SSL proxy and Reverse Proxy

SSL proxy

SSL forward proxy - protects the client (outgoing traffic to the Internet)

Reverse proxy - protects the web server (incoming traffic from the Internet)


Document:   https://www.juniper.net/documentation/us/en/software/junos/application-identification/topics/topic-map/security-ssl-proxy.html


provides a gateway between users and the internet

web filtering, DNS filtering, data loss prevention, antivirus, intrusion prevention, and advanced threat protection


Types of Proxy Servers: https://www.fortinet.com/resources/cyberglossary/proxy-server#:~:text=A%20proxy%20server%20is%20a,web%20pages%20they%20visit%20online.





SSL relies on certificates and public/private key pairs (used for the key exchange) to provide secure communication


https://www.juniper.net/documentation/en_US/junos/topics/concept/idp-ssl-overview.html


https://www.juniper.net/documentation/en_US/junos/topics/concept/ssl-proxy-overview.html



We should support Reverse Proxy on this platform:

https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/task/configuration/sky-atp-reverse-proxy.html



SRX300/320

SSL VPN (NCP client) = already supported
SSL Forward Proxy = 18.1
SSL Reverse Proxy = not supported (what is the use case?)
Sky ATP = 18.2 (likely be TRD)

  • SSL Proxy is not supported on SRX300 and SRX320 series devices.  ( 4.0.2 )
  • Note: On SRX300 and SRX320 devices, SSL forward proxy is supported from Junos 18.1R1
  • However, when TLS v1.3 becomes popular this feature won’t work anymore by design.


Selective SSL proxy based on custom URL categories is supported since Junos 17.4

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/17.4/topic-122351.html#cbbu-rn-junos-srx-j-new-features


Custom URL category support for SSL forward proxy (SRX Series)—Starting with Junos OS Release 17.4R1, the whitelisting feature is extended to include custom URL categories supported by UTM in the whitelist configuration of SSL forward proxy. In this implementation, the Server Name Indication (SNI) field is extracted by the UTM module from client hello messages to determine the URL category. SNI is an extension of the SSL/TLS protocol. Each URL category has a unique ID. The list of URL categories in the whitelist is parsed and the corresponding category IDs are pushed to the Packet Forwarding Engine for each SSL forward proxy profile. The SSL forward proxy then determines through APIs whether to accept the proxy or to ignore the session.
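The release note above describes the mechanism but not what the SNI lookup actually looks like. Below is an added example (my own code, not Juniper's implementation or any Junos API) that parses the server_name extension out of a TLS ClientHello record, maps the hostname to a custom URL category, and returns a bypass/intercept decision in the way the whitelist is described. The category names, hostnames and the whitelist are constructed, hypothetical values; the ClientHello builder exists only so the example runs offline. The one failure mode worth noting is a ClientHello without SNI: nothing can be categorized, so the decision falls back to interception.

```python
import struct

# Constructed (hypothetical) custom URL categories, as UTM would supply them:
# category name -> hostnames. Each category would carry a unique ID on the device.
CUSTOM_URL_CATEGORIES = {
    "Enhanced_Banking": {"bank.example", "www.bank.example"},
    "Enhanced_Health": {"clinic.example"},
}
# Constructed whitelist for one SSL forward proxy profile.
WHITELISTED_CATEGORIES = {"Enhanced_Banking"}


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a TLS ClientHello, or None.

    Handles only a single handshake record; truncated or non-handshake input
    yields None rather than raising.
    """
    # TLS record header: content type (1), version (2), length (2)
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    # Handshake header: msg type (1) = 0x01 ClientHello, length (3)
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                   # client_version + random
    if len(hello) < pos + 1:
        return None
    sid_len = hello[pos]; pos += 1 + sid_len       # session_id
    if len(hello) < pos + 2:
        return None
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len  # cipher_suites
    if len(hello) < pos + 1:
        return None
    cm_len = hello[pos]; pos += 1 + cm_len         # compression_methods
    if len(hello) < pos + 2:
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        data = hello[pos:pos + ext_len]; pos += ext_len
        if ext_type == 0x0000:                     # server_name extension
            # ServerNameList: list length (2), then name type (1), name length (2), name
            if len(data) < 5 or data[2] != 0:      # 0 = host_name
                return None
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", errors="replace")
    return None


def categorize(host):
    """Map a hostname to its custom URL category, or None if uncategorized."""
    for category, hosts in CUSTOM_URL_CATEGORIES.items():
        if host in hosts:
            return category
    return None


def proxy_decision(record: bytes):
    """Decide whether the proxy should bypass or intercept this session.

    Returns (decision, host, category). Without an SNI there is nothing to
    match against the whitelist, so the session is intercepted (inspected).
    """
    host = extract_sni(record)
    if host is None:
        return ("intercept", None, None)
    category = categorize(host)
    if category in WHITELISTED_CATEGORIES:
        return ("bypass", host, category)
    return ("intercept", host, category)


def build_client_hello(server_name: str, with_sni: bool = True) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (one cipher suite, optional SNI)."""
    exts = b""
    if with_sni:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        exts = struct.pack("!H", len(ext)) + ext
    hello = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
             + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
             + b"\x01\x00" + exts)                        # null compression, extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    for host in ("bank.example", "clinic.example", "other.example"):
        print(host, "->", proxy_decision(build_client_hello(host)))
    print("no SNI ->", proxy_decision(build_client_hello("ignored", with_sni=False)))
```

The decision function is deliberately fail-closed toward inspection: a whitelist is only as good as the SNI it keys on, and a ClientHello with no SNI (or an encrypted one, as the TLS 1.3 remark above anticipates) should not silently become a bypass.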