Juniper SRX web filtering issue with additional proxy server
Currently we are using the UTM web filtering feature to allow only whitelisted web sites through the Juniper SRX firewall using “juniper-local”, and it is working fine normally.
If the device is configured to use a proxy server, Juniper UTM does not get used, i.e. even the sites not allowed through Juniper UTM get accessed.
The expected behaviour that we want: the internal device should use the Juniper whitelist feature and, if allowed, the request is passed to the external proxy server to check whether the requested site is allowed or not; if allowed, the web request is successful and the content is shown to the user. This is a kind of double proxy server feature, i.e. only if allowed by both is the web content allowed, else it is blocked.
Suppose the external proxy server is in the untrust zone with IP 10.123.113.116 and port 3128. After applying this proxy on a device inside the trust zone (Internet Explorer -> Internet Options -> Connections -> LAN Settings -> Proxy server), given that the proxy port is allowed through the security policy, all internet access gets allowed, i.e. the Juniper whitelist is not checked. According to “show security flow session”, the internet traffic is passed through port 3128 and not via HTTP/HTTPS.
Even though the relevant security policy includes the proxy port (3128) and the action is permit with application-services -> utm-policy <utm-policy-name>,
my expectation was that this should apply the UTM policy, but it doesn’t.
Please see the configuration file “Juniper-SRX-Local.conf”, section Security -> UTM and Security -> policies -> from-zone Treatment_zone to-zone Hospital_zone -> policy Allow-Mosaiq-Internet, where “Hospital_zone” is the only untrust zone and all the rest are trust zones.
Next, we tried websense-redirect, where we configured the external proxy server as the websense-redirect server host (configuration file attached).
If we do not include this proxy server in the web browser’s Internet connection LAN settings, we can see that Juniper web filtering works, but then it does not check the external proxy server (i.e. sites allowed at UTM but blocked in the external proxy server get allowed). If we include this proxy server in Internet Options -> Connections -> LAN settings, then Juniper web filtering does not get used.
Can this be done using Enhanced Web Filtering (we haven’t tested it, as this is a licensed feature)?
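One quick way to confirm what the post describes, i.e. that browser traffic is reaching the SRX as sessions to the proxy on port 3128 rather than as HTTP/HTTPS sessions the UTM web filter can classify, is to parse the output of "show security flow session" and separate proxy-bound sessions from direct web sessions. This is an added example, not from the post or from Juniper; the session text below is constructed to resemble Junos output, and the proxy address 10.123.113.116:3128 and policy name Allow-Mosaiq-Internet are taken from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample shaped like "show security flow session" output; addresses,
# session IDs and counters are made up, not captured from the poster's device.
SAMPLE_OUTPUT = """\
Session ID: 1001, Policy name: Allow-Mosaiq-Internet/4, Timeout: 1800, Valid
  In: 192.168.10.25/51234 --> 10.123.113.116/3128;tcp, If: ge-0/0/1.0, Pkts: 12, Bytes: 2400
  Out: 10.123.113.116/3128 --> 192.168.10.25/51234;tcp, If: ge-0/0/0.0, Pkts: 9, Bytes: 5100
Session ID: 1002, Policy name: Allow-Mosaiq-Internet/4, Timeout: 1800, Valid
  In: 192.168.10.31/49876 --> 203.0.113.10/443;tcp, If: ge-0/0/1.0, Pkts: 20, Bytes: 3000
  Out: 203.0.113.10/443 --> 192.168.10.31/49876;tcp, If: ge-0/0/0.0, Pkts: 18, Bytes: 9000
Session ID: 1003, Policy name: Allow-Mosaiq-Internet/4, Timeout: 1800, Valid
  In: 192.168.10.25/51300 --> 198.51.100.7/80;tcp, If: ge-0/0/1.0, Pkts: 5, Bytes: 600
  Out: 198.51.100.7/80 --> 192.168.10.25/51300;tcp, If: ge-0/0/0.0, Pkts: 4, Bytes: 3200
"""

HEADER_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+),")
IN_RE = re.compile(r"In: (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+),")

@dataclass
class Session:
    session_id: int
    policy: str
    src: str
    dst: str
    dport: int
    proto: str

def parse_sessions(text):
    """Pair each 'Session ID' header with its 'In:' wing (client-to-server direction)."""
    sessions, header = [], None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = (int(m.group(1)), m.group(2).strip())
            continue
        m = IN_RE.search(line)
        if m and header:
            sid, policy = header
            sessions.append(Session(sid, policy, m.group(1), m.group(3), int(m.group(4)), m.group(5)))
            header = None
    return sessions

def split_by_proxy(sessions, proxy_ip="10.123.113.116", proxy_port=3128):
    """Sessions terminating on the proxy carry the real web request inside them, so the
    SRX only sees a port 3128 flow; direct sessions on 80/443 are the ones the UTM web
    filter can match as HTTP/HTTPS. Returns (via_proxy, direct_web)."""
    via_proxy = [s for s in sessions if s.dst == proxy_ip and s.dport == proxy_port]
    direct_web = [s for s in sessions if s.dport in (80, 443)]
    return via_proxy, direct_web
```

Any session in the first list was permitted by the policy on the proxy port alone, which is the path the post says the whitelist is not applied on.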