Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Secure Web Proxy

SUMMARY You can use a Juniper Networks SRX Series Firewall to configure secure Web proxy to selectively bypass the external proxy server for the traffic based on application types. Read this topic to understand how secure Web proxy works and how you can configure it on your SRX Series Firewall.

Secure Web Proxy Overview

You can use secure Web proxy to send traffic to an external proxy server and bypass the proxy server for the selected application traffic. Bypassed application traffic will be sent directly to the target webserver.

To use secure Web proxy on an SRX Series Firewall, you must configure a secure Web proxy profile with external proxy server details and dynamic application that you want to bypass the external proxy server. When the security device receives a request from a client, the device examines the HTTP header for the application. The device applies Web proxy profile for the traffic that matches the security policy rules. Permitted application traffic that matches the dynamic-application specified in the Web proxy profile, is directed to the webserver. Otherwise, the permitted traffic is re-directed to the configured external proxy server.

As a result, your security device performs transparent proxy between the client and the webserver for the specified applications and provides better quality of service for the application traffic.

Starting in Junos OS Release 19.2R1, you can configure secure Web proxy on the following SRX Series Firewalls—SRX300, SRX320, SRX340, SRX345, SRX550, SRX1500, SRX4100, SRX4200, and vSRX Virtual Firewall.

Benefit

  • Secure Web proxy provides better quality of service for the selected application traffic by providing direct connections to the webserver

Limitations

  • An SRX Series Firewall operating in chassis cluster mode does not support the secure Web proxy functionality.

  • Advanced policy-based routing (APBR), when applied along with secure Web proxy, works fine. However, other Layer 7 services might not work along with Secure Web Proxy as expected.

  • If you have configured unified policies (security policies with dynamic applications) on your SRX Series Firewall, the Secure Web Proxy feature may not function properly.

  • Secure Web proxy feature is not supported when device is operating in transparent-bridge mode.
  • Secure Web Proxy feature does not work when the client device and its proxy server are deployed in the same network segment.
  • SRX Series Firewalls operating in Multinode High Availability setup do not support the secure Web proxy functionality.

How Secure Web Proxy Works on SRX Series Firewalls

Following illustrations show how an SRX Series Firewall provides the secure Web proxy service.

Figure 1: Secure Web Proxy on SRX Series FirewallSecure Web Proxy on SRX Series Firewall
Figure 2: Secure Web Proxy on SRX Series Firewall—WorkflowSecure Web Proxy on SRX Series Firewall—Workflow

To use secure Web proxy on your SRX Series Firewall, you must:

  1. Create a secure Web proxy profile, which includes the details about the external proxy server and the dynamic application or application group that can bypass the external proxy server.

  2. Create a security policy to manage the traffic passing through the device.

  3. Attach the secure Web proxy profile to the security policy and apply the profile as an application service for the permitted traffic.

When a client initiates a request, the SRX Series Firewall examines the application traffic and identifies which traffic can bypass the external proxy server based on the secure Web proxy profile and security policy rules.

For example, if you use Microsoft Office 365, you can specify an Office 365 application group, such as junos:OUTLOOK or junos:OFFICE365-CREATE-CONVERSATION, in the secure Web proxy profile. The SRX Series Firewall forwards the Office 365 application traffic directly to the Office 365 server, bypassing the external proxy server. Connections that do not match the applications are routed to the external proxy server.

The SRX Series Firewall performs secure Web proxy through the following steps:

  1. The client's browser sends an HTTP connect request to the external proxy server.

  2. The SRX Series Firewall intercepts the TCP connections. The device identifies the application in the HTTP header and does a DNS resolution.

  3. If the traffic parameters match the security policy rules and the secure Web proxy profile specifications, the SRX Series Firewall operates in transparent mode. The device uses the client's IP address in transparent mode to initiate a new connection with the web server, bypassing the external proxy server.

  4. The SRX Series Firewall sends the connect response from the web server to the client.

  5. For the remaining traffic, the SRX Series Firewall operates in pass-through mode and allows the HTTP connect request to go to the external proxy server.

Example—Configure Secure Web Proxy on an SRX Series Firewall

This example shows how to configure secure Web proxy on SRX Series Firewalls.

Hardware and Software Requirements

This example uses the following hardware and software components:

  • A Juniper Networks SRX Series Firewall (SRX300, SRX320, SRX340, SRX345, SRX550, SRX1500, SRX4100, SRX4200, or vSRX Virtual Firewall).

  • Junos OS Release 19.2R1 or later. We’ve tested this example using Junos OS Release 19.2R1.

  • IP address and port number of the external proxy server.

Topology

The following illustration shows the topology used in this example:

Figure 3: Topology For Configuring Secure Web ProxyTopology For Configuring Secure Web Proxy

In this example, the interfaces ge-0/0/1 and ge-0/0/2 are in the trust zone and are connected to the client and external proxy server, respectively. The interface ge-0/0/0 is in the untrust zone and is connected to the webserver through the Internet gateway. You configure a secure Web proxy profile, specifying Office 365 applications and external proxy details.

After you complete the configuration, the SRX Series Firewall will forward the Office 365 traffic directly to the webserver, bypassing the external proxy server for Office 365 traffic.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User guide.

In this procedure you configure interfaces and security zones.

  1. Configure the interfaces.

  2. Assign the interfaces to the security zones and configure the inbound traffic for all system services.

  3. Configure a custom application group for Office 365.

  4. Create a security proxy profile by specifying the Office 365 application details and the IP address and port details of the external proxy server.

  5. Define the security policy for the traffic originating from the client to the Internet gateway device.

  6. Define the policy action to apply the secure Web proxy profile on the permitted traffic.

The SRX Series Firewall forwards the Office 365 application traffic directly to the Office 365 server, bypassing the external proxy server. Other sessions that do not match the Office 365 application are routed to the external proxy server.

Results

From configuration mode, confirm your configuration by entering the show services web-proxy secure-proxy, show security policies, and show security zones commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Verify Session Details

Purpose

Verify the details of the session in which the secure Web proxy is applied.

Action

From operational mode, enter the show security flow session command.

Meaning

In the sample output, the ID-477 is the client session and the ID-478 is the proxy session. In the second session, notice that the traffic from client 6.0.0.1 is directly going to the webserver 13.107.7.190.

Display Secure Web Proxy Session Statistics

Purpose

Display the details of the session in which the secure Web proxy is applied.

Action

From operational mode, enter the show services web-proxy session detail and show services web-proxy session summary commands.

Meaning

In these samples, notice the details of the client session and the proxy session. You can also see proxy requests and dynamic web applications.