Configuring SSL Proxy
Secure Sockets Layer (SSL) is an application-level protocol that provides encryption and decryption technology for the Internet by residing between the server and the client. SSL, also called Transport Layer Security (TLS), ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity. SSL relies on certificates and private-public key exchange pairs for this level of security.
J-Web supports both forward proxy and reverse proxy profiles.
SSL proxy is supported in SRX340, SRX345, SRX550m, SRX1500, SRX4100, SRX4200, and vSRX2.0 platforms.
- Select Configure>Security>SSL Proxy.
The SSL Proxy Profiles page appears. Table 241 explains the contents of this page.
- Click one:
  - Global Config—Configures the session cache timeout and applies it globally to all the policies.
  - Add icon (+)—Adds a new SSL proxy or global policy configuration. Enter information as specified in Table 242.
  - Edit icon (/)—Edits the selected SSL proxy configuration. Enter information as specified in Table 242.
  - Delete icon (X)—Deletes the selected SSL proxy configuration.
  - More—Enables you to clone an SSL proxy from the selected SSL proxy configuration, display a detailed view of the selected SSL proxy, and clear all selections in the grid.
  - Search icon—Enables you to search for an SSL proxy in the grid.
  - Show Hide Column Filter icon—Enables you to show or hide a column in the grid.
- Click the Commit icon at the top of the J-Web page. The following commit options are displayed:
  - Commit—Commits the configuration and returns to the main configuration page.
  - Compare—Enables you to see the configuration changes that you have made in the Show Pending Changes view.
  - Discard—Discards the configuration changes you made in J-Web.
  - Preferences—There are two tabs:
    - Commit preferences—You can choose to only validate, or to validate and commit, the changes.
    - Startup page upon login—You can choose which page is displayed as soon as you log in to J-Web. The options are: Configuration, Monitoring, Dashboard, and Last accessed.
Table 241: SSL Proxy Profiles Page
Displays the name of the SSL Proxy profile.
Displays the type of protection the profile provides. One is client protection and the other one is server protection. Client protection is for SSL forward proxy and server protection is for reverse proxy.
Displays the category of the profile depending on their key strength.
Displays the custom ciphers that the SSL server uses to perform encryption and decryption functions.
Displays whether flow trace is enabled or disabled for troubleshooting policy-related issues.
Displays the whitelisted addresses that bypass SSL forward proxy processing.
Server Auth Failure
Displays the action that will be performed if errors are encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).
Displays whether the session resumption is disabled or not.
Table 242: Create-Update SSL Proxy Profile - Configuration Details
Specifies the name of the SSL proxy profile.
Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; the maximum length is 63 characters.
Specifies the preferred cipher category by key strength. Ciphers are divided into the following categories.
Select a preferred cipher from the dropdown list.
Specifies the set of ciphers the SSL server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available.
The available custom ciphers are:
Select the set of ciphers from the dropdown list.
Specifies whether flow trace is enabled for troubleshooting policy-related issues.
Select this option if you want to enable flow trace; otherwise, leave it blank.
Specifies whether the certificate that you want to associate with this profile is a root CA or a server certificate. A server certificate is used for SSL reverse proxy. If you choose server certificate, the trusted CA, CRL, and server auth failure options are not available. For a forward proxy profile, choose the root CA.
In a public key infrastructure (PKI) hierarchy, the root CA is at the top of the trust path. The root CA identifies the server certificate as a trusted certificate.
Specifies the certificate that you created in the Administration > Certificate Management page of J-Web. In a public key infrastructure (PKI) hierarchy, the CA is at the top of the trust path. The CA identifies the server certificate as a trusted certificate.
Select the certificate that you want to associate with this SSL proxy profile from the dropdown list.
Trusted Certificate Authorities
Specifies the trusted CA associated with the certificate that you selected.
Select the trusted CAs that are available on the device from the following options: All, None, Select specific.
If you choose Select specific, select the certificate authorities in the Available window and move them to the Selected window.
Specifies addresses to create whitelists that bypass SSL forward proxy processing.
Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions mostly include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under whitelists.
Select the addresses from the Available window and move them to the Selected window.
Exempted URL Categories
Specifies URL categories to create whitelists that bypass SSL forward proxy processing.
These URL categories are exempted during SSL inspection. Only the predefined URL categories can be selected for the exemption.
Select the URL categories from the Available window and move them to the Selected window.
Server Auth Failure
Specifies whether to ignore server authentication completely.
In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).
We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause of dropped SSL sessions.
Select this option to ignore server authentication completely.
To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session caching mechanism so that session information, such as the pre-master secret key and agreed-upon ciphers, can be cached for both the client and server.
Select the Disable Session Resumption option if you do not want session resumption.
Specifies whether to generate logs.
You can choose to log All events, Warnings, general Information, Errors, or different sessions (whitelisted, Allowed, Dropped, or Ignored).
Select this option to generate logs.
After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation.
You can specify whether to Allow nonsecure renegotiation, Allow-secure renegotiation, or Drop renegotiation.
When session resumption is enabled, session renegotiation is useful in the following situations:
Select if a change in SSL parameters requires renegotiation. The options are: None (selected by default), Allow, Allow-secure, and Drop.
Specifies if you want to revoke the certificate.
Select Disable if you want to revoke the certificate.
If CRL info not present
Specifies whether to allow or drop the session if CRL information is not present.
Select the action if CRL info is not present from the options: Allow session, Drop session, or None.
Hold Instruction Code
Specifies if you want to hold the instruction code for this profile.
Select Ignore if you want to keep the instruction code on hold.
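As an added illustration (not J-Web or Junos code), the following Python model shows how the profile options described in Table 242 interact for a single session: whitelisted addresses and exempted URL categories bypass inspection before any certificate check, server certificate verification errors drop the session unless Server Auth Failure is set to ignore, and the "If CRL info not present" action applies afterwards. The class names, the ordering of the checks, and the sample certificates in the test are assumptions constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class SslProxyProfile:                                     # constructed model of the page's profile options
    whitelist: set = field(default_factory=set)            # addresses/domains that bypass the proxy
    exempted_url_categories: set = field(default_factory=set)
    ignore_server_auth_failure: bool = False               # the "Server Auth Failure" option
    crl_check_disabled: bool = False                       # the CRL "Disable" option
    crl_if_not_present: str = "Drop session"               # "Allow session", "Drop session" or "None"

@dataclass
class ServerCertificate:                                   # only the fields the checks below need
    subject: str
    issuer: str
    ca_signature_valid: bool                               # False models a CA signature verification failure
    not_after: datetime
    crl_present: bool

def verification_errors(cert, now):
    """Errors from the server certificate verification process named on the page."""
    errors = []
    if cert.subject == cert.issuer:
        errors.append("self-signed certificate")
    elif not cert.ca_signature_valid:
        errors.append("CA signature verification failure")
    if cert.not_after <= now:
        errors.append("certificate expired")
    return errors

def decide(profile, server, url_category, cert, now):
    """Return (session type, reason); session types are the log categories on the page:
    whitelisted, allowed, dropped, ignored. Check ordering is an assumption of this model."""
    if server in profile.whitelist:
        return "whitelisted", "address is whitelisted"
    if url_category in profile.exempted_url_categories:
        return "whitelisted", "URL category is exempted"
    errors = verification_errors(cert, now)
    if errors and not profile.ignore_server_auth_failure:
        return "dropped", "; ".join(errors)
    crl_missing = not profile.crl_check_disabled and not cert.crl_present
    if crl_missing and profile.crl_if_not_present == "Drop session":
        return "dropped", "CRL info not present"
    if errors:                                             # failures ignored by the profile are still logged
        return "ignored", "server auth failure ignored: " + "; ".join(errors)
    if crl_missing:                                        # "Allow session" or "None": session continues
        return "allowed", "CRL info not present"
    return "allowed", "server certificate verified"
```

The "ignored" outcome is the case the page warns about: the session proceeds even though the server was never authenticated, which is why that setting is only useful while diagnosing dropped sessions.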