Applies to platform: UTM 3.0, UTM 5.0
Last updated: 27th April 2017
This article will illustrate the necessary steps to configure the proxy server for the scan of SSL-encrypted traffic (i.e., traffic through the 443 port).
When enabled, squid will intercept all clients’ requests and forward them to the remote server, like in the case of HTTP proxy. The only difference is that for HTTPS requests, an ‘intermediate’ certificate is needed for the client to connect via HTTPS to the Endian UTM Appliance, which then can deliver the request, retrieve the remote resource, check it, and then send it to the client who requested it.
Enable HTTP Proxy
In the Dashboard go to: Proxy > HTTP and click on Enable HTTP Proxy switch (it will turn green after it has been enabled). Then, set the operational mode for each zone that should be filtered to transparent and Save the configuration.
Apply the changes to proceed.
Choosing the certificate
You have two possibilities for the choice of the certificate:
- To create a new certificate from scratch. Go to Proxy> HTTP> HTTPS Proxy and click on Create a new certificate button. A confirmation dialog box appears, requiring a confirmation. Click on OK to proceed.
- Upload a certificate. Click on Choose file, browse the certificate on the local hard disk, then click on Upload to copy the certificate to the Endian UTM Appliance.
After the certificate has been uploaded or created, a new option in the form of a hyperlink will appear next to the Upload proxy certificate. Click the hyperlink Download to get the certificate, which will be needed by the clients.
Enable HTTPS Proxy
Go to Proxy > HTTP > HTTPS Proxy, tick the checkbox Enable HTTPS proxy to activate the service. The next options appear:
1. Tick the Accept every certificate checkbox. This option allows the Endian UTM Appliance to automatically accept all the certificates from the remote server, even those that are not valid or outdated.
2. The Forward HTTPS connections directly to the Upstream proxy option should not be ticked unless you want the HTTPS traffic to be managed directly by the upstream proxy. When unticked, the traffic is managed by the Endian UTM Appliance.
3. In the Bypass HTTPS proxy for destinations textfield you should write the IP address or domain name of the remote web sites that should be skipped by the HTTPS proxy, one per line (it could also remain blank).
To activate the HTTPS proxy, click on Save and wait a few seconds.
Verify the connection
In order to verify that the HTTPS Proxy is working you should first import the proxy certificate downloaded on your browser. Then, whenever you try to access a domain or an IP that does not appear in the Bypass HTTPS proxy for destinations whitelist, the Not secure warning will appear.