Problem Description

Solutions ID:    KB3700
Version:    5.0
Status:    Published
Published date:    02/16/2010
Updated:    06/08/2011

Configuring the SSL proxy on the ProxySG for transparent interception and authentication using an SSL certificate issued from a Microsoft PKI server.

  • This article covers the deployment of the SSL proxy in a transparent deployment (via WCCP, in-line bridge, or L4 switch) and transparent authentication using IWA.
  • This article is based on SGOS and Windows Server 2003 Enterprise Edition SP2 Certificate Services.
  • The document assumes that the organization's Root CA certificate is already deployed as a Trusted CA certificate in the browsers.



Complete the following steps on the ProxySG:

1.)  Confirm correct time configuration and, preferably, NTP updates.  SSL certificates carry a validity period (not-before and not-after dates), so an incorrect system clock causes certificates to be rejected as not yet valid or already expired.  To review your NTP settings on the ProxySG, log in to the Management Console (https://<ip.address.of.proxysg>:8082/) and select Configuration > General > Clock.

2.)  Select Configuration > SSL > Keyrings.  Create a new keyring for the ProxySG.  Set the key size to 2048 bits (1024-bit RSA keys are no longer considered adequate).  Choose whether to allow Show Keypair according to your security policy; if the key pair is not shown, the private key cannot later be viewed or exported from the Management Console.  Click OK and Apply to save your changes.

3.)  Edit the keyring created above.

4.)  Click Create under Certificate Signing Request at the bottom.

5.)  Fill in the appropriate information for the request.  The Common Name must be the single-label hostname of the ProxySG (resolvable via DNS); the same name is used for the realm virtual URL in step 32.  Click OK, then Close, then Apply.

6.)  Edit the keyring.  The certificate signing request (CSR) now appears at the bottom.  Copy this text to the clipboard and click Close.

7.)  Save the text in a file with a name such as proxysg.csr.


Complete the following steps using Internet Explorer:

8.)  In Internet Explorer (IE), open the URL of the Microsoft Certificate Authority web enrollment pages.  Generally, the default URL is http://server/certsrv.

9.)  Click Request a certificate.

10.)  Click advanced certificate request.

11.)  Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request using a base-64-encoded PKCS #7 file.

12.)  (Optional)  You may be prompted to install "Microsoft Certificate Enrollment Control ActiveX".  Click Accept and continue.

13.)  Paste the CSR created above on the ProxySG into the Saved Request field.  Select Subordinate Certification Authority for the Certificate Template (the template is offered only if it is published on the CA and the submitting account has Enroll permission on it).  Click Submit.  Note that this certificate makes the ProxySG a subordinate CA of the organization's PKI: the keyring's private key can then issue a certificate for any server name that every client trusting the Root CA will accept, so restrict administrative access to the ProxySG accordingly.

14.)  Depending on the configuration of the CA, you may be issued a certificate immediately, or the request may need to be approved by a CA administrator.  Once approved, select Base 64 encoded and click Download certificate.

15.)  Click Home in the top right corner of the page.

16.)  Click Download a CA certificate, certificate chain, or CRL.

17.)  Select the appropriate CA Certificate from the list at the top, select Base 64 as the encoding method and click Download CA certificate.


Complete the following steps on the ProxySG:

18.)  In the Management Console on the ProxySG, select Configuration > SSL > Keyrings.  Select the keyring created above and click Edit.

19.)  Click Import, under Certificate.

20.)  Paste in the Base 64 certificate text downloaded above, then click Close and Apply to save your changes.

21.)  Next, add the Root CA certificate and the ProxySG's subordinate CA certificate to the list of CA certificates on the ProxySG.  In the Management Console, go to the CA Certificates tab (Configuration > SSL > CA Certificates).

22.)  Click Import.  Name the CA certificate, paste in the Base 64 version of the ProxySG's subordinate CA certificate, and click OK and then Apply.

23.)  Click Import again.  Name the CA certificate, paste in the Base 64 version of the Root CA certificate downloaded above, and click OK and then Apply.

24.)  Next we will add the Root CA, intermediate CA (if applicable), and proxy certificate as a browser trusted CA.  Select CA Certificate Lists tab at the top.

25.)  Select browser-trusted and click Edit.

26.)  Select the newly added Root CA, intermediate CA (if applicable), and proxy certificate on the left and click Add to move it to the right column.  Click OK and then Apply.

27.)  Change the SSL proxy Issuer Keyring from the default to the keyring created above and click Apply.  (This is found in the Configuration > Proxy Settings > SSL Proxy section of the Management Console.)  This is the keyring whose private key signs the certificates the ProxySG emulates for intercepted sites, so it must be the keyring holding the subordinate CA certificate issued in step 14.

28.)  An HTTPS (SSL) Service already exists on the system by default.  Modify the default HTTPS service, if needed, to intercept traffic on port 443.  To do this, select Configuration > Services > Proxy Services > Encrypted Service Group > HTTPS > Edit Service.

29.)  Create an HTTPS reverse proxy on the ProxySG so that connections to the virtual URL are intercepted by the ProxySG.  Set the Proxy to HTTPS Reverse Proxy, set the Keyring to the keyring created in step 2 above.  Create a new Listener for the ProxySG's IP address on port 444 and set the action to Intercept.  (Configuration > Services > Proxy Services > New Service).

30.)  (Optional)  If you use a TCP-tunnel service on port 443 in transparent mode instead of the SSL service, enable protocol detection on the TCP-tunnel service.  (Configuration > Services > Proxy Services)

31.)  Create an authentication realm, such as IWA or LDAP, based on the environment.  In this example, IWA will be used. (Configuration > Authentication > IWA)

32.)  As part of realm authentication, change the Virtual URL for the realm to https://hostname:444.  The hostname must be a short, single-label name, not a fully qualified domain name: Internet Explorer places dot-less names in the Local Intranet zone, where it sends the user's credentials automatically, whereas a name containing dots is treated as an Internet site and the user is prompted for credentials by default.  The name must resolve to the IP address of the ProxySG and must match the common name in the keyring certificate created in steps 2 and 5 above; otherwise the browser displays a certificate warning on every authentication redirect.  The virtual URL can be found at Configuration > Authentication > Realm_name (such as IWA, LDAP, etc.) > Realm_name General.

33.)  Make sure that transparent proxy is set to the session cookie method.  This is the default.  (Configuration > Authentication > Transparent Proxy)

34.) Confirm that both the Root CA certificate and the ProxySG's subordinate CA certificate are present in the proxy's CA certificate store (steps 21 through 23; Configuration > SSL > CA Certificates).

35.) Confirm that each of those CA certificates is a member of the CA Certificate List (CCL) called 'browser-trusted' (steps 24 through 26; Configuration > SSL > CA Certificates > CA Certificate Lists).
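Most failures of this deployment come down to values that do not agree with each other: a virtual URL host that differs from the keyring CN or is fully qualified, an SSL proxy issuer keyring left at the default, a virtual URL port that does not match the reverse-proxy listener, or a CA certificate missing from the browser-trusted CCL.  The following Python script is an added example, not Blue Coat code or part of this article: it models the values the procedure above asks for and reports such inconsistencies before they are typed into the Management Console.  The keyring and CA certificate names, the sample plans, and the 2048-bit threshold are assumptions for illustration.

```python
"""Consistency checks for a transparent SSL proxy + IWA plan on the ProxySG.

Added example, not Blue Coat code. It models the values the procedure above
asks for and reports the mismatches that typically show up as a browser
certificate warning or an IWA credential prompt.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

MIN_RSA_BITS = 2048            # assumed local policy; 1024-bit RSA is no longer adequate
INTERCEPTED_HTTPS_PORT = 443   # port the default transparent HTTPS service intercepts (step 28)


@dataclass(frozen=True)
class SslProxyPlan:
    keyring_name: str               # keyring created in step 2
    keyring_bits: int               # key size chosen in step 2
    keyring_common_name: str        # CN entered in the CSR, step 5
    issuer_keyring: str             # SSL proxy issuer keyring, step 27
    listener_port: int              # HTTPS reverse-proxy listener, step 29
    virtual_url: str                # realm virtual URL, step 32
    browser_trusted_ccl: frozenset  # CA certificate names in the browser-trusted CCL, steps 24-26
    required_ca_certs: frozenset    # root, intermediate (if any) and ProxySG subordinate CA


def _is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is internally consistent."""
    findings = []

    if plan.keyring_bits < MIN_RSA_BITS:
        findings.append("key size %d is below %d bits" % (plan.keyring_bits, MIN_RSA_BITS))

    # Emulated certificates are signed by the issuer keyring; if it is not the
    # keyring the Microsoft CA signed, they will not chain to the enterprise root.
    if plan.issuer_keyring != plan.keyring_name:
        findings.append("issuer keyring %r is not the CA keyring %r"
                        % (plan.issuer_keyring, plan.keyring_name))

    parts = urlsplit(plan.virtual_url)
    if parts.scheme != "https":
        findings.append("virtual URL must use https")
    host = parts.hostname
    if not host:
        findings.append("virtual URL has no host")
    else:
        # IE grants automatic logon only in the Local Intranet zone, which by
        # default holds dot-less names but not FQDNs or IP literals.
        if _is_ip_literal(host):
            findings.append("virtual URL host %r is an IP literal; IWA will prompt" % host)
        elif "." in host:
            findings.append("virtual URL host %r is fully qualified; IWA will prompt" % host)
        # The redirect to the virtual URL presents the keyring certificate, so its
        # CN must match the host or every authentication redirect warns.
        if host.lower() != plan.keyring_common_name.lower():
            findings.append("virtual URL host %r does not match keyring CN %r"
                            % (host, plan.keyring_common_name))
    port = parts.port if parts.port is not None else 443
    if port != plan.listener_port:
        findings.append("virtual URL port %d does not match reverse-proxy listener port %d"
                        % (port, plan.listener_port))
    if port == INTERCEPTED_HTTPS_PORT:
        findings.append("virtual URL port 443 overlaps the intercepted HTTPS service; "
                        "the article uses 444")

    missing = plan.required_ca_certs - plan.browser_trusted_ccl
    if missing:
        findings.append("not in browser-trusted CCL: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample plans; the names are illustrative, not taken from the article.
REQUIRED = frozenset({"Corp Root CA", "ProxySG Subordinate CA"})


def good_plan():
    return SslProxyPlan("proxysg-ca", 2048, "proxysg", "proxysg-ca", 444,
                        "https://proxysg:444", REQUIRED, REQUIRED)


def bad_plan():
    # FQDN virtual URL on 443, default issuer keyring, 1024-bit key, sub-CA not in the CCL.
    return SslProxyPlan("proxysg-ca", 1024, "proxysg", "default", 444,
                        "https://proxysg.example.com", frozenset({"Corp Root CA"}), REQUIRED)


if __name__ == "__main__":
    for plan in (good_plan(), bad_plan()):
        print(plan.virtual_url, "->", check_plan(plan) or "OK")
```

Run the script as-is to see the constructed good and bad plans evaluated, or build an SslProxyPlan from your own intended values and inspect what check_plan returns; each finding names the step in the procedure above whose value needs to change.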


Please see KB3716 which describes the steps on how to write policy to enable SSL Proxy functionality using Visual Policy Manager (VPM).

