, SHA hash
    • rsa-with-aes-256-gcm-sha384—RSA, 256-bit AES/GCM, SHA384 hash
    • rsa-with-aes-256-cbc-sha256—RSA, 256-bit AES/CBC, SHA256 hash
    • rsa-with-aes-128-gcm-sha256—RSA, 128-bit AES/GCM, SHA256 hash
    • rsa-with-aes-128-cbc-sha256—RSA, 256-bit AES/CBC, SHA256 hash
    • ecdhe-rsa-with-aes-256-gcm-sha384—ECDHE, RSA, 256-bit AES/GCM, SHA384 hash
    • ecdhe-rsa-with-aes-256-cbc-sha384—ECDHE, RSA, 256-bit AES/CBC, SHA384 hash
    • ecdhe-rsa-with-aes-256-cbc-sha—ECDHE, RSA, 256-bit AES/CBC, SHA hash
    • ecdhe-rsa-with-aes-3des-ede-cbc-sha—ECDHE, RSA, 3DES, EDE/CBC, SHA hash
    • ecdhe-rsa-with-aes-128-gcm-sha256—ECDHE, RSA, 128-bit AES/GCM, SHA256 hash
    • ecdhe-rsa-with-aes-128-cbc-sha256—ECDHE, RSA, 128-bit AES/CBC, SHA256 hash
    • ecdhe-rsa-with-aes-128-cbc-sha—ECDHE, RSA, 128-bit AES/CBC, SHA hash
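
As an added example (not part of the Juniper documentation), the following Python script applies the Preferred Cipher key-strength thresholds to the custom cipher names listed above and reports which legacy primitives each name contains. It assumes a tier admits every listed suite at or above its threshold, which the device's actual tier membership may not match; the helper names and finding labels are this example's own.

```python
import re

# Custom cipher names exactly as listed on this page.
PAGE_CIPHERS = """
rsa-with-RC4-128-md5 rsa-with-RC4-128-sha rsa-with-des-cbc-sha
rsa-with-3DES-ede-cbc-sha rsa-with-aes-128-cbc-sha rsa-with-aes-256-cbc-sha
rsa-export-with-rc4-40-md5 rsa-export-with-des40-cbc-sha
rsa-export1024-with-des-cbc-sha rsa-export1024-with-rc4-56-md5
rsa-export1024-with-rc4-56-sha rsa-with-aes-256-gcm-sha384
rsa-with-aes-256-cbc-sha256 rsa-with-aes-128-gcm-sha256
rsa-with-aes-128-cbc-sha256 ecdhe-rsa-with-aes-256-gcm-sha384
ecdhe-rsa-with-aes-256-cbc-sha384 ecdhe-rsa-with-aes-256-cbc-sha
ecdhe-rsa-with-aes-3des-ede-cbc-sha ecdhe-rsa-with-aes-128-gcm-sha256
ecdhe-rsa-with-aes-128-cbc-sha256 ecdhe-rsa-with-aes-128-cbc-sha
""".split()

# Preferred Cipher thresholds from the page (minimum key strength in bits).
TIERS = {"weak": 40, "medium": 128, "strong": 168}

# Name tokens that mark legacy primitives (labels are this example's own).
LEGACY = {"rc4": "RC4", "export": "export-grade", "des": "DES/3DES", "md5": "MD5 MAC"}

def key_bits(name):
    """Symmetric key strength in bits, parsed from the cipher name."""
    n = name.lower()
    if "3des" in n:                      # check first: "aes-3des" must not parse as AES
        return 168
    m = re.search(r"(?:aes|rc4)-(\d+)", n) or re.search(r"des(\d+)", n)
    return int(m.group(1)) if m else 56  # plain "des-cbc" is single DES, 56 bits

def tier_members(tier):
    """Assumption: a tier admits every listed cipher at or above its threshold."""
    return [c for c in PAGE_CIPHERS if key_bits(c) >= TIERS[tier]]

def findings(name):
    """Legacy primitives named in the suite, plus missing forward secrecy."""
    n = name.lower()
    found = [label for token, label in LEGACY.items() if token in n]
    if not n.startswith("ecdhe"):
        found.append("static RSA key exchange (no forward secrecy)")
    return found

if __name__ == "__main__":
    for tier in TIERS:
        flagged = [c for c in tier_members(tier) if findings(c)]
        print(f"{tier}: {len(tier_members(tier))} suites, {len(flagged)} with findings")
    for c in tier_members("strong"):
        print(f"  {c}: {key_bits(c)} bits, {findings(c) or 'no findings'}")
```

Under that assumption the Strong tier still admits both 3DES suites and the Medium tier admits RC4-128, while the six ECDHE AES suites are the only names with no findings.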

    Flow Trace

    Select this option to enable flow trace for troubleshooting policy-related issues.

    Server Certificate

    Specify the server certificate identifier.

    Select the required SRX Series device from the list and assign the server certificate identifier.

    Exempted Address

    Select addresses to create whitelists that bypass SSL forward proxy processing.

    Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions mostly include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under whitelists.

    Exempted URL Categories

    Starting in Junos Space Security Director Release 16.2, you can select URL categories to create whitelists that bypass SSL forward proxy processing.

    These URL categories are exempted during SSL inspection. Only the predefined URL categories can be selected for the exemption.

    Actions

    Session Resumption

    Select the Disable Session Resumption option if you do not want session resumption.

    To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server.

    Log

    Select this option to generate logs. You can choose to log all events, warnings, general information, errors, or different sessions (whitelisted, allowed, dropped, or ignored).

    Renegotiation

    After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation.

    Select one of the following options if a change in SSL parameters requires renegotiation:

    • None (selected by default)
    • Allow
    • Allow-secure
    • Drop

    When session resumption is enabled, session renegotiation is useful in the following situations:

    • Cipher keys need to be refreshed after a prolonged SSL session.
    • Stronger ciphers need to be applied for a more secure connection.

    Release History Table

    Release
    Description
    Starting in Junos Space Security Director Release 16.2, you can select URL categories to create whitelists that bypass SSL forward proxy processing.

    Modified: 2017-07-19