Hello,
I'm looking for some help with implementing an SSL intercept that takes the authentication headers from an HTTP CONNECT request and uses CPL on the proxy to add the header details to the HTTPS connection to the web server.
Flow of communication from terminal to Web server
① Mobile terminal⇒MobileIron Sentry [← VPN connection]
② MobileIron Sentry⇒Blue Coat [← HTTP CONNECT with authentication header sent from Sentry to Blue Coat]
③ MobileIron Sentry⇒Blue Coat⇒Web server [← HTTPS communication (I want to add the HTTP CONNECT authentication header to the HTTPS communication header with Blue Coat)]
Headers to extract/add to HTTPS communication
X-MobileIron-USER-DN
X-MobileIron-USER-UPN
X-MobileIron-DEVICE-UUID
X-MobileIron-USER-CERT
What I have so far:
;;MobileSites & MobileIronSetHeaders
define condition MobileSites
url.domain="dest1.site.com"
url.domain="dest2.site.com"
end condition MobileSites
define action MobileIronSetHeaders
set(request.x_header.X-MobileIron-USER-DN,"$(request.x_header.X-MobileIron-USER-DN)")
set(request.x_header.X-MobileIron-USER-UPN,"$(request.x_header.X-MobileIron-USER-UPN)")
set(request.x_header.X-MobileIron-DEVICE-UUID,"$(request.x_header.X-MobileIron-DEVICE-UUID)")
set(request.x_header.X-MobileIron-USER-CERT,"$(request.x_header.X-MobileIron-USER-CERT)")
end action MobileIronSetHeaders
;<ssl-intercept>
; url.domain="dest1.site.com" ssl.forward_proxy(https) ssl.forward_proxy.server_keyring(OurCA)
; url.domain="dest2.site.com" ssl.forward_proxy(https) ssl.forward_proxy.server_keyring(OurCA)
<ssl-intercept>
condition=MobileSites ssl.forward_proxy(https) ssl.forward_proxy.server_keyring(OurCA)
<Proxy>
condition=MobileSites action.MobileIronSetHeaders(yes)
Output from the IIS server - shows a 304 response; however, when attempting with the commented <ssl-intercept> above, we get a 200 but still with fields missing data.
#Date: 2020-04-09 05:33:10
#Fields: time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken X-FORWARDED-FOR x-ms-distinguishedname X-MobileIron-USER-DN X-MobileIron-USER-UPN X-MobileIron-DEVICE-UUID
05:33:07 W3SVC1 GET /pac/default.html - 443 - 99.99.99.99 Mozilla/4.0+(compatible;) - 304 0 0 1484 - - - - -
While the 'set' is being accepted without errors, I feel like I'm not extracting the data correctly.
Should I use '.encode_base64' in the set?
set(request.x_header.X-MobileIron-USER-DN,"$(request.x_header.X-MobileIron-USER-DN.encode_base64)")
Any pointers would be greatly appreciated.
Regards,
CR
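
To check from the web-server side whether a policy change actually delivers the headers, the log excerpt in the post can be audited per request. This is an added example, not part of the original post and not Blue Coat or MobileIron code; the names `audit`, `EXPECTED` and `SAMPLE_LOG` are assumptions, and the second log entry is constructed.

```python
# Added example: audit an IIS W3C log for the headers the proxy should forward.
EXPECTED = ["X-MobileIron-USER-DN", "X-MobileIron-USER-UPN",
            "X-MobileIron-DEVICE-UUID", "X-MobileIron-USER-CERT"]

# The #Fields line and first entry are from the post; the second entry is
# constructed to show what a request with populated headers would look like.
SAMPLE_LOG = """\
#Date: 2020-04-09 05:33:10
#Fields: time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken X-FORWARDED-FOR x-ms-distinguishedname X-MobileIron-USER-DN X-MobileIron-USER-UPN X-MobileIron-DEVICE-UUID
05:33:07 W3SVC1 GET /pac/default.html - 443 - 99.99.99.99 Mozilla/4.0+(compatible;) - 304 0 0 1484 - - - - -
05:40:00 W3SVC1 GET /pac/default.html - 443 - 99.99.99.99 Mozilla/4.0+(compatible;) - 200 0 0 15 - - CN=user1 user1@example.test 0000-1111
"""


def audit(log_text, expected=EXPECTED):
    """Return (not_logged, findings).

    not_logged: expected headers absent from the #Fields directive, so the
                log cannot prove anything about them.
    findings:   one dict per entry listing the logged headers that were empty.
    """
    fields, not_logged, findings = [], list(expected), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = [f.lower() for f in line.split()[1:]]
            not_logged = [h for h in expected if h.lower() not in fields]
            continue
        if not line or line.startswith("#"):
            continue
        # IIS writes spaces inside a value as '+', so whitespace splitting is safe.
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed, or written under a different #Fields directive
        row = dict(zip(fields, values))
        missing = [h for h in expected if row.get(h.lower()) == "-"]
        findings.append({"time": row.get("time"), "uri": row.get("cs-uri-stem"),
                         "status": row.get("sc-status"), "missing": missing})
    return not_logged, findings


if __name__ == "__main__":
    not_logged, findings = audit(SAMPLE_LOG)
    print("not in #Fields (add to IIS logging first):", not_logged)
    for f in findings:
        print(f["time"], f["uri"], f["status"], "empty:", f["missing"] or "none")
```

On the log in the post this reports that X-MobileIron-USER-CERT is not among the logged fields at all, so its delivery cannot be judged from this log until the field is added.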