About the HTTPS-Proxy

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a request/response protocol between clients and servers used for secure communications and transactions. You can use the HTTPS-proxy to secure a web server protected by your Firebox or Firebox, or to examine HTTPS traffic requested by clients on your network. By default, when an HTTPS client starts a request, it establishes a TCP (Transmission Control Protocol) connection on port 443. Most HTTPS servers listen for requests on port 443.

HTTPS is more secure than HTTP because HTTPS uses a digital certificate to secure a connection, validate the web server identity and exchange the shared key. The Firebox can then encrypt and decrypt the HTTPS traffic. It encrypts and decrypts user page requests as well as the pages that are returned by the web server. The Firebox must decrypt a page it before it can be examined. After it examines the content, the Firebox encrypts the traffic with a certificate and sends it to the intended destination.

You can export the default certificate created by your Firebox for this feature, or import a certificate for the device to use instead. If you use the HTTPS-proxy to examine web traffic requested by users on your network, we recommend that you export the default certificate and distribute it to each user so that they do not receive browser warnings about untrusted certificates. If you use the HTTPS-proxy to secure a web server that accepts requests from an external network, we recommend that you import the current web server certificate for the same reason.

When an HTTPS client or server uses a port other than port 443 in your organization, we recommend that you create a custom policy for the port you need. Use the HTTPS-proxy as a template to create this policy. For more information, see Add a Proxy Policy to Your Configuration.

Which Proxy Action To Use

When you configure a proxy policy, you must select a proxy action appropriate to the policy. For a proxy policy that allows connections from your internal clients to the internet, use the Client proxy action. For a proxy policy that allows connections to your internal servers from the internet, use the Server proxy action.

Predefined proxy actions with Standard appended to the proxy action name include recommended standard settings that reflect the latest Internet network traffic trends.

It is important to select the correct proxy action for incoming or outgoing HTTPS connections so that the proxy uses the appropriate certificate. HTTPS-Client proxy actions use the outbound Proxy Authority CA certificate. HTTPS-Server proxy actions use the Proxy Server web server certificate.

In Fireware v11.12 and higher, the Web Setup Wizard and WSM Quick Setup Wizard automatically adds an HTTPS-proxy policy that uses the Default-HTTPS-Client proxy action. The Default-HTTPS-Client proxy action is based on the HTTPS-Client.Standard proxy action and enables subscription services that were licensed in the feature key when the setup wizard was run. If you add a new HTTPS-proxy policy, the Default-HTTPS-Client proxy action could be a better choice than the HTTPS-Client.Standard proxy action. For more information about the Default-HTTPS-Client proxy action, see Setup Wizard Default Policies and Settings.

Configure the HTTPS-Proxy

If you enable WebBlocker in an HTTPS proxy action, but do not enable content inspection, users do not see a deny message when content is denied by WebBlocker. Without content inspection, protection is less thorough. WebBlocker can only see the common name or server name domain information, not the URL. For more information, see HTTPS-Proxy: WebBlocker.

See Also

About Proxy Policies and ALGs