How to limit or specify what client ciphers can be used to access management console or reverse proxy services on the ProxySG



Solution

Overview

Restrict clients from accessing the ProxySG using low security or weak ciphers.

Specify which ciphers are allowed or denied for incoming connections to the ProxySG.

Resolution

There are several ways to limit which ciphers the ProxySG will accept. Many combinations are possible, but the principles shown in the examples below should give the guidance needed to limit connections to the ProxySG based on cipher type or strength.


CLI:
Management Console Service:
Enable mode (enable <enter>)
Config t <enter>
management-services<enter>
edit https-console<enter>
attribute cipher-suite <insert the ciphers you want>

Reverse Proxy Service:
Enable mode (enable <enter>)
Config t <enter>
proxy-services<enter>
edit <service_name><enter>
attribute cipher-suite <insert the ciphers you want>

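Example (shows the command syntax; the list includes RC4, MD5 and 3DES suites, so adjust it to the suites you want to allow):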
SGOS#(config HTTPS-Console) attribute cipher-suite rc4-md5 rc4-sha des-cbc3-sha aes128-sha aes256-sha



VPM:
Web Access Layer
Right click in "Source", then Set > New
Client Negotiate Cipher Strength
Choose the desired strength (Export, High, Medium, Low)
Choose to DENY or ALLOW depending on your need.



CPL:
Example_1: Deny ciphers by security level:
<Proxy>
    DENY client.connection.negotiated_cipher.strength=low

Example_2: Allow based on a specified list of ciphers (the names shown are export-grade suites; replace them with the ciphers you want to allow):
<Proxy>
    ALLOW client.connection.negotiated_cipher=(EXP-RC4-MD5 || EXP1024-RC4-MD5 || EXP1024-RC4-SHA || EXP1024-RC2-CBC-MD5 || EXP1024-DES-CBC-SHA)
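
An added example (not the vendor's or this article's own code): a Python pre-check that screens a proposed cipher list, in either the CLI form or the CPL list form shown above, and builds the `attribute cipher-suite` line from what remains. The weak-token policy and all function names are assumptions of this example.

```python
import re

# Assumed policy for this example: name tokens treated as too weak to offer.
WEAK_TOKENS = {
    "RC4": "RC4 stream cipher",
    "RC2": "RC2 cipher",
    "MD5": "MD5-based MAC",
}

def findings(suite):
    """Return the reasons a suite name is flagged (empty list = keep)."""
    tokens = suite.upper().split("-")
    reasons = []
    if any(t.startswith("EXP") for t in tokens):
        reasons.append("export-grade key length")
    if "CBC3" in tokens:
        reasons.append("3DES (64-bit block)")
    elif "DES" in tokens:
        reasons.append("single DES (56-bit key)")
    reasons += [why for tok, why in WEAK_TOKENS.items() if tok in tokens]
    return reasons

def parse_suites(text):
    """Accept a space-separated CLI list or a CPL '(A || B)' list."""
    return [s for s in re.split(r"[\s|()]+", text) if s]

def audit(text):
    """Split a cipher list into (kept, {rejected: reasons})."""
    kept, rejected = [], {}
    for suite in parse_suites(text):
        why = findings(suite)
        if why:
            rejected[suite] = why
        else:
            kept.append(suite)
    return kept, rejected

def cli_command(kept):
    """Build the CLI line; refuse to emit an empty cipher list."""
    if not kept:
        raise ValueError("no suites left after filtering")
    return "attribute cipher-suite " + " ".join(kept)

if __name__ == "__main__":
    # The cipher list from the article's CLI example.
    kept, rejected = audit("rc4-md5 rc4-sha des-cbc3-sha aes128-sha aes256-sha")
    for suite, why in rejected.items():
        print(f"drop {suite}: {', '.join(why)}")
    print(cli_command(kept))
```

Run against the CLI example list, it keeps only `aes128-sha aes256-sha`; run against the Example_2 list, every suite is rejected and no command is emitted.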

InQuira Doc Id      KB3819
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Product      ProxySG 200, ProxySG 210, ProxySG 510, ProxySG 810, ProxySG 8100, ProxySG 9000
Software      SGOS 5.4
Article Number      000011203