If the HTTPS proxy is activated in a connection line, the HTTPS (encrypted) connection is managed by the transparent proxy on the firewall. This means that the user does not have to make any proxy settings in his web browser.
The HTTPS proxy operates as a "man in the middle": it makes its own connections to the web browser and to the web server. Operating in this way, it can check contents, apply web blocking, content filtering and virus scanning. The settings for this are inherited from the HTTP proxy.
Only pages whose certificates have been signed by a listed CA can be visited through the HTTPS proxy. However, it is possible to import your own CA. The most common CA certificates for checking web server certificates are pre-installed; others can be added (and also deleted) by the firewall administrator. The HTTPS proxy operates with "forged" web server certificates issued by the firewall's own CA, and these are the certificates presented to the web browser.
This CA should be imported into the web browser as trusted. For this purpose, it can be exported, or it can be replaced by a self-created CA.
Requests from a web browser to a new web server are initially rejected. All new requests are presented in a list, from which the administrator only has to select the desired ones.
Such a request is unlocked by creating a "forged" web server certificate for it.
The validity period of these certificates can be freely selected (365 days by default).
If the firewall administrator does not want his users to connect to a web server via HTTPS, he can add the domain of the web server to a blacklist.
59 Proxies
Clarity Perfection Security
Workflow of the HTTPS Proxy:
Step 1
The browser calls an https:// page. An empty page is displayed, but a request is written to the Administration Client.
Step 2
The administrator opens the Proxy dialogue in the Administration Client.
a. He authorizes the page. A replacement certificate is created.
b. He does not authorize the page. The page remains blocked.
Step 3
The browser calls the https:// page again.
a. It receives the page with a "forged" certificate.
b. It cannot see the page, and no request is made to the Administration Client again.
NOTE
IF A PAGE IS REQUESTED WHOSE CERTIFICATE HAS NOT BEEN SIGNED BY ONE OF THE SUPPLIED CAS, THE CA OF THAT CERTIFICATE HAS TO BE IMPORTED INTO THE HTTPS PROXY DIALOGUE IN ADVANCE. IF THE CERTIFICATE OF THE HTTPS PAGE IS SELF-SIGNED, THIS CERTIFICATE MUST PREVIOUSLY BE IMPORTED INTO THE HTTPS PROXY DIALOGUE AS A CA.
4.4
FTP Proxy
The open source program frox acts as the FTP Proxy in the gateprotect firewall server. This proxy provides the interface to the antivirus solution and supports active FTP.
ATTENTION !
THE FTP PROXY MUST ONLY BE USED AS AN OUTBOUND FILTER AND MUST NEVER BE USED IN A DMZ.
4.5
SMTP Proxy
The SMTP Proxy pimp has been developed by gateprotect AG. It acts as an interface for the antivirus solution and for the spam filter. It is the only proxy which may be configured in the DMZ together with its own mail server.
4.6
POP3 Proxy
The POP3 Proxy pimp has also been developed by gateprotect AG. It also acts as an interface for the antivirus solution and for the spam filter.
ATTENTION !
4.7
VoIP Proxy
With the VoIP Proxy, you can use the gateprotect firewall server as a proxy for the SIP protocol. You will find the settings of the VoIP Proxy in the Administration Client via Options > Proxy > VoIP proxy tab.
4.7.1 General settings
This dialogue provides the following options:
Option Description
Internal network: Here you select your local network, which is to be used for telephone calls, from the drop-down list of available networks.
Internet connection: Here you select the Internet connection which the firewall server uses to forward the VoIP connections, from the drop-down list of available connections.
NOTE
TO BE ABLE TO USE THE VOIP PROXY, YOU HAVE TO ENTER THE IP ADDRESS OF THE GATEPROTECT FIREWALL SERVER WITH PORT 5060 IN YOUR VOIP DEVICES. YOU WILL FIND FURTHER INFORMATION ON THIS IN THE DOCUMENTATION OF YOUR VOIP EQUIPMENT.
4.7.2 SIP Proxy
In this dialogue, you can activate the VoIP proxy and set the following options:
Option Description
Activate SIP Proxy: If you tick this box, the firewall server acts as a VoIP Proxy for the SIP protocol and can be addressed on port 5060.
Forward data to an external SIP Proxy: If you tick this box, VoIP data in the SIP protocol is forwarded to an external SIP proxy. Enter the IP address and the port of the external SIP proxy in the appropriate fields.