Example: Configure Explicit Web Proxy
Summary: Use this example to configure the explicit web proxy feature and to verify the configuration on your device.
Readability score | Flesch-Kincaid reading grade level: 11.3 |
Reading time | 30 minutes |
Configuration time | 1 hour |
Example Prerequisites
Hardware requirements | Juniper Networks® SRX Series Firewall or vSRX Virtual Firewall |
Software requirements | Junos OS Release 23.4R1 or later |
Before You Begin
Benefits | |
Know more | Explicit Web Proxy, Pass-Through Authentication, and User Firewall |
Hands-on experience | |
Learn more | |
Functional Overview
Technologies used | |
SSL proxy | The SSL proxy profile |
User identification | The SRX Series Firewall searches for the user source identity in the user identification table (UIT) and retrieves user and role information, if available. The device creates an authentication entry with the IP address and the username of the user in the UIT. |
Security policies | Two security policies, |
Access profile | Configure the Lightweight Directory Access Protocol (LDAP) profile |
Explicit web proxy profile | Configure the explicit web proxy profile |
Primary verification tasks | |
Topology Overview
We've developed this example using user authentication. We configure users through firewall authentication using the [edit access profile] hierarchy. An external LDAP server maintains the user information.
In this example, a client initiates a user authentication request to a webserver through the SRX Series Firewall. When the SRX Series Firewall (henceforth also referred to as the firewall) receives the request, it checks whether it has the authentication entry for the given IP address. If the firewall doesn't have the entry, then it sends an IP-based query to the Juniper Identity Management Service (JIMS) identity manager to obtain the user's identity information.
For the firewall to query JIMS, you must establish an HTTPS connection between the firewall and JIMS. JIMS uses the populated identity management authentication table to authenticate a user that is requesting access to a protected resource. If the user entry is available in that table, JIMS responds to the firewall's query with the IP address of the user's device. If the user information is not available, JIMS responds with an appropriate error message.
In deployments where JIMS (through Active Directory/Domain Controller) is unable to provide user authentication information, the firewall sends the user authentication event to JIMS using the push-to-identity-management statement. With this statement, the firewall pushes the authentication entries to the JIMS server for those users that have no entries in JIMS but have successfully authenticated to the firewall.
Component | Role | Function |
---|---|---|
Client | Requests Web service | Initiates an HTTPS session with the webserver through the SRX Series Firewall. |
SRX Series Firewall | Juniper Networks' firewall | Works as the HTTPS client and sends HTTPS requests to JIMS on port 443. The advanced query feature queries JIMS for user identification information that the firewall stores in its authentication table and uses to authenticate users. The SRX Series Firewall initiates an HTTPS session with the LDAP server to authenticate the entries. If the LDAP server doesn't have the authentication entry, the LDAP server sends an IP-based authentication query to the JIMS server. |
LDAP server | External server to manage a number of firewall users. | LDAP is the Active Directory server. |
JIMS | A standalone Windows service application that collects and maintains a large database of user, device, and group information from Active Directory domains. | JIMS obtains users' account attributes and login sessions from an Active Directory and provides the information to the firewall. JIMS collects user identity information from different authentication sources for SRX Series Firewalls. |
Webserver | Web service provider | The webserver responds to the client's request. |
Topology Illustration
Configure Explicit Proxy on the SRX Series Firewall
For the complete sample configuration on the SRX Series Firewall, see Appendix 1 (set commands) and Appendix 2 (show configuration output) at the end of this example.
See Also
Verification
List of show commands used to verify the feature in this example.
Command | Verification Task |
---|---|
show services user-identification authentication-table | Display the user identity authentication table entries for the specified authentication source. |
show services web-proxy | Display information about the secure Web proxy session. |
show services ssl proxy profile | Display the SSL proxy profile details. |
Explicit Web Proxy Verification
Purpose
Verify information about the secure explicit web proxy session.
Action
From operational mode, enter show security policies explicit-proxy explicit-proxy-profile exp1, show services web-proxy explicit-proxy statistics, and show security policies explicit-proxy hit-count to view the explicit web proxy policies, session statistics, and policy hit counts.
```
user@host> show security policies explicit-proxy explicit-proxy-profile exp1
Explicit Proxy Profile: exp1
  Pre ID default policy: permit-all
  Default policy: deny-all
  Policy: expp1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Dynamic Applications: any
    Source identities: unauthenticated-user
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, firewall authentication
  Policy: expp2, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Dynamic Applications: any
    Source identities: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
```
```
user@host> show services web-proxy explicit-proxy statistics
Explicit Proxy :
  Active Explicit HTTPS proxy sessions      0
  Active Explicit HTTP proxy sessions       0
  Total Explicit HTTPS proxy sessions       0
  Total Explicit HTTP proxy sessions        0
  Sessions Dropped due to rate limit        0
  Listen port conflicts with system port    0
```
```
user@host> show security policies explicit-proxy hit-count
Logical system: root-logical-system
 Index   Explicit Proxy Profile Name   Policy   count   Action
 1       exp1                          expp1    0       Permit
 2       exp1                          expp2    0       Permit

Number of policy: 2
```
Meaning
The sample output shows the two policies in profile exp1 that control traffic admitted to the explicit proxy session: expp1 matches unauthenticated users and permits them only after firewall authentication, and expp2 permits any (authenticated) source identity. The session statistics and policy hit counts are zero, indicating that no client traffic has yet been handled by the explicit proxy.
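The order of the two policies matters: because policies are evaluated by sequence number, expp1 (unauthenticated-user, firewall authentication) must come before the catch-all expp2, or unauthenticated clients would be permitted without authenticating. As an added example that is not part of the Juniper page, the following Python check parses the explicit-proxy policy listing shown above (the sample text is constructed and condensed from that output) and flags a missing firewall-authentication action or a catch-all policy that shadows the unauthenticated-user policy.

```python
import re

# Constructed sample, condensed from the page's "show security policies explicit-proxy
# explicit-proxy-profile exp1" output with line breaks restored.
SAMPLE_OUTPUT = """\
Explicit Proxy Profile: exp1
  Pre ID default policy: permit-all
  Default policy: deny-all
  Policy: expp1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source identities: unauthenticated-user
    Action: permit, firewall authentication
  Policy: expp2, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source identities: any
    Action: permit
"""

POLICY_RE = re.compile(r"^\s*Policy: (\S+), State: (\w+),.*Sequence number: (\d+)")

def parse_policies(text):
    """Return [{name, state, seq, identities, action}] in the order the device lists them."""
    policies = []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies.append({"name": m.group(1), "state": m.group(2),
                             "seq": int(m.group(3)), "identities": "", "action": ""})
        elif policies and line.strip().startswith("Source identities:"):
            policies[-1]["identities"] = line.split(":", 1)[1].strip()
        elif policies and line.strip().startswith("Action:"):
            policies[-1]["action"] = line.split(":", 1)[1].strip()
    return policies

def audit_explicit_proxy(text):
    """Return findings (empty list = OK). Policies are evaluated in sequence order, so an
    unauthenticated-user policy must require firewall authentication and must not sit
    behind a policy that already permits any source identity."""
    findings = []
    open_any = None  # name of the first enabled policy that permits any identity
    for p in sorted(parse_policies(text), key=lambda p: p["seq"]):
        if p["state"] != "enabled":
            continue
        if p["identities"] == "unauthenticated-user":
            if "firewall authentication" not in p["action"]:
                findings.append(f"{p['name']}: permits unauthenticated-user without firewall authentication")
            if open_any:
                findings.append(f"{p['name']}: shadowed by {open_any}, which permits any source identity first")
        elif p["identities"] == "any" and p["action"].startswith("permit") and open_any is None:
            open_any = p["name"]
    return findings
```

Run the check against the live output of the same show command after any policy reordering; an empty list means the unauthenticated-user policy is still evaluated first and still requires authentication.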
Identity Management Verification
Purpose
Verify the statistical data about the batch queries sent to the JIMS server and the responses received from JIMS.
Action
From operational mode, enter show services user-identification identity-management counters session and show services user-identification identity-management status.
```
user@host> show services user-identification identity-management counters session
Primary server :
  Address : 10.209.96.248
  Batch queries sent : 1316
  Batch queries returned : 1316
  Batch query error received : 1
  Auth entry lookup queries sent : 1
  Auth entry lookup queries returned : 1
  Auth entry lookup query errors encountered : 0
  Auth entry lookup time, average(ms) : 10
  Auth entry lookup time, max(ms) : 20
  Certificate revocation requests sent : 0
  Certificate revocation responses received : 0
  Certificates revoked : 0
Secondary server :
  Address : Not configured
```
```
user@host> show services user-identification identity-management status
Primary server :
  Address : 10.209.96.248*
  Port : 443
  Source : Automatic
  Interface : Automatic
  Routing-instance : Automatic
  Connection method : HTTPS
  Connection status : Online
  Last received status message : OK (200)
  Access token : 053d2b80-e264-46e8-8469-2da9f51d8b2f
  Token expire time : 2023-12-13 15:07:25
Secondary server :
  Address : Not configured
```
Meaning
The sample output shows that the JIMS server is online. The output also shows which server is responding to queries from the SRX Series Firewall.
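Because user identification depends entirely on the JIMS connection, a practitioner will usually want this check automated rather than read by eye. As an added example that is not part of the Juniper page, the following Python code parses the status and counters output shown above (the sample text is constructed and condensed from that output) and reports when the primary server is not online, the last status was not OK (200), the access token has expired relative to a supplied clock value, batch query errors were received, or no secondary server is configured.

```python
# Constructed samples, condensed from the page's identity-management status and counters output.
STATUS_OUTPUT = """\
Primary server :
  Address : 10.209.96.248*
  Connection status : Online
  Last received status message : OK (200)
  Token expire time : 2023-12-13 15:07:25
Secondary server :
  Address : Not configured
"""
COUNTERS_OUTPUT = """\
Primary server :
  Address : 10.209.96.248
  Batch queries sent : 1316
  Batch queries returned : 1316
  Batch query error received : 1
Secondary server :
  Address : Not configured
"""

def parse_servers(text):
    # Return {"Primary server": {key: value}, "Secondary server": {key: value}}.
    servers, current = {}, None
    for line in text.splitlines():
        if not line.startswith(" ") and line.endswith(":"):   # e.g. "Primary server :"
            current = line.rstrip(" :")
            servers[current] = {}
        elif current and ":" in line:
            key, _, value = line.partition(":")
            servers[current][key.strip()] = value.strip()
    return servers

def check_jims(status_text, counters_text, now):
    """Return findings for the JIMS connection; an empty list means healthy.
    `now` is a "YYYY-MM-DD HH:MM:SS" string in the device's own timestamp format."""
    status = parse_servers(status_text)
    primary = status.get("Primary server", {})
    counters = parse_servers(counters_text).get("Primary server", {})
    findings = []
    if primary.get("Connection status") != "Online":
        findings.append(f"primary JIMS not online: {primary.get('Connection status')}")
    if primary.get("Last received status message") != "OK (200)":
        findings.append(f"last JIMS status: {primary.get('Last received status message')}")
    expiry = primary.get("Token expire time")
    if not expiry or expiry <= now:  # fixed zero-padded format, so string order is time order
        findings.append(f"access token missing or expired (expires {expiry})")
    errors = int(counters.get("Batch query error received", 0))
    if errors:
        findings.append(f"{errors} batch query error(s) received from JIMS")
    if status.get("Secondary server", {}).get("Address") == "Not configured":
        findings.append("no secondary JIMS server configured")
    return findings
```

On the page's own sample the check reports the single batch query error and the missing secondary server, which is the information a reviewer would want alongside the "Online" status.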
Appendix 1: set Commands on SRX Series Firewall
set command output on all devices:
```
set system services web-management http port 80
set system services web-management http interface ge-0/0/2
set system services web-management https pki-local-certificate server_nodomain
set services ssl proxy profile pr1 root-ca MYCERT
set services ssl proxy profile pr1 actions ignore-server-auth-failure
set services web-proxy explicit-proxy profile exp1 listening-port 9443
set services web-proxy explicit-proxy profile exp1 ssl-proxy profile-name pr1
set services user-identification identity-management authentication-entry-timeout 25
set services user-identification identity-management invalid-authentication-entry-timeout 20
set services user-identification identity-management connection connect-method https
set services user-identification identity-management connection port 443
set services user-identification identity-management connection primary address 10.209.96.248
set services user-identification identity-management connection primary client-id test
set services user-identification identity-management connection primary client-secret "$9$sUYJD.mT3/t5Q"
set services user-identification identity-management batch-query items-per-batch 100
set services user-identification identity-management batch-query query-interval 60
set security policies explicit-proxy profile exp1 policy expp1 match source-address any
set security policies explicit-proxy profile exp1 policy expp1 match destination-address any
set security policies explicit-proxy profile exp1 policy expp1 match application any
set security policies explicit-proxy profile exp1 policy expp1 match source-identity unauthenticated-user
set security policies explicit-proxy profile exp1 policy expp1 match dynamic-application any
set security policies explicit-proxy profile exp1 policy expp1 then permit firewall-authentication user-firewall access-profile ldap_profile
set security policies explicit-proxy profile exp1 policy expp1 then permit firewall-authentication user-firewall web-redirect
set security policies explicit-proxy profile exp1 policy expp1 then permit firewall-authentication user-firewall web-redirect-to-https
set security policies explicit-proxy profile exp1 policy expp1 then permit firewall-authentication push-to-identity-management
set security policies explicit-proxy profile exp1 policy expp2 match source-address any
set security policies explicit-proxy profile exp1 policy expp2 match destination-address any
set security policies explicit-proxy profile exp1 policy expp2 match application any
set security policies explicit-proxy profile exp1 policy expp2 match source-identity any
set security policies explicit-proxy profile exp1 policy expp2 match dynamic-application any
set security policies explicit-proxy profile exp1 policy expp2 then permit
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.254/24
set interfaces ge-0/0/2 unit 0 family inet address 192.0.3.100/24 web-authentication http
set interfaces ge-0/0/2 unit 0 family inet address 192.0.3.100/24 web-authentication https
set interfaces ge-0/0/2 unit 0 explicit-proxy profile exp1
set access firewall-authentication web-authentication default-profile ldap_profile
set access profile ldap_profile authentication-order ldap
set access profile ldap_profile ldap-options base-distinguished-name dc=juniper,dc=com
set access profile ldap_profile ldap-options search search-filter CN=
set access profile ldap_profile ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=juniper,DC=com
set access profile ldap_profile ldap-options search admin-search password "$9$Bmf1hreK8x7Vrl24ZGiHkqmPQ36/t0OR"
set access profile ldap_profile ldap-server 192.168.3.10
```
Appendix 2: show Configuration Output on SRX Series Firewall
show command output on the firewall:
From configuration mode, confirm your configuration by entering the show security policies, show interfaces, show services ssl, show access, and show services user-identification identity-management commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct the configuration.
```
user@host# show access
profile ldap_profile {
    authentication-order ldap;
    ldap-options {
        base-distinguished-name dc=juniper,dc=com;
        search {
            search-filter CN=;
            admin-search {
                distinguished-name CN=Administrator,CN=Users,DC=juniper,DC=com;
                password "$9$Bmf1hreK8x7Vrl24ZGiHkqmPQ36/t0OR"; ## SECRET-DATA
            }
        }
    }
    ldap-server {
        192.168.3.10;
    }
}
firewall-authentication {
    web-authentication {
        default-profile ldap_profile;
    }
}
```
```
user@host# show system services
web-management {
    http {
        port 80;
        interface ge-0/0/2.0;
    }
    https {
        pki-local-certificate server_nodomain;
    }
}
```
```
user@host# show services ssl
proxy {
    profile pr1 {
        root-ca MYCERT;
        actions {
            ignore-server-auth-failure;
            log {
                all;
            }
        }
    }
}
```
```
user@host# show services web-proxy explicit-proxy
profile exp1 {
    listening-port 9443;
    ssl-proxy {
        profile-name pr1;
    }
}
```
```
user@host# show interfaces
ge-0/0/2 {
    unit 0 {
        family inet {
            address 192.0.3.100/24 {
                web-authentication {
                    http;
                    https;
                }
            }
        }
        explicit-proxy {
            profile exp1;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 203.0.113.254/24;
        }
    }
}
```
```
user@host# show security policies
explicit-proxy {
    profile exp1 {
        policy expp1 {
            match {
                source-address any;
                destination-address any;
                application any;
                source-identity unauthenticated-user;
                dynamic-application any;
            }
            then {
                permit {
                    firewall-authentication {
                        user-firewall {
                            ##
                            ## Warning: access-profile must be defined or access to profile is disabled for tenants
                            ## Warning: access-profile must be defined or access to profile is disabled for tenants
                            ##
                            access-profile ldap_profile;
                            web-redirect;
                            web-redirect-to-https;
                        }
                        push-to-identity-management;
                    }
                }
            }
        }
        policy expp2 {
            match {
                source-address any;
                destination-address any;
                application any;
                source-identity any;
                dynamic-application any;
            }
            then {
                permit;
            }
        }
    }
}
```
```
user@host# show services user-identification identity-management
authentication-entry-timeout 25;
invalid-authentication-entry-timeout 20;
connection {
    connect-method https;
    port 443;
    primary {
        address 10.209.96.248;
        client-id test;
        client-secret "$9$sUYJD.mT3/t5Q"; ## SECRET-DATA
    }
}
batch-query {
    items-per-batch 100;
    query-interval 60;
}
```