SSL rules and SSL SNI domains Proxy object


SSL rules let you enable or disable man-in-the-middle (MITM) decryption of HTTPS traffic through ACLs (see how to enable SSL on your proxy).


This is a dedicated section because you do not need to include these rules in the main Access Control List.

The behavior is the same as for the Access Control List: you create rules that either decrypt the SSL session or leave it untouched, according to the objects that match.

In this section you can use a dedicated proxy object called "SSL SNI domains".

The SSL SNI domains object

This object inspects the certificate sent by the web server in order to retrieve the main domain used to establish the HTTPS session.
When it finds a domain in the certificate, it checks whether that domain matches one of the domains listed in the object; if it does, the rule matches. The comparison is made on the domain name, not on the URL, so the list must cover every hostname you want decrypted.

To understand this object we will create a rule for the following need:

We want to decrypt YouTube and Facebook and keep all other web sites untouched.

  • Click on New Rule.
  • Turn on the "Uncrypt SSL" option.
  • Click on Add.


  • Select the rule you just added.
  • Click on the Groups tab.
  • Click on the Link proxy object button.
  • Define a group name.
  • Select the object "SSL SNI domains" in the drop-down list.
  • Click on Add.


  • Finally, click on the green arrow to link this object to your rule.


  • In this case, your first rule hooks port 443 but only decrypts web sites whose certificates contain facebook.com or youtube.com; every other HTTPS session is left untouched.
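The following is an added example, not part of the original page or of the proxy's own code, showing the decision the rule above makes: extract the server name a client asks for in its TLS ClientHello (the SNI extension) and compare it against the domain list, so that facebook.com, youtube.com and their subdomains are decrypted ("bump") and everything else is passed through ("splice"). The ClientHello bytes are constructed inline for the demonstration; the function names and the bump/splice labels are assumptions chosen for the example. Note that the SNI is supplied by the client and is not authenticated, which is why a proxy also checks the name inside the server certificate, as the object description says.

```python
import struct

# Domain list of the example rule: an exact domain or any of its subdomains matches.
BUMP_DOMAINS = ["facebook.com", "youtube.com"]


def domain_matches(hostname, domains):
    """True if hostname equals a listed domain or is a subdomain of it.
    'notfacebook.com' must NOT match 'facebook.com', hence the leading dot check."""
    h = hostname.lower().rstrip(".")
    for d in domains:
        d = d.lower().rstrip(".")
        if h == d or h.endswith("." + d):
            return True
    return False


def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name extension.
    Constructed test input for this example, not a packet capture."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32                             # client_version, random
            + b"\x00"                                               # session_id length 0
            + b"\x00\x02\x00\x2f"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:                   # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:                           # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) < hs_len:
            return None                                             # truncated
        i = 2 + 32                                                  # skip version and random
        i += 1 + p[i]                                               # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]                 # cipher_suites
        i += 1 + p[i]                                               # compression_methods
        if i + 2 > len(p):
            return None                                             # no extensions block
        ext_len = struct.unpack("!H", p[i:i + 2])[0]
        i += 2
        end = i + ext_len
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            i += 4
            if etype == 0:                                          # server_name extension
                list_len = struct.unpack("!H", p[i:i + 2])[0]
                j = i + 2
                while j + 3 <= i + 2 + list_len:
                    ntype = p[j]
                    nlen = struct.unpack("!H", p[j + 1:j + 3])[0]
                    j += 3
                    if ntype == 0:
                        return p[j:j + nlen].decode("ascii", "replace")
                    j += nlen
            i += elen
        return None
    except (IndexError, struct.error):
        return None


def decide(record):
    """Rule decision for one ClientHello: ('bump', name) to decrypt, ('splice', name) to pass through."""
    name = extract_sni(record)
    if name is not None and domain_matches(name, BUMP_DOMAINS):
        return ("bump", name)
    return ("splice", name)


if __name__ == "__main__":
    for host in ("www.youtube.com", "m.facebook.com", "notfacebook.com", "example.org"):
        print(host, "->", decide(build_client_hello(host))[0])
```

Hostnames in the certificate or the SNI may carry a trailing dot or mixed case, which is why both sides are normalised before comparison; a rule that listed only "www.facebook.com" would miss "m.facebook.com", so the object is fed the registrable domain.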
