Configuring and Deploying an SSL Forward Proxy Policy

The following is the workflow for configuring and deploying an intent-based SSL forward proxy policy in CSO:

  1. Obtain the root certificate and private key from your trusted certificate authority (CA).
  2. Combine the root certificate and private key into a single file.
  3. Import the certificate and private key file (on the Import Certificate page); see Importing a Certificate.
  4. (Optional) Install the imported certificate on one or more sites (on the Install Certificate page); see Installing and Uninstalling Certificates.
  5. By default, Juniper Networks ships trusted certificates for sites that use HTTPS. These certificates are installed automatically by CSO when the site is successfully provisioned.

    If you want to use additional trusted certificates, import and install the certificates as explained in Steps 3 and 4.

  6. Create an SSL proxy profile (on the Create SSL Proxy Profiles page); see Creating SSL Forward Proxy Profiles.
    Note:
    • Use the imported root certificate when you create the SSL proxy profile.

    • For trusted certificates, specify that all trusted certificates on the device are used (select All in the Trusted Certificate Authorities field).

  7. Create an SSL proxy policy intent that uses the SSL proxy profile that you created (on the SSL Proxy Policy page); see Creating SSL Proxy Policy Intents.
  8. Deploy the SSL proxy policy; see Deploying Policies.
    Note:
    • Ensure that the root and trusted certificates are imported into CSO before the policy is deployed.

    • If you have not installed the certificates referenced in the SSL proxy profile, then they are automatically installed when the SSL proxy policy is deployed.

  9. For Internet access from an SRX Series Firewall by using the SSL proxy, ensure that you import the root certificate (obtained in Step 1) into the browsers of the clients accessing the Internet.
    Note:

    If you do not import the certificate, the traffic does not go through for clients in the LAN segments.
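
The file built in Step 2 can be checked before it is imported in Step 3. The shell function below is an added example, not part of the original documentation: it confirms that the certificate is a CA certificate, that the private key belongs to it, and that it has not expired, then writes the combined file with owner-only permissions. It assumes PEM-encoded inputs, an unencrypted private key, certificate-first ordering in the combined file, and the `openssl` command-line tool; the function name, return codes and file names are hypothetical.

```shell
#!/bin/sh
# Added example for Step 2: build the single certificate-plus-key file.
# Assumptions (not from the original page): PEM inputs, an unencrypted
# private key, and certificate-first ordering in the combined file.

# combine_ca_bundle CERT KEY OUT   (hypothetical helper name)
# Returns: 0 ok, 1 unreadable input, 2 not a CA certificate,
#          3 key does not match certificate, 4 certificate expired,
#          5 could not write OUT.
combine_ca_bundle() {
    cert=$1 key=$2 out=$3
    [ -r "$cert" ] && [ -r "$key" ] || return 1

    # A forward proxy re-signs server certificates, so the imported
    # certificate must be allowed to act as a CA.
    openssl x509 -in "$cert" -noout -text 2>/dev/null |
        grep -q 'CA:TRUE' || return 2

    # The pair matches only if both files yield the same public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3

    # Refuse a certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 4

    # The output holds a private key: create it readable by the owner only.
    # The echo guards against a certificate file with no trailing newline.
    ( umask 077
      { cat "$cert" && echo && cat "$key"; } > "$out" ) || return 5
    chmod 600 "$out"
}

# Stand-alone use: sh combine.sh root-ca.pem root-ca.key bundle.pem
if [ "$#" -eq 3 ]; then
    combine_ca_bundle "$@"
fi
```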