SRX Services Gateway

SRX SSL Reverse Proxy

07-07-2020 02:17 AM

Hi

 

I am having issues with the reverse proxy functionality.

Model: SRX5400
Junos: 18.3R2.7

 

The SSL certificate was requested via a CSR generated on the Digicert tool; this was exported with the key and imported onto the SRX, and the certificate imported fine:

[image: JF_1.jpg]

 

We have a load balancer on the back end, but regardless of whether the NAT is to the LB VIP (pass through) or to one of the back end servers directly (servers have a local domain certificate installed), we get the same issues.

 

Initially we received the error "certificate error: authority and issuer serial number mismatch":

[image: JF_2.jpg]

 

But after removing the certificate / re-adding it, removing config etc., the only error we seem to be getting is "non ssl session ignored":

[image: JF_3.jpg]

 

And then the internal domain certificate is served to the browser from the server directly when testing externally.

 

The configuration is:

[image: jf_4.jpg]

As above, the certificate looks fine and the key checks out; parity between the SSL cert, key and CSR has been proven in OpenSSL and by other methods.

I have followed all the configuration information:
https://www.juniper.net/documentation/en_US/release-independent/sky-atp/topics/task/configuration/sk...

 

And as I understand it, this should be working in this manner:

"Terminates client SSL on the SRX Series device and initiates a new SSL connection with a server. Decrypts SSL traffic from the client/server and encrypts again (after inspection) before sending to the server/client."

 

I have done the following in order to try and make this work:

- Added the internal CA root certificate to a ca-profile.
- Tried configuring an SSL initiation profile using the internal CA profile, in case the issue is the SRX not trusting the certificate on the back end servers.
- Tried adding the Digicert Root CA as a separate profile alongside the existing one (Jweb_40).
- Removed and re-added the certificate and key (local-certificate certificate id), the proxy profile and all config, re-adding numerous times.

 

It just seems the proxy profile is completely ignored and the traffic is just NAT'd to the back end, and the back end serves the internal certificate, which is not ideal.

 

Any help on this matter would be much appreciated. Am I missing something fundamental here? Am I missing a pre-requisite that isn't documented anywhere? Are there firewall functions that we may be using that cannot work in conjunction with SSL reverse proxy, and if so, what are they?

 

Regards and thanks in advance 🙂

 

DJC

2 REPLIES

Re: SRX SSL Reverse Proxy

07-07-2020 08:25 AM

Hi DJ,

 

Can you send us the entire device configuration for verification?

 

At the moment, the issue you are seeing is that the SSL profile is being ignored in the policy and you are seeing the SSL_PROXY_SESSION_IGNORE log message. Isn't it?

 

I will give you some pointers in order to identify the issue.

  1. Set up security flow traceoptions in order to determine what is happening in the flow.
  2. Provide us with the output of the security flow session: show security flow session source-prefix <x.x.x.x> destination-prefix <y.y.y.y>
  3. Outputs of "show security pki local-certificate detail" and "show security ssl proxy statistics" (this particular output has to be taken around 3 times while initiating the connection).
  4. Provide us with the SSL traceoptions while initiating the connection:

      set services ssl traceoptions file filename SSL-TRACE files 5 size 50m
      set services ssl traceoptions level extensive

 

It would be better to configure the flow trace and SSL trace together.

 

Note: Do check the RE CPU values before configuring the above trace and if the Idle value is below 40, don't configure the trace.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX SSL Reverse Proxy

07-14-2020 05:07 AM

Hello DJ,

 

We need to first make sure the session that's established in the firewall is identified as an SSL session, for which the application-identification service has to be up and running. If possible, please provide the output of the following:

 

show services application-identification status

show services application-identification application-system-cache (match with the source IP address from where the connection is initiated and make sure it is identified as an SSL session)

 

Regards,

Prakash
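The reply above hinges on the session being classified as SSL before the proxy profile can engage; a session that is not recognised as SSL is logged and left alone, which matches the "non ssl session ignored" message in the original post. The following Python snippet is an added illustration, not Juniper code or anything taken from this thread: it shows the minimal check a classifier makes on the first client payload of a TCP session (TLS handshake record carrying a ClientHello), pulls the SNI out of it, and shows what cleartext HTTP or a stray TLS alert on the same port looks like to such a check. The hostname and sample payloads are constructed, and the parser assumes the ClientHello fits in a single TLS record.

```python
import struct
# Constructed sample inputs (not captured from the poster's device).
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: portal.example.com\r\n\r\n"
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"   # TLS alert record, not a handshake

def build_client_hello(host: str, version: bytes = b"\x03\x03") -> bytes:
    """Build a minimal single-record TLS ClientHello carrying a server_name extension."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension 0 = server_name
    body = (version + bytes(32)                       # client_version, random (zeros here)
            + b"\x00"                                 # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake

def inspect_first_payload(payload: bytes) -> dict:
    """Classify the first client bytes of a session; assumes the ClientHello is one record."""
    verdict = {"tls": False, "reason": "", "sni": None}
    if len(payload) < 9 or payload[0] != 0x16 or payload[1] != 0x03:
        verdict["reason"] = "not a TLS handshake record"          # e.g. cleartext HTTP
        return verdict
    rec_len = struct.unpack("!H", payload[3:5])[0]
    if payload[5] != 0x01:
        verdict["reason"] = "first handshake message is not ClientHello"
        return verdict
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_len + 4 != rec_len or len(payload) < 5 + rec_len:
        verdict["reason"] = "truncated ClientHello"
        return verdict
    p = 9 + 2 + 32                                     # skip client_version and random
    p += 1 + payload[p]                                # session_id
    p += 2 + struct.unpack("!H", payload[p:p + 2])[0]  # cipher_suites
    p += 1 + payload[p]                                # compression_methods
    if p + 2 <= 9 + hs_len:                            # extensions block is optional
        ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            p += 4
            if etype == 0x0000 and elen >= 5:           # server_name: list_len, type, name_len, name
                nlen = struct.unpack("!H", payload[p + 3:p + 5])[0]
                verdict["sni"] = payload[p + 5:p + 5 + nlen].decode("ascii", "replace")
            p += elen
    verdict.update(tls=True, reason="TLS ClientHello")
    return verdict
```

Feeding the first packet of a failing session through a check like this is a quick way to tell whether the client actually speaks TLS to the proxied port before digging into traceoptions.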
