Secure Web Proxy

SUMMARY You can configure secure Web proxy on a Juniper Networks SRX Series device to selectively bypass the external proxy server for traffic based on application type. Read this topic to understand how secure Web proxy works and how you can configure it on your SRX Series device.

Secure Web Proxy Overview

You can use secure Web proxy to send traffic to an external proxy server and bypass the proxy server for the selected application traffic. Bypassed application traffic will be sent directly to the target webserver.

To use secure Web proxy on an SRX Series device, you must configure a secure Web proxy profile with the external proxy server details and the dynamic applications that you want to bypass the external proxy server. When the security device receives a request from a client, the device examines the HTTP header to identify the application. The device applies the Web proxy profile to traffic that matches the security policy rules. Permitted application traffic that matches a dynamic application specified in the Web proxy profile is sent directly to the webserver. All other permitted traffic is redirected to the configured external proxy server.

As a result, your security device performs transparent proxy between the client and the webserver for the specified applications and provides better quality of service for the application traffic.

Starting in Junos OS Release 19.2R1, you can configure secure Web proxy on the following SRX Series devices—SRX300, SRX320, SRX340, SRX345, SRX550, SRX1500, SRX4100, SRX4200, and vSRX.

Benefit

  • Secure Web proxy provides better quality of service for the selected application traffic by providing direct connections to the webserver.

Limitation

  • An SRX Series device operating in chassis cluster mode does not support the secure Web proxy functionality.

  • The secure Web proxy feature works only with ABPR services; other Layer 7 services might not work as expected.

  • The secure Web proxy feature is not supported when the device is operating in transparent-bridge mode.

  • The secure Web proxy feature does not work when the client device and its proxy server are deployed in the same network segment.

How Secure Web Proxy Works on SRX Series Devices

Figure 1 and Figure 3 show how an SRX Series device provides the secure Web proxy service.

Figure 1: Secure Web Proxy on SRX Series Device
Figure 2: Secure Web Proxy on SRX Series Device—Workflow
Figure 3: Workflow - Secure Web Proxy on SRX Series Device

To use secure Web proxy on your SRX Series device, you must:

  1. Create a secure Web proxy profile, which includes the details about the external proxy server and the dynamic application or application group that can bypass the external proxy server.

  2. Create a security policy to manage the traffic passing through the device.

  3. Attach the secure Web proxy profile to the security policy and apply the profile as an application service for the permitted traffic.

When a client initiates a request, the SRX Series device examines the application traffic and identifies which traffic can bypass the external proxy server based on the secure Web proxy profile and security policy rules.

For example, if you use Microsoft Office 365, you can specify an Office 365 application group, such as junos:OUTLOOK or junos:OFFICE365-CREATE-CONVERSATION, in the secure Web proxy profile. The SRX Series device forwards the Office 365 application traffic directly to the Office 365 server, bypassing the external proxy server. Connections that do not match the applications are routed to the external proxy server.

The SRX Series device performs secure Web proxy through the following steps:

  1. The client's browser sends an HTTP connect request to the external proxy server.

  2. The SRX Series device intercepts the TCP connections. The device identifies the application in the HTTP header and does a DNS resolution.

  3. If the traffic parameters match the security policy rules and the secure Web proxy profile specifications, the SRX Series device operates in transparent mode. The device uses the client's IP address in transparent mode to initiate a new connection with the web server, bypassing the external proxy server.

  4. The SRX Series device sends the connect response from the web server to the client.

  5. For the remaining traffic, the SRX Series device operates in pass-through mode and allows the HTTP connect request to go to the external proxy server.
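The five steps above can be modeled as a small decision function. This is an added sketch, not Juniper code: hostname suffixes stand in for the device's application identification, the proxy address, hostname and DNS table are constructed, and the webserver address reuses the sample value from this topic's verification section.

```python
"""Model of the bypass decision in steps 1-5 (illustration, not Junos code)."""
from dataclasses import dataclass
from typing import Optional

# Assumptions: hostname suffixes stand in for application identification;
# the proxy address, hostname and DNS table below are constructed.
BYPASS_APPS = {"junos:OUTLOOK": (".office365.example",)}
EXTERNAL_PROXY = ("192.0.2.10", 8080)
DNS = {"outlook.office365.example": "13.107.7.190"}


@dataclass(frozen=True)
class Decision:
    mode: str            # "transparent" or "pass-through"
    next_hop: tuple      # (ip, port) the device connects to
    source_ip: str       # source address seen by the next hop
    app: Optional[str]   # matched dynamic application, if any


def parse_connect(raw: bytes):
    """Return (host, port) from an HTTP CONNECT request line, else None."""
    try:
        line = raw.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    host, _, port = target.rpartition(":")
    if method != "CONNECT" or not version.startswith("HTTP/"):
        return None
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host.lower(), int(port)


def identify_app(host: str) -> Optional[str]:
    """Map a CONNECT target to a bypass application (stand-in for AppID)."""
    for app, suffixes in BYPASS_APPS.items():
        if host.endswith(suffixes):
            return app
    return None


def decide(raw: bytes, client_ip: str) -> Decision:
    """Steps 2-5: bypass only on a clean match, otherwise hand to the proxy."""
    target = parse_connect(raw)
    app = identify_app(target[0]) if target else None
    server_ip = DNS.get(target[0]) if target else None
    if app is None or server_ip is None:
        return Decision("pass-through", EXTERNAL_PROXY, client_ip, None)
    return Decision("transparent", (server_ip, target[1]), client_ip, app)
```

Anything that fails to parse, match, or resolve falls through to pass-through mode, so a malformed request never produces a direct connection.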

Example—Configure Secure Web Proxy on an SRX Series Device

This example shows how to configure secure Web proxy on SRX Series devices.

Hardware and Software Requirements

This example uses the following hardware and software components:

  • A Juniper Networks SRX Series device (SRX300, SRX320, SRX340, SRX345, SRX550, SRX1500, SRX4100, SRX4200, or vSRX).

  • Junos OS Release 19.2R1 or later. We’ve tested this example using Junos OS Release 19.2R1.

  • IP address and port number of the external proxy server.

Topology

Figure 4 shows the topology used in this example.

Figure 4: Topology For Configuring Secure Web Proxy

In this example, the interfaces ge-0/0/1 and ge-0/0/2 are in the trust zone and are connected to the client and external proxy server, respectively. The interface ge-0/0/0 is in the untrust zone and is connected to the webserver through the Internet gateway. You configure a secure Web proxy profile, specifying Office 365 applications and external proxy details.

After you complete the configuration, the SRX Series device will forward the Office 365 traffic directly to the webserver, bypassing the external proxy server for Office 365 traffic.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

In this procedure you configure interfaces and security zones.

  1. Configure the interfaces.

  2. Assign the interfaces to the security zones and configure the inbound traffic for all system services.

  3. Configure a custom application group for Office 365.

  4. Create a secure Web proxy profile by specifying the Office 365 application details and the IP address and port details of the external proxy server.

  5. Define the security policy for the traffic originating from the client to the Internet gateway device.

  6. Define the policy action to apply the secure Web proxy profile on the permitted traffic.

The SRX Series device forwards the Office 365 application traffic directly to the Office 365 server, bypassing the external proxy server. Other sessions that do not match the Office 365 application are routed to the external proxy server.

Results

From configuration mode, confirm your configuration by entering the show services web-proxy secure-proxy, show security policies, and show security zones commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Verify Session Details

Purpose

Verify the details of the session in which the secure Web proxy is applied.

Action

From operational mode, enter the show security flow session command.

Meaning

In the sample output, session ID 477 is the client session and session ID 478 is the proxy session. In the second session, notice that the traffic from client 6.0.0.1 goes directly to the webserver 13.107.7.190.
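To review many sessions at once, the following added example (not part of the Juniper documentation) parses session text and labels each flow by its destination, so that direct connections to destinations you did not intend to bypass stand out. The sample text is constructed in the general shape of show security flow session output; the proxy address 192.0.2.10:8080, session 479 and the approved-destination list are assumptions.

```python
"""Label sessions as proxied, approved direct, or unexpected direct."""
import re

# Assumptions: PROXY and APPROVED_DIRECT are site-specific placeholders;
# SAMPLE is constructed for this example, not captured from a device.
PROXY = ("192.0.2.10", 8080)
APPROVED_DIRECT = {"13.107.7.190"}

SAMPLE = """\
Session ID: 477, Policy name: 1/5, Timeout: 1796, Valid
  In: 6.0.0.1/63638 --> 192.0.2.10/8080;tcp, Conn Tag: 0x0, If: ge-0/0/1.0
  Out: 192.0.2.10/8080 --> 6.0.0.1/63638;tcp, Conn Tag: 0x0, If: .local..0
Session ID: 478, Policy name: 1/5, Timeout: 1796, Valid
  In: 6.0.0.1/63638 --> 13.107.7.190/443;tcp, Conn Tag: 0x0, If: .local..0
  Out: 13.107.7.190/443 --> 6.0.0.1/63638;tcp, Conn Tag: 0x0, If: ge-0/0/0.0
Session ID: 479, Policy name: 1/5, Timeout: 1790, Valid
  In: 6.0.0.1/63702 --> 203.0.113.50/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0
  Out: 203.0.113.50/443 --> 6.0.0.1/63702;tcp, Conn Tag: 0x0, If: ge-0/0/0.0
"""

SESSION = re.compile(r"^Session ID: (\d+),")
IN_LEG = re.compile(r"^\s*In: (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+)")


def parse_sessions(text):
    """Yield one record per session, taken from its 'In:' leg."""
    sessions, sid = [], None
    for line in text.splitlines():
        if m := SESSION.match(line):
            sid = int(m.group(1))
        elif (m := IN_LEG.match(line)) and sid is not None:
            src, _, dst, dport, proto = m.groups()
            sessions.append({"id": sid, "src": src, "dst": dst,
                             "dport": int(dport), "proto": proto})
            sid = None  # ignore further lines until the next session header
    return sessions


def classify(session):
    if (session["dst"], session["dport"]) == PROXY:
        return "to-proxy"
    if session["dst"] in APPROVED_DIRECT:
        return "approved-direct"
    return "unexpected-direct"


def audit(text):
    """Map session ID to its label."""
    return {s["id"]: classify(s) for s in parse_sessions(text)}
```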

Display Secure Web Proxy Session Statistics

Purpose

Display the details of the session in which the secure Web proxy is applied.

Action

From operational mode, enter the show services web-proxy session detail and show services web-proxy session summary commands.

Meaning

In these samples, notice the details of the client session and the proxy session. You can also see proxy requests and dynamic web applications.