Learn how to perform SSL interception using a Microsoft PKI infrastructure in an Explicit proxy environment.
Resolution
Step 1: Create a keyring and CSR on the ProxySG appliance
Create a keyring
In the ProxySG Management Console, navigate to Configuration > SSL > Keyrings > Create.
Enter the keyring settings.
Click OK, and then click Apply to save your changes.
Create a Certificate Signing Request (CSR)
Select the keyring you just created, and click Edit.
Under Certificate Signing Request, click Create.
Enter the details to be used in the certificate.
Click OK, and then click Apply to save your changes.
Select the keyring again and click Edit.
Under Certificate Signing Request, copy the text.
Open a text editor such as Notepad, and paste the contents from the Certificate Signing Request box.
Step 2: Create a signed certificate using your corporate PKI system and import the certificate into the keyring
Create a signed certificate
In a browser, go to the Microsoft Active Directory Certificate Services at http://x.x.x.x/certsrv/ (replace x.x.x.x with the IP address of your Microsoft CA server).
Click Request a certificate.
Click Advanced certificate request.
Click either Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or Submit a renewal request by using a base-64-encoded PKCS #7 file.
Under Certificate Template, select Subordinate Certificate Authority, and then click Next.
Select Base 64 encoded.
Click Download Certificate.
Open the certificate you downloaded in a text editor, and copy its contents. You will need to install it on the ProxySG appliance.
Import the certificate into the keyring
In the ProxySG Management Console, navigate to Configuration > SSL > Keyrings.
Select the keyring you created earlier, and click Edit.
In the Edit Keyring window, click Import.
Paste the contents of the copied certificate, and click OK.
Click Close, and then click Apply.
Step 3: Import the certificate signed by the PKI system to be used with SSL interception
In the ProxySG Management Console, navigate to Configuration > SSL > CA Certificates > Import.
Paste the certificate that you created in Step 2, as well as the Intermediate CA Certificates from the Internal PKI chain if applicable.
Click OK, and then click Apply to save your changes.
Navigate to Configuration > SSL > CA Certificates > CA Certificate Lists > Browser Trusted, and click Edit.
Select the new certificate that you created in Step 2, as well as the Intermediate CA Certificates from the Internal PKI chain if applicable, and move them to the column on the right.
Click OK, and then click Apply to save your changes.
Note: If the proxy is configured to use a CCL other than the default "<All CA Certificates>" (found under WebUI > Configuration > Proxy Settings > SSL Proxy), also add the PKI-signed proxy certificate to the selected CCL. This ensures that the proxy presents the new certificate to clients along with the emulated certificates.
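The following is an added example and is not part of the original article or any Symantec/Broadcom code. It reproduces Steps 1 to 3 offline with the openssl CLI so that the signed certificate can be checked before it is imported: a throw-away self-signed root CA stands in for the corporate Microsoft CA, a locally generated RSA key and CSR stand in for the ProxySG keyring, and two signing profiles are compared, one matching what the Subordinate Certification Authority template produces (CA:TRUE) and one matching an ordinary server template (CA:FALSE), which is the usual mistake. The organisation and host names, the 30-day validity and the pathlen:0 constraint are constructed assumptions; the exact extension set issued by a real Microsoft template may differ, and the two checks at the end (CA:TRUE present, chains to the root clients trust) are what matter.

```shell
#!/bin/sh
# Added example, not from the original article: simulate keyring/CSR creation,
# CA signing and the pre-import checks with openssl. All names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write an X.509 v3 extension file. "ca" approximates what the Microsoft
# "Subordinate Certification Authority" template issues (CA:TRUE, cert signing);
# "leaf" approximates a web server template, the wrong choice for interception.
# pathlen:0 is an assumption for this demo, not something the article specifies.
write_ext_file() {   # $1 = ca|leaf, $2 = output path
    if [ "$1" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$2"
    else
        printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$2"
    fi
}

# Step 1 equivalent: a private key plus CSR (the keyring and its CSR on the appliance).
make_key_and_csr() {   # $1 = base name, $2 = subject DN
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    # Confirm the CSR's own signature before handing it to the CA.
    openssl req -in "$WORK/$1.csr" -noout -verify >/dev/null 2>&1
}

# Stand-in for the corporate root CA (self-signed, CA:TRUE) that the Microsoft CA provides.
make_root_ca() {
    make_key_and_csr root "/O=Example Corp/CN=Example Corp Root CA"
    write_ext_file ca "$WORK/root.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null
}

# Step 2 equivalent: the CA signs the proxy CSR using the chosen template profile.
sign_proxy_csr() {   # $1 = ca|leaf profile, $2 = output certificate path
    write_ext_file "$1" "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/$1.ext" -out "$2" 2>/dev/null
}

# Check 1: the certificate is a CA certificate. Without CA:TRUE the keyring
# cannot be used to issue the emulated certificates the proxy hands to clients.
cert_is_ca() {   # $1 = certificate path
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Check 2: the certificate chains to the root (plus any intermediates) that the
# clients already trust, which is what Step 3's Browser Trusted CCL relies on.
cert_chains_to() {   # $1 = certificate path, $2 = trusted root/intermediate bundle
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

run_demo() {
    make_root_ca
    make_key_and_csr proxy "/O=Example Corp/CN=proxy.example.internal"
    sign_proxy_csr ca   "$WORK/proxy-subca.pem"   # correct template
    sign_proxy_csr leaf "$WORK/proxy-leaf.pem"    # wrong template, for contrast
    for c in proxy-subca proxy-leaf; do
        if cert_is_ca "$WORK/$c.pem" && cert_chains_to "$WORK/$c.pem" "$WORK/root.pem"; then
            echo "$c.pem: usable for SSL interception (CA:TRUE, chains to root)"
        else
            echo "$c.pem: NOT usable (not a CA certificate or does not chain to root)"
        fi
    done
}

run_demo
```

Run the same two checks against the certificate downloaded from certsrv in Step 2 (with the real root and intermediate certificates in the bundle passed to `cert_chains_to`) before importing it into the keyring; the leaf-style certificate in the demo chains correctly but fails the CA check, which is exactly the case where a wrong template was selected.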
Step 4: Configure the ProxySG appliance to perform SSL interception
Confirm that the HTTP service on the ProxySG appliance is properly configured
In the ProxySG Management Console, navigate to Configuration > Services > Proxy Services.
In this example, the ProxySG appliance uses the default Explicit HTTP service. It is configured to intercept HTTP traffic on ports 80 and 8080, with Detect Protocol enabled (this must be enabled for SSL interception to work).
Configure policy rules and layers in the Visual Policy Manager (VPM)