Solved

SSL (HTTPS) through Proxy device

Posted on 2010-11-24
5
825 Views
Last Modified: 2012-06-21
Hi,

My question is
Q1. Can anyone explain to me how SSL (HTTPS) connections work through a proxy device (forward proxy)?
Q2. I am confused why a certificate is required on the proxy device in order to pass requested traffic from the browser. How does this whole process work?
Q3. What does "SSL client" mean? I see this option available on the Blue Coat proxy device.
Q4. I recently installed a Blue Coat ProxySG 510 device in our environment but I cannot open any HTTPS connections (it already has a default certificate installed on it). Can anyone explain to me why?

Please advise


0
Question by:gurkamal01
5 Comments
 
LVL 62

Accepted Solution

by:
gheist earned 250 total points
ID: 34211720
A1 HTTPS connections usually use TCP port 443
A2 probably it re-encrypts all the sites from the web under its own certificate
A3 browsers send an HTTP CONNECT request and then attach the SSL client to the resultant connection
A4 I have no idea... What error do you get from https://login.yahoo.com/ ?
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 250 total points
ID: 34212585
There are two types of proxies, forward and reverse.  Are you trying to use the Bluecoat as a forward proxy or a reverse proxy?

Forward proxies are the "norm" and this is where you configure your web browser to use a proxy or you can also install the proxy in-line so that it is transparent.

Reverse proxies are used to front end web/application servers for load balancing.

There are two ways to pass HTTPS traffic through a proxy (either forward or reverse).

One way is where the proxy just acts as a relay device.  It gets a packet on the SSL'ed port (as gheist stated, normally this is 443 for HTTP traffic) and then relays the packet to the real server.  The proxy can't see inside the packet because it is encrypted.  This is the norm.

Another way is it is the actual end point in the SSL session and it has the key and will decrypt the packet, maybe examine information in the packet to make some decisions, and then forward the packet to the correct destination.  Whether you are using a forward or reverse proxy will determine where you may or may not want to do encryption/decryption.  Examples:

  SERVER <-- SSL'ed traffic --> Forward PROXY pass thru <-- SSL'ed traffic --> Client
  SERVER <-- SSL'ed traffic --> Forward PROXY decrypt  <-- clear text traffic --> Client

  SERVER <-- SSL'ed traffic --> Reverse PROXY pass thru <-- SSL'ed traffic --> Client
  SERVER <-- SSL'ed traffic --> Reverse PROXY decrypt <-- SSL'ed traffic --> Client
  SERVER <-- clear text traffic --> Reverse PROXY partial decrypt <-- SSL'ed traffic --> Client

Pass thru means that the proxy just passes the traffic through without doing any encryption.

Decrypt means that the proxy is decrypting the traffic and re-encrypting the traffic.  In this setup the proxy must have a key file.

Partial decrypt is when the connection between the proxy and the client is encrypted, but the session between the proxy and the server is not.
0
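The CONNECT exchange gheist describes in A3 and the forward-proxy "pass thru" mode giltjr describes above, as an added example that is not part of the original thread and is not Blue Coat code. It is a minimal HTTP CONNECT forward proxy in pass-through mode, written in Python with only the standard library: the client (standing in for the browser) sends CONNECT host:port, the proxy opens its own TCP connection to that host:port, answers 200, and from then on copies bytes in both directions without interpreting them. The origin here is a local echo server standing in for a web server, and the bytes the client sends after the 200 are a constructed placeholder for the TLS ClientHello, since the proxy treats them as opaque either way. The function names (parse_connect, handle_proxy_client, connect_through_proxy, demo) are mine, not the appliance's.

```python
# Added example, not code from the thread or from Blue Coat: a minimal HTTP CONNECT
# forward proxy in pass-through mode. The origin is a local echo server standing in
# for a web server; the bytes sent after CONNECT are a constructed stand-in for a
# TLS ClientHello (not a real one).
import contextlib
import socket
import threading

def parse_connect(request_line):
    """Parse b'CONNECT host:port HTTP/1.x'; return (host, port) or None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0] != b"CONNECT" or not parts[2].startswith(b"HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(b":")
    if not sep or not host or not port.isdigit():
        return None
    return host.decode("ascii"), int(port)

def read_head(sock):
    """Read an HTTP request/response head up to the blank line that ends it."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.partition(b"\r\n\r\n")[0]

def relay(src, dst):
    """Copy bytes one way until EOF; the proxy never interprets them."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # pass the EOF along to the other side

def handle_proxy_client(client, seen):
    """Pass-through mode: all the proxy learns is the host:port in CONNECT."""
    target = parse_connect(read_head(client).split(b"\r\n", 1)[0])
    if target is None:
        client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        client.close()
        return
    seen.append(target)
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:  # origin unreachable: the browser sees a proxy error, not a TLS one
        client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
        client.close()
        return
    client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    back = threading.Thread(target=relay, args=(upstream, client), daemon=True)
    back.start()
    relay(client, upstream)
    back.join()
    client.close()
    upstream.close()

def echo_handler(conn):
    """Stand-in origin: echoes what it receives, closes on EOF."""
    with conn:
        while data := conn.recv(4096):
            conn.sendall(data)

def start_server(handler):
    """Listen on a random loopback port in a daemon thread; return (host, port)."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    def accept_loop():
        while True:
            conn, _ = lsock.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()

def connect_through_proxy(proxy_addr, host, port, payload):
    """Browser side: CONNECT, check for 200, then talk through the tunnel.
    Returns (proxy status line, bytes that came back through the tunnel)."""
    s = socket.create_connection(proxy_addr, timeout=5)
    s.sendall(b"CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n"
              % (host.encode(), port, host.encode(), port))
    status = read_head(s).split(b"\r\n", 1)[0]
    if not status.startswith(b"HTTP/1.1 200"):
        s.close()
        return status, b""
    s.sendall(payload)  # a real browser sends its TLS ClientHello here
    s.shutdown(socket.SHUT_WR)
    got = b""
    while chunk := s.recv(4096):
        got += chunk
    s.close()
    return status, got

def demo():
    """Run origin and proxy on loopback, then push one tunnel through."""
    seen = []
    origin = start_server(echo_handler)
    proxy = start_server(lambda c: handle_proxy_client(c, seen))
    hello = b"\x16\x03\x01\x00\x05hello"  # constructed, not a real ClientHello
    status, echoed = connect_through_proxy(proxy, "127.0.0.1", origin[1], hello)
    return seen, status, echoed
```

Call demo() to run it: seen records the only thing a pass-through proxy learns (the host:port from the CONNECT line, which is what it can log or filter on), and echoed shows the tunnel carrying the payload untouched. If the proxy cannot reach the origin it answers 502 instead of 200, so the browser reports a proxy error rather than a certificate error. The "decrypt" mode giltjr describes is the one case this example deliberately does not cover: there the proxy would terminate TLS itself right after the 200, presenting a certificate for the requested host that the browser must trust, which is why that mode needs a key and certificate on the device.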
 
LVL 70

Expert Comment

by:Qlemo
ID: 34936517
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
0
