Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

SSL Proxy for Logical Systems

 

Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. For more information, see the following topics:

Understanding SSL Forward and Reverse Proxy for Logical Systems

SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server. SSL, also called Transport Layer Security (TLS), ensures the secure transmission of data between a client and a server through a combination of privacy, authentication, confidentiality, and data integrity.

SSL proxy is a transparent proxy that performs SSL encryption and decryption between the client and the server as follows:

  • Reverse proxy is an inbound session, that is, externally initiated SSL sessions from the Internet to the local server.

    The proxy model implementation for server protection (often called reverse proxy) is supported on SRX Series devices to provide improved handshaking and support for more protocol versions.

  • Forward proxy is an outbound session, that is, locally initiated SSL session to the Internet.

SSL proxy works transparently between the client and the server. All requests from a client first go to the proxy server; the proxy server evaluates the request, and if the request is valid, forwards the request to the outbound side. Similarly, inbound requests are also evaluated by the proxy server. Both client and server interpret that they are communicating with each other; however, it is the SSL proxy that functions between the two.

Example: Configuring SSL Forward and Reverse Proxy for Logical Systems

This example shows how to configure SSL proxy to enable server protection. A reverse proxy protects servers by hiding the details of the servers from the clients, there by adding an extra layer of security and the purpose of a forward proxy is to manage traffic to the client systems.

Requirements

To configure an SSL reverse and forward proxy, you must:

  • Load the server certificates and their keys into SRX Series device’s certificate repository.

  • Attach the server certificate identifiers to the SSL proxy profile.

  • Apply SSL proxy profile as application services in a security policy.

Overview

This example shows how to configure reverse proxy to enable server protection and forward proxy is for client protection. It shows how to configure an SSL proxy profile and apply it at the security policy rule level. For server protection, additionally, server certificates with private keys must be configured.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring the SSL Reverse and Forward Proxy

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the SSL Proxy:

  1. Configure the SSL Reverse Proxy.
  2. Configure the SSL Forward Proxy.

Results

From configuration mode, confirm your configuration by entering the show logical-system LSYS1 services ssl proxy command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

You must configure either root-ca (forward proxy) or server-certificate (reverse proxy) in an SSL proxy profile. Otherwise, the commit check fails.

Verification

Verifying the SSL Proxy Configuration on the Device

Purpose

Viewing the SSL reverse proxy statistics on the SRX Series device.

Action

You can view the SSL proxy statistics by using the show services ssl proxy statistics logical-system command.

user@host> show services ssl proxy statistics logical-system LSYS1