Solved

SSL (HTTPS) through Proxy device

Posted on 2010-11-24
Last Modified: 2012-06-21
Hi ,

My question is
Q1. Can anyone explain to me how SSL (HTTPS) connections work through a proxy device (forward proxy)?
Q2. I am confused why a certificate is required on the proxy device in order to pass requested traffic from the browser. How does this whole process work?
Q3. What does SSL client mean ... I see this option available on the Bluecoat proxy device.
Q4. I recently installed a Bluecoat ProxySG510 device in our environment but I cannot open any HTTPS connections (it already has a default certificate installed on it). Can anyone explain to me why?

Please advise


Question by:gurkamal01

Accepted Solution

by:
gheist earned 250 total points
ID: 34211720
A1. HTTPS connections usually use TCP port 443.
A2. Probably it re-encrypts all the sites from the web under its own certificate.
A3. Browsers send an HTTP CONNECT request and then attach an SSL client to the resultant connection.
A4. I have no idea... What error do you get from https://login.yahoo.com/ ?

Assisted Solution

by:giltjr
giltjr earned 250 total points
ID: 34212585
There are two types of proxies, forward and reverse.  Are you trying to use the Bluecoat as a forward proxy or a reverse proxy?

Forward proxies are the "norm" and this is where you configure your web browser to use a proxy or you can also install the proxy in-line so that it is transparent.

Reverse proxies are used to front end web/application servers for load balancing.

There are two ways to pass HTTPS traffic through a proxy (either forward or reverse).  

One way is where the proxy just acts as a relay device.  It gets a packet on the SSL'ed port (as gheist stated, normally this is 443 for http traffic) and then relays the packet to the real server.  The proxy can't see inside the packet because it is encrypted.  This is the norm.

Another way is where it is the actual end point in the SSL session and it has the key and will decrypt the packet, maybe examine information in the packet to make some decisions, and then forward the packet to the correct destination.  Whether you are using a forward or reverse proxy will determine where you may or may not want to do encryption/decryption.  Examples:



  SERVER <-- SSL'ed traffic --> Forward PROXY pass thru <-- SSL'ed traffic --> Client
  SERVER <-- SSL'ed traffic --> Forward PROXY decrypt  <-- clear text traffic --> Client

  SERVER <-- SSL'ed traffic --> Reverse PROXY pass thru <-- SSL'ed traffic --> Client
  SERVER <-- SSL'ed traffic --> Reverse PROXY decrypt <-- SSL'ed traffic --> Client
  SERVER <-- clear text traffic --> Reverse PROXY partial decrypt <-- SSL'ed traffic --> Client


Pass thru means that the proxy just passes the traffic through without doing any encryption.

Decrypt means that the proxy is decrypting the traffic and re-encrypting the traffic.  In this setup the proxy must have a key file.

Partial decrypt is when the connection between the proxy and the client is encrypted, but the session between the proxy and the server is not.
0
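The pass-through (relay) mode described in the two answers above, as an added example that is not code from the thread or from the Bluecoat product: a minimal forward proxy that reads the browser's CONNECT line, answers 200, then copies bytes in both directions without looking inside the SSL session. All function names are illustrative assumptions, and bracketed IPv6 targets are not handled.

```python
import contextlib
import socket
import threading

def parse_connect(head: bytes):
    """Return (host, port) from 'CONNECT host:port HTTP/1.1', or None."""
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, _, port = parts[1].rpartition(":")
    return (host, int(port)) if host and port.isdigit() and int(port) < 65536 else None

def pump(src, dst):
    """Copy bytes one way until EOF; the payload is never interpreted."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    for s in (src, dst):  # one side closed: tear down both legs
        with contextlib.suppress(OSError):
            s.shutdown(socket.SHUT_RDWR)

def reject(client, status: bytes):
    client.sendall(b"HTTP/1.1 " + status + b"\r\n\r\n")
    client.close()

def handle_client(client):
    """Pass-through mode: read the CONNECT head, dial the origin, relay."""
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = client.recv(4096)
        if not chunk:
            return client.close()
        head += chunk
    target = parse_connect(head)
    if target is None:
        return reject(client, b"400 Bad Request")
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        return reject(client, b"502 Bad Gateway")
    upstream.settimeout(None)  # connect timeout only; the tunnel may idle
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    upstream.sendall(head.split(b"\r\n\r\n", 1)[1])  # early bytes, if any
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)

def serve(listener):
    while True:  # accept loop, one thread per client
        conn, _ = listener.accept()
        threading.Thread(target=handle_client, args=(conn,), daemon=True).start()
```

The only thing this relay learns is the host and port in the CONNECT line, which is why a proxy that must inspect content has to terminate the SSL session itself and present its own certificate. A deployed proxy would also restrict which hosts and ports CONNECT may reach.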
 

Expert Comment

by:Qlemo
ID: 34936517
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.