Ensure that the ProxySG’s time and date are set up correctly.
The recommendation is to configure the ProxySG to get its time from a reputable and reliable time source.
- To review your NTP settings on the ProxySG, please log in to the Management Console (https://<proxy ip>:8082/) and select Configuration > General > Clock
Note: any discrepancy between the date and time in certificates created by the ProxySG and the actual time can cause unexpected behavior, so it is important that the time on the ProxySG is set correctly before proceeding.
Create the keyring on the ProxySG
- Select Configuration > SSL > Keyrings. Click on Create to create a new keyring for the ProxySG.
- Give the keyring a meaningful name; in this example we will use SSL-Interception-KR.
- Select Show Keypair.
- Set the size as required, the default is 2048 bits.
- Click OK and Apply to save your changes.
- Edit the keyring created above.
- Click Create under Certificate Signing Request at the bottom.
- Fill in appropriate information into the request.
Note: for SSL interception the common name chosen is not important; however, short names are easier to set up than FQDNs. If you do choose to use a FQDN, you will need to make changes on the browser.
- Click OK, then Close, then Apply.
- Edit the keyring. At the bottom you will now see a certificate signing request (CSR). Copy this text to the clipboard, then click Close.
- Save the CSR that you copied to the clipboard to a text file and give it a meaningful name such as ssl-interception.csr.
- Log in to your Microsoft Active Directory Certificate Services server; the default URL is http://<windows server ip>/certsrv/
- Click Request a certificate
- Click on Advanced certificate request
- Paste the CSR into the Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7) field
- Select “Subordinate Certificate Authority” in “Certificate Template” then click on Submit
- Select Base 64 encoded then click on Download certificate
Note: when you download the certificate, make sure to rename it to something meaningful; in this example it is ssl-interception.cer.
- Click Home in the top right corner of the page.
- Click Download a CA certificate, certificate chain, or CRL
- Select the appropriate CA Certificate from the list at the top, select Base 64 as the encoding method and click Download CA certificate.
- Again, make sure to rename the CA certificate to something meaningful; in this example it is madlab CA certificate.csr.
Finalize the configuration on the ProxySG
- In the Management Console on the ProxySG, select Configuration > SSL > Keyrings. Select the SSL-Interception-KR created earlier and click Edit.
- Click Import, under Certificate.
- Open the ssl-interception.cer file in a text editor and copy the contents to the clipboard, then paste in the Import Certificate dialog box. Click Close and then Apply to save your changes.
Note: if you happen to import the contents of the wrong certificate into this dialog box, when you click Apply you will get an error message similar to:
“The private key in the certificate "SSL-Interception-KR" does not match the one in the keyring”
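The mismatch error above is only reported after the certificate has been pasted and applied. The following script, added here as an example and not part of the original article or the ProxySG software, lets you check the file AD CS returned before importing it: that its public key is the one from the keyring's CSR, that it was issued as a CA certificate (the Subordinate Certification Authority template sets basicConstraints CA:TRUE), and that it chains to the Root CA you downloaded. It assumes only the openssl command-line tool; the keyring, Root CA and subordinate certificate it generates are constructed stand-ins for the ProxySG keyring and the AD CS server, named after the article's example files.

```shell
#!/bin/sh
# Added example: pre-import checks for a subordinate CA certificate issued for a
# ProxySG keyring CSR. Assumes the openssl CLI is available. All key material
# below is constructed locally as a stand-in for the ProxySG keyring and AD CS.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed lab material: a keyring + CSR, a Root CA, a subordinate CA cert
# signed the way the "Subordinate Certification Authority" template would, and
# an unrelated certificate to show the "wrong certificate" case.
make_lab_material() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/keyring.key" \
    -out "$WORK/ssl-interception.csr" -subj "/CN=ssl-interception" 2>/dev/null
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/root.key" \
    -out "$WORK/root-ca.cer" -subj "/CN=madlab Root CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/subca.ext"
  openssl x509 -req -in "$WORK/ssl-interception.csr" -CA "$WORK/root-ca.cer" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 -extfile "$WORK/subca.ext" \
    -out "$WORK/ssl-interception.cer" 2>/dev/null
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -keyout "$WORK/other.key" \
    -out "$WORK/other.cer" -subj "/CN=other" 2>/dev/null
}

# Succeeds if the certificate's public key equals the public key in the CSR,
# i.e. the certificate really belongs to the keyring that produced the CSR.
keypair_matches() {
  _c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  _r=$(openssl req -in "$2" -noout -pubkey | openssl sha256)
  [ "$_c" = "$_r" ]
}

# Succeeds if the certificate carries basicConstraints CA:TRUE; a certificate
# issued from a non-CA template cannot sign the emulated server certificates.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds if the certificate validates against the supplied Root CA file.
chains_to_root() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs all three checks, reports each, and returns non-zero if any fails.
precheck() {
  _rc=0
  if keypair_matches "$1" "$2"; then echo "ok   public key matches the keyring CSR"
  else echo "FAIL public key does not match the CSR (wrong certificate file?)"; _rc=1; fi
  if is_ca_cert "$1"; then echo "ok   basicConstraints CA:TRUE present"
  else echo "FAIL not a CA certificate (wrong template selected?)"; _rc=1; fi
  if chains_to_root "$1" "$3"; then echo "ok   chains to the Root CA"
  else echo "FAIL does not chain to the supplied Root CA"; _rc=1; fi
  return $_rc
}

if command -v openssl >/dev/null 2>&1; then
  make_lab_material
  echo "== ssl-interception.cer (issued for this keyring) =="
  precheck "$WORK/ssl-interception.cer" "$WORK/ssl-interception.csr" "$WORK/root-ca.cer" \
    || echo "(import would fail)"
  echo "== other.cer (wrong certificate) =="
  precheck "$WORK/other.cer" "$WORK/ssl-interception.csr" "$WORK/root-ca.cer" \
    || echo "(import would fail)"
fi
```

To use it against real files, call precheck with the downloaded ssl-interception.cer, the saved ssl-interception.csr and the downloaded Root CA certificate in place of the generated ones; only a certificate that passes all three checks is worth pasting into the keyring's Import Certificate dialog.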
- Next, it will be necessary to add the Root CA (madlab Root CA certificate.cer) and the ProxySG CA certificate (ssl-interception.cer) to the list of CA certificates on the ProxySG. In the Management Console, go to the CA Certificates tab (Configuration > SSL > CA Certificates).
- Click Import. Name the CA certificate (hint: the ProxySG sorts CA certificates alphabetically, but lower-case names are appended to the end of the list, which makes them easier to find), paste in the Base 64 version of the ProxySG's subordinate CA certificate, and click OK and then Apply.
- Repeat this procedure to import the Root CA.
- You should now have two new CA certificates in the list.
- Next we will add the Root CA and ProxySG certificates as browser-trusted CAs. Select the CA Certificate Lists tab at the top.
- Then select browser-trusted and click Edit.
- Select the newly added CA certificate and ProxySG certificate on the left and click Add to move them to the right column. Click OK and then Apply.
Now we need to make sure the final pieces are in place.
- Modify the default HTTPS service, if needed, to intercept traffic on port 443.
- To do this, select Configuration > Services > Proxy Services > Standard Service Group > HTTPS > Edit Service.
- Set the service to Intercept.
Finally we need to create policy to intercept SSL traffic.
Note: the following policy is intended only to verify that SSL traffic is being intercepted correctly; it is not intended for production use.
- Select Configuration > Policy > Visual Policy Manager
- In the Visual Policy Manager, select Policy > Add SSL Intercept Layer
- Right-click Action > Set > New > Enable SSL Interception
- Give the object a meaningful name, click Issuer Keyring and select the keyring created earlier, then click OK and then Install Policy. If your default proxy policy is set to deny, you will also need to create a Web Access policy to allow traffic.