How to set up Explicit SSL Forward Proxy with Authentication

Article ID: 166494

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Configure SSL forward proxy with authentication in an explicit deployment. (For a transparent deployment, see How to Set Up Transparent SSL Forward Proxy with Authentication.)

This solution requires SGOS 4.2 or higher.

Resolution

Follow the high-level steps below to set up SSL forward proxy in an explicit deployment. For step-by-step instructions, please see the attached document.

  1. Create a keyring and define your certificate.
  2. Use VPM to create SSL policy:
    • Add an SSL Intercept Layer, specify an SSL Forward Proxy action, and select the keyring created in step 1 (optional). You can leave this rule out if you only want the ProxySG to "intercept on exception" (the default action), for example when the request will be denied.
    • Add an SSL Access Layer and set the Action to Disable Server Certificate Validation (optional). This rule is optional, but it is mentioned here because many customers prefer to disable server certificate validation on the proxy, since browsers also perform certificate validation and allow users to proceed if desired.
    • Install the policy.
  3. Import the certificate on all computers.
  4. Enable SSL detection for HTTP connections.
  5. Create a realm for the authentication protocol.
  6. Use VPM to create Web Authentication policy:
    • Add a Web Authentication Layer. Enforce authentication by creating an Authenticate/Force Authenticate Action with the mode set to Proxy-IP or Proxy.
    • Install the policy.
  7. Import the ProxySG self-signed certificate into IE.
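One way to confirm the finished deployment from a client, as an added example that is not part of the original article or the attached document: it checks that an explicit CONNECT is challenged with 407 before any tunnel is opened, and that the certificate seen through the tunnel chains to the keyring certificate imported on clients. The function names, the constructed sample reply, the `proxy_ca_file` path and the use of Basic credentials are assumptions.

```python
import base64
import socket
import ssl

# Constructed sample of a proxy challenge, not captured from a real appliance.
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b"Proxy-Authenticate: NTLM\r\nProxy-Authenticate: Basic realm=\"example\"\r\n\r\n")

def connect_request(host, port, user=None, password=None):
    """CONNECT request an explicit-proxy client sends before any TLS."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if user is not None:  # assumption: the realm accepts Basic credentials
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def classify_reply(raw):
    """Map the proxy's reply to ('challenge'|'tunnel'|'denied', offered schemes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = int(head[0].split()[1])
    schemes = [h.split(":", 1)[1].split()[0] for h in head[1:]
               if h.lower().startswith("proxy-authenticate:")]
    state = "challenge" if status == 407 else "tunnel" if 200 <= status < 300 else "denied"
    return state, schemes

def issuer_cn(cert):
    """Issuer common name from an ssl.SSLSocket.getpeercert() dict."""
    pairs = [kv for rdn in cert.get("issuer", ()) for kv in rdn]
    return dict(pairs).get("commonName")

def read_head(sock):
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    return buf

def probe(proxy, target, user, password, proxy_ca_file):
    """Live check; returns the issuer CN of the certificate seen through the proxy."""
    with socket.create_connection(proxy, timeout=10) as s:
        s.sendall(connect_request(*target))
        if classify_reply(read_head(s))[0] != "challenge":
            raise RuntimeError("proxy tunnelled or refused without asking for credentials")
    with socket.create_connection(proxy, timeout=10) as s:
        s.sendall(connect_request(*target, user, password))
        if classify_reply(read_head(s))[0] != "tunnel":
            raise RuntimeError("authenticated CONNECT was not accepted")
        ctx = ssl.create_default_context(cafile=proxy_ca_file)  # trust only the proxy CA
        with ctx.wrap_socket(s, server_hostname=target[0]) as tls:
            return issuer_cn(tls.getpeercert())
```

`probe` takes `proxy` and `target` as `(host, port)` tuples; because only the proxy's certificate is trusted, the handshake succeeds only when the connection is actually being intercepted. In Proxy-IP mode, run it from a client address that has not authenticated recently, otherwise the first CONNECT may not be challenged.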

Attachments

SSL Forward Proxy with Authentication.pd