Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Creating SSL Forward Proxy Profiles

Before You Begin

Use the SSL Forward Proxy Profile page to view and manage SSL proxy profile details. SSL proxy is enabled as an application service within a security policy. You specify the traffic that you want the SSL proxy enabled on as match criteria and then specify the SSL proxy profile to be applied to the traffic.

Note:

Starting in Junos Space Security Director Release 21.2, SSL Forward Proxy is supported for Logical Systems (LSYS) devices also.

To create an SSL forward proxy profile:

  1. Select Configure > SSL Profiles> SSL Proxy Profiles.

    The SSL Proxy Profiles page appears.

  2. Select Forward Proxy from the Create list.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click OK.

An SSL forward proxy profile is created that can be assigned to a firewall policy for advanced security options.

Note:

If none of the services (AppFW, IDP, or AppTrack) are configured, then SSL proxy services are bypassed even if an SSL proxy profile is attached to a firewall policy.

Table 1: SSL Forward Proxy Profile Settings

Setting

Guideline

General Information

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed; maximum length is 63 characters.

Description

Enter a description for the SSL forward proxy profile; maximum length is 1024 characters.

Preferred Cipher

Select a preferred cipher. Ciphers are divided into the following categories depending on their key strength.

  • Custom—Configure custom cipher suite and order of preference.

  • Medium—Use ciphers with key strength of 128 bits or greater.

  • Strong—Use ciphers with key strength of 168 bits or greater.

  • Weak—Use ciphers with key strength of 40 bits or greater.

Custom Ciphers

Select the set of ciphers the SSH server can use to perform encryption and decryption functions. If this option is not configured, the server accepts any supported suite that is available.

The available custom ciphers are:

  • rsa-with-RC4-128-md5—RSA, 128- bit RC4, MD5 hash

  • rsa-with-RC4-128-sha—RSA, 128-bit RC4, SHA hash

  • rsa-with-des-cbc-sha—RSA, DES/CBC, SHA hash

  • rsa-with-3DES-ede-cbc-sha—RSA, 3DES EDE/CBC, SHA hash

  • rsa-with-aes-128-cbc-sha—RSA, 128-bit AES/CBC, SHA hash

  • rsa-with-aes-256-cbc-sha—RSA, 256 bit AES/CBC, SHA hash

  • rsa-export-with-rc4-40-md5—RSA-export, 40 bit RC4, MD5 hash

  • rsa-export-with-des40-cbc-sha—RSA-export, 40 bit DES/CBC, SHA hash

  • rsa-export1024-with-des-cbc-sha—RSA 1024 bit export, DES/CBC, SHA hash

  • rsa-export1024-with-rc4-56-md5—RSA 1024 bit export, 56 bit RC4, MD5 hash

  • rsa-export1024-with-rc4-56-sha—RSA 1024 bit export, 56 bit RC4, SHA hash

  • rsa-with-aes-256-gcm-sha384—RSA, 256 bit AES/GCM, SHA384 hash

  • rsa-with-aes-256-cbc-sha256—RSA, 256 bit AES/CBC, SHA256 hash

  • rsa-with-aes-128-gcm-sha256—RSA, 128 bit AES/GCM, SHA256 hash

  • rsa-with-aes-128-cbc-sha256—RSA, 256 bit AES/CBC, SHA256 hash

  • ecdhe-rsa-with-aes-256-gcm-sha384—ECDHE, RSA, 256 bit AES/GCM, SHA384 hash

  • ecdhe-rsa-with-aes-256-cbc-sha384—ECDHE, RSA, 256 bit AES/CBC, SHA384 hash

  • ecdhe-rsa-with-aes-256-cbc-sha—ECDHE, RSA, 256 bit AES/CBC, SHA hash

  • ecdhe-rsa-with-aes-3des-ede-cbc-sha—ECDHE, RSA, 3DES, EDE/CBC, SHA hash

  • ecdhe-rsa-with-aes-128-gcm-sha256—ECDHE, RSA, 128 bit AES/GCM, SHA256 hash

  • ecdhe-rsa-with-aes-128-cbc-sha256—ECDHE, RSA, 128 bit AES/CBC, SHA256 hash

  • ecdhe-rsa-with-aes-128-cbc-sha—ECDHE, RSA, 128 bit AES/CBC, SHA hash

Flow Trace

Select this option to enable flow trace for troubleshooting policy-related issues.

Root Certificate

Select or add a root certificate. You can select one or more root certificates. In a public key infrastructure (PKI) hierarchy, the root CA is at the top of the trust path. The root CA identifies the server certificate as a trusted certificate.

Click Add for a new root certificate. On the Add page, select a device and the trusted CAs to associate to the root certificate.

Note:

To view the SSL certificates in Security Director, select Devices>Security Devices, choose the relevant device, right-click the device or select Refresh Certificate from the More menu. Once the refresh certificate job is completed, you can see SSL certificates.

Make sure the device configuration is in sync with Security Director. If the device configuration is out of sync in security devices, resynchronize network and then proceed with refresh certificates.

Exempted Address

Select addresses to create allowlists that bypass SSL forward proxy processing.

Because SSL encryption and decryption are complicated and expensive procedures, network administrators can selectively bypass SSL proxy processing for some sessions. Such sessions mostly include connections and transactions with trusted servers or domains with which network administrators are very familiar. There are also legal requirements to exempt financial and banking sites. Such exemptions are achieved by configuring the IP addresses or domain names of the servers under allowlists.

Exempted URL Categories

Starting in Junos Space Security Director Release 16.2, you can select URL categories to create allowlists that bypass SSL forward proxy processing.

These URL categories are exempted during SSL inspection. Only the predefined URL categories can be selected for the exemption.

Note:

Ensure to filter with Enhanced when you select exempted URL categories in the SSL profile.

Actions

Server Authentication Failure

Select this option to ignore server authentication completely.

In this case, SSL forward proxy ignores errors encountered during the server certificate verification process (such as CA signature verification failure, self-signed certificates, and certificate expiry).

We do not recommend this option for authentication, because configuring it results in websites not being authenticated at all. However, you can use this option to effectively identify the root cause for dropped SSL sessions.

Session Resumption

Select the Disable Session Resumption option if you do not want session resumption.

To improve throughput and still maintain an appropriate level of security, SSL session resumption provides a session caching mechanism so that session information, such as the pre-primary secret key and agreed-upon ciphers, can be cached for both the client and server.

Log

Select this option to generate logs. You can choose to log all events, warnings, general information, errors, or different sessions (allowlisted, allowed, dropped, or ignored).

Renegotiation

After a session is created and SSL tunnel transport has been established, a change in SSL parameters requires renegotiation. SSL forward proxy supports both secure (RFC 5746) and nonsecure (TLS v1.0 and SSL v3) renegotiation.

Select one of the following options if a change in SSL parameters requires renegotiation:

  • None (selected by default)

  • Allow

  • Allow-secure

  • Drop

When session resumption is enabled, session renegotiation is useful in the following situations:

  • Cipher keys need to be refreshed after a prolonged SSL session.

  • Stronger ciphers need to be applied for a more secure connection.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
16.2
Starting in Junos Space Security Director Release 16.2, you can select URL categories to create allowlists that bypass SSL forward proxy processing.