I recently configured the SSL forwarding proxy. My reason for doing so is that I need to be able to identify HTTPS and FTPS DNS names that aren't passing their SNI. This is important for sites where the IP address is not always the same or changes frequently. I also wanted to be able to incorporate this into my web filtering so I could properly whitelist or blacklist sites that are SSL, and do so by the DNS name even if there is no SNI available. I have added it to a policy, and when running the command "show services ssl proxy statistics" it shows several thousand matched and several thousand sessions created, but I can't find anywhere to show me what DNS names it has read. I have the enable-trace option turned on and I am looking at the logs, but I can't find anything super helpful.
What's really frustrating is that the whole point of this was to be able to inspect HTTPS traffic for web filtering; however, when I put both the UTM policy and the ssl-proxy on the policy as the instructions in this article show (https://kb.juniper.net/InfoCenter/index?page=content&id=KB31122), it ignores my UTM policy and allows traffic that should have been blocked by it.
The key is having a local certificate that is Certificate Signing capable. We have a Windows Active Directory and a Certification Authority server. I requested a certificate with the above attributes (Certificate Signing) and loaded it on the SRX. I then used that as the "root-ca" on my ssl proxy profile. Because I'm using a computer that is a member of our domain, the root CA of the domain is already loaded and trusted, which in turn trusts any certificate signed by the SRX.
What I also found out is that "ignore-server-auth-failure" under the "actions" tab causes the SRX to generate an SSL certificate with an "SSL-PROXY: DUMMY" issuer, which causes every browser to error out because of "Invalid CA certificate". For this to work, you MUST go through this step to load public CAs, and delete "ignore-server-auth-failure" for it to work properly.
When all is said and done, all HTTPS website certificates look like they are issued and signed by the SRX.
My application-firewall in my policy is also working now, so I assume your web filtering should too.
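The sequence this answer describes (signing-capable local certificate as the proxy root-ca, public CAs loaded, "ignore-server-auth-failure" removed, SSL proxy and UTM attached to the same policy), written out as an added Junos example. This is not configuration from the original post or from KB31122: the certificate IDs, file paths, CA group, profile, zone, policy and UTM policy names are placeholders I chose, and the "filename default" public-CA bundle load and the "trusted-ca all" setting are assumed from Junos SSL forward proxy documentation rather than taken from the post.

```junos
# Added example, not from the original post. Every name below (certificate IDs,
# file paths, CA group, profile, zones, policy and UTM policy) is a placeholder.
# Lines marked "operational" are typed at the operational prompt; the rest are
# configuration-mode set/delete statements.

# 1. Load the Certificate Signing capable certificate issued by the internal CA,
#    with its private key, as a local certificate. (operational)
request security pki local-certificate load certificate-id srx-ssl-proxy-ca filename /var/tmp/srx-ssl-proxy-ca.pem key /var/tmp/srx-ssl-proxy-ca.key

# 2. Load a public CA bundle into a CA profile group so the SRX can validate the
#    real server certificates instead of needing ignore-server-auth-failure.
#    "filename default" loads the bundle shipped with Junos. (operational)
request security pki ca-certificate ca-profile-group load ca-group-name public-ca-group filename default

# 3. SSL forward proxy profile: the loaded certificate is the root-ca used to
#    re-sign server certificates; trusted-ca all lets it use every CA group.
set services ssl proxy profile ssl-inspect-profile root-ca srx-ssl-proxy-ca
set services ssl proxy profile ssl-inspect-profile trusted-ca all
set services ssl proxy profile ssl-inspect-profile actions log all

# The setting the answer says to remove. With it present, server validation
# failures are papered over and clients receive the "SSL-PROXY: DUMMY" issuer.
delete services ssl proxy profile ssl-inspect-profile actions ignore-server-auth-failure

# 4. Attach both the SSL proxy profile and the UTM policy to the same rule.
set security policies from-zone trust to-zone untrust policy inspect-web match source-address any
set security policies from-zone trust to-zone untrust policy inspect-web match destination-address any
set security policies from-zone trust to-zone untrust policy inspect-web match application junos-https
set security policies from-zone trust to-zone untrust policy inspect-web then permit application-services ssl-proxy profile-name ssl-inspect-profile
set security policies from-zone trust to-zone untrust policy inspect-web then permit application-services utm-policy web-filter-policy
commit

# 5. Verify the certificate loaded and that sessions are being proxied. (operational)
show security pki local-certificate certificate-id srx-ssl-proxy-ca detail
show services ssl proxy statistics
```

After the commit, a browser on a domain-joined client should show site certificates issued by the SRX's proxy CA rather than by "SSL-PROXY: DUMMY"; if the dummy issuer still appears, check that the delete in step 3 was committed and that the public CA group loaded without errors.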