How to limit or specify what client ciphers can be used to access management console or reverse proxy services on the ProxySG

Solution

Overview

Restrict clients from accessing the ProxySG using low security or weak ciphers.

Specify which ciphers are allowed or denied for incoming connections to the ProxySG.

Cause
Resolution

There are a several different ways to limit what ciphers the ProxySG will accept. There are many different conceivable combinations, but the principles shown in the examples below should offer the necessary guidance in successfully limiting connections to the ProxySG based on cipher type or strength.


CLI:
Management Console Service:
Enable mode (enable <enter>)
Config t <enter>
management-services<enter>
edit https-console<enter>
attribute cipher-suite <insert the ciphers you want>

Reverse Proxy Service:
Enable mode (enable <enter>)
Config t <enter>
proxy-services<enter>
edit <service_name><enter>
attribute cipher-suite <insert the ciphers you want>

Example:
SGOS#(config HTTPS-Console) attribute cipher-suite rc4-md5 rc4-sha des-cbc3-sha aes128-sha aes256-sha



VPM:
Web Access Layer
Right click in "Source", then Set > New
Client Negotiate Cipher Strengh
Choose the desired strength (Export, High, Medium, Low)
Choose to DENY or ALLOW depending on your need.



CPL:
Example_1: Deny ciphers by security level:
<Proxy>
    DENY client.connection.negotiated_cipher.strength=low

Example_2: Allow based on a specified list of ciphers:
<Proxy>
    ALLOW client.connection.negotiated_cipher=(EXP-RC4-MD5 || EXP1024-RC4-MD5 || EXP1024-RC4-SHA || EXP1024-RC2-CBC-MD5 || EXP1024-DES-CBC-SHA)

Workaround
Additional Information
Bug Number
InQuira Doc IdKB3819
Attachment

Article Feedback

Did this Article solve your issue?
Additional Comments:
 
Предыдущий месяцСледующий месяц
ПнВтСрЧтПтСбВс