Applies to platform: UTM 3.0, UTM 5.0
This article illustrates the steps needed to configure the proxy server to scan SSL-encrypted traffic (i.e., HTTPS traffic on port 443).
When enabled, Squid intercepts all client requests and forwards them to the remote server, as it does for plain HTTP. The difference is that for HTTPS requests the appliance terminates the TLS connection itself: the client connects via HTTPS to the Endian UTM Appliance, which presents a certificate issued by its own proxy certificate, then retrieves the remote resource, checks it, and sends it back to the client that requested it. The clients must therefore trust the appliance's proxy certificate, otherwise their browsers show a certificate warning for every HTTPS site. Keep in mind that the appliance sees all intercepted traffic in the clear and that its proxy certificate can sign a certificate for any site, so protect it accordingly.
Enable HTTP Proxy
In the Dashboard go to: Proxy > HTTP and click the Enable HTTP Proxy switch (it turns green once enabled). Then set the operational mode to transparent for each zone whose traffic should be filtered and Save the configuration.
Apply the changes to proceed.
Choosing the certificate
You have two possibilities for the choice of the certificate:
- Create a new certificate from scratch. Go to Proxy > HTTP > HTTPS Proxy and click on the Create a new certificate button. A confirmation dialog box appears; click on OK to proceed.
- Upload an existing certificate. Click on Choose file, select the certificate file on the local disk, then click on Upload to copy the certificate to the Endian UTM Appliance.
After the certificate has been created or uploaded, a Download hyperlink appears next to Upload proxy certificate. Click it to save the certificate, which must be installed on every client (see Import Proxy Certificate below).
Enable HTTPS Proxy
Go to Proxy > HTTP > HTTPS Proxy, tick the checkbox Enable HTTPS proxy to activate the service. The next options appear:
1. Tick the Accept every certificate checkbox. This option makes the Endian UTM Appliance accept every certificate presented by remote servers, including invalid or expired ones. Note that with this option the client only ever sees the certificate issued by the appliance and can no longer detect that the upstream server's certificate was bad, so tick it only if you accept that risk.
2. The Forward HTTPS connections directly to the Upstream proxy option should be left unticked unless you want the HTTPS traffic to be handled by the upstream proxy. When unticked, the traffic is handled by the Endian UTM Appliance.
3. In the Bypass HTTPS proxy for destinations textfield, enter the IP addresses or domain names of the remote web sites that should not be intercepted by the HTTPS proxy, one per line (the field may also be left blank). Sites using certificate pinning or client certificates are typical candidates.
To activate the HTTPS proxy, click on Save and wait a few seconds.
Import Proxy Certificate (Windows 10)
For the HTTPS proxy to work, the proxy certificate downloaded in the previous step must first be imported on each client; until then browsers will show a certificate warning for every HTTPS site.
In the following steps, we will show you how to import the certificate issued by Endian UTM Appliance (and downloaded in the previous step) on Windows 10.
1. Double-click on the downloaded Endian certificate to open certificate properties.
2. Click on Install certificate... to start with the certificate installation wizard.
3. Select Local Machine in order to install the certificate for all client users and not only for the current user, then click on Next.
4. If a User Account Control window is issued after the previous step, just click on Yes.
5. Click on Place all certificates in the following store and click on Browse...
6. Select Trusted Root Certification Authorities and click on OK.
7. Click on Next, then on Finish.
8. Confirm the dialog reporting that the import was successful by clicking on OK.
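The same import as wizard steps 1 to 8, done from an elevated PowerShell prompt so it can be scripted for many clients. This is an added example and not part of the Endian documentation; the download path and file name are assumptions, and the Basic Constraints check is an extra sanity check added here.

```powershell
# Added example, not part of the Endian documentation: import the downloaded
# proxy certificate into the Local Machine "Trusted Root Certification
# Authorities" store. Run from an elevated PowerShell prompt.
$certPath = "$env:USERPROFILE\Downloads\proxy-cert.crt"   # assumed download location

# Load the certificate and show what you are about to trust
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"

# Sanity check: a certificate that will sign site certificates on the fly must
# carry the Basic Constraints CA flag; a plain server certificate is useless here.
$basic = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basic -or -not $basic.CertificateAuthority) {
    Write-Warning "Certificate is not marked as a CA; intercepted sites will still show warnings."
}

# Cert:\LocalMachine\Root is the "Trusted Root Certification Authorities" store for
# all users of the machine (needs elevation, like the UAC prompt in step 4).
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm that the store now contains it
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Thumbprint, NotAfter
```

`certutil -addstore Root proxy-cert.crt` does the same from a command prompt. When the appliance is decommissioned or the certificate is regenerated, remove the old one from the store (`Remove-Item Cert:\LocalMachine\Root\<thumbprint>`), since anyone holding its private key could impersonate any HTTPS site to clients that still trust it.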
Verify the connection
Once the certificate is imported, browsers treat intercepted HTTPS connections as secure, and you can check that the certificate presented for a site was issued by the Endian UTM Appliance rather than by the site's usual certificate authority.
In the following steps, we show how to check in Google Chrome on Windows whether the certificate used for the connection was issued by Endian.
1. Click on Secure in the address bar, then on Certificate (Valid).
2. Open the Details tab and select the Issuer field: it should name the Endian proxy certificate, not the site's public certificate authority.
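The same check without a browser, as an added example that is not part of the Endian documentation: open a TLS connection to a site the way a browser does (the transparent proxy intercepts it on port 443) and report who issued the certificate the client actually received. The target host is an assumption; any HTTPS site not listed in the bypass field works.

```powershell
# Added example, not part of the Endian documentation: fetch the certificate
# the client receives for an HTTPS site and report its issuer.
$targetHost = "www.example.com"   # assumed target; use any intercepted site
$port       = 443

$state = @{}   # filled in by the validation callback
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    # Keep a copy of the leaf certificate and the validation verdict for inspection.
    $state.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $state.Errors = $sslPolicyErrors
    return $true   # accept for inspection only; the real verdict is printed below
}

$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $targetHost, $port
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
try {
    $ssl.AuthenticateAsClient($targetHost)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

$leaf = $state.Cert
"Subject      : $($leaf.Subject)"
"Issuer       : $($leaf.Issuer)"
"Policy errors: $($state.Errors)"   # None once the Endian certificate is trusted

# Was the issuer one of the roots this machine trusts (i.e. the imported proxy certificate)?
$issuer = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $leaf.Issuer }
if ($issuer) {
    "Issued by a trusted root: $($issuer.Subject) ($($issuer.Thumbprint))"
} else {
    Write-Warning "Issuer is not in the Local Machine Trusted Root store: either the HTTPS proxy is not intercepting this host or the proxy certificate was not imported."
}
```

With interception working, Subject names the site, Issuer names the Endian proxy certificate and Policy errors is None. A public CA in the Issuer field means the host is bypassed or the HTTPS proxy is not active for that zone; RemoteCertificateChainErrors with an Endian issuer means the certificate was not imported into the Local Machine store.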