Bluecoat: SSL Proxy for the Proxy SG

This article describes the functionality of the SSL Proxy and SSL traffic interception.

Benefits of SSL Forwarding Proxy

Security is increased by server certificate validation (including CRL checks), virus scanning and URL filtering. Log visibility also increases and, in addition, intercepted data can be cached.

The Proxy SG will act as a man in the middle. The client will get a digital cert that appears to be from the server but will really be from the Proxy SG, as follows:

  1. Client sends HELLO to ProxySG
  2. ProxySG sends HELLO to server
  3. Server sends server cert to ProxySG
  4. ProxySG sends its own certificate to the client (either from its own CA or self-signed)

 

  • The cert from the ProxySG will look like a server cert but it will not be signed by Verisign or another CA.
  • The proxy cannot handle client certs (bidirectional certs). Therefore sites that require client certs cannot be intercepted.
  • The default policy behavior is not to intercept SSL traffic.
  • You can selectively intercept traffic. For example, you may not want to intercept banking sites.
  • There is an SSL coprocessor that handles most of the work and does not add a lot of overhead.
  • The SSL proxy has the ability to distinguish between SSL and non-SSL on the same port.
  • Determining what HTTPS traffic to intercept: the Proxy SG has the ability to make intercept decisions based on the certificate host name or site categorization.
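
Telling SSL from non-SSL traffic on the same port can be done by inspecting the first bytes the client sends. The Python code below is an added example of that general technique, not Blue Coat code and not a description of the ProxySG's internal logic; the function names and the sample byte strings are constructed for illustration.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")

def classify_first_bytes(data: bytes) -> str:
    """Hypothetical helper: label the first bytes a client sends on a port.

    Returns 'tls', 'sslv2-hello', 'http', 'need-more-data' or 'other'.
    """
    if len(data) < 6:
        return "need-more-data"
    # SSLv3/TLS record header: type(1) major(1) minor(1) length(2),
    # then the handshake message type (0x01 = ClientHello).
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if (ctype == 0x16 and major == 0x03 and minor <= 0x04
            and 0 < rec_len <= 16384 and data[5] == 0x01):
        return "tls"
    # SSLv2-format ClientHello: 2-byte header with the high bit set,
    # message type 0x01, then the offered version (0x0002 or 0x03xx).
    if (data[0] & 0x80 and data[2] == 0x01
            and (data[3:5] == b"\x00\x02" or data[3] == 0x03)):
        return "sslv2-hello"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "other"

# Constructed sample inputs (not captured traffic).
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16030100c8010000c40303"),
    "sslv2_compat_hello": bytes.fromhex("802e0103010015"),
    "plain_http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_9.6\r\n",
    "short_read": b"\x16\x03\x01",
}

def classify_samples() -> dict:
    """Classify every constructed sample and return name -> label."""
    return {name: classify_first_bytes(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:20} -> {label}")
```

A `need-more-data` result means the caller should read further bytes before deciding how to handle the connection.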


Bluecoat Recommendations for Traffic Interception

  • Intercept Intranet Traffic
  • Intercept suspicious Internet sites, especially those categorized as NONE.
  • Intercept web mail based sites.

You can notify users of SSL intercepted traffic by using the HTML Notify User object after the interception.


SSL Proxy detects the following certificate errors:

  • Expired certificates
  • Untrusted issuer
  • Certificate has been revoked

Selectively Intercepting SSL Traffic

  1. Launch VPM
  2. Add a new SSL Intercept Layer
  3. Right click on the destination and select New.
  4. Select the Certificate Category then choose your content filter (Bluecoat, Websense, etc).
  5. Select the categories you want to intercept.
  6. Click OK, then OK again.
  7. Right click on the ACTION field and select NEW.
  8. Select SSL Forward Proxy Object and then check the Intercept as HTTPS and Issuer Keyring.
  9. Select OK, then OK again.
  10. Apply the policy.