SSL Proxy for Logical Systems
Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS), is the protocol that provides encryption and authentication for connections across the Internet. For more information, see the following topics:
Understanding SSL Forward and Reverse Proxy for Logical Systems
SSL proxy acts as an intermediary, performing SSL encryption and decryption between the client and the server. SSL, and its successor Transport Layer Security (TLS), secures the transmission of data between a client and a server by providing confidentiality, authentication, and data integrity.
SSL proxy is a transparent proxy that performs SSL encryption and decryption between the client and the server in one of two roles:
Reverse proxy handles inbound sessions, that is, SSL sessions initiated externally from the Internet to a local server. The proxy model implementation for server protection (often called reverse proxy) is supported on SRX Series devices and provides improved handshaking and support for more protocol versions.
Forward proxy handles outbound sessions, that is, SSL sessions initiated locally to the Internet.
SSL proxy works transparently between the client and the server. All requests from a client first go to the proxy server; the proxy server evaluates the request and, if the request is valid, forwards it to the outbound side. Inbound requests are evaluated by the proxy server in the same way. Both the client and the server believe they are communicating directly with each other; in fact, the SSL proxy terminates the client's SSL session and opens a separate SSL session to the server, so it holds the plaintext of the traffic in between.
Example: Configuring SSL Forward and Reverse Proxy for Logical Systems
This example shows how to configure SSL proxy to protect both servers and clients. A reverse proxy protects servers by hiding their details from the clients, thereby adding an extra layer of security; a forward proxy protects clients by decrypting the SSL sessions they initiate to the Internet so that the traffic can be inspected.
Requirements
To configure an SSL reverse and forward proxy, you must:
Load the server certificates and their private keys (for reverse proxy) and the root CA certificate used to re-sign server certificates (for forward proxy) into the SRX Series device's certificate repository.
Attach the server certificate identifier (reverse proxy) or the root CA identifier (forward proxy) to the SSL proxy profile.
Apply the SSL proxy profile as an application service in a security policy.
Overview
This example shows how to configure a reverse proxy for server protection and a forward proxy for client protection. It shows how to configure an SSL proxy profile and apply it at the security policy rule level. For server protection, the server certificates with their private keys must additionally be configured.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set logical-systems LSYS1 services ssl proxy profile ssl-rp-profile server-certificate ssl-inspect-sp1
set logical-systems LSYS1 services ssl proxy profile ssl-rp-profile actions log all
set logical-systems LSYS1 services ssl proxy profile ssl-fp-profile root-ca new-srvr-cert
set logical-systems LSYS1 services ssl proxy profile ssl-fp-profile actions ignore-server-auth-failure
set logical-systems LSYS1 services ssl proxy profile ssl-fp-profile actions log all
set logical-systems LSYS1 security log mode event
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 match source-address any
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 match destination-address any
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 match application any
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-fp-profile
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 then log session-init
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 then log session-close
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy 1 match source-address any
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy 1 match destination-address any
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy 1 match application any
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy 1 then permit application-services ssl-proxy profile-name ssl-rp-profile
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy 1 then log session-init
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy 1 then log session-close
Configuring the SSL Reverse and Forward Proxy
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure the SSL Proxy:
Configure the SSL reverse proxy. The profile references the protected server's certificate identifier (the certificate and its private key must already be loaded into the certificate repository) and is applied to the inbound untrust-to-trust policy.
[edit logical-systems LSYS1]
user@host# set services ssl proxy profile ssl-rp-profile server-certificate ssl-inspect-sp1
user@host# set services ssl proxy profile ssl-rp-profile actions log all
user@host# set security policies from-zone untrust to-zone trust policy 1 match source-address any
user@host# set security policies from-zone untrust to-zone trust policy 1 match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy 1 match application any
user@host# set security policies from-zone untrust to-zone trust policy 1 then permit application-services ssl-proxy profile-name ssl-rp-profile
user@host# set security policies from-zone untrust to-zone trust policy 1 then log session-init
user@host# set security policies from-zone untrust to-zone trust policy 1 then log session-close
Configure the SSL forward proxy. The profile references the root CA that re-signs server certificates for the clients and is applied to the outbound trust-to-untrust policy. Note that ignore-server-auth-failure makes the proxy complete the session even when the origin server's certificate fails validation; because clients then receive a certificate signed by the root CA they trust, they can no longer detect that failure themselves, so use this action only where the resulting logs are reviewed.
[edit logical-systems LSYS1]
user@host# set services ssl proxy profile ssl-fp-profile root-ca new-srvr-cert
user@host# set services ssl proxy profile ssl-fp-profile actions ignore-server-auth-failure
user@host# set services ssl proxy profile ssl-fp-profile actions log all
user@host# set security log mode event
user@host# set security policies from-zone trust to-zone untrust policy 1 match source-address any
user@host# set security policies from-zone trust to-zone untrust policy 1 match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy 1 match application any
user@host# set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp
user@host# set security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-fp-profile
user@host# set security policies from-zone trust to-zone untrust policy 1 then log session-init
user@host# set security policies from-zone trust to-zone untrust policy 1 then log session-close
Results
From configuration mode, confirm your configuration by entering the show logical-systems LSYS1 services ssl proxy command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
You must configure either root-ca (forward proxy) or server-certificate (reverse proxy) in an SSL proxy profile. Otherwise, the commit check fails.
user@host# show logical-systems LSYS1 services ssl proxy
profile ssl-rp-profile {               # For reverse proxy. No root-ca is needed.
    server-certificate ssl-inspect-sp1;
    actions {
        log {
            all;
        }
    }
}
profile ssl-fp-profile {               # For forward proxy. No server cert/key is needed.
    root-ca new-srvr-cert;
    actions {
        ignore-server-auth-failure;
        log {
            all;
        }
    }
}
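The commit check above, and the question of which profile belongs on which policy direction, are easy to get wrong when a long set list is pasted in. The following Python script is an added example, not Juniper code: it parses Junos set commands of the form used in this example and reports profiles that would fail the commit check, policies that reference an undefined profile, and an outbound policy attached to a reverse-proxy profile (or the inverse). The use of trust as the internal zone and untrust as the external zone, and the constructed sample configuration, are assumptions for illustration; the direction rule is an intent check of this script, not a Junos constraint.

```python
"""Pre-commit check for SSL proxy profiles in a Junos logical system.

Added example, not Juniper code. It reads Junos 'set' commands, collects the
SSL proxy profiles and the policies that reference them, and reports:
  - a profile with neither root-ca nor server-certificate (or with both),
    which the commit check rejects;
  - a policy that references a profile that is never defined;
  - an outbound policy (internal -> external zone) attached to a reverse-proxy
    profile, or an inbound policy attached to a forward-proxy profile.
The last rule is this script's intent check, not a Junos constraint.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Any line that creates or extends an SSL proxy profile in a logical system.
PROFILE_RE = re.compile(
    r"^set logical-systems (?P<lsys>\S+) services ssl proxy profile (?P<name>\S+)"
    r"(?: (?P<rest>.*))?$"
)
# The policy action that attaches a profile to a security policy.
POLICY_RE = re.compile(
    r"^set logical-systems (?P<lsys>\S+) security policies from-zone (?P<fz>\S+) "
    r"to-zone (?P<tz>\S+) policy (?P<pol>\S+) then permit application-services "
    r"ssl-proxy profile-name (?P<prof>\S+)$"
)


@dataclass
class Profile:
    root_ca: Optional[str] = None       # forward proxy: CA that re-signs server certs
    server_cert: Optional[str] = None   # reverse proxy: protected server's cert + key

    def kind(self) -> Optional[str]:
        """'forward', 'reverse', or None when the commit check would fail."""
        if self.root_ca and not self.server_cert:
            return "forward"
        if self.server_cert and not self.root_ca:
            return "reverse"
        return None


def parse(commands: List[str]) -> Tuple[Dict[Tuple[str, str], Profile], List[Tuple[str, ...]]]:
    profiles: Dict[Tuple[str, str], Profile] = {}
    refs: List[Tuple[str, ...]] = []
    for line in commands:
        line = line.strip()
        if (m := PROFILE_RE.match(line)):
            prof = profiles.setdefault((m["lsys"], m["name"]), Profile())
            rest = (m["rest"] or "").split()
            if len(rest) == 2 and rest[0] == "root-ca":
                prof.root_ca = rest[1]
            elif len(rest) == 2 and rest[0] == "server-certificate":
                prof.server_cert = rest[1]
        elif (m := POLICY_RE.match(line)):
            refs.append((m["lsys"], m["fz"], m["tz"], m["pol"], m["prof"]))
    return profiles, refs


def lint(commands: List[str], internal_zone: str = "trust",
         external_zone: str = "untrust") -> List[str]:
    """Return human-readable findings; an empty list means the config is consistent."""
    profiles, refs = parse(commands)
    findings = []
    for (lsys, name), prof in sorted(profiles.items()):
        if prof.kind() is None:
            what = ("both root-ca and server-certificate"
                    if prof.root_ca and prof.server_cert
                    else "neither root-ca nor server-certificate")
            findings.append(f"{lsys}: profile {name} has {what}; commit check fails")
    for lsys, fz, tz, pol, name in refs:
        where = f"{lsys}: policy {pol} {fz}->{tz}"
        prof = profiles.get((lsys, name))
        if prof is None:
            findings.append(f"{where} references undefined profile {name}")
        elif fz == internal_zone and tz == external_zone and prof.kind() == "reverse":
            findings.append(f"{where} is outbound but uses reverse-proxy profile {name}")
        elif fz == external_zone and tz == internal_zone and prof.kind() == "forward":
            findings.append(f"{where} is inbound but uses forward-proxy profile {name}")
    return findings


# Constructed sample, assumed for illustration: the reverse-proxy profile is
# missing its server-certificate and the outbound policy is pointed at it.
BROKEN = """
set logical-systems LSYS1 services ssl proxy profile ssl-fp-profile root-ca new-srvr-cert
set logical-systems LSYS1 services ssl proxy profile ssl-fp-profile actions ignore-server-auth-failure
set logical-systems LSYS1 services ssl proxy profile ssl-rp-profile actions log all
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 match source-address any
set logical-systems LSYS1 security policies from-zone trust to-zone untrust policy 1 then permit application-services ssl-proxy profile-name ssl-rp-profile
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy 1 then permit application-services ssl-proxy profile-name ssl-rp-profile
""".strip().splitlines()

# First fix: give the reverse-proxy profile its server certificate.
WITH_CERT = BROKEN + [
    "set logical-systems LSYS1 services ssl proxy profile ssl-rp-profile server-certificate ssl-inspect-sp1",
]
# Second fix: attach the forward-proxy profile to the outbound policy.
FIXED = [
    line.replace("profile-name ssl-rp-profile", "profile-name ssl-fp-profile")
    if "from-zone trust to-zone untrust" in line else line
    for line in WITH_CERT
]

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("with-cert", WITH_CERT), ("fixed", FIXED)):
        print(label, lint(cfg) or ["ok"])
```

Run it against the output of show configuration | display set before committing; the first sample reproduces the commit-check failure described above, the second commits but sends outbound sessions to a profile that holds a server certificate instead of a signing CA, and only the third passes cleanly.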
Verification
Verifying the SSL Proxy Configuration on the Device
Purpose
Viewing the SSL proxy statistics for the logical system on the SRX Series device.
Action
You can view the SSL proxy statistics by using the show services ssl proxy statistics logical-system command.
user@host> show services ssl proxy statistics logical-system LSYS1
PIC:spu-3 fpc[0] pic[3] ------
sessions matched                     1
sessions bypassed:non-ssl            0
sessions bypassed:mem overflow       0
sessions bypassed:low memory         0
sessions created                     1
sessions ignored                     0
sessions active                      1
sessions dropped                     0
sessions whitelisted                 0
whitelisted url category match       0
default profile hit                  0
session dropped no default profile   0
policy hit no profile configured     1
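The counters that matter most for security are the ones showing sessions that matched an SSL proxy policy but were passed or dropped without being decrypted, since any inspection the policy was meant to enable did not happen for them. As an added example (not Juniper code), the following Python script parses output in the format shown above and lists those counters when they are non-zero. The sample output is constructed for illustration, and the set of counters treated as inspection gaps is an assumption based on their names.

```python
"""Flag SSL proxy counters that indicate matched-but-uninspected sessions.

Added example, not Juniper code. Parses the text format of
'show services ssl proxy statistics logical-system <name>' shown above.
"""
import re
from typing import Dict

# Counter lines look like "<name with spaces, colons, hyphens>   <integer>".
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z :-]*?)\s+(?P<value>\d+)$")

# Assumption, based on the counter names: a session hit an SSL proxy policy
# but was passed through or dropped without the proxy decrypting it.
INSPECTION_GAPS = (
    "sessions bypassed:mem overflow",
    "sessions bypassed:low memory",
    "session dropped no default profile",
    "policy hit no profile configured",
)

# Constructed sample output, assumed for illustration.
SAMPLE = """
PIC:spu-3 fpc[0] pic[3] ------
sessions matched                     12
sessions bypassed:non-ssl             0
sessions bypassed:mem overflow        3
sessions bypassed:low memory          0
sessions created                      9
sessions ignored                      0
sessions active                       2
sessions dropped                      0
sessions whitelisted                  0
whitelisted url category match        0
default profile hit                   0
session dropped no default profile    0
policy hit no profile configured      1
"""


def parse_stats(text: str) -> Dict[str, int]:
    """Map each counter name to its integer value; header lines are skipped."""
    counters: Dict[str, int] = {}
    for line in text.strip().splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            counters[m["name"].strip()] = int(m["value"])
    return counters


def inspection_gaps(counters: Dict[str, int]) -> Dict[str, int]:
    """Return only the gap counters that are non-zero."""
    return {name: counters[name] for name in INSPECTION_GAPS if counters.get(name, 0) > 0}


if __name__ == "__main__":
    stats = parse_stats(SAMPLE)
    print("matched:", stats["sessions matched"], "created:", stats["sessions created"])
    for name, value in inspection_gaps(stats).items():
        print(f"WARNING {name} = {value}")
```

A non-zero policy hit no profile configured counter usually means a policy permits ssl-proxy without a profile-name, while the memory bypass counters mean the SRX let sessions through in the clear rather than decrypting them; both are worth alerting on rather than just reading once during verification.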