Barracuda NextGen Firewall F

How to Configure Secure Web Proxy

Before configuring the Secure Web Proxy service, make sure that you have correctly created it. For more information, see link.

If you are using HTTP Proxy and Secure Web Proxy on the same virtual server, you must edit the listening port for the Secure Web Proxy, because both proxies use port 3128 as their default listening port.

Using Secure Web Proxy requires additional software packages which are not part of the installation USB flash drive because of import and export regulations. Please contact your local Barracuda Networks Partner in order to request these specific packages.

To configure Secure Web Proxy, complete the steps in the following sections:

Configure SSL

1. Log into the Barracuda NG Firewall.
2. Open the Secure Web Proxy Settings page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > Secure-Web-Proxy).
3. From the Configuration menu in the left navigation pane, click SSL Settings.
4. Click Lock.
5. Configure the SSL settings. For more information on the settings, see the following Settings Overview section.

Settings Overview

Enable SSL Decryption

To allow SSL decryption for data inspection, select Yes.

Enable Certificate Verification

To validate certificates, select Yes. When this setting is disabled, server certificates are not validated. Clients can potentially be exposed to malicious sites (such as phishing sites) without any warning. It is recommended that this option only be disabled by someone who knows what they are doing.

Use Self-Signed Certificate

To use self-signed certificates, select Yes. To use external certificates, select No.

Root CA Private Key | Root CA Certificate

Generates the issuing root certificate. The root CA certificate must be exported and added to all client CA databases. When establishing an HTTPS connection, all SSL client connections receive a temporary certificate that is signed by the configured CA instead of the real certificate. The certificate and the corresponding private key are used for SSL/TLS encryption and decryption. If this root certificate is not installed on the client computers, users receive certificate error warnings in the browser for each new HTTPS connection.

External Root CA Private Key | External Root CA Certificate

In these sections, you can import an external root certificate and its corresponding private key instead of using a self-signed certificate. The root certificate must be signed by the private key. When establishing an HTTPS connection, all SSL client connections receive a temporary certificate that is signed by the configured CA instead of the real certificate. The certificate and the corresponding private key are used for SSL/TLS encryption and decryption. If this root certificate is not installed on the client computers, users receive certificate error warnings in the browser for each new HTTPS connection.

Notify User

To notify users whenever SSL connections are decrypted, logged, or inspected, select Yes. This notification is displayed in the interval specified by the following Notify Again After (min) setting. When you enable the Notify User setting, HTTPS-based resources embedded in HTTP-based documents will not display until the following notification for the HTTPS domain is confirmed.

Barracuda Networks does not recommend that you enable the Notify User setting because the missing HTTPS-based resources may be confusing to users. The following screenshot displays an Amazon webpage with the missing data highlighted. The header is missing JavaScript and CSS while two images are missing from the main content area:

The following screenshot displays the same web page after the proxy's notification has been confirmed. The header area is now properly rendered and the images in the main content area are accurately displayed:

Notify Again After (min)

If you enabled the Notify User setting, specify how often the notification is displayed. The default value is 60 minutes.

6. Click Send Changes and then click Activate.

Manually Import the Root CA

If required, you can also manually import missing root CAs for the SSL proxy via the command line interface. You can only import RSA root certificates (no PGP certificates, etc.). The file extension must be .pem.

1. Export the root certificate from your browser. Export it in the base-64 encoded format and change it from a .crt file to a .pem file. The file name must NOT contain blanks or special characters.
2. Create the rootcaimport directory on the Barracuda NG Firewall: mkdir /opt/microdasys/conf/rootcaimport
3. Use SCP to copy the RSA root certificate to the /opt/microdasys/conf/rootcaimport directory. You do not need to change the file or directory ownership and permissions.
4. On the Barracuda NG Firewall, go to the Control > Server page and restart SSL Proxy.
5. Verify that a *.pem.import file has been created in /opt/microdasys/conf/rootcaimport. The RSA root certificate is also displayed in the certificate list at SSL Proxy > Certificates.
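The file-name and encoding rules of the manual import above are easy to get wrong from a browser export, so the following script checks them from the administrator's workstation before the SCP step. It is an added example and not part of the Barracuda documentation; the firewall host name, the SSH user and the presence of openssl and scp on the workstation are assumptions.

```sh
#!/bin/sh
# Added example; not part of the Barracuda documentation. Pre-flight checks and
# the copy step for importing a root CA into the Secure Web Proxy via the CLI.
# Assumptions (not from the page): openssl and scp exist on the admin host, and
# the firewall is reachable as the constructed placeholder host/user below.
NGFW="root@ngfw.example.internal"              # constructed placeholder
IMPORT_DIR="/opt/microdasys/conf/rootcaimport" # directory named on the page

# Page rule: extension must be .pem and the name must contain no blanks or
# special characters. Only the base name is checked; the directory is free-form.
rootca_name_ok() {
    case "$1" in *.pem) ;; *) return 1 ;; esac
    case "$(basename "$1")" in *[!A-Za-z0-9._-]*) return 1 ;; esac
    return 0
}

# Page rule: only base-64 (PEM) encoded RSA certificates are imported. A binary
# DER .crt export, or a non-RSA certificate, is rejected here instead of being
# silently ignored by the proxy after the restart.
rootca_pem_ok() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'Public Key Algorithm: rsaEncryption'
}

# Steps 2 and 3 of the page: create the import directory on the firewall and
# copy the checked file into it over SCP (ownership/permissions are left alone).
rootca_import() {
    rootca_name_ok "$1" || { echo "rejected file name: $1" >&2; return 1; }
    rootca_pem_ok "$1"  || { echo "not a PEM-encoded RSA certificate: $1" >&2; return 1; }
    ssh "$NGFW" "mkdir -p $IMPORT_DIR" || return 1
    scp "$1" "$NGFW:$IMPORT_DIR/" || return 1
    echo "copied $(basename "$1"); restart SSL Proxy under Control > Server, then verify"
}

# Step 5 of the page: after the restart, <name>.pem.import must exist beside the
# copy, and the certificate appears under SSL Proxy > Certificates.
rootca_import_done() {
    ssh "$NGFW" "test -f '$IMPORT_DIR/$(basename "$1").import'"
}
```

Run rootca_import on the exported .pem file, restart SSL Proxy in the GUI, then run rootca_import_done with the same file name to confirm the marker file.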

Configure SSL Certificates

1. Log into the Barracuda NG Firewall.
2. Open the Secure Web Proxy Settings page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > Secure-Web-Proxy).
3. From the Configuration menu in the left navigation pane, click SSL Certificates.
4. Click Lock.
5. Configure the SSL certificate settings. For more information on the settings, see the following Settings Overview section.

Settings Overview

Allow CommonName Wildcards

To accept wildcard characters in the CommonName, select Yes. For example, *.domain.com. Browsers such as Internet Explorer or Firefox allow wildcard characters and regular expressions. Disabling this setting provides more security.

Deny Expired Certificates

To deny expired certificates, select Yes.

Allow Visit After Confirm

If a certificate is not valid, an information page displays in the browser.
⚬ To let users connect to the site after clicking Allow to confirm, select Yes.
⚬ To deny access to the site and generate an incident ticket, select No.
It is recommended that you select No, because it provides the same override mechanism as web browsers.

Enable Revocation Check

To check every certificate against the revocation list of the issuing CA (if available), select Yes.

Download CRLs at Hour (0..23)

Specifies when to retrieve Certificate Revocation Lists (CRLs) from the CAs.

Use Real-Time Check (OCSP)

To enable the Online Certificate Status Protocol (OCSP) to check the validity of each certificate in real time, select Yes. If a CA supports OCSP, the certificate's validity is checked in real time and the result is cached for one day.

Block Unknown State

To deny certificates when their revocation status cannot be determined (either via CRLs or OCSP), select Yes. This setting is usually enabled in high-security environments. However, it generates many incident reports.

Client-Certificate Action

Specifies if a connection is tunneled (without decryption) or denied when a client certificate is requested by a server. Because private details of the client certificate are known only to the client, the SSL proxy is not able to interact as it would with other SSL connections.

6. Click Send Changes and then click Activate.

Configure SSL Exceptions

In the SSL exceptions, you can specify which hosts should always be prohibited or allowed.

1. Log into the Barracuda NG Firewall.
2. Open the Secure Web Proxy Settings page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > Secure-Web-Proxy).

3. From the Configuration menu in the left navigation pane, click SSL Exceptions.
4. Click Lock.
5. In the Blacklist table, add the server name (without the leading https://) or IP address of hosts that should always be blocked. Clients are prohibited from accessing the servers and websites that are listed in this table. Restriction is based on the site's certificate rather than on the actual server name or IP address.
6. In the Whitelist table, add the server name (without the leading https://) or IP address of hosts that should always be allowed, even if there is something wrong with the certificate. Clients can always access the servers and websites that are listed in this table.
7. In the Tunnellist table, add the servers and website connections that should be tunneled (neither intercepted nor decrypted). A virus scan is not possible with entries configured in the tunnel list. The secure web proxy breaks open the initial request from the client and the SSL handshake request to the web server. Then the proxy sends a renegotiate request to the server in order to initiate a new SSL handshake so that all traffic arriving from the client gets tunneled through the proxy. Some web servers, such as special versions of Apache, cannot process a renegotiate request. Add these websites to the Tunnellist table. The first SSL handshake is not broken open but tunneled to the web server.
8. Click Send Changes and then click Activate.

Configure Advanced Secure Web Proxy Settings

1. Log into the Barracuda NG Firewall.
2. Open the Secure Web Proxy Settings page (Config > Full Config > Box > Virtual Servers > your virtual server > Assigned Services > Secure-Web-Proxy).
3. From the Configuration menu in the left navigation pane, click Advanced.
4. Click Lock.
5. In the Read Timeout (sec.) field, enter the read timeout of the Secure Web Proxy in seconds.
6. From the Log Level list, select the log level.
7. If the Secure Web Proxy should extract HTTP 1.1 header lines, select Yes from the Strip HTTP1.1 Enc. Header Lines list.
8. Click Send Changes and then click Activate.
