Most applications encrypt outgoing connections with SSL or TLS. SSL Interception decrypts SSL-encrypted traffic so that Application Control features (such as the Virus Scanner, ATP, URL Filter, Safe Search, or File Content Scan) can inspect encrypted content that would otherwise not be visible to the Firewall service.

To avoid certificate errors when users open SSL-encrypted connections, you must install the SSL Interception root certificate on all client computers.

If you are using CRL checks, the CRL/OCSP check is done once per 24-hour period to reduce the load on the CRL/OCSP server. If an error occurs during the CRL check, it is repeated after 10 minutes.

Applications whose application object has the property not interceptable cannot be intercepted and are automatically excluded from SSL Interception. Open the application object on the Forwarding Rules > Applications page to check whether an application is interceptable.

You can configure SSL Interception to use a cipher string of your choice. The F-Series uses the following default cipher string: HIGH:!aECDH:!ADH:!3DES:!MD5:!DSS:!RC4:!EXP:!eNULL:!NULL:!aNULL. If necessary, you can also set a custom cipher string using the ciphers from the following list:
Before You Begin
Enable Application Control. For more information, see How to Enable Application Control.
Step 1. Enable SSL Interception
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policy.
- Click Lock.
- Select the Enable SSL Interception check box.
- In the Root Certificate section, either select Use self signed certificate or add your certificate by clicking the plus sign (+). The root certificate is used to intercept, proxy, and inspect SSL-encrypted connections. For HTTPS, the Barracuda NextGen Firewall F-Series uses the root certificate to present the client with an SSL certificate derived from this root CA.
In the Trusted Root Certificates table, you can extend the default set of trusted root certificates by clicking the plus sign (+). To view the F-Series Firewall's certificate store, click the Show CA Certificates link.
- Select the Enable CRL Checks check box to automatically check for revoked certificates.
- In the Exception Handling section, add domains that should be excluded from SSL Interception. SSL-encrypted traffic to and from these domains is not decrypted, although SSL Interception is globally enabled. Domains automatically include all subdomains. For example, google.com also includes mail.google.com.
- Click Send Changes and Activate.
SSL Interception can now be enabled on a per-access-rule or per-application-rule basis.
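The subdomain rule for the Exception Handling list deserves a precise check, because a naive suffix comparison would also exclude names such as notgoogle.com. The following shell function is an added example, not part of the Barracuda documentation or product; the exception list and host names it uses are constructed for the demonstration. It matches an entry against the domain itself and every subdomain, but only on a label boundary.

```shell
#!/bin/sh
# Added example, not from the Barracuda documentation: apply the "domain
# includes all subdomains" rule of the Exception Handling list. An entry
# covers the domain itself and any subdomain, but never a longer name that
# merely ends in the same characters (notgoogle.com is not google.com).

# Constructed exception list, one domain per line, standing in for the
# entries of the Exception Handling table.
EXCLUDED_DOMAINS='google.com
intranet.example.net'

# is_excluded HOST
#   Prints "excluded" if HOST is covered by an entry (exact match or a
#   subdomain of it), "intercepted" otherwise. The comparison ignores case
#   and a trailing dot on the host (FQDN form).
is_excluded() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    for dom in $EXCLUDED_DOMAINS; do
        dom=$(printf '%s' "$dom" | tr 'A-Z' 'a-z')
        # "$dom" matches the domain itself; *".$dom" matches any subdomain
        # because the literal dot forces a label boundary.
        case "$host" in
            "$dom" | *".$dom")
                echo excluded
                return 0 ;;
        esac
    done
    echo intercepted
    return 0
}

# Constructed host names: the last two look similar to an entry but must
# still be intercepted.
for h in google.com mail.google.com MAIL.Google.COM. notgoogle.com google.com.example.org; do
    printf '%-26s %s\n' "$h" "$(is_excluded "$h")"
done
```

When reviewing an exception list, keep in mind that an entry excludes an entire tree of hosts from inspection, so prefer the most specific name that still covers the application that needs the exception.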
Step 2. Configure Advanced SSL Interception Settings
For SSL Interception, you can also configure advanced settings such as the number of working instances that are involved in the SSL decryption process, log verbosity, CRL checks, or the used cipher string.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > Firewall > Security Policies.
- Click the Advanced link in the upper right of the Security Policy page. The SSL Interception Advanced window opens.
- Change the advanced SSL Interception settings according to your requirements:
- Number of Workers – The number of working instances to be involved in the SSL decryption and encryption process. Default: auto
- Protocol Error Policy – If the firewall cannot interpret the HTTP or SMTP connection this policy is enforced:
- continue – The invalid HTTP or SMTP traffic is forwarded directly, bypassing all further firewall policies such as the Virus Scanner, URL Filter, etc.
- close – The invalid HTTP or SMTP connection is closed.
- RSA Key Size – Select the key size used for the dynamic SSL certificates.
- Log Verbosity – You can select one of the following log granularity options: debug, info, notice, warning, or error.
- CRL Error Policy – Because clients cannot check the revocation status of the server certificates of intercepted SSL connections themselves, you can configure the default validation policy for all intercepted SSL connections for which CRL/OCSP checks could not be performed. Default: Yes
- Ignore – The F-Series creates a valid certificate for the client as long as the content of the server certificate is validated.
- Fail – The F-Series creates an invalid certificate to let the client know that CRL/OCSP checks could not be performed.
- SSL Version Handling
- Allow (obsolete) SSLv2 – Enable if you must support clients, or remote mail servers, that are SSLv2 only.
- Allow (obsolete) SSLv3 – Enable if you must support clients, or remote mail servers, that are SSLv3 only.
- OpenSSL Cipher String – You can set a custom cipher string. The F-Series uses the following default cipher string: HIGH:!aECDH:!ADH:!3DES:!MD5:!DSS:!RC4:!EXP:!eNULL:!NULL:!aNULL.
- Click Send Changes and Activate.
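Before activating a custom OpenSSL Cipher String (the setting above, and the same default string quoted in the overview), it is worth expanding it with the openssl tool to see which suites it actually selects and to confirm that none of the families the default string bans survive. The script below is an added example, not part of the Barracuda documentation or product; it needs the openssl command-line tool, and the name patterns it uses to spot weak suites are this example's own.

```shell
#!/bin/sh
# Added example, not from the Barracuda documentation: expand an OpenSSL
# cipher string the way the SSL Interception engine would and count how
# many of the selected suites still use a primitive the default string
# bans (anonymous DH/ECDH, 3DES, MD5, DSS, RC4, export grade, NULL).
# Needs the openssl command-line tool.

# Default cipher string quoted in the documentation.
DEFAULT_CIPHERS='HIGH:!aECDH:!ADH:!3DES:!MD5:!DSS:!RC4:!EXP:!eNULL:!NULL:!aNULL'

# list_ciphers STRING
#   Print, one per line, the suite names OpenSSL selects for STRING.
list_ciphers() {
    openssl ciphers -v "$1" 2>/dev/null | awk '{print $1}'
}

# count_ciphers STRING
#   Number of suites selected. 0 means the string matches nothing at all,
#   so a custom string should pass this check before it is activated.
count_ciphers() {
    list_ciphers "$1" | grep -c '.' || true
}

# count_weak_ciphers STRING
#   Number of selected suites whose name shows a banned primitive: RC4,
#   3DES (DES-CBC3), an MD5 MAC, NULL encryption, anonymous DH/ECDH, DSS
#   signing or an export-grade suite. The expected result is 0.
count_weak_ciphers() {
    list_ciphers "$1" | grep -Ec 'RC4|DES-CBC3|MD5|NULL|^ADH-|^AECDH-|DSS|^EXP' || true
}

# Report for the default string and for a deliberately permissive one, to
# show what the exclusions remove on this OpenSSL build.
for s in "$DEFAULT_CIPHERS" 'ALL:COMPLEMENTOFALL'; do
    printf '%-68s selected=%s weak=%s\n' "$s" "$(count_ciphers "$s")" "$(count_weak_ciphers "$s")"
done
```

The exact suite list depends on the OpenSSL build doing the expansion, so run the check on a version close to the one the firewall uses; a string that selects nothing would leave the engine with no usable cipher suite.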
The SSL Interception process breaks the certificate trust chain. To reestablish the trust chain, you must install the security certificate (root certificate) and, if applicable, intermediate certificates that are used by the SSL Interception engine. Install this certificate on every client in your network. To prevent browser warnings and allow transparent SSL interception, install the security certificate into the operating system's or web browser's certificate store.
- On the Security Policy page, click the edit icon next to (Self Signed) Certificate and click Export to file.
- Enter a name, select *.cer as file type, and click Save.
- Deploy this certificate to the computers in your network. Either create a group policy object, or install the certificate manually (MS Certificate Import wizard). Ensure that you deploy the certificate into the MS Windows Trusted Root Certification Authorities certificate store.
Certificate Management with Intermediate Certificate Authorities
Intermediate CAs are not directly delivered from the F-Series to the client. They must be deployed manually from the Microsoft Active Directory PKI.
- Use Microsoft Internet Explorer and connect to your MS Active Directory Certificate Services server. For example,
- Click Request a Certificate and select advanced certificate request.
- Click Create and submit a request to this CA and answer all questions with Yes.
- Select Subordinate Certification Authority from the Certificate Template.
- Fill out the form below.
- Select your key size in the Key Options section and select the Mark keys as exportable check box.
- Click Submit and answer all questions with Yes.
- Click Install this certificate.
After the certificate is installed successfully, start the MS Active Directory's management console.
- Open the Certificates - Current User snap-in.
- Right-click the Intermediate Certification Authorities\Certificates section and select your certificate.
- Select All Tasks > Export in the upcoming window.
- Click Next to proceed.
- In the Export Private Key window, select Yes, export the private key and proceed.
- Enter a password and click Next.
- Select the export destination folder and enter a file name.
- Click Finish.
- After the certificate has been exported, rename the file extension from *.pfx to *.p12.
- Use openssl to extract the private key from your *.p12 file. Enter the following command:
openssl.exe pkcs12 -in <filename>.p12 -nocerts -nodes -out privateKey.pem
- Enter the password entered in step 6.
- Use openssl to convert the key file to RSA. Enter the following command:
openssl.exe rsa -in privateKey.pem -out yourPrivateKey.pem
- You can now import the certificate (*.p12) and private key (*.pem) pair to be used for SSL Interception.
- Install the certificate (*.p12) and root CA from which the certificate was derived.
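The two openssl commands above can be rehearsed end to end against a throw-away certificate before the real intermediate CA is touched, and the extracted key can be verified against the certificate before the import. The script below is an added example, not part of the Barracuda documentation or product; it needs the openssl command-line tool, and the file names, the subject name and the password "changeit" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Barracuda documentation: build a throw-away
# PKCS#12 bundle (standing in for the *.pfx exported from the Windows
# certificate store), run the two documented openssl commands on it, and
# verify that the extracted private key belongs to the certificate.
# Needs the openssl command-line tool.
set -u

WORKDIR="${TMPDIR:-/tmp}/sslicpt-demo.$$"
P12_PASSWORD='changeit'   # constructed; stands in for the password chosen at export

# make_test_bundle DIR
#   Create a self-signed test certificate and key, then pack both into a
#   .p12 file protected with $P12_PASSWORD.
make_test_bundle() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=SSL Interception test sub-CA' \
        -keyout "$1/orig-key.pem" -out "$1/orig-cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$1/orig-cert.pem" -inkey "$1/orig-key.pem" \
        -passout "pass:$P12_PASSWORD" -out "$1/subca.p12" 2>/dev/null
}

# extract_key DIR
#   The documented steps: pull the unencrypted private key out of the .p12
#   (the password prompt is answered from $P12_PASSWORD instead of
#   interactively), then rewrite it with "openssl rsa" to obtain the plain
#   RSA key file that is imported together with the .p12.
extract_key() {
    openssl pkcs12 -in "$1/subca.p12" -nocerts -nodes \
        -passin "pass:$P12_PASSWORD" -out "$1/privateKey.pem" 2>/dev/null
    openssl rsa -in "$1/privateKey.pem" -out "$1/yourPrivateKey.pem" 2>/dev/null
}

# key_matches_cert DIR
#   The check worth doing before the import: the public key derived from
#   the extracted private key must equal the public key in the certificate.
#   Prints "match" or "mismatch".
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/orig-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/yourPrivateKey.pem" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# run_demo
#   Full rehearsal in a temporary directory; prints the verification result
#   and cleans up, since an unencrypted key must not be left lying around.
run_demo() {
    make_test_bundle "$WORKDIR"
    extract_key "$WORKDIR"
    result=$(key_matches_cert "$WORKDIR")
    rm -rf "$WORKDIR"
    echo "$result"
}

run_demo
```

The same key_matches_cert check applied to the real privateKey.pem and the certificate exported from the CA catches the most common mistake at this step, exporting the wrong certificate from the store; note that privateKey.pem and yourPrivateKey.pem hold the key unencrypted, so delete them from the workstation once the import has succeeded.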
SSL Interception for SMTPS Traffic
The F-Series supports SSL Interception for incoming and outgoing SSL-encrypted SMTP connections using the SSL certificate of your mail server.
For more information, see How to Configure Mail Security in the Firewall.
SSL Interception for HTTPS Traffic
The F-Series supports SSL Interception for incoming and outgoing SSL-encrypted HTTP connections.
For more information, see How to Configure Virus Scanning in the Firewall for Web Traffic.
SSL Interception for VPN Traffic
To use SSL Interception for traffic going through a VPN tunnel, you must create a VPN interface and assign an IP address that is covered by the source route of the VPN tunnel.
SSL Interception on Bridged Interfaces
SSL Interception can only be used on routed Layer 2 and Layer 3 bridges. Additionally, a default route is needed to carry out CRL checks.
For more information, see Bridging.