SSL proxy
SSL forward proxy
https://www.juniper.net/documentation/en_US/junos/topics/concept/idp-ssl-overview.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/ssl-proxy-overview.html
We should support Reverse Proxy on this platform:
SRX300/320
SSL VPN (NCP client) = already supported
SSL Forward Proxy = 18.1
SSL Reverse Proxy = not supported (what is the use case?)
Sky ATP = 18.2 (likely to be TRD)
- SSL Proxy is not supported on SRX300 and SRX320 series devices. (4.0.2)
- However, once TLS 1.3 becomes popular, this feature won't work anymore by design.
Selective SSL proxy based on custom URL is supported since Junos 17.4
Custom URL category support for SSL forward proxy (SRX Series)—Starting with Junos OS Release 17.4R1, the whitelisting feature is extended to include custom URL categories supported by UTM in the whitelist configuration of SSL forward proxy. In this implementation, the Server Name Indication (SNI) field is extracted by the UTM module from client hello messages to determine the URL category. SNI is an extension of the SSL/TLS protocol. Each URL category has a unique ID. The list of URL categories in the whitelist is parsed and the corresponding category IDs are pushed to the Packet Forwarding Engine for each SSL forward proxy profile. The SSL forward proxy then determines through APIs whether to accept the proxy or to ignore the session.