ProxySG & Advanced Secure Gateway

  • 1.  SGOS - Diff between SSL Client and SSL Proxy

    Posted Jul 23, 2020 01:33 AM
    SGOS 6.7.4.5:
    Can someone explain the difference between SSL Client and SSL Proxy and its relationship to SSL Interception?
    I just installed a new customer MS PKI sub-CA cert and keyring on a SGOS device. The goal right now is to have the proxy use the new customer PKI cert and not the internal Bluecoat self-signed cert.
     (New PKI cert for device, Intermediate cert, and root cert have already been installed in Browser-trusted list).
    Also at this time SSL intercept is NOT enabled - so this step is NOT configured yet:
    Detect Protocol:
    Enable Detect Protocol in the explicit HTTP service (Configuration > Services > Proxy Services > Standard > Explicit HTTP > Edit Service)
    Check option: Detect Protocol
    Disable ADN if enabled.
    OK > APPLY

    So if I config the following two steps (SSL Client, SSL Proxy) - what is really happening?
    Step#1: SSL Client:
    Set TLSv2 only for SSL Client
    Config > SSL > SSL Client
    Select keyring <new-keyring>
    SSL Protocols: De-select all except for TLSv2
    Apply

    Now if all SSL protocols are disabled except TLSv2 then does that mean that the proxy will only allow access to sites that are TLSv2 enabled?
    Or does SSL Interception (protocol-detect enabled) have to be enabled to make this happen (with supporting CPL code)?

    Step#2: SSL Proxy:
    Set the SSL Proxy to use the new keyring:
    Configuration > Proxy Settings > SSL Proxy > General Settings
    set Issuer Keyring to <new-keyring>.
    Apply.

    I would appreciate if someone could enlighten me.
    :)
    Thanks!

    ------------------------------
    Network Security Engineer
    IBM - MSS
    ------------------------------


  • 2.  RE: SGOS - Diff between SSL Client and SSL Proxy
    Best Answer

    Broadcom Employee
    Posted Jul 23, 2020 01:44 PM

    Hi Keith,

    Great questions!

    SSL Client: This is the keyring used if an upstream server requires a client certificate. Usually this is not applicable when we are talking about SSL decryption.

    SSL Proxy: This is going to be the keyring that you use when the ProxySG is SSL decrypting in order to return exception pages and things like that (sometimes referred to as 'Interception on Exception'). Actually, SSL decryption of normal traffic needs to be configured in policy. This KB is a good resource on how to accomplish that in the VPM.

    Now if all SSL protocols are disabled except TLSv2 then does that mean that the proxy will only allow access to sites that are TLSv2 enabled?

    Mostly - the exception being TLSv1.3. SGOS 7.2.x offers full TLSv1.3 support, but SGOS 6.7.4.x does have the ability to handle those requests and negotiate them down to TLSv1.2. In this case, if the ProxySG receives a Client Hello using any protocol lower than TLSv2 (SSLv3, TLSv1.0), then it will reset the connection.

    Or does SSL Interception (protocol-detect enabled) have to be enabled to make this happen (with supporting CPL code)?

    What Protocol Detection does is listen on the explicit listener and send SSL-looking traffic off to the SSL processes of the ProxySG. If Protocol Detection is not enabled, then the traffic is never sent to the SSL processes, and so SSL Interception won't work for explicit traffic.

    Also, a tip I wish I had known earlier: If you navigate to a setting in the Management Console GUI, and then click on "Help", the section of the Admin Guide that explains that setting will pop up in a new tab.

    Thanks!
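The following is an added worked example, not code from the thread or from Broadcom. It models the two mechanisms the answer describes for an explicit listener: Protocol Detection classifying the first bytes as an SSL ClientHello or not, and the "TLSv1.2 only" protocol setting (written "TLSv2" in the posts) deciding whether to negotiate or reset. It assumes a simplified negotiation rule: a TLS 1.3 client lists its acceptable versions in the supported_versions extension (RFC 8446, type 43), an older client implicitly accepts anything up to its client_version, and a proxy on SGOS 6.7.4.x (modelled by `proxy_max`) can negotiate a TLS 1.3 Hello down to 1.2 but not speak 1.3 itself. The ClientHello bytes are constructed inline; the real ProxySG detection and negotiation logic is more elaborate than this.

```python
"""Model of Protocol Detection plus a 'TLSv1.2 only' SSL Client / SSL Proxy
setting on an explicit ProxySG listener. Added example, not ProxySG code.
ClientHellos are constructed inline; the negotiation rule is a simplification
of the behaviour described in the answer above."""
import struct

TLS_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
    (3, 4): "TLSv1.3",
}
CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SUPPORTED_VERSIONS = 0x002B   # RFC 8446 supported_versions


def looks_like_tls(data: bytes) -> bool:
    """Protocol Detection: is the first thing on the explicit listener a TLS
    record carrying a ClientHello, rather than plaintext HTTP?"""
    if len(data) < 6:
        return False
    return (data[0] == CONTENT_TYPE_HANDSHAKE
            and data[1] == 3 and data[2] <= 4
            and data[5] == HANDSHAKE_CLIENT_HELLO)


def parse_client_hello(data: bytes) -> dict:
    """Extract legacy client_version and, if present, the supported_versions list."""
    if not looks_like_tls(data):
        raise ValueError("not a TLS ClientHello")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    legacy = (hello[0], hello[1])
    pos = 2 + 32                                  # skip version and random
    pos += 1 + hello[pos]                         # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher suites
    pos += 1 + hello[pos]                         # compression methods
    supported = None
    if pos + 2 <= len(hello):                     # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [(edata[i], edata[i + 1]) for i in range(1, 1 + n, 2)]
    return {"legacy_version": legacy, "supported_versions": supported}


def offered_versions(hello: dict) -> set:
    """Versions the client will accept. A TLS 1.3 client lists them explicitly;
    an older client implicitly accepts anything up to its client_version."""
    if hello["supported_versions"]:
        return {v for v in hello["supported_versions"] if v in TLS_VERSIONS}
    return {v for v in TLS_VERSIONS if v <= hello["legacy_version"]}


def negotiate(data: bytes, enabled: set, proxy_max=(3, 3)) -> str:
    """Outcome for one ClientHello given the protocols ticked under SSL Client /
    SSL Proxy. proxy_max=(3,3) models SGOS 6.7.4.x, which cannot speak TLSv1.3
    but can negotiate a 1.3 Hello down to 1.2. Returns the protocol name,
    'RESET' when nothing acceptable remains, or 'NOT-TLS' for plaintext."""
    if not looks_like_tls(data):
        return "NOT-TLS"
    candidates = offered_versions(parse_client_hello(data)) & enabled
    candidates = {v for v in candidates if v <= proxy_max}
    return TLS_VERSIONS[max(candidates)] if candidates else "RESET"


def build_client_hello(legacy, supported=None, record_version=(3, 1)) -> bytes:
    """Constructed minimal ClientHello: one cipher suite, null compression,
    optional supported_versions extension. Test input only."""
    body = bytes(legacy) + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"               # one suite, null compression
    if supported is not None:
        lst = b"".join(bytes(v) for v in supported)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 1 + len(lst)) + bytes([len(lst)]) + lst
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(record_version) + struct.pack("!H", len(hs)) + hs


ENABLED_TLS12_ONLY = {(3, 3)}   # "De-select all except TLSv1.2"
ENABLED_ALL = set(TLS_VERSIONS)

if __name__ == "__main__":
    for name, hello in [("TLS1.0 client", build_client_hello((3, 1))),
                        ("TLS1.2 client", build_client_hello((3, 3))),
                        ("TLS1.3 client", build_client_hello((3, 3), [(3, 4), (3, 3)])),
                        ("plain HTTP", b"GET / HTTP/1.1\r\n")]:
        print(f"{name:14} -> {negotiate(hello, ENABLED_TLS12_ONLY)}")
```

To check the real device rather than the model, point `openssl s_client` at the explicit listener with `-proxy <proxy-host>:<port> -connect <site>:443` and force a version with `-tls1` or `-tls1_2`: with only TLSv1.2 ticked, the `-tls1` attempt should fail during the handshake while `-tls1_2` completes, and the certificate chain printed for an intercepted or exception connection should be issued by the new keyring rather than the appliance's self-signed certificate.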