2.2. Procedure – HTTPS and non-transparent proxying

Purpose: 

The method described in Procedure 2.1, Enabling TLS-encryption in the connection can be used when the connections of the clients are proxied transparently. In the non-transparent case, use two HttpProxy classes. (A connection is non-transparent if the clients address the firewall host directly, and Application-level Gateway selects the target.)

Steps: 

  1. Create and configure a transparent Http proxy to handle HTTPS connections as described in Steps 1-4 of Procedure 2.1, Enabling TLS-encryption in the connection. If a transparent HTTPS proxy has already been created and configured, skip this step.

  2. Navigate to Application-level Gateway > Proxies, and create a non-transparent HTTP proxy using the predefined HttpProxyNonTransparent proxy class. Name this new class, for example, HttpSProxyNonTransparent.

  3. Select this newly created proxy (for example, HttpSProxyNonTransparent) and add the self.request attribute to the Changed config attributes panel. To configure the self.request attribute, complete the following steps.

    1. Select the attribute and click Edit.

      • To accept every request types, enter the * (asterisk) character, then click OK.

      • Alternatively, you can add the request types you want to permit. It is recommended to enable the GET, POST, HEAD, and CONNECT requests.

    2. Click on the text in the Type field, then select const_http_req_accept.

  4. Add the self.connect_proxy attribute to the Changed config attributes panel, then click Edit. Select the proxy to be used for the HTTPS connections from the appearing list (for example, StrongHttpsProxy).

    Note

    This proxy is needed to handle the TLS data communicated in the plain-text nontransparent HTTP connection. If you do not want to examine that this traffic is indeed HTTP traffic, use a simple PlugProxy configured to handle TLS connections as well.

    Python:

    class HttpSProxyNonTransparent(HttpProxyNonTransparent):
        def config(self):
            HttpProxyNonTransparent.config(self)
            self.connect_proxy=StrongHttpsProxy
            self.request["*"]=HTTP_REQ_ACCEPT
  5. Create a service that clients can use to access the Internet in a secure channel. This service will use the non-transparent Http proxy class (for example, HttpSProxyNonTransparent) created in Step 2.

    Create a service that clients can use to access the Internet.

    1. Select Services > New, and enter a name for the service (for example, intra_HTTP_inter).

    2. Select Proxy class > HttpSProxyNonTransparent.

    3. Select a Router for the service. Note the following points:

      • When non-transparently proxying HTTP traffic without any parent proxy, the Service must use InbandRouter.

      • If a parent proxy is used (that is, the clients connect to a web proxy like Squid through Application-level Gateway), DirectedRouter or InbandRouter can be used. InbandRouter can only be used if the parent_proxy and parent_proxy_port parameters are properly configured. If the firewall host is located network-transparently in front of the proxy server, even TransparentRouter can be used. For further details on Routers, see Section 6.4.5, Routing — selecting routers and chainers in Proxedo Network Security Suite 2 Administrator Guide.

    4. Configure the other parameters of the service as needed for your environment, then click OK.

    5. Select Firewall Rules > New > Service, and select the service created in the previous step.

      Note
      • If the clients connect directly to the firewall as a proxy, non-transparent service has to be used (using the same IP:port pair that is set on the clients).

      • If the firewall is located in front of the parent proxy used by the clients, a transparent listener has to be used, even though the proxy class used in the service is non-transparent.

    6. Configure the other parameters of the rule as needed for your environment, then click OK.

  6. Commit and upload the changes, then restart Application-level Gateway.