Configure the SSL proxy on the ProxySG for transparent interception and authentication using an SSL certificate issued from a Microsoft PKI server



Solution

Overview

Configuring the SSL proxy on the ProxySG for transparent interception and authentication using an SSL certificate issued from a Microsoft PKI server.

  • This article covers the deployment of the SSL proxy in a transparent deployment (via WCCP, in-line bridge, or L4 switch) and transparent authentication using IWA.
  • This article is based on SGOS 5.4.1.12 and Windows 2003 Enterprise Server SP2 Certificate Services.
  • The document assumes that the organization's Root CA certificate is already deployed as a Trusted CA certificate in the browsers.
Resolution
SETUP

Complete the following steps on the ProxySG:

1.)  Confirm that the system time is correct and, preferably, that it is kept in sync via NTP.  Because SSL certificates carry a validity period, an incorrect system date and time can cause certificates to be rejected as expired or not yet valid.  To review your NTP settings on the ProxySG, log in to the Management Console (https://<ip.address.of.proxys>:8082/) and select Configuration > General > Clock.

2.)  Select Configuration > SSL > Keyrings.  Create a new keyring for the ProxySG. Set the size to 1024 bits.  Select Show Keypair only if your security policy permits it.  Click OK and Apply to save your changes.

3.)  Edit the keyring created above.

4.)  Click Create under Certificate Signing Request at the bottom.

5.)  Fill in the request fields.  The Common Name must be set to the single hostname (resolvable via DNS) of the ProxySG.  Click OK, then Close, then Apply.

6.)  Edit the Keyring.  At the bottom will now be a certificate signing request (CSR).  Copy this text to the clipboard.  Click Close.

7.)  Save this text in a file and give it a name such as proxysg.csr.  Click Close.

Complete the following steps using Internet Explorer:

8.)  In Internet Explorer (IE), open the URL of the Microsoft Certificate Authority server.  Generally, the default URL is http://server/certsrv.

9.)  Click Request a certificate.

10.)  Click advanced certificate request.

11.)  Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request using a base-64-encoded PKCS #7 file.

12.)  (Optional)  You may be prompted to install "Microsoft Certificate Enrollment Control ActiveX".  Click Accept and continue.

13.)  Paste the CSR created above on the ProxySG into the Saved Request field.  Select Subordinate Certification Authority as the Certificate Template.  Click Submit.

14.)  Depending on the configuration of the CA, you may be issued a certificate immediately, or it may need to be approved by an admin.  Once approved, select Base 64 encoded and Download certificate.

15.)  Click Home in the top right corner of the page.

16.)  Click Download a CA certificate, certificate chain, or CRL.

17.)  Select the appropriate CA Certificate from the list at the top, select Base 64 as the encoding method and click Download CA certificate.

Complete the following steps on the ProxySG:

18.)  In the Management Console on the ProxySG, select Configuration > SSL > Keyrings.  Select the keyring created above and click Edit.

19.)  Under Certificate, click Import.

20.)  Paste in the base 64 certificate text downloaded above and click Close and then Apply to save your changes.

21.)  Next, add the Root CA and the ProxySG CA certificate to the list of CA certificates on the ProxySG.  In the Management Console, go to the CA Certificates tab (Configuration > SSL > CA Certificates).

22.)  Click Import.  Name the CA certificate and paste in the base 64 version of the ProxySG's subordinate CA certificate and click OK and then Apply.

23.)  Click Import.  Name the CA Certificate, paste in the Base 64 version of the Root CA Certificate downloaded above, and click OK.

24.)  Next we will add the Root CA, intermediate CA (if applicable), and proxy certificate as a browser trusted CA.  Select CA Certificate Lists tab at the top.

25.)  Select browser-trusted and click Edit.

26.)  Select the newly added Root CA, intermediate CA (if applicable), and proxy certificate on the left and click Add to move it to the right column.  Click OK and then Apply.

27.)  Change the SSL proxy Issuer Keyring from the default to the keyring created above and click Apply.  (This is found in the Configuration > Proxy Settings > SSL Proxy section of the Management Console.)

28.)  An HTTPS (SSL) Service already exists on the system by default.  Modify the default HTTPS service, if needed, to intercept traffic on port 443.  To do this, select Configuration > Services > Proxy Services > Encrypted Service Group > HTTPS > Edit Service.

29.)  Create an HTTPS reverse proxy on the ProxySG so that connections to the virtual URL are intercepted by the ProxySG.  Set the Proxy to HTTPS Reverse Proxy, set the Keyring to the keyring created in step 2 above.  Create a new Listener for the ProxySG's IP address on port 444 and set the action to Intercept.  (Configuration > Services > Proxy Services > New Service).

30.)  (Optional)  If you use a TCP-tunnel service on port 443 in transparent mode instead of the SSL service, enable protocol detection on the TCP-tunnel service.  (Configuration > Services > Proxy Services)

31.)  Create an authentication realm, such as IWA or LDAP, based on the environment.  In this example, IWA will be used. (Configuration > Authentication > IWA)

32.)  As part of realm authentication, change the Virtual URL for the realm to https://hostname:444.  The hostname, which must not be a fully qualified domain name, must resolve to the IP address of the ProxySG and should match the common name in the keyring certificate created in steps 2 and 5 above.  The virtual URL can be found at Configuration > Authentication > Realm_name (such as IWA, LDAP, etc.) > Realm_name General.
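The certificate hierarchy that steps 2 to 7, 13 and 21 to 26 build (organization Root CA, ProxySG subordinate CA, emulated site certificates), and the Common Name check that steps 5 and 32 depend on, can be reproduced and inspected offline with openssl. The script below is an added example; it is not part of this article or of SGOS. A locally generated root CA stands in for the Microsoft CA, the ProxySG hostname proxysg and the site name www.example.com are constructed, and all file names are assumptions. It uses 2048-bit keys rather than the 1024 bits in step 2, because 1024-bit RSA is no longer adequate for a signing key.

```shell
#!/bin/sh
# Added example, not from the article or SGOS: rebuild the article's certificate
# hierarchy with openssl and check it the way a browser behind the proxy would.
#   root.pem     stand-in for the organization's Microsoft Root CA (trusted by browsers)
#   proxysg.pem  what the "Subordinate Certification Authority" template issues (step 13)
#   site.pem     an emulated server certificate the SSL proxy would mint for a site
# All hostnames and file names below are constructed for this example.

PROXY_CN="proxysg"          # assumed short hostname of the ProxySG (steps 5 and 32)
SITE_CN="www.example.com"   # constructed name of an intercepted site

# Build root CA, subordinate CA and one emulated site certificate under directory $1.
build_chain() {
  dir="$1"
  mkdir -p "$dir" || return 1
  # Extension profiles. A CA certificate must assert CA:TRUE and keyCertSign;
  # without them browsers reject everything the proxy signs with that key.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/subca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$SITE_CN" > "$dir/site.ext"

  # 1. Self-signed root CA (2048-bit key; the example deliberately exceeds step 2's 1024).
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/root.key" -subj "/CN=Example Root CA" -out "$dir/root.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null || return 1

  # 2. ProxySG keyring and CSR (steps 2 to 7), signed by the root as a subordinate CA (steps 13 and 14).
  openssl genrsa -out "$dir/proxysg.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/proxysg.key" -subj "/CN=$PROXY_CN" -out "$dir/proxysg.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/proxysg.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -days 1825 -sha256 -extfile "$dir/subca.ext" -out "$dir/proxysg.pem" 2>/dev/null || return 1

  # 3. Emulated site certificate, signed by the ProxySG subordinate CA (what the SSL proxy serves).
  openssl genrsa -out "$dir/site.key" 2048 2>/dev/null || return 1
  openssl req -new -key "$dir/site.key" -subj "/CN=$SITE_CN" -out "$dir/site.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/site.csr" -CA "$dir/proxysg.pem" -CAkey "$dir/proxysg.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$dir/site.ext" -out "$dir/site.pem" 2>/dev/null || return 1
}

# Does the certificate assert CA:TRUE? This is what the step 13 template must produce.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Subject CN of a certificate, to compare with the virtual URL hostname (steps 5 and 32).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Certificate is inside its validity window right now (the reason step 1 insists on correct time).
cert_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Browser view: only the root is trusted, the subordinate CA arrives in the handshake chain.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/proxysg.pem" "$1/site.pem" >/dev/null 2>&1
}

# Same check when the subordinate CA is neither trusted nor presented (steps 22 and 26 skipped): must fail.
verify_without_subca() {
  openssl verify -CAfile "$1/root.pem" "$1/site.pem" >/dev/null 2>&1
}

# Stand-alone run: build everything in a scratch directory and report each check.
work=$(mktemp -d)
if build_chain "$work"; then
  echo "proxysg certificate CN: $(cert_cn "$work/proxysg.pem")"
  cert_is_ca "$work/proxysg.pem"   && echo "subordinate CA certificate carries CA:TRUE"
  verify_chain "$work"             && echo "site certificate verifies with root + subordinate CA"
  verify_without_subca "$work"     || echo "site certificate fails without the subordinate CA (expected)"
  cert_valid_now "$work/site.pem"  && echo "site certificate is within its validity window"
else
  echo "build failed: is openssl installed?"
fi
```

Run it as-is to see the checks pass; then point `cert_is_ca` and `cert_cn` at the certificate actually returned by the Microsoft CA in step 14 to confirm it was issued from the Subordinate Certification Authority template and that its CN equals the hostname you will put in the virtual URL in step 32.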

33.)  Make sure that transparent proxy is set to the session cookie method.  This is the default.  (Configuration > Authentication > Transparent Proxy)

34.)  Install both the CA certificate and the subordinate CA certificate in the proxy's CA certificate store (Configuration > SSL > CA Certificates > Import).

35.)  Add each of the newly added CA certificates to the CA Certificate List (CCL) called 'browser-trusted' (Configuration > SSL > CA Certificates > CCL).

Please see 000016796 which describes the steps on how to write policy to enable SSL Proxy functionality using Visual Policy Manager (VPM).

InQuira Doc Id      KB3700

First Published      10/01/2014
Last Modified      10/06/2014
Last Published      10/06/2014
Product      ProxySG
Software      SGOS 5
Topic      Authentication, Configuration / WUI / CLI, SSL / HTTPS
Article Number      000008716