How to configure the SSL proxy on the ProxySG for transparent interception using an SSL certificate issued from a Microsoft PKI server



Solution

Overview
This article steps you through configuring a transparent ProxySG to intercept SSL traffic, using a subordinate CA certificate issued by a Microsoft PKI server.

This article was written using the following software:
  • SGOS 6.5.7.7 (it should also work with earlier versions of SGOS)
  • Windows 2008 Enterprise Server R2 SP1 Enterprise PKI
  • Tested with the following browsers:
    • Internet Explorer 11
    • Firefox 40.0.3
    • Chrome 45.0.2454.99 m

The document assumes that the organization's Root CA certificate is already deployed as a Trusted CA certificate in the browsers.
Resolution

Part 1

Ensure that the ProxySG's time and date are set correctly.
The recommendation is to configure the ProxySG to get its time from a reputable and reliable time source.
  1. To review your NTP settings on the ProxySG, log in to the Management Console (https://<proxy ip>:8082/) and select Configuration > General > Clock.
Note: any discrepancy between the validity dates in certificates created by the ProxySG and the actual time can cause unexpected behavior (browsers will reject certificates that appear not yet valid or expired), so it is important that the time on the ProxySG is set correctly before proceeding.
 
 

Part 2

Create the keyring on the ProxySG
  1. Select Configuration > SSL > Keyrings. Click Create to create a new keyring for the ProxySG.
  2. Give the keyring a meaningful name; in this example we will use SSL-Interception-KR.
  3. Select Show Keypair.
  4. Set the key size as required; the default is 2048 bits.
  5. Click OK and then Apply to save your changes.
  6. Edit the keyring created above.
  7. Click Create under Certificate Signing Request at the bottom.
  8. Fill in the appropriate information for the request.
Note: for SSL interception the common name chosen is not important; however, short names are easier to set up than an FQDN. If you do choose to use an FQDN, you will need to make changes in the browser.
  9. Click OK, then Close, then Apply.
  10. Edit the keyring. At the bottom you will now see a certificate signing request (CSR). Copy this text to the clipboard and click Close.
  11. Save the CSR that you copied to the clipboard to a text file and give it a meaningful name, such as ssl-interception.csr.

Part 3

  1. Log in to your Microsoft Active Directory Certificate Services server; the default URL is http://<windows server ip>/certsrv/


  2. Click Request a certificate.
  3. Click Advanced certificate request.
  4. Paste the CSR into the "Base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7)" box.
  5. Select "Subordinate Certificate Authority" under "Certificate Template", then click Submit.
 


  6. Select Base 64 encoded, then click Download certificate.
Note: when you download the certificate, rename it to something meaningful; in this example it is ssl-interception.cer.
 
  7. Click Home in the top right corner of the page.
  8. Click Download a CA certificate, certificate chain, or CRL.
  9. Select the appropriate CA certificate from the list at the top, select Base 64 as the encoding method, and click Download CA certificate.
  10. Again, rename the CA certificate to something meaningful; in this example it is madlab CA certificate.cer.

Part 4

Finalize the configuration on the ProxySG
  1. In the Management Console on the ProxySG, select Configuration > SSL > Keyrings. Select the SSL-Interception-KR keyring created earlier and click Edit.
  2. Click Import under Certificate.
  3. Open the ssl-interception.cer file in a text editor, copy the contents to the clipboard, and paste them into the Import Certificate dialog box. Click Close and then Apply to save your changes.
Note: if you import the contents of the wrong certificate into this dialog box (one that was not issued for this keyring's public key), clicking Apply produces an error message similar to:
"The private key in the certificate "SSL-Interception-KR" does not match the one in the keyring"
 
  4. Next, add the Root CA certificate (madlab Root CA certificate.cer) and the ProxySG CA certificate (ssl-interception.cer) to the list of CA certificates on the ProxySG. In the Management Console, go to the CA Certificates tab (Configuration > SSL > CA Certificates).
  5. Click Import. Name the CA certificate (hint: the ProxySG sorts CA certificates alphabetically, but lower-case names are appended to the end of the list, making them easier to find), paste in the Base 64 version of the ProxySG's subordinate CA certificate, and click OK and then Apply.
  6. Repeat this procedure to import the Root CA certificate.
  7. You should now have two new CA certificates in the list.
  8. Next, add the Root CA and ProxySG certificates to the browser-trusted CA list. Select the CA Certificate Lists tab at the top.
  9. Select browser-trusted and click Edit.
  10. Select the newly added Root CA certificate and ProxySG certificate on the left and click Add to move them to the right-hand column. Click OK and then Apply.

Part 5

Now make sure the final pieces are in place:
  1. Modify the default HTTPS service, if needed, to intercept traffic on port 443.
  2. To do this, select Configuration > Services > Proxy Services > Standard Service Group > HTTPS > Edit Service.
  3. Set the service to Intercept.
 

Part 6


Finally, create policy to intercept SSL traffic.
Note: the following policy is intended only to verify that SSL traffic is being intercepted correctly; it is not intended for production use.
  1. Select Configuration > Policy > Visual Policy Manager.
  2. In the Visual Policy Manager, select Policy > Add SSL Intercept Layer.
  3. Right-click Action > Set > New > Enable SSL Interception.
  4. Give the object a meaningful name, click Issuer Keyring and select the keyring created earlier, click OK, and then click Install policy. If your default proxy policy is set to deny, you will also need to create a Web Access policy to allow traffic.


 
Additional Information
There are two checks you can perform to ensure that interception is working as expected.
  1. Browse to an HTTPS site such as https://www.google.com
  2. The next step varies from browser to browser, but in Internet Explorer 11 you will see a padlock on the right-hand side of the address bar; click it and you will see the following.
 

Note that the browser reports that it is our Windows certificate server that verified this site as www.google.com. If you click View certificates you will see that the certificate was issued by BCProxySG, the name used as the common name when you created the CSR.
 
  3. Finally, click Certification Path to see the complete certificate chain.
 

The second test, which shows from the ProxySG side that SSL is being intercepted, is run from the Management Console:
  1. Select Statistics > Active Sessions > Show.
  2. You should see HTTPS FWD under Protocol for the intercepted site.
 
Please see article 000016796, which describes how to write policy to enable SSL Proxy functionality using the Visual Policy Manager (VPM).
First Published      10/08/2015
Last Modified      10/08/2015
Last Published      10/08/2015
Article Audience
Product      ProxySG
Software      SGOS 5, SGOS 6
Topic      Configuration / WUI / CLI, SSL / HTTPS
Article Number      000027760