SGOS 6.7.4.5:
Can someone explain the difference between SSL Client and SSL Proxy and its relationship to SSL Interception?
I just installed a new customer MS PKI sub-CA cert and keyring on an SGOS device. The goal right now is to have the proxy use the new customer PKI cert and not the internal Bluecoat self-signed cert.
(New PKI cert for device, Intermediate cert, and root cert have already been installed in Browser-trusted list).
Also at this time SSL intercept is NOT enabled - so this step is NOT configured yet:
Detect Protocol:
Enable Detect Protocol in the explicit HTTP service (Configuration > Services > Proxy Services > Standard > Explicit HTTP > Edit Service)
Check option: Detect Protocol
Disable ADN if enabled.
OK > APPLY
So if I configure the following two steps (SSL Client, SSL Proxy), what is really happening?
Step#1: SSL Client:
Set TLSv2 only for SSL Client
Config > SSL > SSL Client
Select keyring <new-keyring>
SSL Protocols: De-select all except for TLSv2
Apply
Now if all SSL protocols are disabled except TLSv2 then does that mean that the proxy will only allow access to sites that are TLSv2 enabled?
Or does SSL Interception (protocol-detect enabled) have to be enabled to make this happen (with supporting CPL code)?
Step#2: SSL Proxy:
Set the SSL Proxy to use the new keyring:
Configuration > Proxy Settings > SSL Proxy > General Settings
set Issuer Keyring to <new-keyring>.
Apply.
I would appreciate it if someone could enlighten me.
:)
Thanks!
------------------------------
Network Security Engineer
IBM - MSS
------------------------------