13 Replies. Latest reply on Oct 2, 2012 1:56 PM by danob

    Non-transparent HTTPS in Sidewinder 8

    PhilM

      In version 7 it was possible to create an HTTP proxy service and within the definition of the service configure it to be non-transparent.

      We used this with a number of our customers who had been running Sidewinder from the 5.x/6.x days when it contained an implementation of the Squid web proxy service. We created a custom HTTP service running on TCP/3128. This allowed browser configurations to remain as they were or for an existing internal web proxy service to continue upstreaming its connections to Sidewinder.

      In the version 7 HTTP application defense definition (connections tab) there was a single check box called "Allow non-transparent HTTPS traffic through the HTTP proxy".

      However, in v8 this check box no longer exists.

      So, how does v8 deal with non-transparent HTTPS? Can it deal with non-transparent HTTPS?

        • 1. Re: Non-transparent HTTPS in Sidewinder 8

          Hello Phil,

          I can understand the confusion with non-transparent HTTPS in version 8. We have written a KB article that may help, please take a look at KB70020. Let us know if you have any further questions.

          -Matt

          • 2. Re: Non-transparent HTTPS in Sidewinder 8
            PhilM

            Thanks for sending me in the direction of the KB article, Matt, though I believe that this covers what we had essentially worked out for ourselves. Alas, it doesn't seem to work.

            I've created an application called "Squid". The parent application is HTTP and I have specified TCP port 3128.

            I've then created a rule for this service called "Non-Trans_WebBrowsing" and, as per the KB, selected "Override Ports" and added "SSL/3128" to the existing TCP/3128 entry.

            In addition to this, the rule is using an Application Defense group consisting of an HTTP defense in order to apply a SmartFilter policy and a Generic defense which has the HTTP connection settings set to non-transparent.

            When I try to save the rule, it comes up with the error:

            Error encountered while modifying rule data:
            rule:Non-Trans_WebBrowsing: ssl_ports may not be specified with the applications in this rule.

            For your reference, I am running 8.1.1.

            Phil.

            • 3. Re: Non-transparent HTTPS in Sidewinder 8

              Hello Phil,

              I think that you also need the "SSL/TLS" application in that rule. If you add it, does it get you past this error and allow the traffic?

              -Matt

              • 4. Re: Non-transparent HTTPS in Sidewinder 8
                PhilM

                OK - I hear you.

                So, my rule now has two applications - my custom "Squid" application and SSL/TLS.

                Then, as per the KB, I've overridden the ports and the entry now reads as follows:

                TCP/3128 SSL/443 SSL/3128

                Selected Application Defense group as per previous post.

                I am now able to save the rule without it throwing up an error.

                With my client browser now configured to proxy to the Firewall's internal IP address on 3128 (for HTTP and HTTPS) and a real-time audit view of the rule running on my admin machine, I am able to access HTTPS sites (and see the connection coming through this rule), but HTTP access comes back with "Access Denied".

                It's almost as if the SSL/TLS service takes over port 3128 and doesn't allow the HTTP service a look-in. As soon as I remove the "SSL/3128" entry from the port field, I then have the opposite problem. Non-transparent HTTP over 3128 works fine but HTTPS does not - you just get a standard-issue "page cannot be displayed" error in Internet Explorer.

                My colleague has just run through the same scenario on his own Sidewinder 8 installation and has the exact same results.

                Phil.
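A quick way to separate the two symptoms described above (HTTP "Access Denied" versus HTTPS "page cannot be displayed") without a browser is to send the two request types a browser uses against an explicit proxy, an absolute-URI GET and a CONNECT, to port 3128 and classify the reply. This is an added diagnostic written for this thread, not Sidewinder or McAfee code; the proxy address and target hostname are constructed placeholders.

```python
import socket
from typing import Optional

# Constructed defaults; replace with the firewall's internal IP and a real target.
PROXY = ("192.0.2.1", 3128)
TARGET = "example.com"

def build_proxy_get(host: str, path: str = "/") -> bytes:
    """Explicit-proxy HTTP request: absolute URI in the request line."""
    return (f"GET http://{host}{path} HTTP/1.1\r\n"
            f"Host: {host}\r\nConnection: close\r\n\r\n").encode()

def build_connect(host: str, port: int = 443) -> bytes:
    """Explicit-proxy tunnel request that browsers send for HTTPS."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()

def parse_status(raw: bytes) -> Optional[int]:
    """Status code from the proxy's reply, or None if the reply is not HTTP."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])

def classify(code: Optional[int], error: Optional[str] = None) -> str:
    """Map a probe result onto the symptom a browser would show."""
    if error:
        return f"no proxy answer ({error}); browser shows 'page cannot be displayed'"
    if code is None:
        return "non-HTTP reply; a different service is answering on the port"
    if code == 403:
        return f"proxy refused ({code}); browser shows 'Access Denied'"
    if 200 <= code < 400:
        return f"allowed ({code})"
    return f"proxy error ({code})"

def send_probe(request: bytes, proxy=PROXY, timeout: float = 5.0) -> str:
    """Send one request to the proxy port and classify whatever comes back."""
    try:
        with socket.create_connection(proxy, timeout=timeout) as s:
            s.sendall(request)
            return classify(parse_status(s.recv(4096)))
    except OSError as exc:  # refused, reset or timed out: nothing proxied us
        return classify(None, exc.__class__.__name__)

if __name__ == "__main__":
    print("HTTP  via 3128:", send_probe(build_proxy_get(TARGET)))
    print("HTTPS via 3128:", send_probe(build_connect(TARGET)))
```

Run it once with SSL/3128 in the port override and once without; the pair of results shows which of the two services is actually answering on 3128 for each request type.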

                • 5. Re: Non-transparent HTTPS in Sidewinder 8

                  Interesting...

                  Well, I plan on doing some testing this afternoon, but in the meantime, I am curious what happens when you add "TCP/80" to the ports? What about using the standard "HTTP" application instead of the "Squid" one (I know, it shouldn't make a difference because you created "Squid" with a parent application of HTTP, but it would be nice to try anyway)?

                  -Matt

                  • 6. Re: Non-transparent HTTPS in Sidewinder 8

                    I have done some testing, and no matter what I do, I cannot reproduce the problems you are having. I have tried using different override ports, but it seems like the only requirement for me is to use TCP/3128 SSL/3128. I can remove the rest of the ports. Also, I have tried a custom application based on HTTP and it works fine for me.

                    Have you had any luck with testing?

                    -Matt

                    • 7. Re: Non-transparent HTTPS in Sidewinder 8
                      PhilM

                      I'll happily send you the config I have been playing with. PM me if that's OK with you.

                      Interestingly, while my colleague and I are both getting the same results, mine is a brand new v8.1.1 installation and his was upgraded from 7.0.1.02.

                      • 8. Re: Non-transparent HTTPS in Sidewinder 8

                        > I'll happily send you the config I have been playing with

                        I think that makes sense at this point, but I would like to open a ticket for tracking purposes. Can you open a ticket on the portal?

                        -Matt

                        • 9. Re: Non-transparent HTTPS in Sidewinder 8
                          PhilM

                          Will do. I am in the middle of a pre-configuration task at the moment - something which has raised a new v8 question, which I shall be posting shortly, so keep an eye open for it as I'd appreciate your input (or anyone else's, for that matter).

                          I might be able to get the ticket logged today, otherwise I will do it when I've finished what I'm doing right now.

                          Phil.
