SRX Services Gateway

SSL Reverse Proxy with Destination NAT

‎09-13-2018 02:43 AM

Our client has a requirement to have SSL reverse proxy configured on their perimeter SRX5400.

 

The requirement is as follows:

 

Source - Any 

Destination - Skype for Business Server (10.1.1.50)

Service - TCP443

 

Once the SRX has decrypted the traffic for IPS inspection, we need the traffic to be re-encrypted and sent to the destination server on port TCP4443.

 

Is it possible to implement this by using destination NAT, or is there a better way to implement this requirement?

1 REPLY

Re: SSL Reverse Proxy with Destination NAT

‎09-13-2018 07:57 AM

Hello, 

 

You should not have any inconvenience configuring destination NAT and SSL reverse proxy, since they work in different modules of the SRX flow. This means that the destination NAT will occur first and then services SSL will intercept the traffic for further analysis.

 

Please see https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ssl-proxy.html#id-ssl-re...

 

Here is an example configuration:

 

 

/* security nat */
destination {
    pool TEST {
        address 192.168.101.240/32 port 443;
    }
    rule-set SSL {
        from zone UNTRUST;
        rule rule1 {
            match {
                destination-address 1.1.1.1/32;
            }
            then {
                destination-nat {
                    pool {
                        TEST;
                    }
                }
            }
        }
    }
}

/* security policies */
from-zone UNTRUST to-zone DMZ {
    policy SSL-HTTPS {
        match {
            source-address any;
            destination-address TEST;
            application junos-https;
        }
        then {
            permit {
                application-services {
                    ssl-proxy {
                        profile-name server-protection-profile;
                    }
                }
            }
        }
    }
}

/* services ssl proxy */
profile server-protection-profile {
    server-certificate JTAC;
    actions {
        log {
            all;
        }
    }
}
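
Added example, not part of the reply above: the same layout in set-command form, adapted to the values in the original question (server 10.1.1.50, re-encrypted traffic delivered on TCP 4443). The public address 203.0.113.10, the names SFB-POOL, SFB-SERVER, TCP-4443 and SFB-CERT, and the zone names are assumptions. Because destination NAT runs before the policy lookup, the policy here matches the translated address and port rather than the public ones.

```junos
# Destination NAT: public listener on 443, real server on 4443.
# 203.0.113.10 is a placeholder for the public address (assumption).
set security nat destination pool SFB-POOL address 10.1.1.50/32 port 4443
set security nat destination rule-set SSL from zone UNTRUST
set security nat destination rule-set SSL rule rule1 match destination-address 203.0.113.10/32
set security nat destination rule-set SSL rule rule1 match destination-port 443
set security nat destination rule-set SSL rule rule1 then destination-nat pool SFB-POOL

# The policy sees the packet after translation, so it needs an address-book
# entry for the real server and an application for TCP 4443
# (junos-https only covers 443). Both names are hypothetical.
set security address-book global address SFB-SERVER 10.1.1.50/32
set applications application TCP-4443 protocol tcp destination-port 4443

# Policy: permit the translated flow and hand it to the SSL proxy profile.
set security policies from-zone UNTRUST to-zone DMZ policy SSL-HTTPS match source-address any
set security policies from-zone UNTRUST to-zone DMZ policy SSL-HTTPS match destination-address SFB-SERVER
set security policies from-zone UNTRUST to-zone DMZ policy SSL-HTTPS match application TCP-4443
set security policies from-zone UNTRUST to-zone DMZ policy SSL-HTTPS then permit application-services ssl-proxy profile-name server-protection-profile

# Reverse-proxy profile: SFB-CERT stands for the server's certificate and
# private key already loaded on the SRX (placeholder identifier).
set services ssl proxy profile server-protection-profile server-certificate SFB-CERT
set services ssl proxy profile server-protection-profile actions log all
```

After commit, `show security flow session destination-port 4443` should list the translated sessions, which confirms that the NAT rule and the policy are both matching.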