Configure SSL interception with Microsoft PKI for Explicit proxy

Article ID: 168284

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Learn how to perform SSL interception using a Microsoft PKI infrastructure in an Explicit proxy environment.

Resolution

Step 1: Create a keyring and CSR on the ProxySG appliance

Create a keyring

  1. In the ProxySG Management Console, navigate to Configuration > SSL > Keyrings > Create.
  2. Enter the keyring settings.
  3. Click OK, and then click Apply to save your changes.

Create a Certificate Signing Request (CSR)

  1. Select the keyring you just created, and click Edit.
  2. Under Certificate Signing Request, click Create.
  3. Enter the details to be used in the certificate.
  4. Click OK, and then click Apply to save your changes.
  5. Select the keyring again and click Edit.
  6. Under Certificate Signing Request, copy the text.
  7. Open a text editor such as Notepad, and paste the contents from the Certificate Signing Request box.

Step 2: Create a signed certificate using your corporate PKI system and import the certificate into the keyring

Create a signed certificate

  1. In a browser, go to the Microsoft Active Directory Certificate Services at http://x.x.x.x/certsrv/ (replace x.x.x.x with the IP address of your Microsoft CA server).
  2. Click Request a certificate.
  3. Click Advanced certificate request.
  4. Click either Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or Submit a renewal request by using a base-64-encoded PKCS #7 file.
  5. Under Certificate Template, select Subordinate Certificate Authority, and then click Next.
  6. Select Base 64 encoded.
  7. Click Download Certificate.
  8. Open the certificate you downloaded in a text editor, and copy its contents. You will need to install it on the ProxySG.

Import the certificate into the keyring

  1. In the ProxySG Management Console, navigate to Configuration > SSL > Keyrings.
  2. Select the keyring you created earlier, and click Edit.
  3. In the Edit Keyring window, click Import.
  4. Paste the contents of the copied certificate, and click OK.
  5. Click Close, and then click Apply.

Step 3: Import the certificate signed by the PKI system to be used with SSL interception

  1. In the ProxySG Management Console, navigate to Configuration > SSL > CA Certificates > Import.
  2. Paste the certificate that you created in Step 2, as well as the Intermediate CA Certificates from the Internal PKI chain if applicable.
  3. Click OK, and then click Apply to save your changes.
  4. Navigate to Configuration > SSL > CA Certificates > CA Certificate Lists > Browser Trusted, and click Edit.
  5. Select the new certificate that you created in Step 2, as well as the Intermediate CA Certificates from the Internal PKI chain if applicable, and move them to the column on the right.
  6. Click OK, and then click Apply to save your changes.

Note: If the proxy is configured with a CA Certificate List (CCL) other than the default "<All CA Certificates>" (found under WebUI > Configuration > Proxy Settings > SSL Proxy), also add the certificate signed by the PKI for the proxy to that selected CCL. This ensures that the proxy presents the new certificate, along with the emulated certificates, to the clients.

Step 4: Configure the ProxySG appliance to perform SSL interception

Confirm that the HTTP service on the ProxySG appliance is properly configured

  1. In the ProxySG Management Console, navigate to Configuration > Services > Proxy Services.

    In this example, the ProxySG appliance uses the default Explicit HTTP service. It is configured to intercept HTTP traffic on ports 80 and 8080 with Detect Protocol enabled (Detect Protocol must be enabled for SSL interception to work).

Configure policy rules and layers in the Visual Policy Manager (VPM)

  1. Navigate to Configuration > Policy > Visual Policy Manager > Launch.

    In the following example, the VPM policy only contains two layers:
    • The Web Access Layer Action is set to allow "Any" Source and Destination to access the Internet.
    • The SSL Interception Layer contains one rule, which is set to SSL intercept "Any" Source and Destination.

  2. Create the SSL intercept policy. The SSL Interception Layer might look like this at first:
  3. Under Action, click None, and select Set.
  4. Click New.
  5. Select Enable SSL Interception.
  6. Select Enable HTTPS Interception.
  7. Check Issuer Keyring, and select the keyring that you created earlier.
  8. Click OK.
  9. Click Install Policy.

Step 5: Check the certificate in a browser

You can now run a test from a computer that is a member of the same domain as the Microsoft Certificate Server (so the browser already trusts the corporate root CA).

To do this, view the certificate that the ProxySG presents to the browser. The issuer Common Name (CN) on the emulated certificate should match what you used when creating the CSR.
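The same check from a client shell with OpenSSL, as an added example that is not part of the article and not Broadcom tooling: it pulls the chain the explicit proxy presents for a site, confirms the emulated certificate is issued by the keyring's CN, and verifies the chain up to the corporate root (which fails if the intermediate was not added to the CCL as described in Step 3). The proxy address, the CN "ProxySG Intercept CA" and the file corp-root-ca.pem are placeholders, not values from the article.

```shell
#!/bin/sh
# Added example (not from the article): client-side check that an explicit ProxySG
# is intercepting HTTPS with the keyring signed by the Microsoft CA (Step 5) and
# also serves the intermediate, so the chain closes at the corporate root (the
# CCL note in Step 3). Placeholders, not values from the article:
#   proxy.example.internal:8080 - the explicit proxy
#   "ProxySG Intercept CA"      - CN entered in the CSR in Step 1
#   corp-root-ca.pem            - the Microsoft root CA exported as PEM

# fetch_chain PROXY HOST: CONNECT through the explicit proxy and print the PEM
# chain the proxy presents for HOST (openssl 1.1.0 or later for -proxy).
fetch_chain() {
    openssl s_client -proxy "$1" -connect "$2:443" -servername "$2" -showcerts \
        </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# leaf_issuer_cn CHAIN_PEM: issuer CN of the first (leaf, emulated) certificate.
leaf_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_interception CHAIN_PEM EXPECTED_CN ROOT_PEM: succeeds only if the leaf
# was issued by the intercept keyring AND the presented chain verifies up to the
# corporate root. A missing intermediate (intercept CA not in the CCL) fails here.
check_interception() {
    issuer=$(leaf_issuer_cn "$1")
    if [ "$issuer" != "$2" ]; then
        echo "issuer CN is '$issuer', expected '$2'" >&2
        return 1
    fi
    leaf=$(mktemp); inter=$(mktemp)
    # first certificate -> leaf file, any following ones -> untrusted intermediates
    awk -v leaf="$leaf" -v inter="$inter" \
        '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (n <= 1 ? leaf : inter) }' "$1"
    if [ -s "$inter" ]; then
        openssl verify -CAfile "$3" -untrusted "$inter" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$3" "$leaf" >/dev/null 2>&1
    fi
    rc=$?
    rm -f "$leaf" "$inter"
    return $rc
}

# usage: fetch_chain proxy.example.internal:8080 www.example.com > chain.pem
#        check_interception chain.pem "ProxySG Intercept CA" corp-root-ca.pem
```

A non-zero result with a correct issuer CN but a failed verify is the symptom of the Step 3 note: the proxy signs with the keyring but does not send the PKI-signed intermediate.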
