Solved

SSL(https)  though Proxy device

Posted on 2010-11-24
5
821 Views
Last Modified: 2012-06-21
Hi ,

My question is
Q1.Can anyone explain me how SSL (HTTPS) connections work through a Proxy device (forward proxy)
Q2.I am confused why  certificate is required on the proxy device in order to pass requested traffic from the browser. how does this whople proccess work ?
Q3. Waht does SSL client mean ... i see this option avialiable on the  Blucoat proxy device
Q4.I recently installed a bluecoat ProxySG510 device in our enviroment but i cannot open any https connections (it already has a default certificate installed on it.) can anyone explainn me why ?

Please advice


0
Comment
Question by:gurkamal01
5 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 250 total points
ID: 34211720
A1 HTTPS connections usually use tcp port 443
A2 probably it re-encrypts all the sites from the web under its own certificate
A3 browsers send HTTP CONNECT request and than attach ssl client to resultant connection
A4 i have no idea... What error you get from https://login.yahoo.com/ ?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 250 total points
ID: 34212585
There are two types of proxies, forward and reverse.  Are you trying to use the Bluecoat as a forward proxy or a reverse proxy?

Forward proxies are the "norm" and this is where you configure your web browser to use a proxy or you can also install the proxy in-line so that it is transparent.

Reverse proxies are used to front end web/application servers for load balancing.

There are two ways to pass HTTPS traffic through a proxy (either forward or reverse).  

One way is where the proxy just acts as a relay device.  It gets a packet on the ssl'ed port (as gheist stated normally this  is 443 for http traffic) and then relays the packet to the real server.  The proxy can't see inside the packet because it is encrypted.  This is the norm.

Another way is it is the actual end point in the SSL session and it has the key and will decrypt the packet, maybe examine information in the packet to make some decisions, and then forward the packet to the correct destination.    Depending on if you are using a forward or reverse proxy will depend where you may or may not want to do encryption/decyption.  Examples:



  SERVER <-- SSL'ed traffic --> Forward PROXY pass thru <-- SSL'ed traffic --> Client
  SERVER <-- SSL'ed traffic --> Forward PROXY decrypt  <-- clear text traffic --> Client

  SERVER <-- SSL'ed traffic --> Reverse PROXY pass thru <-- SSL'ed traffic --> Client
  SERVER <-- SSL'ed traffic --> Reverse PROXY decrypt <-- SSL'ed traffic --> Client
  SERVER <-- clear text traffic --> Reverse PROXY partial decrypt <-- SSL'ed traffic --> Client


Pass thru means that the proxy just passes the traffic through without doing any encptyion

Decrypt means that the proxy is decrypting the traffic and re-encrypting the traffic.  In this setup the proxy must have a key file.

Partial decrypt is when the connection between the proxy and the client is encrypted, but the session between the proxy and the server is not.
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 34936517
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Comware OS Simulator and GNS3 5 168
Find computer name from username 9 105
what is mstp 6 60
Cisco 4400 will not take SFP module ? SFP 10 GB module 1 43
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question