Example: Configure Explicit Web Proxy

Summary: Use this example to configure the explicit web proxy feature and to verify the configuration on your device.

Tip:

Table 1: Readability Score and Time Estimates

  Readability score: Flesch-Kincaid reading grade level: 11.3
  Reading time: 30 minutes
  Configuration time: 1 hour

Example Prerequisites

  Hardware requirements: Juniper Networks® SRX Series Firewall or vSRX Virtual Firewall
  Software requirements: Junos OS Release 23.4R1 or later

Before You Begin

Benefits

  • Secures network: Explicit web proxy configured on an SRX Series Firewall interface controls and filters the inbound and outbound traffic between the client and the destination webserver. The client-webserver traffic comprises HTTP and HTTPS traffic for IPv4 and IPv6 packets.

  • Acts as an intermediary between client and destination webservers: Explicit web proxy performs Domain Name System (DNS) resolution for the client. It establishes two sessions—one between the client and the SRX Series Firewall and the other between the firewall and the actual destination server. This way it steers traffic to the specified destination servers and then gets the response back from the server on behalf of the client.

Know more

Explicit Web Proxy, Pass-Through Authentication, and User Firewall

Hands-on experience

vLab Sandbox: Zones / Policies

Learn more

Juniper Identity Management Service

Functional Overview

Table 2: Explicit Web Proxy Functional Overview

Technologies used

  SSL proxy
    The SSL proxy profile pr1 supports server authentication by enabling a Web browser to validate the identity of a webserver.

  User identification
    The SRX Series Firewall searches for the user source identity in the user identification table (UIT) and retrieves user and role information, if available. The device creates an authentication entry with the IP address and the username of the user in the UIT.

  Security policies
    Two security policies, expp1 and expp2, enforce user-based and role-based security policies to restrict or permit users individually or in groups. The policies use different methods to authenticate users.

  Access profile
    Configure the Lightweight Directory Access Protocol (LDAP) profile ldap_profile for external authentication.

  Explicit web proxy profile
    Configure the explicit web proxy profile exp1 with dynamic application and external proxy server details. Attach this profile to the security policies expp1 and expp2 and then apply the profile on the permitted traffic.

Primary verification tasks

  • Verify the JIMS connection status.

  • Verify that user entries are available after firewall authentication.

Topology Overview

We've developed this example using user authentication. We configure users through firewall authentication using the [edit access profile] hierarchy. An external LDAP server maintains the user information.

In this example, a client initiates a user authentication request to a webserver through the SRX Series Firewall. When the SRX Series Firewall (henceforth also referred to as the firewall) receives the request, it checks whether it has the authentication entry for the given IP address. If the firewall doesn't have the entry, then it sends an IP-based query to the Juniper Identity Management Service (JIMS) identity manager to obtain the user's identity information.

For the firewall to query JIMS, you must establish an HTTPS connection between the firewall and JIMS. JIMS uses the populated identity management authentication table to authenticate a user that is requesting access to a protected resource. If the user entry is available in that table, JIMS responds to the firewall's query with the IP address of the user's device. If the user information is not available, JIMS responds with an appropriate error message.

In the deployments where JIMS (through Active Directory/Domain Controller) is unable to provide user authentication information, the firewall sends the user authentication event to JIMS using the push-to-identity-management statement. With this statement, the firewall pushes the authentication entries to the JIMS server for those users that have no entries in JIMS but have successfully authenticated to the firewall.

Table 3: Topology Components

Component: Client
  Role: Requests Web service
  Function: Initiates an HTTPS session with the webserver through the SRX Series Firewall.

Component: SRX Series Firewall
  Role: Juniper Networks' firewall
  Function: Works as the HTTPS client and sends HTTPS requests to JIMS on port 443. The advanced query feature queries JIMS for user identification information that the firewall stores in its authentication table and uses to authenticate users. The SRX Series Firewall initiates an HTTPS session with the LDAP server to authenticate the entries. If the LDAP server doesn't have the authentication entry, the LDAP server sends an IP-based authentication query to the JIMS server.

Component: LDAP server
  Role: External server to manage a number of firewall users.
  Function: LDAP is the Active Directory server.

Component: JIMS
  Role: A standalone Windows service application that collects and maintains a large database of user, device, and group information from Active Directory domains.
  Function: JIMS obtains users' account attributes and login sessions from an Active Directory and provides the information to the firewall. JIMS collects user identity information from different authentication sources for SRX Series Firewalls.

Component: Webserver
  Role: Web service provider
  Function: The webserver responds to the client's request.

Topology Illustration

Figure 1: Explicit Web Proxy

Configure Explicit Proxy on the SRX Series Firewall

Note:

For complete sample configurations on the SRX Series Firewall, see:

  1. Activate the HTTP process (daemon) on the firewall.
  2. Configure a Secure Sockets Layer (SSL) proxy profile, pr1, to allow browser traffic and to ignore server authentication.
    If you configure the firewall to ignore server authentication, the firewall ignores any errors it encounters during server verification at the time of the SSL handshake.
  3. Configure explicit web proxy. Apply the SSL proxy profile, pr1, to the explicit web proxy profile, exp1, to permit the traffic. The firewall decrypts and then re-encrypts all SSL proxy traffic.
  4. Configure JIMS as the authentication source for advanced query requests. Use the invalid-authentication-entry-timeout setting to protect invalid user authentication entries in an authentication table from expiring before the user can be validated.
  5. Configure the delay time (in seconds) before the firewall sends the individual user query.
  6. Specify the LDAP server for external authentication, and configure ldap-options within the profile.
  7. Configure the type of firewall authentication and the default profile name where the authentication settings are defined.
  8. Define a security policy, expp1, to control the explicit web proxy traffic and to add user information to JIMS.
  9. Configure a security policy, expp2, and apply it to permit the traffic from any dynamic application.
  10. Configure interfaces to apply explicit web proxy and Web authentication. Enable Web authentication and explicit web proxy on the ge-0/0/2 interface.
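The following set commands are an added example of the supporting configuration for steps 2 through 10; they are not the page's Appendix 1 output and not Juniper's own sample. The page does not show the statements for step 1 (the HTTP process) or for the explicit web proxy profile exp1 under [edit services web-proxy], so those are deliberately left out rather than guessed. Every address, zone name, certificate id, base DN and client secret below is a constructed placeholder; the profile and policy names pr1, exp1, expp1, expp2, ldap_profile and interface ge-0/0/2 are the ones the page uses.

```junos
## Added example (not the page's appendix). Placeholders: 192.0.2.10 (JIMS),
## 192.0.2.20 (LDAP), 192.168.10.1/24 (client LAN), zones trust/untrust,
## certificate id ssl-inspect-ca, client-id/secret values and the base DN.

## Step 2: SSL forward-proxy profile pr1. root-ca names a CA certificate held
## in the firewall's PKI store (placeholder id); clients must trust that CA.
set services ssl proxy profile pr1 root-ca ssl-inspect-ca
set services ssl proxy profile pr1 trusted-ca all
## "Ignore server authentication" from step 2: certificate errors toward the
## webserver (expired, untrusted, name mismatch) no longer block the session,
## so the firewall is trusting whatever server answers. Suitable for a lab;
## drop this line once the trusted-ca list covers the destinations you permit.
set services ssl proxy profile pr1 actions ignore-server-auth-failure

## Step 3 (explicit web proxy profile exp1, apply pr1 to it) is not shown on
## the page and is intentionally omitted here.

## Steps 4 and 5: JIMS as the advanced-query source, reached over HTTPS/443.
set services user-identification identity-management connection primary address 192.0.2.10
set services user-identification identity-management connection primary client-id srx-query-client
set services user-identification identity-management connection primary client-secret "PLACEHOLDER-SECRET"
set services user-identification identity-management connection connect-method https
set services user-identification identity-management connection port 443
## Keep not-yet-validated entries alive (minutes) so firewall authentication
## can complete before the entry expires (step 4).
set services user-identification identity-management invalid-authentication-entry-timeout 30
## Seconds to wait before sending the individual IP query for a user (step 5).
set services user-identification identity-management ip-query query-delay-time 15

## Step 6: external LDAP authentication profile ldap_profile.
set access profile ldap_profile authentication-order ldap
set access profile ldap_profile ldap-options base-distinguished-name "ou=users,dc=example,dc=com"
set access profile ldap_profile ldap-options search search-filter sAMAccountName=
set access profile ldap_profile ldap-server 192.0.2.20

## Step 7: firewall authentication type (Web authentication) and its default
## profile; push entries for users JIMS does not know but who authenticated.
set access firewall-authentication web-authentication default-profile ldap_profile
set access firewall-authentication push-to-identity-management

## Step 8: expp1 authenticates the user (which feeds JIMS via the push above)
## and sends the permitted traffic through SSL proxy pr1.
set security policies from-zone trust to-zone untrust policy expp1 match source-address any
set security policies from-zone trust to-zone untrust policy expp1 match destination-address any
set security policies from-zone trust to-zone untrust policy expp1 match application any
set security policies from-zone trust to-zone untrust policy expp1 then permit firewall-authentication web-authentication
set security policies from-zone trust to-zone untrust policy expp1 then permit application-services ssl-proxy profile-name pr1

## Step 9: expp2 permits any dynamic application (unified policy match).
set security policies from-zone trust to-zone untrust policy expp2 match source-address any
set security policies from-zone trust to-zone untrust policy expp2 match destination-address any
set security policies from-zone trust to-zone untrust policy expp2 match application any
set security policies from-zone trust to-zone untrust policy expp2 match dynamic-application any
set security policies from-zone trust to-zone untrust policy expp2 then permit application-services ssl-proxy profile-name pr1

## Step 10: Web authentication on the client-facing interface ge-0/0/2. The
## zone must accept HTTP/HTTPS to the firewall itself for the auth page; the
## explicit-proxy enable statement for the interface is not on the page.
set interfaces ge-0/0/2 unit 0 family inet address 192.168.10.1/24 web-authentication http
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services https
```

After committing, the two verification commands the page names, show services user-identification identity-management status and show services user-identification authentication-table, confirm respectively that the JIMS connection is online and that an entry for the authenticated client IP address exists; the latter is the signal that push-to-identity-management did its job for users JIMS did not already know.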

Verification

List of show commands used to verify the feature in this example.

show services user-identification authentication-table
  Verification task: Display the user identity information authentication table entries for the specified authentication source.

show services web-proxy
  Verification task: Display information about the secure Web proxy session.

show services ssl proxy profile
  Verification task: Display the SSL proxy profile details.

Explicit Web Proxy Verification

Purpose

Verify information about the secure explicit web proxy session.

Action

From operational mode, enter show security policies explicit-proxy explicit-proxy-profile exp1 to view the explicit web proxy details.

Meaning

The sample output shows the traffic allowed to the explicit proxy service session.

Identity Management Verification

Purpose

Verify the statistical data about the batch queries sent to the JIMS server and the responses received from JIMS.

Action

From operational mode, enter show services user-identification identity-management counters session and show services user-identification identity-management status.

Meaning

The sample output shows that the JIMS server is online. The output also shows which server is responding to queries from the SRX Series Firewall.

Appendix 1: set Commands on SRX Series Firewall

set command output on all devices:

Appendix 2: show Configuration Output on SRX Series Firewall

show command output on the firewall:

From configuration mode, confirm your configuration by entering the show security policies, show interfaces, show services ssl, show access, and show services user-identification identity-management commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct the configuration.