
Configuring SSL Proxy


Secure Sockets Layer (SSL) is an application-level protocol that provides encryption and decryption technology for the Internet by residing between the server and the client. SSL, also called Transport Layer Security (TLS), ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity. SSL relies on certificates and private-public key exchange pairs for this level of security.

J-Web supports both forward proxy and reverse proxy profiles.

Note

SSL proxy is supported in SRX340, SRX345, SRX550m, SRX1500, SRX4100, SRX4200, and vSRX2.0 platforms.

  1. Select Configure>Security>SSL Proxy.

    The SSL Proxy Profiles page appears. Table 241 explains the contents of this page.

  2. Click one:
    • Global Config—Configures the session cache timeout and applies it globally to all the policies.

    • Add icon (+)—Adds a new SSL proxy or global policy configuration. Enter information as specified in Table 242.

    • Edit icon (/)—Edits the selected SSL proxy configuration. Enter information as specified in Table 242.

    • Delete(X)—Deletes the selected SSL proxy configuration.

    • More—Enables you to clone an SSL proxy from the selected SSL proxy configuration, display a detailed view of the selected SSL proxy, and clear all selections in the grid.

    • Search icon—Enables you to search for an SSL proxy in the grid.

    • Show Hide Column Filter icon—Enables you to show or hide a column in the grid.

  3. Click the Commit icon at the top of the J-Web page. The following commit options are displayed.

    • Commit—Commits the configuration and returns to the main configuration page.

    • Compare—Enables you to view the configuration changes you have made in Show Pending Changes.

    • Discard—Discards the configuration changes you made in J-Web.

    • Preferences—There are two tabs:

      Commit preferences—You can choose to validate only, or to validate and commit the changes.

      Startup page upon login—You can choose which page is displayed as soon as you log in to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.

Table 241: SSL Proxy Profiles Page

Field

Function

Name

Displays the name of the SSL Proxy profile.

Protection Type

Displays the type of protection the profile provides: client protection or server protection. Client protection is for SSL forward proxy and server protection is for SSL reverse proxy.

Preferred Cipher

Displays the preferred cipher category of the profile, based on key strength.

Custom Cipher

Displays the custom ciphers that the SSL server uses to perform encryption and decryption.

Flow Tracing

Displays whether flow trace is enabled or disabled for troubleshooting policy-related issues.

Exempted Addresses

Displays the whitelisted addresses that bypass SSL forward proxy processing.

Server Auth Failure

Displays the action that will be performed if errors are encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).

Session Resumption

Displays whether session resumption is disabled.

Table 242: Create-Update SSL Proxy Profile - Configuration Details

Field

Function

Action

Policy Options

Name

Specifies the name of the SSL proxy profile.

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Preferred Cipher

Specifies the cipher category by key strength. Ciphers are divided into the following categories.

  • Medium—Use ciphers with key strength of 128 bits or greater.

  • Strong—Use ciphers with key strength of 168 bits or greater.

  • Weak—Use ciphers with key strength of 40 bits or greater.

  • Custom—Configure custom cipher suite and order of preference.

Select a preferred cipher from the dropdown list.

Custom Ciphers

Specifies the set of ciphers the SSL server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available.

The available custom ciphers are:

  1. rsa-with-RC4-128-md5—RSA, 128-bit RC4, MD5 hash

  2. rsa-with-RC4-128-sha—RSA, 128-bit RC4, SHA hash

  3. rsa-with-des-cbc-sha—RSA, DES/CBC, SHA hash

  4. rsa-with-3DES-ede-cbc-sha—RSA, 3DES EDE/CBC, SHA hash

  5. rsa-with-aes-128-cbc-sha—RSA, 128-bit AES/CBC, SHA hash

  6. rsa-with-aes-256-cbc-sha—RSA, 256-bit AES/CBC, SHA hash

  7. rsa-export-with-rc4-40-md5—RSA-export, 40-bit RC4, MD5 hash

  8. rsa-export-with-des40-cbc-sha—RSA-export, 40-bit DES/CBC, SHA hash

  9. rsa-with-aes-256-gcm-sha384—RSA, 256-bit AES/GCM, SHA384 hash

  10. rsa-with-aes-256-cbc-sha256—RSA, 256-bit AES/CBC, SHA256 hash

  11. rsa-with-aes-128-gcm-sha256—RSA, 128-bit AES/GCM, SHA256 hash

  12. rsa-with-aes-128-cbc-sha256—RSA, 128-bit AES/CBC, SHA256 hash

  13. ecdhe-rsa-with-aes-256-gcm-sha384—ECDHE, RSA, 256-bit AES/GCM, SHA384 hash

  14. ecdhe-rsa-with-aes-256-cbc-sha—ECDHE, RSA, 256-bit AES/CBC, SHA hash

  15. ecdhe-rsa-with-aes-256-cbc-sha384—ECDHE, RSA, 256-bit AES/CBC, SHA384 hash

  16. ecdhe-rsa-with-aes-3des-ede-cbc-sha—ECDHE, RSA, 3DES EDE/CBC, SHA hash

  17. ecdhe-rsa-with-aes-128-gcm-sha256—ECDHE, RSA, 128-bit AES/GCM, SHA256 hash

  18. ecdhe-rsa-with-aes-128-cbc-sha—ECDHE, RSA, 128-bit AES/CBC, SHA hash

  19. ecdhe-rsa-with-aes-128-cbc-sha256—ECDHE, RSA, 128-bit AES/CBC, SHA256 hash

Select the set of ciphers from the dropdown list.
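As an added example (not Juniper's code and not part of the original page), the following Python script takes the Custom Ciphers list above, places each suite in the page's key-strength categories (Weak, Medium, Strong) and flags the legacy constructions (export-grade keys, RC4, DES and 3DES, MD5) that a defender would leave out of a custom set. Parsing the key length out of the suite name and the flagging rules are this example's own assumptions, not J-Web's behaviour.

```python
import re

# Key-strength floors (bits) for the page's Preferred Cipher categories.
CATEGORIES = (("Strong", 168), ("Medium", 128), ("Weak", 40))

# Legacy constructions that key length alone does not reveal (name markers).
LEGACY = (("export", "export-grade key"), ("rc4", "RC4 (prohibited for TLS by RFC 7465)"),
          ("3des", "3DES 64-bit block cipher"), ("-des-", "single DES"),
          ("des40", "single DES"), ("md5", "MD5 MAC"))

# Suite names exactly as listed under Custom Ciphers on this page.
CUSTOM_CIPHERS = [
    "rsa-with-RC4-128-md5", "rsa-with-RC4-128-sha", "rsa-with-des-cbc-sha",
    "rsa-with-3DES-ede-cbc-sha", "rsa-with-aes-128-cbc-sha",
    "rsa-with-aes-256-cbc-sha", "rsa-export-with-rc4-40-md5",
    "rsa-export-with-des40-cbc-sha", "rsa-with-aes-256-gcm-sha384",
    "rsa-with-aes-256-cbc-sha256", "rsa-with-aes-128-gcm-sha256",
    "rsa-with-aes-128-cbc-sha256", "ecdhe-rsa-with-aes-256-gcm-sha384",
    "ecdhe-rsa-with-aes-256-cbc-sha", "ecdhe-rsa-with-aes-256-cbc-sha384",
    "ecdhe-rsa-with-aes-3des-ede-cbc-sha", "ecdhe-rsa-with-aes-128-gcm-sha256",
    "ecdhe-rsa-with-aes-128-cbc-sha", "ecdhe-rsa-with-aes-128-cbc-sha256",
]

def key_bits(name):
    """Nominal symmetric key length parsed from the suite name (assumed naming)."""
    n = name.lower()
    if "3des" in n:
        return 168  # 3DES EDE keying material; effective strength is 112 bits
    if "-des-" in n:
        return 56   # single DES has a 56-bit key
    m = re.search(r"(?:rc4|aes|des)-?(\d+)", n)  # rc4-128, aes-256, des40
    if not m:
        raise ValueError("unrecognised suite: " + name)
    return int(m.group(1))

def category(name):
    """Apply the page's Weak/Medium/Strong floors to the suite's key length."""
    bits = key_bits(name)
    return next((label for label, floor in CATEGORIES if bits >= floor), "Below Weak")

def issues(name):
    """Reasons a defender would drop the suite; empty when none apply."""
    n = name.lower()
    return [why for marker, why in LEGACY if marker in n]

def clean_set(names=CUSTOM_CIPHERS):
    """Suites with no issue, strongest key first and ECDHE ahead of plain RSA."""
    ok = [n for n in names if not issues(n)]
    return sorted(ok, key=lambda n: (-key_bits(n), not n.startswith("ecdhe")))
```

Note that key length alone puts RC4-128 in the Medium category and 3DES in Strong, which is why the issues check is needed alongside the category.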

Flow Trace

Specify this option to enable flow trace for troubleshooting policy-related issues.

Select this option to enable flow trace; otherwise leave it blank.

Certificate Type

Specifies whether the certificate that you want to associate with this profile is a root CA or a server certificate. A server certificate is used for SSL reverse proxy. If you choose server certificate, the trusted CA, CRL, and server auth failure options will not be available. For a forward proxy profile, choose the root CA.

In a public key infrastructure (PKI) hierarchy, the root CA is at the top of the trust path. The root CA identifies the server certificate as a trusted certificate.

Certificate

Specifies the certificate that you created in the Administration > Certificate Management page of J-Web. In a public key infrastructure (PKI) hierarchy, the CA is at the top of the trust path. The CA identifies the server certificate as a trusted certificate.

Select the certificate that you want to associate with this SSL proxy profile from the dropdown list.

Trusted Certificate Authorities

Specifies the trusted CA associated with the certificate that you selected.

Select the trusted CAs available on the device using one of the following options: All, None, or Select specific.

If you choose Select specific, you need to select the Certificate Authorities from the Available window and move them to the Selected window.

Exempted Addresses

Specifies addresses to create whitelists that bypass SSL forward proxy processing.

Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions mostly include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under whitelists.

Select the addresses from the Available window and move them to the Selected window.

Exempted URL Categories

Specifies URL categories to create whitelists that bypass SSL forward proxy processing.

These URL categories are exempted during SSL inspection. Only the predefined URL categories can be selected for the exemption.

Select URL categories from the Available window and move them to the Selected window.

Actions

Server Auth Failure

Specifies whether to ignore server authentication completely.

In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).

We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.

Select this option to ignore server authentication completely.

Session Resumption

To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server.

Select the Disable Session Resumption option if you do not want session resumption.

Logging

Specifies whether to generate logs.

You can choose to log All events, Warnings, general Information, Errors, or different sessions (whitelisted, Allowed, Dropped, or Ignored).

Select this option to generate logs.

Renegotiation

After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation.

You can specify whether to Allow nonsecure renegotiation, Allow-secure renegotiation, or Drop renegotiation.

When session resumption is enabled, session renegotiation is useful in the following situations:

  • Cipher keys need to be refreshed after a prolonged SSL session.

  • Stronger ciphers need to be applied for a more secure connection.

Select if a change in SSL parameters requires renegotiation. The options are: None (selected by default), Allow, Allow-secure, and Drop.

Certificate Revocation

Specifies if you want to revoke the certificate.

Select Disable if you want to revoke the certificate.

If CRL info not present

Specifies whether to allow or drop the session if CRL information is not present.

Select the action if CRL info is not present from the options: Allow session, Drop session, or None.

Hold Instruction Code

Specifies if you want to hold the instruction code for this profile.

Select Ignore if you want to keep the instruction code on hold.