Blue Coat ProxySG First Steps Solution for Controlling HTTPS SGOS 6.7

Similar documents
Blue Coat Security First Steps Solution for Controlling HTTPS

Using Kerberos Authentication in a Reverse Proxy Environment

Blue Coat ProxySG First Steps Transparent Proxy Deployments SGOS 6.7

Office 365 Best Practices: Protocols

Blue Coat ProxySG First Steps Solution for Exception Pages SGOS 6.7

IPv6 Classification. PacketShaper 11.8

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide

Multi-Tenant Policy Deployment Guide

Migrating to a New ProxySG Appliance. ProxySG 900/9000 to ProxySG S400/500

Symantec Managed PKI. Integration Guide for ActiveSync

SGOS on KVM Deployment Guide

Blue Coat Security First Steps. Solution for Integrating Authentication using IWA BCAAA

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution

Reverse Proxy Deployment Guide

Partner Information. Integration Overview. Remote Access Integration Architecture

Partner Information. Integration Overview Authentication Methods Supported

Configuration & Management Guide

Cloud Link Configuration Guide. March 2014

Blue Coat Security First Steps Solution for Integrating Authentication Using LDAP

Symantec Encryption Management Server and Symantec Data Loss Prevention. Integration Guide

SGOS on AWS Deployment Guide

Blue Coat Security First Steps Solution for Streaming Media

Blue Coat Security First Steps Solution for Streaming Media

How to Configure SSL Interception in the Firewall

Blue Coat Security First Steps Solution for Exception Pages

Symantec Protection Center Getting Started Guide. Version 2.0

Symantec Validation and ID Protection. VIP Credential Development Kit Release Notes. Version May 2017

Managing Certificates

Symantec ediscovery Platform

Symantec Validation and ID Protection. VIP Credential Development Kit Release Notes. Version January 2017

Create Decryption Policies to Control HTTPS Traffic

Symantec Control Compliance Suite Express Security Content Update for Microsoft Windows Server 2008 R2 (CIS Benchmark 2.1.

PGP NetShare FlexResponse Plug-In for Data Loss Prevention

Symantec Ghost Solution Suite Web Console - Getting Started Guide

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide

Symantec Validation & ID Protection Service. Integration Guide for Microsoft Outlook Web App

PGP Viewer for ios. User s Guide 1.0

Symantec pcanywhere 12.5 SP4 Release Notes

Symantec PGP Viewer for ios

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3

BCCPP Q&As. Blue Coat Certified Proxy Professional. Pass Blue Coat BCCPP Exam with 100% Guarantee

BlueCoat BCCPP. Blue Coat Certified Proxy Professional.

Enterprise Vault Setting up Exchange Server and Office 365 for SMTP Archiving and later

Web Security Service. Near Real-Time Log Sync Solution Brief. Version /OCT

Configure the IM and Presence Service to Integrate with the Microsoft Exchange Server

Enterprise Vault Setting up Exchange Server and Office 365 for SMTP Archiving and later

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. For Red Hat Enterprise Linux 5

Novell Access Manager

Symantec Control Compliance Suite Express Security Content Update for JBoss Enterprise Application Platform 6.3. Release Notes

Symantec Workflow 7.1 MP1 Release Notes

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N Rev 01 July, 2012

Novell Access Manager

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Secure IIS Web Server with SSL

Nimsoft Monitor Server

Enterprise Vault Requesting and Applying an SSL Certificate and later

Configuring SSL. SSL Overview CHAPTER

SymantecTM Desktop and Laptop Option. Symantec DLO s Storage in Cloud (Amazon Web Services)

Configuring Symantec Protection Engine for Network Attached Storage. Dell FluidFS 5.0

Message Manager Administrator Guide

Configuring SSL CHAPTER

Symantec Drive Encryption Evaluation Guide

Symantec NetBackup Vault Operator's Guide

How to Set Up External CA VPN Certificates

Using Microsoft Certificates with HP-UX IPSec A.03.00

Configuring SSL. SSL Overview CHAPTER

Veritas Desktop and Laptop Option 9.1 Qualification Details with Cloud Service Providers (Microsoft Azure and Amazon Web Services)

Veritas NetBackup Vault Operator s Guide

F5 SSL Orchestrator: Setup. Version

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. AIX 5.3 and 6.1

Enterprise Vault.cloud Journaling Guide

CertAgent. Certificate Authority Guide

About DPI-SSL. About DPI-SSL. Functionality. Deployment Scenarios

Comprehensive Setup Guide for TLS on ESA

VMware AirWatch Integration with RSA PKI Guide

Veritas Desktop and Laptop Option Mobile Application Getting Started Guide

Symantec Cloud Workload Protection on AWS Marketplace. Buyer's Guide for Getting Started

Symantec Enterprise Security Manager Baseline Policy Manual for Security Essentials. Solaris 10

PGP Viewer for ios. Administrator s Guide 1.0

Message Manager Administrator Guide for ZA

Symantec Endpoint Protection, Symantec Endpoint Protection Small Business Edition, and Symantec Network Access Control 12.1.

Enterprise Vault Migrating Data Using the Microsoft Azure Blob Storage Migrator or later

One Identity Starling Two-Factor AD FS Adapter 6.0. Administrator Guide

Altiris Symantec Endpoint Protection Integration Component 7.1 SP1 Release Notes

SymantecTM Desktop and Laptop Option. Symantec DLO s Storage in Cloud (Amazon Web Services)

Symantec Desktop and Laptop Option 8.0 SP2. Symantec Desktop Agent for Mac. Getting Started Guide

Creating New MACHINEGUID and Disk UUID Using the PGPWdeUpdateMachineUUID.exe Utility

NetBackup Copilot for Oracle Configuration Guide. Release 2.7.1

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

Symantec Enterprise Vault

Veritas System Recovery 18 Management Solution Administrator's Guide

Veritas NetBackup Appliance Security Guide

This Readme describes the NetIQ Access Manager 3.1 SP5 release.

Precise for BW. User Guide. Version x

Symantec Enterprise Vault

ProxySG Virtual Appliance MACH5 Edition Initial Configuration Guide

VMware Horizon View Deployment

ActivIdentity ActivID Card Management System and Juniper Secure Access. Integration Handbook

Patch Assessment Content Update Getting Started Guide for CCS 11.1.x and CCS 11.5.x

Security Content Update Release Notes for CCS 12.x

Transcription:

Blue Coat ProxySG First Steps Solution for Controlling HTTPS SGOS 6.7

Legal Notice Copyright 2018 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU. Symantec Corporation 350 Ellis Street Mountain View, CA 94043 www.symantec.com 3/12/2018

Blue Coat ProxySG First Steps Contents Solution: Control HTTPS Traffic 4 Verify Your ProxySG Setup for SSL 6 Create a Keyring 6 Create a Self-Signed Certificate 6 Create a CA-Signed Certificate 7 Configure SSL Proxy Services in an Explicit Deployment 10 Configure SSL Proxy Services in a Transparent Deployment 10 Configure Policy for the SSL Proxy 11 Verify SSL Traffic Interception 12 SSL Proxy Troubleshooting 13 Why does the ProxySG not trust allowed sites? 13 3

Controlling HTTPS Solution: Control HTTPS Traffic A large percentage of Internet traffic uses HTTPS to secure client-to-server communication. HTTPS negotiation is based on a trust relationship between the client (such as a web browser) and the server (the web server hosting the HTTPS page). That trust relationship is established when the client first connects to the server. At that point, the server identifies itself with a certificate that has been signed by an entity (a Certificate Authority) that the browser trusts. After the client and server establish a trust relationship, they agree on the level and type of security (typically TLS 1.1 or higher) that will be used to secure the connection. In the context of controlling your users' Internet traffic with a ProxySG appliance, HTTPS traffic presents a few challenges. With a simple set of policies used to control HTTP traffic, the appliance can only identify the unencrypted portions of the exchange between the client and the server in an HTTPS request and response scenario. The unencrypted data includes the client IP address, the port number used to establish the connection, the server's certificate, and some connection details, depending on the type of proxy deployment. In an explicit proxy deployment, policy can identify the server's hostname. In a transparent proxy deployment, policy can only see the server name and IP address. With this limited amount of information, controlling client requests based on elements such as the URL path fail. To affect policy further, the ProxySG appliance decrypts HTTPS traffic in transit, so that it can apply policy to it. This process is known as SSL interception. SSL interception works by having the client establish a trust relationship with the appliance, which can then enforce policy such as simple allow/deny actions based on the entire URL path of a request, or even advanced elements such as authentication, access logging, and user notification. The connection is re-encrypted before the proxy sends the request to the web server requested by the client, then the process happens in reverse for the server's response to the client. Standard HTTPS Communication 1. The client connects to the web server. 2. The server responds with a certificate and its preferred secure connection types (TLS 1.1, 1.2). 3. The client validates the server certificate based on the Certificate Authority certificates stored in the browser. 4. The client establishes a secure connection with the server, and the HTTPS page displays for the user. 4

Blue Coat ProxySG First Steps Intercepted HTTPS Communication 1. The client makes a request to the proxy for an HTTPS website. 2. The proxy validates the request and forwards that request to the web server. 3. The web server responds with a certificate and its preferred secure connection types (TLS 1.1, 1.2). 4. The proxy examines the certificate, decrypts the connection and presents its own server to the client, who validates it based on the Certificate Authority certificates stored in the browser. 5. The client sends a request to the proxy to establish a secure connection with the server. 6. The proxy compares the request with policy for the elements it can see and forwards the secure request to the web server. Steps 1. Make sure your ProxySG is set up properly for SSL. See "Verify Your ProxySG Setup for SSL" on the facing page. 2. Create an issuer keyring that uses either a self-signed or CA-signed certificate for SSL decryption. (The CA-signed page contains an example Microsoft setup; your setup may vary.) 3. Configure the appropriate service for your deployment: "Configure SSL Proxy Services in an Explicit Deployment" on page 10 or "Configure SSL Proxy Services in a Transparent Deployment" on page 10. 4. "Configure Policy for the SSL Proxy" on page 11. 5. "Verify SSL Traffic Interception" on page 12. 6. To ensure authentication works in a transparent deployment, see "Enable IWA Authentication for SSL Traffic in a Transparent Deployment" in the Authentication solution. 5

Controlling HTTPS Verify Your ProxySG Setup for SSL Verify the following before you begin setting up the SSL Proxy to intercept traffic. Verify your ProxySG appliance is functional, and can permit a proxied user to access Internet resources. Determine if your domain uses certificate signing services, This helps you decide whether you will be following the self-signed or CA-signed certificate process. If using a CA-signed certificate, have access to your certificate signing authority for your domain. Determine whether you are in a transparent or explicit setup. Verify the ProxySG is configured with a basic license and an SSL license. Select Maintenance Licensing > View > Licensed Components and verify SGOS 6 Proxy Edition and SSL. Verify the ProxySG to set to get its time from a reputable and reliable time source. To review your NTP settings on the ProxySG, check Configuration > General > Clock. Any discrepancies between the date and time in certificates created by the ProxySG and the actual time can cause unexpected behavior. Create a Keyring In order for the ProxySG appliance to decrypt SSL traffic, a keyring must be created. Keyrings are containers for SSL certificates on the appliance, and can be used to manage self-signed or CA-signed certificates. 1. Select Configuration > SSL > Keyrings > Create. 2. For Keyring name, enter a descriptive name for the keyring. 3. Select Show key pair, based on your security policy. 4. Leave the key size at 2048 bits. 5. Click OK and Apply to save your changes. Next Step: "Create a Self-Signed Certificate" below or "Create a CA-Signed Certificate" on the next page Create a Self-Signed Certificate Create a self-signed certificate if you don't want to use the Default certificate. If you do use the Default, you can skip this step. 1. In the Keyrings tab, Edit the newly created keyring (see "Create a Keyring" above). 2. Under Certificate, click Create. The Create Certificate form displays. 3. Fill in the certificate details. The Common Namemust match the ProxySG name or IP address that the client expects. Make note of the Challenge you create. 4. Click OK and then Close. For the keyring you created, Yes appears in the Certificate column, indicating a certificate is part of the keyring. 5. Apply your changes. Next Step: "Configure SSL Proxy Services in an Explicit Deployment" on page 10 or "Configure SSL Proxy Services in a Transparent Deployment" on page 10 6

Blue Coat ProxySG First Steps Create a CA-Signed Certificate Generate a CA-signed certificate for your SSL interception keyring. Select Configuration > General > Clock to confirm correct time configuration and NTP settings. Because SSL certificates include a date and time component, configure an NTP server to prevent potential problems. The following steps use Microsoft PKI server as an example. Where necessary, refer to your server/administration documentation for steps specific to your environment. 1 - Create a Certificate Signing Request Generate a certificate signing request (CSR) on the ProxySG appliance. You will use the CSR to request the certificate from a certificate signing authority. 1. In the ProxySG Management Console, select Configuration > SSL > Keyrings. 2. Select the interception keyring created in "Create a Keyring" on the previous page. Then, click Edit. 3. Under Certificate Signing Request,click Create. 4. Complete the fields as appropriate. Set the Common Name to the single hostname (resolvable via DNS) of the ProxySG. Click OK, click Close, and then click Apply. If the DNS name of the ProxySG appliance is not specified for Common Name, the web browser will return a not-trusted warning. Although specifying the DNS name of the ProxySG appliance is not a requirement for forward proxy SSL interception, it is a good practice to do so. Note that it is a requirement for reverse proxy HTTPS interception. 7

Controlling HTTPS 5. Edit the keyring. The Certificate Signing Request field displays the contents of the CSR. a. Copy this text to the clipboard (including the BEGIN and END text). b. Save it in a file and give it a meaningful name. c. Click Close. 2 - Request and Download Certificates Use the CSR to request and download the following from a trusted certificate signing authority: a subordinate/intermediate certificate for ProxySG interception (if not already created and downloaded) the root CA certificate This example uses Microsoft PKI as the certificate signing authority. Microsoft PKI services require that the user account is a domain administrator. 1. In Internet Explorer, go to the URL of the Microsoft Active Directory Certificate Services server you use to contact the certificate signing authority (typically http://<windows_server_ip_address>/certsrv/). 2. Click Request a certificate > Advanced Certificate request. Be sure to select Advanced certificate request; User Certificate refers to an individual user certificate. 8

Blue Coat ProxySG First Steps 3. Download the subordinate/intermediate certificate: a. Select Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request using a base-64-encoded PKCS #7 file. b. Copy the contents of the *.csr file you generated in Create a Certificate Signing Request. c. Paste the contents into the Base-64-encoded certificate request (CMC or PKCS#10 or PKCS#7) field. d. Select Certificate Template > Subordinate Certification Authority, and then click Submit. e. Select Base 64 encoded, and then click Download Certificate. Save the certificate with a meaningful name. The subordinate/intermediate certificate is saved. 4. (If needed) Download the root certificate: a. Click Home. b. Click Download a CA certificate, certificate chain, or CRL. c. Select the appropriate CA Certificate from the list at the top, select Base 64 as the encoding method, and click Download CA certificate. Save the certificate with a meaningful name. The CA certificate is saved. 3 - Install Certificates Install the certificate(s) on the ProxySG appliance: 1. In the ProxySG Management Console, select Configuration > SSL > Keyrings. 2. Select the interception keyring created in "Create a Keyring" on page 6. Then, click Edit. 3. In the Certificate section, click Import. 4. Copy and paste the contents of the interception keyring into the Import Certificate dialog. Then, click OK, Close, and Apply to save your changes. If you import an incorrect certificate, clicking Apply displays an error message. Viewing the error details shows the following message in red: The private key in the certificate '<certificate_name>' does not match the one in the keyring. In this case, you should go through the steps again and import the correct certificate. 5. Add the ProxySG interception certificate to the list of CA certificates on the ProxySG: a. Go to Configuration > SSL > CA Certificates. b. Click Import. c. Name the certificate, and then copy and paste the contents of the subordinate/intermediate certificate you downloaded in "2 - Request and Download Certificates" on the previous page. d. Click OK and then Apply. The CA Certificates list displays the certificate. 6. (If you have already imported the root CA certificate, skip this step.) Add the root CA certificate to the list of CA certificates on the ProxySG: a. Click Import on the CA Certificates tab. b. Name the certificate, and then copy and paste the contents of the root CA certificate you downloaded in "2 - Request and Download Certificates" on the previous page. c. Click OK and then Apply. The CA Certificates list displays the certificate. 7. (If you have already added the root CA certificate to the browser-trusted CA, skip this step.) Add the new certificates as browser-trusted CAs: a. Select the CA Certificates Lists tab. b. Select browser-trusted, and then click Edit. c. Select the certificate(s) you imported and click Add to move them to the right column. d. Click OK, and then click Apply. 8. Set the SSL Proxy to use the new keyring: a. Select Configuration > Proxy Settings > SSL Proxy. b. Under General Settings, set Issuer Keyring to the new keyring. 9

Controlling HTTPS c. Click Apply. The SSL Proxy now uses the new keyring. Next Step: "Configure SSL Proxy Services in an Explicit Deployment" below or "Configure SSL Proxy Services in a Transparent Deployment" below Configure SSL Proxy Services in an Explicit Deployment In an explicit deployment, you need to intercept the Explicit HTTP service, and make sure it has Detect Protocol enabled. Follow these steps in an explicit deployment to intercept and manage SSL traffic. 1. Select Configuration > Services > Proxy Services > Standard > Explicit HTTP. 2. Click Edit Service. The Management Console displays the Edit Service window. 3. In the Proxy settings section: Proxy: HTTP Detect Protocol: checked; this allows the service to see the host and path of the request, so the HTTP proxy can detect HTTPS traffic and hand it off to the internal SSL Proxy engine. 6. In the Listeners section: Port range: 8080 Action: Intercept 6. Select OK as required to close the windows. 7. Select Apply to confirm your changes. Next Step: "Configure Policy for the SSL Proxy" on the next page Configure SSL Proxy Services in a Transparent Deployment In a transparent deployment, you need to create a service based on the SSL proxy, and set this service to intercept. Depending on how user traffic reaches your ProxySG, the steps to configure the service listeners vary. If your system already has an HTTPS service, you don't need to create one. Just set port 443 to intercept. 1. Select Configuration > Services > Proxy Services. 2. Click New Service. The New Service dialog opens. 10

Blue Coat ProxySG First Steps 3. For the service name, type HTTPS. 4. Select SSL from the Proxy drop-down list. 5. Create a new listener: a. Click New. The New Listener dialog opens. b. For Port range, use 443 for transparent. c. For Action, choose Intercept. d. Click OK to close the dialogs. 4. Click OK as required to close the windows. 5. Click Apply to confirm your changes. Next Step: "Configure Policy for the SSL Proxy" below Configure Policy for the SSL Proxy SSL interception and access rules, including server certificate validation, are configured through policy, created in the 11

Controlling HTTPS VPM or written in CPL. Use the SSL Intercept Layer to configure SSL interception. With SSL interception in place, all standard Web Access Layer rules and actions will apply to SSL-intercepted requests. For example, the web access layer can be set to match the Destination, and further refined as required. Use the SSL Access Layer to control other aspects of SSL communication, such as server certificate validation, perform actions on non-intercepted sites based on the SSL certificate presented by secure sites, and control the SSL versions to support. Typically, you will want to intercept HTTPS (secure Internet) traffic. Once the traffic has been intercepted, you can perform many additional tasks. The Default proxy policy on Configuration > Policy Options > Default Proxy Policy supersedes all other policy. Typically, you will set this to Allow, then define denials through policy, with a last deny policy as a catch all. Install Basic HTTPS Interception Policy 1. Open the Visual Policy Manager (select Configuration > Policy > Visual Policy Manager > Launch). 2. Select Policy > Add SSL Intercept Layer, name the layer, and click OK. 3. Right-click in the new rule's Action column, and select Set > New > Enable SSL Interception. 4. In the Add SSL Interception Object dialog: a. Verify Enable HTTPS interception is selected. b. Check Issuer Keyring. c. From the drop-down menu, select the SSL keyring you created for SSL interception. d. Click OK to close the dialogs. 5. Click Install policy on the VPM window to save the SSL policy. You will see a confirmation message. Close the window. Make sure you have set up SSL proxy services, for transparent or explicit environments, as required. Verify SSL Traffic Interception Here are a few ways to monitor the performance of the SSL Proxy. Open a browser. Without SSL interception, the browser shows a lock icon in the address or status bar (depending on the browser). Clicking that lock shows who the issuer is, and that they're trusted. With SSL interception in place and working, the ProxySG's DNS name or IP address, depending on the configuration, is listed as the issuer. In your browser, look at the certificate info and verify it matches what you expect, including the IP address of your ProxySG. On the ProxySG, select Statistics > Sessions > Active Sessions, and filter by protocol for the HTTPS Forward Proxy. 12

Blue Coat ProxySG First Steps SSL Proxy Troubleshooting Why does the ProxySG not trust allowed sites? 13 Why does the ProxySG not trust allowed sites? Problem: Users sometimes have connections blocked to allowed sites. Resolution: By default, the ProxySG does not trust invalid certificates. If your users are having connections to allowed sites blocked, you can fix the problem by disabling server certificate validation for specific hosts. 1. In the VPM, add an SSL Access layer (if you don't already have one) or add a rule in the existing SSL Access layer. 2. In the row for the new rule, right-click in the Destination column, and select Set. 3. In the Set Destination Object window, select New > Destination Host/Port, enter the host name you want to set an exception for and select the matching criteria (such as Contains or Domain). Click Add, Close, and OK. 13

Controlling HTTPS 4. Right-click in the Action column, and select Set. 5. In the Set Action Object window, select New > Set Server Certificate Validation. 6. In the Add Server Certificate Validation Object window, check Disable server certificate validation, then click OK. 7. Repeat the above steps, adding a new rule for each exception host. 8. In the VPM window, click Install policy. 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback