Fine-tune Inspecting Traffic on Secure Connections Configured for a Reverse Proxy
When HTTPS is used to secure the web traffic exchanged between Secure Web Gateway, which acts as the server in this communication, and its clients, you can fine-tune how these secure connections are handled in your web policy.
If you have set up Secure Web Gateway to run in reverse proxy mode, you do this by configuring settings for the HTTPS Connection - Reverse Proxy feature. Running Secure Web Gateway in this mode is, for example, required to enable clientless access for a Private Access application.
Configuring these settings includes choosing the certificate and certificate chain that Secure Web Gateway sends to a client in its server role to secure the connection between them. It also includes further options for the handshake between client and server, which is performed to agree on how the connection is secured.
Because Secure Web Gateway is providing the functions of a reverse proxy in this configuration, it can also be referred to as the proxy.
1. On the user interface, select Policy > Web Policy > Feature Configuration.
2. From the Feature Config list, select HTTPS Connection - Reverse Proxy, then click New Configuration.
3. In the Name field, type a name for the new configuration, for example, Reverse Proxy Configuration. Optionally, click Add to type a comment.
4. Click Add Certificate. In the window that opens, click Browse and select the certificate file (including any intermediate certificates that clients need to build a trust path), then click Browse again, select the file containing the private key for that certificate, and click Next. Anyone who holds this private key can impersonate the proxy to its clients, so protect the key file accordingly.
The selected certificate appears in the Certificate List.
5. Configure the Handshake Settings.
a. Under Minimum SSL version allowed and Maximum SSL version allowed, select the range of SSL/TLS protocol versions that are accepted for the communication between client and server (proxy). Set the minimum no lower than the oldest version your clients actually require; allow versions below TLS 1.2 only where such a client exists.
b. Under SSL session cache TTL, specify the time (in seconds) for which the session parameters stored after a completed handshake remain valid for resuming later connections.
c. Under Handshake, select options to configure how the handshake is performed. The first three options adjust handshake behavior for compatibility with particular clients; change them from their defaults only when a client you must support cannot complete the handshake otherwise.
- Perform unsecure negotiations — When selected, the proxy accepts handshake negotiations with a client that are carried out over connections that are not themselves secure.
- Send empty plain text fragment — When selected, sending this type of fragment during the negotiations is accepted.
- Allow legacy signatures in the handshake — When selected, legacy signatures are accepted.
- SSL scanner functionality applies only to client connection — When selected, web traffic is scanned under the SSL protocol only on the connections between Secure Web Gateway and its clients, not on the connections between Secure Web Gateway and the web servers that clients request access to. Secure Web Gateway connects to a web server only after the client request for that server has been decrypted according to the rules of the HTTPS Decryption rule set.
If decryption is not performed completely under those rules, Secure Web Gateway still connects to the web server. In that case, the certificate that the web server submits is validated only if you have configured the decryption process to do so, so check those settings before relying on this option.
d. Under Cipher, configure which ciphers may be used for encrypting the secured connections.
- Select cipher by strength — When selected, you choose the ciphers by strength class:
- High — High cipher strength
- Medium — Medium cipher strength
- Configure cipher list manually using OpenSSL cipher list syntax — When selected, a text field appears where you can type a cipher list in the syntax of the OpenSSL ciphers command to specify exactly which cipher suites may be used. Check that the list resolves to the suites you intend before saving it.
6. Click Save.
The new configuration for HTTPS Connection - Reverse Proxy appears below this feature when you expand it in the Feature Config list.
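The version range and cipher list chosen in step 5 can be checked outside the proxy before they are saved. The following Python script is an added example and is not part of Secure Web Gateway or its documentation. It uses only the standard ssl module, which is backed by the local OpenSSL build, to expand a cipher list written in the OpenSSL syntax that the manual cipher-list field expects, flag suites a reviewer would not want on an internet-facing listener, mirror the version range in an SSLContext, and optionally connect to a running proxy to report the negotiated version and cipher and whether the chain it sends validates against the local trust store. The WEAK_MARKERS list, the 128-bit threshold and the proxy host name are the example's own assumptions; the page does not state which OpenSSL keywords the High and Medium choices correspond to, so OpenSSL's HIGH keyword is used here only as a typical list one would type in the manual field.

```python
"""Pre-flight checks for HTTPS Connection - Reverse Proxy handshake settings.

Added example, not part of Secure Web Gateway. Results of cipher-list
expansion depend on the local OpenSSL build, as they do on the proxy.
"""
import socket
import ssl
import sys

# Name fragments this example treats as unacceptable on an internet-facing
# listener: anonymous, export-grade, NULL, RC4, DES/3DES and MD5-based suites.
# This classification is the example author's, not a Secure Web Gateway setting.
WEAK_MARKERS = ("ADH", "AECDH", "EXP", "NULL", "RC4", "DES", "MD5")


def expand_cipher_list(spec: str) -> list:
    """Return the suites OpenSSL enables for a cipher list in OpenSSL syntax.

    Raises ssl.SSLError when the string matches no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def cipher_list_is_valid(spec: str) -> bool:
    """True when OpenSSL can select at least one suite from *spec*."""
    try:
        return len(expand_cipher_list(spec)) > 0
    except ssl.SSLError:
        return False


def weak_suites(spec: str) -> list:
    """Names of suites in *spec* under 128 bits or matching WEAK_MARKERS."""
    flagged = []
    for suite in expand_cipher_list(spec):
        name = suite["name"]
        if suite["strength_bits"] < 128 or any(m in name for m in WEAK_MARKERS):
            flagged.append(name)
    return flagged


def build_server_context(spec: str,
                         minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2,
                         maximum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_3) -> ssl.SSLContext:
    """Mirror the GUI's version range and cipher list in an SSLContext so the
    combination can be exercised locally before it is saved on the proxy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    ctx.maximum_version = maximum
    ctx.set_ciphers(spec)
    return ctx


def probe_proxy(host: str, port: int = 443,
                minimum: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2) -> dict:
    """Connect to the reverse proxy and report what it actually negotiated.

    Uses the default verifying context, so a chain that does not validate
    against the local trust store raises ssl.SSLCertVerificationError.
    Needs network access; not exercised offline. Host name is an assumption.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
            }


if __name__ == "__main__":
    # A typical manual list beside a deliberately permissive one.
    for spec in ("HIGH:!aNULL:!MD5", "ALL:COMPLEMENTOFALL"):
        if not cipher_list_is_valid(spec):
            print(f"{spec!r}: matches no suite, OpenSSL rejects it")
            continue
        print(f"{spec!r}: {len(expand_cipher_list(spec))} suites, "
              f"flagged: {weak_suites(spec) or 'none'}")
    if len(sys.argv) > 1:  # e.g. python check_rp_tls.py proxy.example.com 443
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        try:
            print(probe_proxy(host, port))
        except ssl.SSLCertVerificationError as exc:
            print(f"chain sent by {host} does not validate: {exc.verify_message}")
```

Run the script without arguments to see what the two lists expand to on the local OpenSSL; pass the proxy's host name and port to confirm, from a client's point of view, that the uploaded chain validates and that the negotiated version and cipher match the range and list configured in step 5.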
You can now select this configuration when working with the default HTTPS Connection Options rule set or a rule set for HTTPS connections that you have created on your own. To access these rule sets, expand the HTTPS Scanning branch of the rule set tree on a Web Policy page.
Selecting this configuration then allows you to provide a server certificate for communication on secure connections to the clients that differs from the default certificate for this communication.
When you are configuring clientless access for a Private Access application, you can also select this configuration, as Secure Web Gateway must run in reverse proxy mode for this type of access.
To configure clientless access for a Private Access application, hover over the settings icon in the top right corner of the user interface and, in the drop-down menus that open, navigate to Infrastructure > Private Access Configuration.