
SSL fwd proxy getting started


Solved by Nicola Campaci


I've been asked to test out the SSL forward proxy feature for a specific use case, but I'm getting tripped up by the subpar documentation. Is there a decent how-to guide to get this going? Can anyone explain to me how the SSL interception works and how to get an SSL bundle file loaded to use? I think I have the concepts down, and we have an internal CA/PKI to use, so I have the root and intermediate certs available to me (but not private keys). My goal is to get a pretty simple forward proxy setup in explicit mode, not so much for filtering but as a sort of secure jump host to the Internet for specific nodes in a restricted firewall zone.

Any help would be appreciated.

MB


What are you looking to forward? An IIS site? An Apache web server?

If it is a single URL, you create an SSL load balancer with an IP and a certificate bound to it, and a service pointing to your backend server.

If it is multiple URLs, you create an SSL content switch with an IP and certificate bound to it. Then you create policies that will look at the hostname hitting the IP and send it to the appropriate load balancer with the backend service.

Don't just start with the name of the tech. Give us a run-down on what you are trying to do, and we can help design something for you.


The forward proxy feature is specifically for the filtering of encrypted traffic which is not destined for an endpoint on the NetScaler.

The correct way to allow servers to communicate without SSL decrypted filtering is to use R-NAT.


9 hours ago, Jeff Riechers said:

What are you looking to forward? An IIS site? An Apache web server?

If it is a single URL, you create an SSL load balancer with an IP and a certificate bound to it, and a service pointing to your backend server.

If it is multiple URLs, you create an SSL content switch with an IP and certificate bound to it. Then you create policies that will look at the hostname hitting the IP and send it to the appropriate load balancer with the backend service.

Don't just start with the name of the tech. Give us a run-down on what you are trying to do, and we can help design something for you.

I'm not trying to do any of the above; I already know how to set up content switching and LB VIPs with URL policies. This is to configure SSL Forward Proxy, which I'm guessing is not a frequently used feature and pretty much speaks for itself regarding what I'm trying to accomplish, along with my original post: "My goal is to get a pretty simple forward proxy setup in explicit mode, not so much for filtering but as a sort of secure jump host to the Internet for specific nodes in a restricted firewall zone".


4 hours ago, Rick Davis said:

The forward proxy feature is specifically for the filtering of encrypted traffic which is not destined for an endpoint on the NetScaler.

The correct way to allow servers to communicate without SSL decrypted filtering is to use R-NAT.

RNAT is not the right solution for this. The forward proxy does work without decrypting as well; I'm working on that part and making some headway. Thanks for the reply.


Solution

Posted (edited)

Hi Michael

It's very easy because you don't want to decrypt proxy traffic. Here is the CLI script for a fast deploy of a simple explicit proxy on port 8080:

#Create explicit proxy 192.168.1.200 port 8080 (the HTTP profile referenced here must already exist with CONNECT enabled)
add cs vserver webproxy PROXY 192.168.1.200 8080 -cltTimeout 180 -httpProfileName http_profile_with_CONNECT_enabled -persistenceType NONE

#Create custom audit message for logging blocked access on syslog/nslog
add audit messageaction MessageAction_HTTP_Proxy_log_deny_policy WARNING "\"Client IP: \"+ CLIENT.IP.SRC + \"; Req. Host: \" + HTTP.REQ.HOSTNAME + \"; Req. URL: \" + HTTP.REQ.URL.PATH_AND_QUERY + \"; Request method: \" + HTTP.REQ.METHOD + \"; ProxyResponse: 403 Forbidden; Policy: pol_url_filtering_BLOCK_ALL_URL; ProxyIP: \" + CLIENT.IP.DST " -logtoNewnslog YES

#Create proxy response action (403) for denied URLs
add responder action act_resp_code_403_Forbidden_by_PROXY respondwith q{"HTTP/1.1 403 Forbidden \r\n"+ HTTP.REQ.URL.HTTP_URL_SAFE +" is not an authorized URL. The PROXY blocked the request\r\n"}

#Create allowed URL list (patset) with *google.com and *microsoft.com
add policy patset allowed_url_list
bind policy patset allowed_url_list google.com
bind policy patset allowed_url_list microsoft.com

#Create rule for allowed URLs: NOOP, so evaluation stops (see gotoPriorityExpression END below) and the request is proxied
add responder policy pol_url_allowed "(HTTP.REQ.HOSTNAME.APPEND(HTTP.REQ.URL).CONTAINS_ANY(\"allowed_url_list\") || HTTP.REQ.URL.CONTAINS_ANY(\"allowed_url_list\"))" NOOP

#Create catch-all rule (TRUE) that blocks every other URL with the 403 action and logs it
add responder policy pol_url_BLOCK_ALL TRUE act_resp_code_403_Forbidden_by_PROXY -logAction MessageAction_HTTP_Proxy_log_deny_policy

#Bind rules to webproxy: allow list first (priority 100), block-all second (priority 200)
bind cs vserver webproxy -policyName pol_url_allowed -priority 100 -gotoPriorityExpression END -type REQUEST
bind cs vserver webproxy -policyName pol_url_BLOCK_ALL -priority 200 -gotoPriorityExpression END -type REQUEST

Remember:

1) NetScaler must exit to the Internet with a SNIP (ports 80 and 443 open on the FW for the SNIP IP)

2) public DNS resolution must work on the NetScaler

3) in this case, clients' browsers have the proxy configuration http://192.168.1.200:8080

4) in this case I don't use SSL inspection, so a cert bundle is not necessary

5) the HTTP profile must have the CONNECT method enabled


Regards

Edited by Nicola Campaci
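As an added example that is not part of the thread or of any NetScaler code, the script below models the two responder policies from the solution above (allow list at priority 100 ending evaluation on a match, then a TRUE block-all policy answering 403) so the decision for a given request can be checked offline before anyone points a browser at the proxy. It also contrasts the CONTAINS_ANY test used in pol_url_allowed, which is a plain substring match over hostname plus URL, with a host-anchored variant that only accepts the server name itself or a subdomain of it. The ProxyRequest records, client IPs and hostnames are constructed sample data, and the host-anchored rule is my suggestion rather than anything the post proposes; on the NetScaler side the equivalent would be an EQUALS_ANY/ENDSWITH_ANY check on HTTP.REQ.HOSTNAME.SERVER with the patset entries written with a leading dot, which should be verified against the policy expression reference for your firmware.

```python
# Added example, not from the forum post and not NetScaler code: offline model of
# the allow/deny responder policies in the solution, plus a stricter host-anchored rule.
from dataclasses import dataclass

# Mirrors the patset "allowed_url_list" from the post.
ALLOWED_URL_LIST = ("google.com", "microsoft.com")


@dataclass(frozen=True)
class ProxyRequest:
    """One request as the explicit proxy sees it (constructed sample data)."""
    client_ip: str
    method: str    # CONNECT for HTTPS through the proxy, GET for plain HTTP
    hostname: str  # HTTP.REQ.HOSTNAME: Host header, may carry a port
    url: str       # HTTP.REQ.URL: "host:port" for CONNECT, absolute URL for GET


def contains_any(text: str, patset) -> bool:
    """Substring test: the semantics of CONTAINS_ANY against a patset."""
    return any(p in text for p in patset)


def allowed_as_posted(req: ProxyRequest, patset=ALLOWED_URL_LIST) -> bool:
    """pol_url_allowed exactly as written in the post:
    HOSTNAME.APPEND(URL).CONTAINS_ANY(patset) || URL.CONTAINS_ANY(patset)."""
    return contains_any(req.hostname + req.url, patset) or contains_any(req.url, patset)


def allowed_host_anchored(req: ProxyRequest, patset=ALLOWED_URL_LIST) -> bool:
    """Stricter variant (my suggestion, not from the post): decide on the server
    name alone, exact match or subdomain, ignoring path and query entirely."""
    host = req.hostname.rsplit(":", 1)[0].lower()  # drop the port, like HOSTNAME.SERVER
    return any(host == d or host.endswith("." + d) for d in patset)


def decide(req: ProxyRequest, allow_fn) -> str:
    """Bind order from the post: pol_url_allowed at priority 100 ends evaluation on
    a match (NOOP, request is proxied); otherwise pol_url_BLOCK_ALL (rule TRUE) answers 403."""
    return "NOOP" if allow_fn(req) else "403 Forbidden"


def deny_log_line(req: ProxyRequest, proxy_ip: str = "192.168.1.200") -> str:
    """Same fields as MessageAction_HTTP_Proxy_log_deny_policy writes to nslog.
    The post logs PATH_AND_QUERY; the full URL is used here for simplicity."""
    return (f"Client IP: {req.client_ip}; Req. Host: {req.hostname}; "
            f"Req. URL: {req.url}; Request method: {req.method}; "
            f"ProxyResponse: 403 Forbidden; Policy: pol_url_filtering_BLOCK_ALL_URL; "
            f"ProxyIP: {proxy_ip}")


SAMPLE_REQUESTS = [  # constructed, not captured traffic
    ProxyRequest("10.0.0.5", "CONNECT", "www.google.com:443", "www.google.com:443"),
    ProxyRequest("10.0.0.5", "GET", "login.microsoft.com", "http://login.microsoft.com/"),
    ProxyRequest("10.0.0.6", "CONNECT", "example.net:443", "example.net:443"),
    # the query string merely mentions an allowed name; the host is not on the list
    ProxyRequest("10.0.0.6", "GET", "example.net", "http://example.net/search?q=google.com"),
    # the hostname contains an allowed name but is not a subdomain of it
    ProxyRequest("10.0.0.6", "CONNECT", "google.com.example.net:443", "google.com.example.net:443"),
]


def evaluate(allow_fn) -> list:
    """Run every sample through the given allow rule; returns (method host, decision) pairs."""
    return [(f"{r.method} {r.hostname}", decide(r, allow_fn)) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for name, fn in (("as posted", allowed_as_posted), ("host anchored", allowed_host_anchored)):
        print(f"--- {name} ---")
        for key, verdict in evaluate(fn):
            print(f"{key:40} {verdict}")
    print("--- nslog lines the host-anchored rule would produce ---")
    for r in SAMPLE_REQUESTS:
        if not allowed_host_anchored(r):
            print(deny_log_line(r))
```

Running it shows the two rules agreeing on the first three samples and differing on the last two: the substring rule lets a request through whenever an allowed string appears anywhere in the hostname or URL, while the host-anchored rule only passes real subdomains of the listed names. For a jump-host use case where the allow list is the only control, the stricter form is the one to deploy, and the nslog lines give the SOC the host, client and policy name for every 403 the proxy returns.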
