SSL Forward Proxy implementation in production environment

L0 Member

Hello friends,

 

I would like to know the expected issues if we enable SSL Forward Proxy in a production environment. There are services allowed on different ports, including web services, and all are working fine now. As this is the first time I am planning to enable forward proxy, I am not sure which user-side issues they may face.

My queries are:

1. Whether users may experience any certificate-based issues, or whether existing services will be affected.
2. Whether the CA-signed certificate uploaded to the firewall should be kept in the source machine's certificate repository.

 

As of now only AV, Anti-Spyware and Vulnerability Protection are applied to egress connections (in Alert mode), so there are no complaints from the users yet.

 

Please share your thoughts and experience. It will be really helpful.

 

Thanks in advance.

 

Sajith

Cyber Elite

Great questions, and I am glad you asked.

 

First, you must create a self-signed certificate (or create a certificate signing request to be signed by your INTERNAL enterprise certificate authority). To be clear, you CANNOT use a publicly signed cert for decryption.

But you are correct about putting the self-signed or enterprise-signed cert into the computer's Trusted Certificate Authority store.

There is documentation on how to deploy, so I am not going into how to deploy.

 

My suggestion is to start small (your own PC) and work outward to other teammates, and then to other groups.

 

Your first decryption rule should be a NO Decrypt rule for financial, health and medicine, and shopping. By law, you are not allowed to decrypt this traffic.

Make a custom URL category (No Decrypt) and populate it with sites you do NOT want decrypted.

 

Examples could be *.paloaltonetworks.com, *.apple.com, *.microsoftlogin.com, *.azure.com

 

Your next rule could be another NO Decrypt rule, with the URL category of NO-Default, as described above.

 

From there, you should set up rules to decrypt traffic from ONLY your computer to the Internet on port 443 (as a start).

 

Test all the sites you want to, and put any troublesome sites into the No Decrypt policy (from then on, they will not be decrypted).

 

I have been running decryption for 5 years, and only have about 20 sites (out of the thousands I visited) that gave me problems.

The SSL forward proxy works well if it is configured properly. That is the challenge: being careful and creating correct policies.

 

After you feel comfortable with only your computer, branch out to co-workers and test. Rinse, wash, repeat. 😛

 

Then roll out to groups (IT, HR, Marketing, Accounting, Sales) and continue to refine.

 

Once you get better, you can then start to include different ports besides 443, if they are using TLS 1.2 (the current version).

And then, eventually, you need to create a Decryption Profile (Objects tab) to block expired certs, untrusted certs, etc.

 

Let me know what other questions we can assist with.

 

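The staged rulebase the reply describes (a No Decrypt rule for the regulated categories, a No Decrypt rule for a custom URL category, then a decrypt rule scoped to one pilot PC on 443) is first-match, so rule order decides whether a site is decrypted. The following is an added example written for this thread, not code from the original post or from Palo Alto Networks: a dry-run evaluator that replays constructed sample flows through such a rulebase and lints it for the two rollout mistakes the staged approach is meant to avoid (a decrypt rule with source "any" during the pilot, and a No Decrypt rule placed below a decrypt rule that shadows it). The wildcard handling (`*.example.com` covers the domain and every subdomain), the rule that an unmatched session is left undecrypted, and all hostnames, IPs and category names are assumptions for illustration rather than an exact reproduction of PAN-OS matching.

```python
"""Dry-run evaluator for a staged SSL Forward Proxy decryption rulebase.

Added example for this thread; not code from the original post or from Palo
Alto Networks. Assumptions: '*.example.com' in a custom URL category means the
domain and every subdomain (a simplification of PAN-OS matching); a session that
hits no rule is left undecrypted; all hosts, IPs and categories are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str        # client IP
    host: str       # SNI / destination hostname seen in the ClientHello
    port: int
    category: str   # predefined URL category the firewall would assign (assumed)


@dataclass
class Rule:
    name: str
    action: str                        # "decrypt" or "no-decrypt"
    sources: Optional[set] = None      # None means any source
    ports: Optional[set] = None        # None means any port
    categories: Optional[set] = None   # predefined or custom URL categories


# Custom URL category as the reply suggests, with constructed entries.
CUSTOM_CATEGORIES = {
    "No-Decrypt": ("*.paloaltonetworks.com", "*.apple.com", "pinned-app.example.com"),
}


def host_matches(pattern: str, host: str) -> bool:
    """'*.apple.com' matches apple.com and any subdomain; anything else is exact."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return host == pattern


def flow_categories(flow: Flow, custom=CUSTOM_CATEGORIES) -> set:
    """Predefined category plus every custom category whose entries match the host."""
    cats = {flow.category}
    for name, patterns in custom.items():
        if any(host_matches(p, flow.host) for p in patterns):
            cats.add(name)
    return cats


def evaluate(rulebase: list[Rule], flow: Flow, custom=CUSTOM_CATEGORIES) -> tuple[str, str]:
    """Return (rule name, action) of the first matching rule; no match = left undecrypted."""
    cats = flow_categories(flow, custom)
    for rule in rulebase:
        if rule.sources is not None and flow.src not in rule.sources:
            continue
        if rule.ports is not None and flow.port not in rule.ports:
            continue
        if rule.categories is not None and not (rule.categories & cats):
            continue
        return rule.name, rule.action
    return "(no match)", "no-decrypt"


def lint(rulebase: list[Rule]) -> list[str]:
    """Flag an unscoped decrypt rule and any no-decrypt rule shadowed by a decrypt rule above it."""
    problems = []
    seen_decrypt = False
    for rule in rulebase:
        if rule.action == "decrypt":
            if rule.sources is None:
                problems.append(f"{rule.name}: decrypt rule matches any source; scope the pilot")
            seen_decrypt = True
        elif seen_decrypt:
            problems.append(f"{rule.name}: no-decrypt rule sits below a decrypt rule and may be shadowed")
    return problems


# The staged rulebase from the reply; first match wins.
STAGED_RULEBASE = [
    Rule("no-decrypt-regulated", "no-decrypt",
         categories={"financial-services", "health-and-medicine", "shopping"}),
    Rule("no-decrypt-custom", "no-decrypt", categories={"No-Decrypt"}),
    Rule("decrypt-pilot-pc", "decrypt", sources={"10.0.5.23"}, ports={443}),
]

# Constructed sample flows: the pilot PC (10.0.5.23) and a non-pilot host.
SAMPLE_FLOWS = [
    Flow("10.0.5.23", "www.example-bank.com", 443, "financial-services"),
    Flow("10.0.5.23", "updates.apple.com", 443, "computer-and-internet-info"),
    Flow("10.0.5.23", "www.wikipedia.org", 443, "reference"),
    Flow("10.0.5.23", "mail.example.org", 8443, "web-based-email"),
    Flow("10.0.7.99", "www.wikipedia.org", 443, "reference"),
]

if __name__ == "__main__":
    for issue in lint(STAGED_RULEBASE):
        print("LINT:", issue)
    for f in SAMPLE_FLOWS:
        print(f"{f.src:<10} {f.host:<24} :{f.port:<5} -> {evaluate(STAGED_RULEBASE, f)}")
```

Run it before each widening step of the rollout: add the next group's source addresses to the decrypt rule, replay the sites that group depends on, and confirm that anything moved into the No-Decrypt custom category is still caught by the rule above the decrypt rule rather than silently shadowed.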