
Configuring SSL Proxy

Configuring SSL Forward Proxy

SSL Proxy Configuration Overview

Configuring SSL proxy includes:
  • Configuring the root CA certificate (see Enroll a Certificate)

  • Loading a CA profile group (see Enroll a Certificate)

  • Configuring an SSL proxy profile and associating the root CA certificate and the CA profile group with it

  • Creating a security policy that defines the match criteria for the input traffic

  • Applying the SSL proxy profile to the security policy

  • Optional steps such as creating allowlists and configuring SSL proxy logging

Applying an SSL Proxy Profile to a Security Policy

SSL proxy is enabled as an application service within a security policy. In a security policy, you specify the traffic that you want the SSL proxy enabled on as match criteria and then specify the SSL proxy CA profile to be applied to the traffic.

To enable SSL proxy in a security policy:

This example assumes that you have already created the security zones trust and untrust and that you are creating a security policy for traffic from the trust zone to the untrust zone.

  1. Create a security policy and specify the match criteria for the policy. As match criteria, specify the traffic for which you want to enable SSL proxy.

    Example:

  2. Apply the SSL proxy profile to the security policy.

Configuring SSL Proxy Logging

When configuring SSL proxy, you can choose to set the option to receive some or all of the logs. SSL proxy logs contain the logical system name, SSL proxy allowlists, policy information, SSL proxy information, and other information that helps you troubleshoot when there is an error.

You can configure logging of all or specific events, such as error, warning, and information events. You can also configure logging of sessions that are allowlisted, dropped, ignored, or allowed after an error occurs.

You can use the enable-flow-tracing option to enable debug tracing.

Ignoring Server Authentication

Junos OS allows you to configure an option to ignore server authentication completely. If you configure your system to ignore authentication, then any errors encountered during server certificate verification at the time of the SSL handshake are ignored. Commonly ignored errors include the inability to verify CA signature, incorrect certificate expiration dates, and so forth. If this option is not set, all the sessions where the server sends self-signed certificates are dropped when errors are encountered.

We do not recommend using this option for authentication because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause of dropped SSL sessions.

From configuration mode, specify to ignore server authentication:

SSL Reverse Proxy

Overview

The proxy model implementation (reverse proxy) enhances server protection. It improves handshaking and supports more protocol versions. You can enable Layer 7 services like application security, IPS, Content Security, and ATP Cloud on SSL reverse proxy-decrypted traffic.

We recommend using the SSL reverse proxy and Intrusion Detection and Prevention (IDP) instead of using the IDP SSL inspection functionality. In recent Junos OS releases, IDP SSL Inspection is deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.

Reverse Proxy Features:

  • Terminates client SSL on the firewall and initiates a new SSL connection with a server. Decrypts SSL traffic from the client/server and encrypts again (after inspection) before sending to the server/client.

  • Supports all current protocol versions.

    • Supports RSA

    • Supports DHE or ECDHE

  • Uses existing SSL forward proxy with TCP proxy underneath.

  • Just like forward proxy, decrypted SSL traffic is available for all security services.

  • All commonly used ciphers are supported.

You must configure either root-ca or server-certificate in an SSL proxy profile; otherwise the commit check fails. See the following table for details of the supported configurations.

Table 1: Supported SSL Proxy Configurations

  server-certificate configured | root-ca configured | Profile type
  ------------------------------+--------------------+------------------------------------------------------------
  No                            | No                 | Commit check fails. You must configure either server-certificate or root-ca.
  Yes                           | Yes                | Commit check fails. Configuring both server-certificate and root-ca in the same profile is not supported.
  No                            | Yes                | Forward proxy
  Yes                           | No                 | Reverse proxy

Configuring multiple instances of forward and reverse proxy profiles is supported. However, for a given firewall policy, only one profile (either a forward or a reverse proxy profile) can be configured. Configuring both forward and reverse proxy on the same device is also supported.

You cannot configure the previous reverse proxy implementation with the new reverse proxy implementation for a given firewall policy. If both are configured, you will receive a commit check failure message.

The following are the minimum steps to configure reverse proxy:

  1. Load the server certificates and their keys into the firewall certificate repository using the CLI command request security pki local-certificate load filename filename key key certificate-id certificate-id passphrase exmample@1234. For example:
  2. Attach the server certificate identifier to the SSL proxy profile using the CLI command set services ssl proxy profile profile server-certificate certificate-id passphrase exmample@1234. For example:

    user@host# set services ssl proxy profile server-protection-profile server-certificate server2_cert_id

  3. Use the show services ssl CLI command to verify your configuration. For example:

The SSL forward proxy and reverse proxy require a profile to be configured at the firewall rule level. In addition, you must also configure server certificates with private keys for reverse proxy. During an SSL handshake, the SSL proxy performs a lookup for a matching server private key in its server private key hash table database. If the lookup is successful, the handshake continues; otherwise, the SSL proxy terminates the handshake. Reverse proxy does not prohibit server certificates. It forwards the actual server certificate/chain as is to the client without modifying it. Intercepting the server certificate occurs only with forward proxy.

Configuring the SSL Reverse Proxy

This example shows how to configure reverse proxy to enable server protection. For server protection, additionally, server certificate(s) with private key(s) must be configured.

A reverse proxy protects servers by hiding the details of the servers from the clients, thereby adding an extra layer of security.

To configure an SSL reverse proxy, you must:

  • Load the server certificate(s) and their key(s) into firewall’s certificate repository.

  • Attach the server certificate identifier(s) to the SSL proxy profile.

  • Apply SSL proxy profile as application services in a security policy.

To configure SSL reverse proxy:

  1. Load the signing certificate and the respective key for the SSL proxy profile in PKI memory.
  2. Attach the server certificate to the SSL proxy profile.
  3. Create a security policy and specify the match criteria for the policy. As match criteria, specify the traffic for which you want to enable SSL proxy.
  4. Apply the SSL proxy profile to the security policy. This example assumes that security zones are created as per requirements.

Verifying the SSL Reverse Proxy Configuration on the Device

Purpose

Viewing the SSL reverse proxy statistics on the firewall.

Action

You can view the SSL proxy statistics by using the show services ssl proxy statistics command.

Configure SSL Forward Proxy with Content Security

In this procedure, you configure an SSL forward proxy profile with Content Security. When you configure Content Security, the SSL proxy acts as an SSL server by terminating the SSL session from the client and establishing a new SSL session to the server. The firewall decrypts and then re-encrypts all SSL proxy traffic. Content Security can use the decrypted content from SSL proxy.

Generate a local certificate to use as the root-ca.

  1. From operational mode, generate a key pair for a local digital certificate.
  2. Generate local certificate using the key pair generated above.
  3. From configuration mode, apply the loaded certificate as root-ca in the SSL proxy profile.
  4. Attach SSL profile and Content Security policy to security policy.

Configure SSL Reverse Proxy with Content Security

In this procedure, you configure an SSL reverse proxy profile with Content Security.

  1. Load the server certificates and their keys into the firewall certificate repository.
  2. From configuration mode, attach the server certificate identifier to the SSL Proxy profile.
  3. Attach SSL profile and Content Security policy to security policy for the traffic from an untrust zone to the trust zone.

Creating an Allowlist of Exempted Destinations for SSL Proxy

SSL encryption and decryption might consume memory resources on the firewalls. To limit this, you can selectively bypass SSL proxy processing for some sessions, such as sessions that transact with familiar trusted servers or domains. You can also exempt sessions with financial and banking sites due to legal requirements.

To exempt the sessions from SSL proxy, you can create an allowlist by adding IP addresses or domain names of the servers. Allowlists include addresses that you want to exempt from undergoing SSL proxy processing.

Use the following steps to create an allowlist:

  • Specify the IP addresses and domain names in your global address book.

  • Reference the global address book in the SSL proxy profile.

You can configure the following types of IP addresses in the global address book.

  • IPv4 addresses (plain text). For example:

  • IPv4 address range. For example:

  • IPv4 wildcard. For example:

  • DNS name. For example:

  • IPv6 address. For example:

Allowlists do not support the following types of IP addresses:

  • Translated IP addresses. Sessions are allowlisted based on the actual IP address and not on the translated IP address. Because of this, in the allowlist configuration of the SSL proxy profile, the actual IP address should be provided and not the translated IP address.

  • Noncontiguous netmasks. For example:

    • IP address 203.0.113.0 with mask 255.255.255.0 (that is, 203.0.113.0/24) is supported.

    • IP address 203.0.113.9 with mask 255.0.255.0 is not supported.

The following example shows you how to use allowlists in an SSL proxy profile.

In this example, you exempt all sessions to www.mycompany.com. For this, you first specify the domain in the address book and then configure the address in the SSL proxy profile.

  1. Configure the domain in the address book.
  2. Specify the global address book address in the SSL proxy profile.
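The matching rules above (the supported address types, matching on the real rather than the translated address, and rejecting noncontiguous netmasks) can be modelled offline. The following Python is an added example, not Junos OS code or Juniper's implementation: the entry syntax, the Session fields and the RESOLVER table that stands in for the device's DNS lookups of dns-name entries are all constructed for this example.

```python
"""Model of SSL proxy allowlist matching (constructed example; not Junos code).

Entry syntax is this example's own and mirrors the address-book types listed
on the page: plain IPv4/IPv6 address or CIDR, IPv4 range "lo-hi", IPv4 address
with a dotted netmask (the wildcard form), and DNS name. Sessions are matched
on the real (pre-NAT) destination, never the translated one, and an entry with
a noncontiguous netmask is rejected at load time instead of silently matching.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed stand-in for the device resolving dns-name address-book entries.
RESOLVER: Dict[str, List[str]] = {"www.mycompany.com": ["192.0.2.80", "2001:db8::80"]}


@dataclass
class Session:
    real_dst: str            # address the client actually connected to (pre-NAT)
    translated_dst: str      # post-NAT address; deliberately ignored by the match
    server_name: str = ""    # SNI from the ClientHello, kept for completeness


def mask_is_contiguous(mask: str) -> bool:
    """True for masks such as 255.255.255.0; False for 255.0.255.0."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = ~bits & 0xFFFFFFFF        # a contiguous mask inverts to 2**k - 1
    return inverted & (inverted + 1) == 0


def parse_entry(entry: str, resolver=RESOLVER):
    """Turn one allowlist entry into a predicate over an ip_address object."""
    entry = entry.strip()
    # IPv4 range "lo-hi" (a hyphenated DNS name fails this parse and falls through)
    if "-" in entry:
        try:
            lo, hi = (ipaddress.IPv4Address(p) for p in entry.split("-", 1))
        except ValueError:
            lo = hi = None
        if lo is not None:
            if lo > hi:
                raise ValueError(f"range start after end: {entry}")
            return lambda ip: ip.version == 4 and lo <= ip <= hi
    # IPv4 with a dotted netmask (wildcard form): only contiguous masks are accepted
    if "/" in entry and "." in entry.split("/", 1)[1]:
        addr, mask = entry.split("/", 1)
        if not mask_is_contiguous(mask):
            raise ValueError(f"noncontiguous netmask not supported: {entry}")
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        return lambda ip: ip in net
    # Plain IPv4/IPv6 address or CIDR prefix
    try:
        net = ipaddress.ip_network(entry, strict=False)
        return lambda ip: ip in net
    except ValueError:
        pass
    # DNS name: resolved once at load time through the constructed resolver table
    if re.fullmatch(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?", entry):
        resolved = {ipaddress.ip_address(a) for a in resolver.get(entry.lower(), [])}
        return lambda ip: ip in resolved
    raise ValueError(f"unrecognised allowlist entry: {entry!r}")


def build_allowlist(entries, resolver=RESOLVER):
    return [parse_entry(e, resolver) for e in entries]


def is_exempt(session: Session, matchers) -> bool:
    """Exempt the session from SSL proxy when its real destination matches any entry."""
    ip = ipaddress.ip_address(session.real_dst)   # pre-NAT address only
    return any(m(ip) for m in matchers)


# Constructed allowlist covering each supported entry type
ALLOWLIST = [
    "203.0.113.0/255.255.255.0",     # IPv4 with dotted mask (same as 203.0.113.0/24)
    "198.51.100.10-198.51.100.20",   # IPv4 range
    "www.mycompany.com",             # DNS name
    "2001:db8::10",                  # IPv6 address
]


def demo():
    """Evaluate constructed sessions against ALLOWLIST; returns name -> exempt?"""
    matchers = build_allowlist(ALLOWLIST)
    sessions = {
        "in_subnet": Session("203.0.113.7", "203.0.113.7"),
        "in_range": Session("198.51.100.15", "198.51.100.15"),
        "past_range": Session("198.51.100.21", "198.51.100.21"),
        "nat_only": Session("192.0.2.5", "203.0.113.5"),   # translated address is in the subnet, real is not
        "dns": Session("192.0.2.80", "192.0.2.80", "www.mycompany.com"),
        "v6": Session("2001:db8::10", "2001:db8::10"),
    }
    return {name: is_exempt(s, matchers) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, exempt in demo().items():
        print(f"{name:12s} exempt={exempt}")
```

The "nat_only" session is the case the page calls out: its translated destination falls inside the allowlisted subnet, but the allowlist is evaluated on the real destination, so the session is still proxied. Loading an entry such as 203.0.113.9/255.0.255.0 raises at build time rather than producing an entry that never matches.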

Creating an Allowlist of Exempted URL Categories for SSL Proxy

You can set up URL categories in the Content Security module to skip SSL inspection on the firewall. To do this, SRX links the SSL proxy profile with the Enhanced Web Filtering (EWF) feature. After enabling this, you can add URL categories to an allowlist in the SSL proxy profile, along with address books. You can choose from predefined categories or create custom ones supported by Content Security.

The security device uses the Server Name Indication (SNI) field extracted by the Content Security module to determine the URL category. The SSL proxy uses this information to determine whether to accept and proxy the session or to ignore it.

The SSL proxy allowlisting feature supports the predefined URL categories that Content Security provides and also extends to the custom URL categories that Content Security supports.

The following examples show how to configure URL categories in an SSL proxy profile:

Creating an Allowlist of Exempted URL Categories

Use the following steps to configure the predefined URL categories in an SSL proxy profile.

  1. The predefined URL categories depend on Content Security. To enable URL-based allowlisting in SSL proxy, the following basic URL configurations are required:
  2. Specify the predefined URL category in SSL proxy profile. In this example, you are using the URL category Enhanced_Financial_Data_and_Services.
  3. Create the security policy by specifying the match conditions and attach the Content Security policy to the security policy to use URL categories in SSL allowlist.

Creating an Allowlist of Exempted Custom URL Categories

Use the following steps to configure custom URL categories in an SSL proxy profile.

  1. Create a custom URL category.
  2. Configure a Content Security policy for the Web-filtering HTTP protocol and associate the profile you created in the previous step with the Content Security policy.
  3. Specify the custom URL category you created in the previous step in the SSL proxy profile.
  4. Create a security policy by specifying the match conditions and attach the Content Security policy to the security policy to use URL categories in SSL allowlist.

Proxy Authentication Support

You can use proxy profiles to securely route outbound HTTPS traffic through a proxy server with authentication support. You can configure proxy authentication directly within proxy profiles. By setting a username and password, you ensure secure access to external feeds and services. This authentication mechanism supports multiple services to enable secure, authenticated HTTPS communication through a proxy server.

The following connections that support HTTP proxy for server communication now include proxy authentication support:

  • SecIntel connection to ATP cloud to download and upload the feeds.
  • IDP and Application Identification connection for signature database download.
  • Content Security (formerly known as Unified Threat Management) for the following functions:
    • Avira AV virus database and engine update connections.
    • Sophos AV scan queries to the cloud.
    • Web Filtering URL category queries to the cloud.
    • Web Filtering category updates.
    • Web Filtering URL feed downloads.
  • ATP Cloud connections for:

    • Enrollment processes
    • File submission connections
    • Antivirus signature updates from Juniper CDN.
    • Dynamic address group feeds
  • Public Key Infrastructure daemon for:
    • SCEP enrollment via HTTP and HTTPS.
    • CRL downloads via HTTP and HTTPS.

Benefits of Proxy Authentication Support

Provides secure access to external feeds and services, improving the overall security posture by preventing unverified data sources from interacting with protected network environments.

Configuration Samples

To establish secure and authenticated connections, you need to configure the following settings:

Configure Authentication Credentials in Proxy Profile

Set up proxy authentication by configuring a username and a password in the proxy profile:

Specify Proxy Profile in Security Services

Examples:

Proxy Profile for Application Identification and IDP

Create a proxy profile and use it for downloading the application signature package or IDP signature package through a proxy server:

See Install Application Signatures Package and Junos OS IDP Signature Package through an Explicit Proxy Server.

Proxy Profile for Content Security

Configure the proxy profile for the Avira and Sophos antivirus engines (for updates) and for Juniper Web Filtering (for secure server communication).

See Example: Configure Avira Antivirus, Configure Sophos Antivirus Live Protection Version 2.0 with Web Proxy, and Configuring Next-Generation Web Filtering.

Proxy Profile for Juniper ATP Cloud

To enable HTTP(S) outbound access through a web proxy on SRX Series Firewalls, configure Juniper ATP Cloud to use proxy profiles. These profiles are applied in anti-malware and SecIntel policies.

See Explicit Web Proxy for Juniper ATP Cloud for details.

PKI

Configure the proxy profile in the CA profile. The device then connects to the proxy host instead of the CA server during certificate enrollment, verification, or revocation.

See Certificate Authority.

Note:
  • Support is available for only basic authentication. You’ll need to provide a username and password, which are sent in the Proxy-Authorization header in a Base64-encoded format.
  • Ensure that you configure both the username and the password together.
  • Regularly update passwords and monitor for unauthorized access attempts to maintain robust security.
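The note above describes basic authentication: the username and password travel in the Proxy-Authorization header, Base64-encoded. The following Python is an added example, not Junos OS code or Juniper's implementation, that models both sides of that exchange offline: the device building the CONNECT request with the header, and a proxy that answers 407 until valid credentials arrive. The ACCOUNTS table, the account name, the password and the host name are constructed values. The decoder makes explicit why the page's monitoring advice matters: Base64 only encodes the credentials, so anything that can read the hop to the proxy can recover them.

```python
"""Model of the HTTP proxy Basic-authentication exchange that an SRX proxy
profile with a username and password relies on (constructed example; not
Junos code). Covers: building the header from the profile values, the
407 challenge/response with the proxy, and decoding the header to show that
Base64 is reversible encoding rather than protection.
"""
import base64
import hmac
from typing import Dict, Optional, Tuple


def basic_credentials(username: str, password: str) -> str:
    """Build the Proxy-Authorization value; both fields must be configured."""
    if not username or not password:
        raise ValueError("proxy profile needs both a username and a password")
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def connect_request(host: str, port: int, authorization: Optional[str] = None) -> str:
    """Device side: CONNECT tunnel request, carrying the header when credentials are set."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if authorization:
        lines.append(f"Proxy-Authorization: {authorization}")
    return "\r\n".join(lines) + "\r\n\r\n"


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from a Basic header value; None if malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def proxy_response(request: str, accounts: Dict[str, str]) -> str:
    """Proxy side: 407 challenge unless the request carries valid credentials."""
    headers = {}
    for line in request.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    creds = decode_basic(headers.get("proxy-authorization", ""))
    if creds is not None:
        expected = accounts.get(creds[0], "")
        # constant-time comparison so a wrong password cannot be distinguished by timing
        if expected and hmac.compare_digest(expected.encode("utf-8"), creds[1].encode("utf-8")):
            return "HTTP/1.1 200 Connection established\r\n\r\n"
    return ("HTTP/1.1 407 Proxy Authentication Required\r\n"
            'Proxy-Authenticate: Basic realm="outbound-proxy"\r\n\r\n')


# Constructed proxy account table (username -> password)
ACCOUNTS = {"srx-feeds": "pr0xy-Secret"}


def exchange(username: str, password: str, host: str = "feeds.example", port: int = 443):
    """Run the two-step exchange; returns the proxy's two status lines."""
    first = proxy_response(connect_request(host, port), ACCOUNTS)
    second = proxy_response(connect_request(host, port, basic_credentials(username, password)), ACCOUNTS)
    return first.split("\r\n")[0], second.split("\r\n")[0]


if __name__ == "__main__":
    header = basic_credentials("srx-feeds", "pr0xy-Secret")
    print("header sent:   ", header)
    print("decodes back to:", decode_basic(header))
    print("exchange:      ", exchange("srx-feeds", "pr0xy-Secret"))
```

Running the block prints the header the device would send, the credentials recovered from it by plain Base64 decoding, and the 407-then-200 sequence; the proxy side here only ever compares against its own account table and answers 407 again for a wrong password.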