Michael B Posted April 29

I've been asked to test out the SSL forward proxy feature for a specific use case, but I'm getting tripped up by the subpar documentation. Is there a decent how-to guide to get this going? Can anyone explain to me how the SSL interception works and how to get an SSL bundle file loaded to use? I think I have the concepts down, and we have an internal CA/PKI to use, so I have the root and intermediate certs available to me (but not private keys). My goal is to get a pretty simple forward proxy setup in explicit mode, not so much for filtering but as a sort of secure jump host to the Internet for specific nodes in a restricted firewall zone. Any help would be appreciated.

MB
Jeff Riechers Posted April 30

What are you looking to forward? An IIS site? An Apache web server? If it is a single URL, you create an SSL load balancer with an IP and a certificate bound to it, and a service pointing to your backend server. If it is multiple URLs, you create an SSL content switch with an IP and certificate bound to it. Then you create policies that will look at the hostname hitting the IP and send it to the appropriate load balancer with the backend service. Don't just start with the name of the tech. Give us a run-down on what you are trying to do, and we can help design something for you.
Rick Davis Posted April 30

The forward proxy feature is specifically for the filtering of encrypted traffic which is not destined for an endpoint on the NetScaler. The correct way to allow servers to communicate without SSL-decrypted filtering is to use RNAT.
Michael B (Author) Posted April 30

9 hours ago, Jeff Riechers said: "What are you looking to forward? An IIS site? An Apache web server? If it is a single URL, you create an SSL load balancer with an IP and a certificate bound to it, and a service pointing to your backend server. If it is multiple URLs, you create an SSL content switch with an IP and certificate bound to it. Then you create policies that will look at the hostname hitting the IP and send it to the appropriate load balancer with the backend service. Don't just start with the name of the tech. Give us a run-down on what you are trying to do, and we can help design something for you."

I'm not trying to do any of the above; I already know how to set up content switching and LB VIPs with URL policies. This is to configure SSL Forward Proxy, which I'm guessing is not a frequently used feature and pretty much speaks for itself regarding what I'm trying to accomplish, along with my original post: "My goal is to get a pretty simple forward proxy setup in explicit mode, not so much for filtering but as a sort of secure jump host to the Internet for specific nodes in a restricted firewall zone".
Michael B (Author) Posted April 30

4 hours ago, Rick Davis said: "The forward proxy feature is specifically for the filtering of encrypted traffic which is not destined for an endpoint on the NetScaler. The correct way to allow servers to communicate without SSL-decrypted filtering is to use RNAT."

RNAT is not the right solution for this. The forward proxy does work without decrypting as well; I'm working on that part and making some headway. Thanks for the reply.
Nicola Campaci Posted May 2 (Solution; edited May 2 by Nicola Campaci)

Hi Michael

It's very easy because you don't want to decrypt proxy traffic. Here is the CLI script for a fast deploy of a simple explicit proxy on port 8080:

# Create explicit proxy 192.168.1.200 port 8080
# (the HTTP profile referenced here must already exist and must allow the CONNECT method)
add cs vserver webproxy PROXY 192.168.1.200 8080 -cltTimeout 180 -httpProfileName http_profile_with_CONNECT_enabled -persistenceType NONE

# Create custom audit message for logging blocked access on syslog/nslog
# (the policy name in the message matches the block policy created below)
add audit messageaction MessageAction_HTTP_Proxy_log_deny_policy WARNING "\"Client IP: \" + CLIENT.IP.SRC + \"; Req. Host: \" + HTTP.REQ.HOSTNAME + \"; Req. URL: \" + HTTP.REQ.URL.PATH_AND_QUERY + \"; Request method: \" + HTTP.REQ.METHOD + \"; ProxyResponse: 403 Forbidden; Policy: pol_url_BLOCK_ALL; ProxyIP: \" + CLIENT.IP.DST" -logtoNewnslog YES

# Create proxy message action for denied URLs
# (the empty line, \r\n\r\n, after the status line ends the headers so the text is sent as the body)
add responder action act_resp_code_403_Forbidden_by_PROXY respondwith q{"HTTP/1.1 403 Forbidden\r\n\r\n" + HTTP.REQ.URL.HTTP_URL_SAFE + " is not an authorized URL. The PROXY blocked the request\r\n"}

# Create allowed URL list with *google.com and *microsoft.com
add policy patset allowed_url_list
bind policy patset allowed_url_list google.com
bind policy patset allowed_url_list microsoft.com

# Create rule for allowed URLs
# (CONTAINS_ANY is a substring match: a request is allowed whenever a patset entry
# appears anywhere in hostname + URL, including in the path or query string)
add responder policy pol_url_allowed "(HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY(\"allowed_url_list\") || HTTP.REQ.URL.CONTAINS_ANY(\"allowed_url_list\"))" NOOP

# Create rule to block all other URLs and log each denial
add responder policy pol_url_BLOCK_ALL TRUE act_resp_code_403_Forbidden_by_PROXY -logAction MessageAction_HTTP_Proxy_log_deny_policy

# Bind rules to webproxy: allowed list at priority 100 is evaluated first, everything else is blocked at 200
bind cs vserver webproxy -policyName pol_url_allowed -priority 100 -gotoPriorityExpression END -type REQUEST
bind cs vserver webproxy -policyName pol_url_BLOCK_ALL -priority 200 -gotoPriorityExpression END -type REQUEST

Remember:
1) the NetScaler must exit to the Internet with a SNIP (ports 80 and 443 open on the FW for the SNIP IP)
2) public DNS resolution must work on the NetScaler
3) in this case, client browsers use the proxy configuration http://192.168.1.200:8080
4) in this case I don't use SSL inspection, so the cert bundle is not necessary
5) the HTTP profile must have the CONNECT method enabled

Regards
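The allow rule in the script above decides with CONTAINS_ANY, which is a substring test, so it is worth seeing what that accepts before putting the proxy in front of a restricted zone. The following Python is an added example, not code from the thread or from NetScaler: it models CONTAINS_ANY on a patset as a case-insensitive substring match (an assumption about the policy engine, stated in the comments), replays a handful of constructed requests through the posted rule, and contrasts it with a host-suffix check that ignores the path and query. The request samples, the function names and the "strict" rule are this example's own.

```python
"""Added example (not from the thread): models the posted pol_url_allowed
rule and a stricter host-suffix alternative over constructed requests.

Assumption (not stated on the page): NetScaler's CONTAINS_ANY(patset) behaves
like a case-insensitive substring match against each patset entry. Hostnames
and URLs below are constructed sample data, not captured traffic.
"""

# Same entries as the 'allowed_url_list' patset in the CLI script.
ALLOWED_URL_LIST = ["google.com", "microsoft.com"]


def contains_any(text: str, patset: list[str]) -> bool:
    """Model of CONTAINS_ANY: true if any patset entry occurs anywhere in text."""
    lowered = text.lower()
    return any(entry.lower() in lowered for entry in patset)


def posted_rule_allows(hostname: str, url: str) -> bool:
    """pol_url_allowed as posted:
    HOSTNAME.APPEND(URL).CONTAINS_ANY(list) || URL.CONTAINS_ANY(list)."""
    return (contains_any(hostname + url, ALLOWED_URL_LIST)
            or contains_any(url, ALLOWED_URL_LIST))


def strict_rule_allows(hostname: str, url: str = "") -> bool:
    """Hypothetical stricter rule: the host part (any :port dropped) must be
    exactly an allowed entry or end with '.' + entry. Path and query are
    ignored, so nothing a client puts in the URL can satisfy the check."""
    host = hostname.lower().split(":", 1)[0]
    return any(host == entry or host.endswith("." + entry)
               for entry in (e.lower() for e in ALLOWED_URL_LIST))


# Constructed requests as the explicit proxy sees them. A CONNECT request
# carries the host:port target as its URL, a plain GET carries a path.
SAMPLE_REQUESTS = [
    ("CONNECT", "www.google.com:443", "www.google.com:443"),
    ("GET", "www.microsoft.com", "/en-us/"),
    ("GET", "evilgoogle.com", "/"),                        # entry inside another host
    ("GET", "attacker.example", "/google.com"),            # entry in the path
    ("GET", "attacker.example", "/?next=microsoft.com"),   # entry in the query
    ("GET", "example.org", "/"),
]


def decide(hostname: str, url: str, rule) -> str:
    """Mirror of the two bound policies: allowed at priority 100, else 403."""
    return "ALLOW" if rule(hostname, url) else "BLOCK"


def evaluate_all(rule):
    """Run every sample request through one rule; returns (method, host, url, decision)."""
    return [(m, h, u, decide(h, u, rule)) for m, h, u in SAMPLE_REQUESTS]


def bypasses():
    """Requests the posted rule lets through that the strict rule would block."""
    return [(h, u) for _, h, u in SAMPLE_REQUESTS
            if posted_rule_allows(h, u) and not strict_rule_allows(h, u)]


if __name__ == "__main__":
    for method, host, url, verdict in evaluate_all(posted_rule_allows):
        strict = decide(host, url, strict_rule_allows)
        print(f"{method:7} {host:22} {url:22} posted={verdict:5} strict={strict}")
    print("allowed by posted rule only:", bypasses())
```

Three of the six samples pass the posted rule only because an allowed string appears somewhere in the host or URL, not because the destination host is google.com or microsoft.com; the suffix check blocks all three. On a real NetScaler the equivalent tightening is to anchor the match on the hostname rather than on hostname plus URL; the exact expression to use is outside what this thread shows, so verify it against the policy expression reference for your release.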
Michael B (Author) Posted May 13

Thanks Nicola, that is very helpful.