SSL Forward Proxy Overview
Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols that encrypt application traffic over the Internet; this documentation uses SSL to refer to both. SSL secures the transmission of data between a client and a server through a combination of server authentication, confidentiality, and data integrity, and relies on X.509 certificates and public–private key pairs to provide this level of security.
Server authentication guards against fraudulent transmissions by enabling a Web browser to validate the identity of a Web server. Confidentiality mechanisms ensure that communications are private. SSL enforces confidentiality by encrypting data to prevent unauthorized users from eavesdropping on electronic communications. Finally, message integrity ensures that the contents of a communication have not been tampered with.
SSL forward proxy is a transparent proxy: it decrypts and re-encrypts traffic between the client and the server without terminating the flow at an address of its own, so the server cannot detect its presence. The client, however, is presented with a certificate issued by the proxy's root CA rather than by the server's CA, which is why that root CA must be trusted by the client (see Server Authentication). SSL forward proxy arranges to hold the keys needed to decrypt and re-encrypt the payload as follows:
For the server, SSL forward proxy acts as a client. With the RSA key exchange used by every suite in Table 1, the client side of the handshake generates the pre-master secret; because the proxy plays that role toward the server, it knows the session keys for the server leg.
For the client, SSL forward proxy acts as a server. It first authenticates the original server and then builds a new certificate from the original one: it replaces the server's public key with a key it holds, replaces the issuer with the identity of the root CA configured in the proxy profile, and signs the new certificate with that root CA's private key (the root CA certificate is supplied as part of the proxy profile configuration). When the client accepts this certificate, it sends a pre-master secret encrypted with the public key in the certificate; because that key belongs to the proxy, the proxy can decrypt it. Traffic is decrypted and re-encrypted in each direction, and the session keys on the client leg and the server leg are different.
Figure 1 shows how SSL forward proxy works on an encrypted payload. When application firewall (AppFW) is configured, SSL forward proxy acts as an SSL server terminating the SSL session from the client, and a new SSL session is established to the server. The device decrypts and then re-encrypts all SSL forward proxy traffic. SSL forward proxy uses the following services:
SSL-T: SSL terminator on the client side.
SSL-I: SSL initiator on the server side.
Configured AppFW services inspect the decrypted SSL sessions.

This topic has the following sections:
Supported Ciphers in Proxy Mode
A cipher suite names the key exchange algorithm, the bulk encryption cipher, and the message integrity (MAC or hash) algorithm negotiated for a session. Table 1 lists the suites supported in proxy mode; NULL ciphers are excluded. Note that every listed suite uses static RSA key exchange, which offers no forward secrecy: anyone holding the server-side private key can decrypt recorded sessions. The RC4, DES, export-grade, and MD5 suites are deprecated and should not be enabled where the peers support the AES suites.
The following SSL protocols are supported:
SSLv3 (deprecated by RFC 7568; enable it only for legacy servers that cannot negotiate TLS)
TLS1
Table 1: Supported Ciphers in Proxy Mode
SSL Cipher | Key Exchange Algorithm | Data Encryption | Message Integrity |
---|---|---|---|
RSA_WITH_RC4_128_MD5 | RSA key exchange | 128-bit RC4 | Message Digest 5 (MD5) hash |
RSA_WITH_RC4_128_SHA | RSA key exchange | 128-bit RC4 | Secure Hash Algorithm (SHA) hash |
RSA_WITH_DES_CBC_SHA | RSA key exchange | DES CBC | SHA hash |
RSA_WITH_3DES_EDE_CBC_SHA | RSA key exchange | 3DES EDE/CBC | SHA hash |
RSA_WITH_AES_128_CBC_SHA | RSA key exchange | 128-bit AES/CBC | SHA hash |
RSA_WITH_AES_256_CBC_SHA | RSA key exchange | 256-bit AES/CBC | SHA hash |
RSA_EXPORT_WITH_RC4_40_MD5 | RSA-export | 40-bit RC4 | MD5 hash |
RSA_EXPORT_WITH_DES40_CBC_SHA | RSA-export | 40-bit DES/CBC | SHA hash |
RSA_EXPORT1024_WITH_DES_CBC_SHA | RSA 1024 bit export | DES/CBC | SHA hash |
RSA_EXPORT1024_WITH_RC4_56_MD5 | RSA 1024 bit export | 56-bit RC4 | MD5 hash |
RSA_EXPORT1024_WITH_RC4_56_SHA | RSA 1024 bit export | 56-bit RC4 | SHA hash |
RSA-WITH-AES-256-GCM-SHA384 | RSA key exchange | 256-bit AES/GCM | SHA384 hash |
RSA-WITH-AES-256-CBC-SHA256 | RSA key exchange | 256-bit AES/CBC | SHA256 hash |
RSA-WITH-AES-128-GCM-SHA256 | RSA key exchange | 128-bit AES/GCM | SHA256 hash |
RSA-WITH-AES-128-CBC-SHA256 | RSA key exchange | 128-bit AES/CBC | SHA256 hash |
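As an added example (not part of the original documentation or of the device's software), the following Python script parses the suite names exactly as Table 1 spells them and flags the constructions a reviewer of a proxy profile should reject: export-grade key exchange, RC4, single DES, 3DES, keys shorter than 128 bits, and MD5. It also records that none of the suites provides forward secrecy, which is the property the proxy depends on to read the pre-master secret. The weakness labels and the function names are this example's own.

```python
"""Audit the cipher suites an SSL forward proxy profile can negotiate.

Added example: classifies the suite names as Table 1 spells them and flags
constructions that are no longer considered safe. Labels are the example's own.
"""
from dataclasses import dataclass, field

# Suite names copied from Table 1 (both the "_" and the "-" spelling appear there).
SUPPORTED_SUITES = [
    "RSA_WITH_RC4_128_MD5", "RSA_WITH_RC4_128_SHA", "RSA_WITH_DES_CBC_SHA",
    "RSA_WITH_3DES_EDE_CBC_SHA", "RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_AES_256_CBC_SHA",
    "RSA_EXPORT_WITH_RC4_40_MD5", "RSA_EXPORT_WITH_DES40_CBC_SHA",
    "RSA_EXPORT1024_WITH_DES_CBC_SHA", "RSA_EXPORT1024_WITH_RC4_56_MD5",
    "RSA_EXPORT1024_WITH_RC4_56_SHA", "RSA-WITH-AES-256-GCM-SHA384",
    "RSA-WITH-AES-256-CBC-SHA256", "RSA-WITH-AES-128-GCM-SHA256",
    "RSA-WITH-AES-128-CBC-SHA256",
]


@dataclass
class Suite:
    name: str
    key_exchange: str
    cipher: str
    key_bits: int
    mode: str                       # "CBC", "GCM" or "stream" (RC4)
    mac: str                        # MD5, SHA, SHA256 or SHA384
    weaknesses: list = field(default_factory=list)
    # Static RSA key exchange: the pre-master secret is encrypted to the server
    # key, so whoever holds that key (here, the proxy) can recover the session.
    forward_secrecy: bool = False


def parse_suite(name: str) -> Suite:
    # Normalise the separator, then split into key exchange and the rest.
    kx, body = name.replace("-", "_").split("_WITH_")
    tokens = body.split("_")
    mac = tokens.pop()              # last token is always the integrity algorithm
    cipher = tokens.pop(0)
    key_bits = None
    if cipher == "DES40":           # RSA_EXPORT_WITH_DES40_CBC_SHA
        cipher, key_bits = "DES", 40
    if tokens and tokens[0].isdigit():
        key_bits = int(tokens.pop(0))
    if key_bits is None:            # DES and 3DES carry an implicit key size
        key_bits = {"DES": 56, "3DES": 168}[cipher]
    mode = "stream"
    for t in tokens:
        if t in ("CBC", "GCM"):
            mode = t
    s = Suite(name, kx, cipher, key_bits, mode, mac)
    if "EXPORT" in kx:
        s.weaknesses.append("export-grade key exchange")
    if cipher == "RC4":
        s.weaknesses.append("RC4 (prohibited for TLS by RFC 7465)")
    if cipher == "DES":
        s.weaknesses.append("single DES")
    if cipher == "3DES":
        s.weaknesses.append("64-bit block cipher (Sweet32)")
    if key_bits < 128:
        s.weaknesses.append(f"{key_bits}-bit key")
    if mac == "MD5":
        s.weaknesses.append("MD5 MAC")
    return s


def audit(names=SUPPORTED_SUITES) -> dict:
    """Map each suite name to its list of weaknesses (empty list = acceptable)."""
    return {n: parse_suite(n).weaknesses for n in names}


def acceptable(names=SUPPORTED_SUITES) -> list:
    """Suites with no flagged weakness (HMAC-SHA1 is not flagged; it remains acceptable as a MAC)."""
    return [n for n in names if not parse_suite(n).weaknesses]


if __name__ == "__main__":
    for suite, issues in audit().items():
        print(f"{suite:34s} {'OK' if not issues else '; '.join(issues)}")
```

Running the script prints one verdict per suite; only the six AES suites come out clean, and every suite is marked as lacking forward secrecy.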
Server Authentication
Implicit trust between the client and the device (because the client accepts the certificate generated by the device) is an important aspect of SSL proxy. It is extremely important that server authentication is not compromised; however, in reality, self-signed certificates and certificates with anomalies are in abundance. Anomalies can include expired certificates, instances of common name not matching a domain name, and so forth.
You can specify that the SSL forward proxy should ignore server authentication completely. In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).
You can specify whether the SSL proxy should ignore server authentication errors or not during the creation of an SSL forward proxy profile.
If you specify that server authentication errors should not be ignored, the following scenarios occur:
If authentication succeeds, a new certificate is generated by replacing the keys and changing the issuer name to the issuer name that is configured in the root CA certificate in the proxy profile.
If authentication fails, the connection is dropped.
If you specify that server authentication errors should be ignored, the following scenarios occur:
Note: We do not recommend configuring this option for production use, because with it websites are not authenticated at all. It is useful only as a troubleshooting step to identify the root cause of dropped SSL sessions, and it should be reverted afterwards.
If the certificate is self-signed, a new certificate is generated by replacing the keys only. The issuer name is not changed. This ensures that the client browser displays a warning that the certificate is not valid.
If the certificate has expired or if the common name does not match the domain name, a new certificate is generated by replacing the keys and changing the issuer name to SSL-PROXY: DUMMY_CERT:GENERATED DUE TO SRVR AUTH FAILURE. This ensures that the client browser displays a warning that the certificate is not valid.
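The two branches above amount to a decision procedure. The following Python is an added example, not the device's code: it uses a toy certificate model (named fields standing in for the X.509 subject, issuer, public key, validity, and signature) and the hypothetical names Cert, ProxyProfile, verify, and proxy_certificate to show which certificate, if any, the client receives for each verification outcome. The page does not say how a CA signature failure is handled when errors are ignored; the example treats it like the expired/CN-mismatch case, which is an assumption.

```python
"""Decision rules of the SSL forward proxy Server Authentication section.

Added example with a toy certificate model. Field names, the verification
order and the handling of an untrusted CA when errors are ignored are
assumptions for illustration, not the device's implementation.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Issuer name written into certificates regenerated after an ignored
# expiry or CN-mismatch failure (quoted from the documentation).
DUMMY_ISSUER = "SSL-PROXY: DUMMY_CERT:GENERATED DUE TO SRVR AUTH FAILURE"


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    issuer: str
    public_key: str      # stand-in for SubjectPublicKeyInfo
    not_after: datetime
    signed_with: str     # key that produced the signature (toy model)


@dataclass
class ProxyProfile:
    root_ca: Cert                # root CA configured in the proxy profile
    trusted_cas: dict            # trusted CA list: issuer name -> CA public key
    ignore_server_auth: bool = False


def verify(cert: Cert, hostname: str, trusted: dict, now: datetime) -> list:
    """Return the verification failures; an empty list means authenticated."""
    errors = []
    if cert.issuer == cert.subject_cn:
        errors.append("self-signed")
    elif cert.signed_with != trusted.get(cert.issuer):
        errors.append("ca-signature-failure")
    if cert.not_after < now:
        errors.append("expired")
    if cert.subject_cn != hostname:
        errors.append("cn-mismatch")
    return errors


def proxy_certificate(server_cert: Cert, hostname: str, profile: ProxyProfile, now: datetime):
    """Return (certificate presented to the client, or None if dropped; errors)."""
    errors = verify(server_cert, hostname, profile.trusted_cas, now)
    proxy_key = profile.root_ca.public_key      # toy: the proxy uses one key pair
    if not errors:
        # Success: keys replaced, issuer set to the configured root CA, and the
        # certificate signed with the root CA key so clients trusting it accept it.
        return replace(server_cert, issuer=profile.root_ca.subject_cn,
                       public_key=proxy_key, signed_with=proxy_key), errors
    if not profile.ignore_server_auth:
        return None, errors                       # connection dropped
    if "self-signed" in errors:
        # Keys replaced only; issuer unchanged, so the browser still warns.
        return replace(server_cert, public_key=proxy_key, signed_with=proxy_key), errors
    # Expired or CN mismatch (and, by assumption, untrusted CA): dummy issuer.
    return replace(server_cert, issuer=DUMMY_ISSUER,
                   public_key=proxy_key, signed_with=proxy_key), errors


def run_scenarios(ignore_server_auth: bool) -> dict:
    """Constructed server certificates; maps scenario -> issuer the client sees (None = dropped)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    ok = datetime(2030, 1, 1, tzinfo=timezone.utc)
    root = Cert("SSL-Proxy-Root", "SSL-Proxy-Root", "proxy-pub", ok, "proxy-pub")
    profile = ProxyProfile(root, {"Example Public CA": "ca-pub"}, ignore_server_auth)
    host = "www.example.com"
    scenarios = {
        "valid": (Cert(host, "Example Public CA", "srv-pub", ok, "ca-pub"), host),
        "self-signed": (Cert("intranet.example", "intranet.example", "srv-pub", ok, "srv-pub"),
                        "intranet.example"),
        "expired": (Cert(host, "Example Public CA", "srv-pub",
                         datetime(2020, 1, 1, tzinfo=timezone.utc), "ca-pub"), host),
        "cn-mismatch": (Cert("other.example.com", "Example Public CA", "srv-pub", ok, "ca-pub"), host),
        "untrusted-ca": (Cert(host, "Unknown CA", "srv-pub", ok, "rogue-pub"), host),
    }
    result = {}
    for name, (cert, hostname) in scenarios.items():
        client_cert, _ = proxy_certificate(cert, hostname, profile, now)
        result[name] = client_cert.issuer if client_cert else None
    return result


if __name__ == "__main__":
    print("errors not ignored:", run_scenarios(False))
    print("errors ignored    :", run_scenarios(True))
```

With errors not ignored, only the valid certificate reaches the client, re-issued under the configured root CA; everything else is dropped. With errors ignored, the self-signed certificate keeps its original issuer and the others carry the dummy issuer, so in both cases the browser warns.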
Root CA
In a public key infrastructure (PKI) hierarchy, the root CA is at the top of the trust path: a server certificate is trusted when its chain of signatures ends at a trusted root CA. In SSL forward proxy, the root CA configured in the proxy profile is also the CA that signs the regenerated server certificates, so clients must have that root CA in their trust store to accept them without warnings.
Trusted CA List
SSL forward proxy ensures secure transmission of data between a client and a server. Before establishing a secure connection, SSL forward proxy checks certificate authority (CA) certificates to verify signatures on server certificates. For this reason, a reasonable list of trusted CA certificates is required to effectively authenticate servers.
Session Resumption
An SSL session refers to the set of parameters and encryption keys that are created when a full handshake is performed. A connection is the conversation or active data transfer that occurs within the session. The computational overhead of a complete SSL handshake and derivation of the master secret is considerable; in short-lived sessions, the time taken for the SSL handshake can exceed the time spent transferring data. To improve throughput while maintaining an appropriate level of security, SSL session resumption caches session state, such as the master secret and the agreed-upon cipher suite, on both the client and the server. The cached state is identified by a session ID. In subsequent connections, both parties agree to use the session ID to retrieve that state rather than perform a new key exchange. Session resumption shortens the handshake and accelerates SSL transactions.
SSL Proxy Logs
When logging is enabled in an SSL proxy profile, the SSL proxy can generate the messages shown in Table 2.
Table 2: SSL Proxy Logs
Log Type | Description |
---|---|
SSL_PROXY_SSL_SESSION_DROP | Logs generated when a session is dropped by SSL proxy. |
SSL_PROXY_SSL_SESSION_ALLOW | Logs generated when a session is processed by SSL proxy even after encountering some minor errors. |
SSL_PROXY_SESSION_IGNORE | Logs generated if non-SSL sessions are initially mistaken as SSL sessions. |
SSL_PROXY_SESSION_WHITELIST | Logs generated when a session is whitelisted. |
SSL_PROXY_ERROR | Logs used for reporting errors. |
SSL_PROXY_WARNING | Logs used for reporting warnings. |
SSL_PROXY_INFO | Logs used for reporting general information. |
All logs contain similar information; the message field contains the reason for the log generation. One of three prefixes shown in Table 3 identifies the source of the message. Other fields are descriptively labeled.
Table 3: SSL Proxy Log Prefixes
Prefix | Description |
---|---|
system | Logs generated because of errors related to the device or an action taken as part of the SSL proxy profile. Most logs fall into this category. |
openssl error | Logs generated during the handshake process if an error is detected by the openssl library. |
certificate error | Logs generated during the handshake process if an error is detected in the certificate (X.509 related errors). |
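To make Tables 2 and 3 usable in a SIEM pipeline, the following Python is an added example, not code from the documentation or the device: it parses SSL proxy syslog lines into the log type, the key="value" fields, and the message prefix and reason, then counts drops by destination. Only the log type names and the three prefixes come from the tables; the line layout, the field names, and the sample lines themselves are constructed for this example and may differ from what a given release emits.

```python
"""Parse SSL proxy log messages into log type, prefix and reason.

Added example. The syslog layout (log type followed by key="value" fields)
and the sample lines are constructed; only the log type names and the
message prefixes come from Tables 2 and 3.
"""
import re
from collections import Counter

LOG_TYPES = {
    "SSL_PROXY_SSL_SESSION_DROP", "SSL_PROXY_SSL_SESSION_ALLOW",
    "SSL_PROXY_SESSION_IGNORE", "SSL_PROXY_SESSION_WHITELIST",
    "SSL_PROXY_ERROR", "SSL_PROXY_WARNING", "SSL_PROXY_INFO",
}
# Checked longest-first so "system" never shadows the other two.
PREFIXES = ("certificate error", "openssl error", "system")

# Constructed sample lines: addresses (RFC 5737 ranges) and reasons are invented.
SAMPLE_LOGS = """\
RT_SSL_PROXY: SSL_PROXY_SSL_SESSION_DROP: source-address="10.1.1.20" destination-address="203.0.113.10" destination-port="443" message="certificate error: certificate has expired"
RT_SSL_PROXY: SSL_PROXY_SSL_SESSION_DROP: source-address="10.1.1.21" destination-address="203.0.113.10" destination-port="443" message="certificate error: self signed certificate"
RT_SSL_PROXY: SSL_PROXY_SSL_SESSION_ALLOW: source-address="10.1.1.22" destination-address="198.51.100.7" destination-port="443" message="system: proxy certificate generated, continuing after minor error"
RT_SSL_PROXY: SSL_PROXY_SESSION_IGNORE: source-address="10.1.1.23" destination-address="198.51.100.9" destination-port="8443" message="system: non-ssl session, bypassing proxy"
RT_SSL_PROXY: SSL_PROXY_SSL_SESSION_DROP: source-address="10.1.1.24" destination-address="192.0.2.44" destination-port="443" message="openssl error: sslv3 alert handshake failure"
RT_SSL_PROXY: SSL_PROXY_SESSION_WHITELIST: source-address="10.1.1.25" destination-address="192.0.2.80" destination-port="443" message="system: destination matched whitelist"
"""

LINE_RE = re.compile(r"(?P<type>SSL_PROXY_[A-Z_]+): (?P<fields>.*)$")
FIELD_RE = re.compile(r'(?P<key>[\w-]+)="(?P<value>[^"]*)"')


def split_message(msg: str):
    """Split the message field into its Table 3 prefix and the remaining reason."""
    for prefix in PREFIXES:
        if msg.startswith(prefix + ":"):
            return prefix, msg[len(prefix) + 1:].strip()
    return "unknown", msg


def parse_line(line: str):
    """Return a dict for a recognised SSL proxy log line, or None otherwise."""
    m = LINE_RE.search(line)
    if not m or m.group("type") not in LOG_TYPES:
        return None
    rec = {"type": m.group("type")}
    rec.update(FIELD_RE.findall(m.group("fields")))
    rec["prefix"], rec["reason"] = split_message(rec.get("message", ""))
    return rec


def summarize(text: str):
    """Parse all lines; return (records, Counter by (type, prefix), drops by destination)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    by_type_prefix = Counter((r["type"], r["prefix"]) for r in records)
    drops_by_dest = Counter(r.get("destination-address", "?") for r in records
                            if r["type"] == "SSL_PROXY_SSL_SESSION_DROP")
    return records, by_type_prefix, drops_by_dest


if __name__ == "__main__":
    recs, by_tp, drops = summarize(SAMPLE_LOGS)
    for (log_type, prefix), n in sorted(by_tp.items()):
        print(f"{n:3d}  {log_type:30s} {prefix}")
    print("drops by destination:", dict(drops))
```

Grouping drops by destination and by prefix separates the two failure classes that need different owners: certificate errors point at the server's certificate or the device's trusted CA list, while openssl errors usually mean a handshake or cipher-suite mismatch with the server.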