Explicit Web Proxy
Explicit Proxy provides a method for steering traffic from any client device to the SRX Series. The SRX Series firewall accepts connections from clients, resolves DNS, forwards connections to the specified destination servers, and then gets the response from the server on behalf of the client. In this configuration, the firewall acts as an intermediary between clients and servers: all communication between client and server goes through the firewall that is configured as the proxy server.
You can configure an SRX Series Firewall interface as an explicit web proxy to proxy IPv4 and IPv6 HTTP and HTTPS traffic.
To deploy explicit proxy, manually configure the browser settings on each client device to send requests to the SRX firewall. In most standard browsers, you can specify the proxy address and port. Command-line clients can be pointed at the proxy the same way (for example with curl's --proxy option), which is a quick way to confirm that the proxy accepts connections before changing browser settings fleet-wide.
SRX Series Firewalls support explicit proxy in an on-premises deployment, where Active Directory, the identity-management server, the LDAP server, the physical SRX Series Firewalls, and the users are all on-site.
- How Explicit Proxy Works
- Benefits
- Steps to Configure Explicit Proxy on SRX Series Firewall
- Security Policy Support for Explicit Web Proxy
- Configuring Explicit Proxy Profile Policy
How Explicit Proxy Works
Let's consider an example. In Figure 1, a client initiates an HTTP connection to reach www.example.com. The client device first connects to the SRX Series acting as explicit proxy at 10.4.0.254, port 8080.
The client network connects to the SRX Series Firewall on the ge-0/0/1 interface with IP address 10.4.0.254. The SRX Series connects to the Internet using the interface ge-0/0/2 with IP address 10.5.0.254.
For each session initiated by the client browser, the SRX Series creates two sessions:
S1: Session originating from the client browser to the explicit web proxy
S2: Session originating from the explicit web proxy to the actual destination server.
Table 1 provides details on the explicit web proxy sessions.
Session Type | Source IP/Port | Destination IP/Port | Policy | Comments |
---|---|---|---|---|
Client to SRX Series (S1) | Client IP / dynamic port range | SRX Series interface IP (10.4.0.254) / fixed port (8080) | Security policy/unified policy (explicitly configured on SRX Series) | Client traffic arrives directly at the SRX Series interface where the explicit proxy profile is configured. |
SRX Series to actual destination server (S2) | SRX Series egress interface IP (10.5.0.254) / dynamic port range | Destination server as resolved by DNS (203.0.113.0) or as given in the explicit proxy request | Implicitly inherited from S1 | SRX Series establishes the connection with the actual server (www.example.com). |
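The two-session model of Table 1 as a runnable model (an added example for this page, not SRX Series code): it parses the two request forms a browser sends to an explicit proxy, resolves the host through a constructed DNS table in place of real resolution, and builds the S1 and S2 session records from the page's addresses. The client address 10.4.0.10, the port restriction on CONNECT, and the resolver table are assumptions made for the example.

```python
"""Model of the two sessions an explicit web proxy creates for one client request.

Illustrative example added to this page, not SRX Series code. It parses the two
request forms a browser sends when it is configured with an explicit proxy and
derives the S1 (client to proxy) and S2 (proxy to server) sessions from the
page's addresses. The resolver table and request lines are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

PROXY_IP, PROXY_PORT = "10.4.0.254", 8080   # ge-0/0/1: where clients connect (S1)
EGRESS_IP = "10.5.0.254"                     # ge-0/0/2: source address of S2

# Constructed stand-in for the DNS resolution the proxy performs on the client's behalf.
DNS_TABLE = {"www.example.com": "203.0.113.0"}


class ProxyRequestError(ValueError):
    """Request the proxy refuses to forward."""


@dataclass(frozen=True)
class Session:
    name: str
    src_ip: str
    src_port: Optional[int]   # None: ephemeral port chosen by the proxy's own stack
    dst_ip: str
    dst_port: int


def parse_request_line(line: str) -> Tuple[str, str, int]:
    """Return (method, host, port) from a proxy-style request line.

    A client configured for an explicit proxy sends the absolute-form target
    (GET http://host/path HTTP/1.1) for plain HTTP and CONNECT host:443 for
    HTTPS. Origin-form (GET /path) means the client is not using the proxy
    settings and hit the listening port directly, so it is rejected.
    """
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ProxyRequestError(f"malformed request line: {line!r}")
    method, target, _ = parts
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ProxyRequestError("CONNECT target must be host:port")
        return method, host.strip("[]"), int(port)
    url = urlsplit(target)
    try:
        port = url.port or 80
    except ValueError:
        raise ProxyRequestError(f"bad port in {target!r}") from None
    if url.scheme != "http" or not url.hostname:
        raise ProxyRequestError("expected absolute-form http:// target")
    return method, url.hostname, port


def build_sessions(request_line: str, client_ip: str, client_port: int) -> Tuple[Session, Session]:
    """Derive the S1 and S2 sessions the proxy would create for one client request."""
    method, host, port = parse_request_line(request_line)
    # CONNECT turns the proxy into a TCP relay, so restrict it to the HTTPS port;
    # otherwise a client could tunnel to e.g. mail or SSH ports through the proxy.
    # (Illustrative check for this example, not a documented SRX behaviour.)
    if method == "CONNECT" and port != 443:
        raise ProxyRequestError(f"CONNECT to port {port} is not allowed")
    if host not in DNS_TABLE:
        raise ProxyRequestError(f"cannot resolve {host}")
    s1 = Session("S1", client_ip, client_port, PROXY_IP, PROXY_PORT)
    s2 = Session("S2", EGRESS_IP, None, DNS_TABLE[host], port)
    return s1, s2


if __name__ == "__main__":
    for s in build_sessions("GET http://www.example.com/ HTTP/1.1", "10.4.0.10", 51234):
        print(s)
```

Rejecting origin-form requests is worth keeping in a real deployment: a request such as `GET / HTTP/1.1` on the proxy port comes from a client that was never given the proxy settings, and forwarding it would silently turn the listener into a transparent relay for whatever Host header it carries.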
Benefits
- Explicit web proxy secures the network by controlling and filtering inbound and outbound traffic.
- Explicit web proxy performs DNS resolution on client's behalf.
Steps to Configure Explicit Proxy on SRX Series Firewall
To manage explicit proxy for connections to your network, you must:
- Enable web-management services and configure the web-authentication feature on an interface.
- Require users to authenticate before they can connect to your network. When authentication is enforced in the explicit proxy, unauthenticated connections are redirected to the firewall authentication page.
- Configure the explicit proxy profile.
- Configure explicit proxy on an interface. This interface must be connected to the client network; the client browsers use its IP address to forward requests to the SRX Series device. You can configure and attach multiple explicit proxy profiles to a particular IP address on the interface, but the profiles must not use overlapping ports.
- Use security policies to control the explicit web proxy traffic.
- Attach the SSL proxy service to the explicit proxy policy.
- Configure a default policy for the explicit proxy profile.
Security Policy Support for Explicit Web Proxy
You must configure and enforce security policies to manage the traffic for the explicit proxy. Each explicit proxy profile needs its own set of security policies or unified policies. The firewall determines which profile to use for the policy lookup from the ingress interface and port combination. Once it has identified the explicit proxy profile for a flow, it performs the policy lookup within that profile.
The SRX Series Firewall uses the following sequence for the policy lookup:
- Source IP address, source port, protocol, and source identity
- DNS-based destination IP resolution
- URL category detection
- Dynamic Layer 7 application match
- DNS-based destination resolved IP reputation
- Hardcoded destination IP address or reputation of hardcoded destination IP address
Configuring Explicit Proxy Profile Policy
You can configure the explicit proxy profile rule-base using the following statement:
[edit] user@host# set security policies explicit-proxy profile <profile-name> policy
Note that, like global policies, these policies do not reference security zones.
To attach a security policy to an explicit proxy profile, the profile name used in the policy configuration must match the name of the explicit proxy profile configured under web-proxy services (set services web-proxy explicit-proxy profile <profile-name>).
Example:
Create a policy for the explicit proxy profile named "profile-site-A".
[edit] user@host# set services web-proxy explicit-proxy profile profile-site-A
Ensure that the explicit proxy profile policy uses the same name:
[edit] user@host# set security policies explicit-proxy profile profile-site-A policy
Limitations
For explicit proxy profile policies, the match condition does not support:
- Source or destination zone
- Source and destination Layer 3 VPN VRF group
The application services applied after a policy match do not support:
- Secure web proxy
- GPRS Tunneling protocol
- GPRS stream control transport protocol (SCTP)
- Unified Access Control (UAC) policy enforcement
- WAN acceleration (legacy WX)
- Legacy intrusion detection and prevention
- APBR
Default Policy for Explicit Proxy
If traffic matches an explicit proxy profile but none of the policies under that profile, the firewall applies the profile's default policy action. You configure the default policy in the explicit proxy profile.
If no explicit proxy profile matches the traffic, the firewall performs the policy lookup using the configured zone-based and global policies.
You can configure only one default policy per explicit proxy profile.
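A simplified model of the lookup described under Security Policy Support for Explicit Web Proxy together with the default-policy behaviour above (an added example for this page, not SRX Series code). It selects the profile by ingress interface and port, evaluates the profile's policies stage by stage in the listed attribute order, falls back to the profile's single default policy when no policy matches, and falls through to zone/global policies when no profile matches. The profile, policy names, flow attributes, and the staged-evaluation strategy are constructed for the example.

```python
"""Simplified model of the policy lookup for explicit web proxy traffic.

Illustrative example added to this page, not SRX Series code. It models what
the text describes: the profile is chosen by ingress interface and port, its
policies are evaluated in the listed attribute order, the profile's default
policy applies when none matches, and traffic that hits no profile falls
through to the ordinary zonal/global policies. Profile names, policies and
flow records are constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

# Lookup order from the page. A policy that does not constrain a stage matches
# it; a stage is consulted only for policies still in the running, so costly or
# late-known attributes (URL category, Layer 7 app) are not needed when an
# earlier stage already ruled every policy out.
STAGES = ("source", "dns_resolved_ip", "url_category", "l7_app",
          "resolved_ip_reputation", "hardcoded_dst_ip")


@dataclass
class Policy:
    name: str
    action: str                                               # "permit" or "deny"
    match: Dict[str, Callable] = field(default_factory=dict)  # stage -> predicate


@dataclass
class Profile:
    name: str
    interface: str
    port: int
    policies: List[Policy]
    default_action: str = "deny"     # the single default policy per profile


def evaluate(flow: dict, policies: List[Policy], default: Tuple[str, str]) -> Tuple[str, str]:
    """Return (policy name, action); the first policy whose constraints all hold wins."""
    candidates = list(policies)
    for stage in STAGES:
        value = flow.get(stage)
        candidates = [p for p in candidates
                      if stage not in p.match
                      or (value is not None and p.match[stage](value))]
        if not candidates:
            break
    return (candidates[0].name, candidates[0].action) if candidates else default


def lookup(flow: dict, profiles: List[Profile], global_policies: List[Policy],
           global_default: str = "deny") -> Tuple[str, str]:
    """Pick the profile by ingress interface and port, then evaluate its policies."""
    profile = next((p for p in profiles
                    if p.interface == flow["ingress_interface"] and p.port == flow["dst_port"]),
                   None)
    if profile is None:
        # No explicit proxy profile on this interface/port: ordinary zonal/global
        # lookup (modelled here as a flat global policy list).
        return evaluate(flow, global_policies, ("global-default", global_default))
    return evaluate(flow, profile.policies, (f"{profile.name}:default", profile.default_action))


def in_net(cidr: str) -> Callable[[dict], bool]:
    """Predicate over the source stage (ip, port, protocol, identity)."""
    net = ip_network(cidr)
    return lambda src: ip_address(src["ip"]) in net


# Constructed configuration: one profile on ge-0/0/1 port 8080, as in the page's example.
PROFILES = [Profile("profile-site-A", "ge-0/0/1", 8080, [
    Policy("deny-bad-reputation", "deny",
           {"resolved_ip_reputation": lambda rep: rep in {"malicious", "suspicious"}}),
    Policy("permit-lan-web", "permit",
           {"source": in_net("10.4.0.0/24"),
            "url_category": lambda cat: cat not in {"malware", "gambling"},
            "l7_app": lambda app: app in {"HTTP", "SSL"}}),
])]
GLOBAL_POLICIES = [Policy("permit-dns", "permit", {"l7_app": lambda app: app == "DNS"})]


def make_flow(src_ip="10.4.0.10", dst_port=8080, interface="ge-0/0/1",
              resolved_ip="203.0.113.0", category="news", app="HTTP",
              reputation="good", hardcoded_dst_ip=None) -> dict:
    """Build a constructed flow record carrying the attribute each stage inspects."""
    return {"ingress_interface": interface, "dst_port": dst_port,
            "source": {"ip": src_ip, "port": 51234, "protocol": "tcp", "identity": "corp-user"},
            "dns_resolved_ip": resolved_ip, "url_category": category, "l7_app": app,
            "resolved_ip_reputation": reputation, "hardcoded_dst_ip": hardcoded_dst_ip}


if __name__ == "__main__":
    print(lookup(make_flow(), PROFILES, GLOBAL_POLICIES))                        # permit-lan-web
    print(lookup(make_flow(reputation="malicious"), PROFILES, GLOBAL_POLICIES))  # deny-bad-reputation
    print(lookup(make_flow(src_ip="192.0.2.7"), PROFILES, GLOBAL_POLICIES))      # profile default, deny
    print(lookup(make_flow(dst_port=53, app="DNS"), PROFILES, GLOBAL_POLICIES))  # global permit-dns
```

The third case is the one to watch in a real deployment: a flow that reaches the proxy listener but matches no policy in the profile never falls through to the zone or global rulebase; only the profile's default policy decides it, so leave that default at deny unless every profile policy is deliberately permissive.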