Solved

SSL(https)  though Proxy device

Posted on 2010-11-24
5
826 Views
Last Modified: 2012-06-21
Hi ,

My question is
Q1.Can anyone explain me how SSL (HTTPS) connections work through a Proxy device (forward proxy)
Q2.I am confused why  certificate is required on the proxy device in order to pass requested traffic from the browser. how does this whople proccess work ?
Q3. Waht does SSL client mean ... i see this option avialiable on the  Blucoat proxy device
Q4.I recently installed a bluecoat ProxySG510 device in our enviroment but i cannot open any https connections (it already has a default certificate installed on it.) can anyone explainn me why ?

Please advice


0
Comment
Question by:gurkamal01
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 250 total points
ID: 34211720
A1 HTTPS connections usually use tcp port 443
A2 probably it re-encrypts all the sites from the web under its own certificate
A3 browsers send HTTP CONNECT request and than attach ssl client to resultant connection
A4 i have no idea... What error you get from https://login.yahoo.com/ ?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 250 total points
ID: 34212585
There are two types of proxies, forward and reverse.  Are you trying to use the Bluecoat as a forward proxy or a reverse proxy?

Forward proxies are the "norm" and this is where you configure your web browser to use a proxy or you can also install the proxy in-line so that it is transparent.

Reverse proxies are used to front end web/application servers for load balancing.

There are two ways to pass HTTPS traffic through a proxy (either forward or reverse).  

One way is where the proxy just acts as a relay device.  It gets a packet on the ssl'ed port (as gheist stated normally this  is 443 for http traffic) and then relays the packet to the real server.  The proxy can't see inside the packet because it is encrypted.  This is the norm.

Another way is it is the actual end point in the SSL session and it has the key and will decrypt the packet, maybe examine information in the packet to make some decisions, and then forward the packet to the correct destination.    Depending on if you are using a forward or reverse proxy will depend where you may or may not want to do encryption/decyption.  Examples:



  SERVER <-- SSL'ed traffic --> Forward PROXY pass thru <-- SSL'ed traffic --> Client
  SERVER <-- SSL'ed traffic --> Forward PROXY decrypt  <-- clear text traffic --> Client

  SERVER <-- SSL'ed traffic --> Reverse PROXY pass thru <-- SSL'ed traffic --> Client
  SERVER <-- SSL'ed traffic --> Reverse PROXY decrypt <-- SSL'ed traffic --> Client
  SERVER <-- clear text traffic --> Reverse PROXY partial decrypt <-- SSL'ed traffic --> Client


Pass thru means that the proxy just passes the traffic through without doing any encptyion

Decrypt means that the proxy is decrypting the traffic and re-encrypting the traffic.  In this setup the proxy must have a key file.

Partial decrypt is when the connection between the proxy and the client is encrypted, but the session between the proxy and the server is not.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 34936517
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question