SSL Forward Proxy implementation in production environment

sajithwipro — Thu, 12 Nov 2020 09:01:26 GMT

Hello friends,

I would like to know expected issues if we enable ssl forward proxy to a production environment. There are services allowed with different ports , web services and all working fine now. As this is first time am planning to enable forward proxy ,not sure which are the user side issues they may face.

Queries are like 1.Whether user may experience any certificate based issues or existing services will be affected . 2,Whether the CA signed certificate uploaded in the firewall should be kept in source machine's certificate repository

As of now only AV , Anti-Spyware and Vulnerability protection are applied for egress connection (in Alert mode) so complaints from the users yet.

Please share your thoughts and experience .It will be really helpful.

Thanks in advance.

Sajith

Re: SSL Forward Proxy implementation in production environment

S.Cantwell — Thu, 12 Nov 2020 17:04:36 GMT

Great questions and am glad you asked.

First, you must create a self-signed certificate (or create a cert signing request to be signed by your INTERNAL enterprise cert authority). To be clear, you CANNOT use a publicly signed cert for decryption.

But you are correct on putting the self signed, or the enterprise signed cert into the computer Trusted Cert Authority/Store.

There is documentation on how to deploy, so I am not going into how to deploy.

My suggest is to start small (your own PC) and work outward towards other teammates, and then to other groups.

First Decrypt rule is a NO Decrypt for (financial, health and medicine, and shopping). By law, not allowed to disable this traffic.

Make a custom url category (No Decrypt) and populate it with sites you do NOT wanted decrypted.

Examples could be *.paloaltonetworks.com, *, apple.com, *.microsoftlogin.com, *.azure.com

You next rule could be another NO decrypt rule, with the url category of NO-Default, as described above.

From there, you should set up rules to decrypt traffic from ONLY your computer, to the Internet, on port 443 (as a start)

Test all sites you would want to, put any troublesome sites into the No Decrypt policy (and now, they will not be decrypted.)

I have been running decryption for 5 years, and only have about 20 sites (from the thousands I visited) that gave me problems.

The SSL fwd proxy works well, if it is configured properly. That is the challenge, just being careful, and create correct policies.

After you feel comfortable with only your computer, branch out to co-workers, test. Rinse, Wash, Repeat. 😛

Then roll out to groups (IT, HR, Marketing, Accounting, Sales) and continue to refine.

Once you get better, you can then start to include different ports beside 443 if they are still using TLS 1.2 (the current)

And then, eventually you need to create a Decryption Profile (object tab) to block expired certs, untrusted certs, etc....

Let me know what other questions we can assist with.

topic SSL Forward Proxy implementation in production environment in General Topics

SSL Forward Proxy implementation in production environment

Re: SSL Forward Proxy implementation in production environment