6 Replies Latest reply on Jan 7, 2011 12:19 PM by jont717

    Transparent SSL connections - transparent common name

    jont717

      Trying to understand the best settings for my Proxy.

       

      We are using our gateways in Proxy and WCCP mode. What should be the settings under HTTP Proxy for transparent SSL and common name handling?

       

      Here is what we have now (we have had some problems with the rule set "Allow matching hostname"):

      [screenshot: proxy.png]

      9090 is direct proxy (.pac files)  9099 is WCCP transparent mode.

      What should be True and False??

       

       

      [screenshot: sslscanner.png]

      I want to make sure it is set up to work correctly with these rules.  Verify common name (proxy setup)  ....(transparent setup)

        • 1. Re: Transparent SSL connections - transparent common name

          Checking if you have checked the "Transparent common name handling for proxy requests" in your configuration settings?

           

          This can be found under Configuration > Proxies > edit HTTP Proxy.

           

          Is this something that will help accomplish what you are looking for?

           

          Transparent common name handling for proxy requests:


          When selected, the HTTP proxy does not use the destination IP address of a request to
          create a common name for the certificate it issues. Instead, it copies the common name of
          the certificate that the destination server delivered. This might cause a problem if there is
          a common name mismatch in this certificate.

           

           

          on 1/6/11 1:06:21 PM CST
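An added illustration, not part of the thread and not McAfee Web Gateway code: a small Python model of the option text quoted in reply 1, showing which common name ends up in the issued certificate with the option off and on, and when the client then sees a mismatch. The function names, hostnames and addresses are constructed for the example.

```python
# Added illustration: a model of the behaviour described in the thread,
# not McAfee Web Gateway code. All names and sample values are constructed.

def cn_matches(requested_host, cn):
    """True if the certificate CN covers the host the client asked for.
    A '*.' wildcard stands for exactly one left-most label."""
    host = requested_host.lower().rstrip(".")
    cn = cn.lower().rstrip(".")
    if cn.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == cn[2:]
    return host == cn


def issued_cn(request_destination, server_cert_cn, transparent_cn_handling):
    """CN the proxy writes into the certificate it issues to the client.
    Option off: taken from the request's destination (an IP address when the
    traffic was redirected to the proxy). Option on: copied from the
    certificate the destination server delivered."""
    return server_cert_cn if transparent_cn_handling else request_destination


def client_sees_mismatch(requested_host, request_destination,
                         server_cert_cn, transparent_cn_handling):
    """True if the issued certificate's CN does not cover the requested host."""
    cn = issued_cn(request_destination, server_cert_cn, transparent_cn_handling)
    return not cn_matches(requested_host, cn)


# Constructed cases: (label, host the browser asked for, request destination,
# CN on the real server's certificate).
CASES = [
    ("good server cert", "www.example.test", "192.0.2.10", "www.example.test"),
    ("wildcard server cert", "www.example.test", "192.0.2.10", "*.example.test"),
    ("server cert for another name", "www.example.test", "192.0.2.10", "shop.example.test"),
]


def run_cases():
    """Return {label: (mismatch with option off, mismatch with option on)}."""
    return {label: (client_sees_mismatch(h, d, cn, False),
                    client_sees_mismatch(h, d, cn, True))
            for label, h, d, cn in CASES}


if __name__ == "__main__":
    for label, (off, on) in run_cases().items():
        print(f"{label:30} option off: mismatch={off}  option on: mismatch={on}")
```

The third case is the caveat in the quoted option text: with the option on, a server certificate that already has the wrong name passes its mismatch through to the client.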
          • 2. Re: Transparent SSL connections - transparent common name
            jont717

            These screen shots are from my appliance.  I know where all the settings are, I just want to know if they are right.

             

            Should I have "Server transparent SSL"  set to TRUE for direct proxy?

             

            Should I have "Transparent common name handling for  proxy requests" set to TRUE for direct proxy?

             

            How should they be set for my WCCP port 9099?

             

            We have been getting some "Common Name Mismatch errors"....

            • 3. Re: Transparent SSL connections - transparent common name

              Though you may know where these settings are on your appliance, other readers may not be aware, and I think describing them in detail will be more helpful.

               

              If you have an explicit port listening on your appliance that accepts the WCCP traffic then yes, only enable this here.

               

              Or if you have just the default port 9090 listening for both direct and transparent I don't see why there would be an issue.

               

              However, in your screen shot I can't tell if you have port 9090 listening on the same IP address?

               

              If you do, this appears incorrect because you have one set not to serve transparent requests and the other (with the same IP and port) to serve transparent requests. I don't think you can have both settings on the same IP/port.

              • 4. Re: Transparent SSL connections - transparent common name
                jont717

                Should direct proxy serve transparent SSL connections?  Or should only my WCCP proxy port serve transparent SSL connections?

                 

                Both ports 9090 and 9099 are listening on the same IP address. (They have to be, it is the only IP address the appliance has)

                 

                Port 9099 is the one that accepts WCCP traffic.

                [screenshot: proxy.png]

                 

                 

                Message was edited by: jont717 on 1/6/11 2:23:29 PM CST

                 

                 

                Message was edited by: jont717 on 1/6/11 2:26:25 PM CST
                • 5. Re: Transparent SSL connections - transparent common name

                  Sorry for the confusion and your proxy settings are correct.

                   

                  You are serving WCCP requests to proxy port 9099 and this is the location where you want to enable the "Transparent common name handling for proxy requests".

                   

                  This is what you need for the Web Gateway to use the common name in the certificate instead of the destination IP address.

                   

                   

                  on 1/6/11 2:58:56 PM CST

                   

                  jont-

                   

                  I spoke to Jon and he verified the default rule set you have configured is correct.

                   

                  The proxy port settings are also correct. To explain: if you check the "Transparent common name handling for proxy requests", this means that it will do the same in Proxy as in transparent setup.

                   

                  You don't need to have this checked since everything is correct.

                   

                  The above would only be needed for special Sidewinder setups.

                   

                   

                  on 1/6/11 3:07:38 PM CST
                  • 6. Re: Transparent SSL connections - transparent common name
                    jont717

                    Okay, so I want  "Transparent common name handling for proxy requests" to be TRUE for WCCP port 9099?   What can be done about the Common Name Mismatch errors that we sometimes get?

                     

                    Now what about the "Server Transparent SSL connections"?  Should that be False for direct proxy, port 9090?

                     

                    Thanks!

                     

                     

                    Message was edited by: jont717 on 1/7/11 12:19:07 PM CST