How to integrate the ProxySG with devices requiring Encrypted Tap

Article ID: 166424


Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Integrating FireEye malware scanner with ProxySG appliance (using Encrypted Tap).

Integrating Ixia Network Security Appliance with ProxySG appliance (using Encrypted Tap).

Environment

 
 

Resolution

Requirements

  • SGOS 6.5.2.1: this feature was introduced in 6.5.2.1
  • SSL proxy configuration (Article ID: 165599)
  • Licensing: “Encrypted Tap” is a separate component that needs to be added

 Configuration Steps

Proxy Configuration:

  1. Connect the proxy port directly to the tapping device.
  2. Enable SSL Interception.
  3. Forward the tapped traffic to the interface ID (the second layer in the policy shown below).

 

Policy Configuration:

  1. Browse to Configuration > Policy > Policy Files.
  2. Select Install Local File from:
  3. Select Text Editor.
  4. Click Install.
  5. Select the Append CPL Code (below).
  6. Click Install.
  7. Click Close.

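; Layer 1: intercept SSL traffic on the forward proxy
<ssl-intercept>
  ssl.forward_proxy(yes)

; Layer 2: send a decrypted copy of client connections to interface 0:0
<ssl>
  client.connection.encrypted_tap(0:0)

; Layer 3: server certificate validation is turned off
<ssl>
  server.certificate.validate(no)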

Verification:

  • Connect a PC directly to a free port on the ProxySG appliance, and start capturing the traffic forwarded from the proxy.
  • From a different machine, initiate encrypted traffic toward the ProxySG appliance by browsing to any HTTPS site (https://www.bluecoat.com, in this example).
  • If everything is working, a decrypted version of the traffic can be observed in the capture.
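
One way to script the check from the verification step, as an added example that is not part of the original article: it reads a saved capture and counts TCP payloads that still look like TLS records versus plaintext HTTP. It assumes the capture was saved as a classic little-endian pcap with Ethernet/IPv4 framing; the function names and the two sample captures are constructed for illustration.

```python
import struct
HTTP_STARTS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"HTTP/1.")

def tcp_payloads(pcap: bytes):
    """Yield non-empty TCP payloads from a classic little-endian Ethernet/IPv4 pcap."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap with Ethernet framing")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # keep only IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from(">H", frame, 16)[0]
        tcp = frame[14 + ihl : 14 + total_len]
        if len(tcp) >= 20 and tcp[(tcp[12] >> 4) * 4 :]:
            yield tcp[(tcp[12] >> 4) * 4 :]

def classify(data: bytes) -> str:
    if len(data) >= 3 and 0x14 <= data[0] <= 0x17 and data[1] == 3 and data[2] <= 4:
        return "tls"  # TLS record type 20-23 followed by version 3.x
    return "http" if data.startswith(HTTP_STARTS) else "other"

def summarize(pcap: bytes) -> dict:
    counts = {"tls": 0, "http": 0, "other": 0}
    for data in tcp_payloads(pcap):
        counts[classify(data)] += 1
    return counts

def looks_decrypted(pcap: bytes) -> bool:
    counts = summarize(pcap)
    return counts["http"] > 0 and counts["tls"] == 0  # plaintext HTTP seen, no TLS records

# Constructed sample captures (not real traffic; checksums are left at zero).
def build_pcap(payloads) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in payloads:
        tcp = struct.pack(">HHIIBBHHH", 49152, 443, 1, 1, 0x50, 0x18, 8192, 0, 0) + p
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
        frame = b"\x02" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

TAPPED = build_pcap([b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", b"HTTP/1.1 200 OK\r\n\r\n"])
ENCRYPTED = build_pcap([b"\x16\x03\x01\x00\x05hello", b"\x17\x03\x03\x00\x02ab"])
```

If `summarize` reports TLS records in a capture taken on the tap port, the capture still contains encrypted traffic, so recheck the policy layers and the interface ID.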