How to Set Up The HTTPS Proxy

Applies to Platform: UTM 5.x
Last update: 19 Nov 2022

Applies to Platform: UTM 6.x
Last update: 23 Jan 2025

This article illustrates the steps needed to configure the web proxy server to scan SSL-encrypted traffic (i.e., traffic on TCP port 443).

Note

If you have an Endian UTM Appliance equipped with at least version 5.0.5, please refer to this article to use the alternative URL Filtering functionality.

Configuration Example

When enabled, Squid intercepts all client requests and forwards them to the remote server, as it does for the HTTP proxy. The only difference is that for HTTPS requests an ‘intermediate’ certificate is needed so that the client can connect via HTTPS to the Endian UTM Appliance, which then delivers the request, retrieves the remote resource, checks it, and sends it to the client that requested it.

Enable HTTP Proxy

In the Dashboard, go to Proxy > HTTP and click the Enable HTTP Proxy switch (it turns green once the proxy has been enabled).

Then, set the operational mode for each zone that should be filtered to transparent and Save the configuration.

Apply the changes to proceed.

Set the zones

Next, go to the Zones tab and, for each zone that should be filtered, set the operational mode to transparent (by clicking on the edit icon) and Save the configuration.

Choosing the certificate

You have two options for the certificate:

  1. Create a new certificate from scratch. Go to Proxy > HTTP > HTTPS Proxy and click on the Create a new certificate button. A confirmation dialog box appears. Click on OK to proceed.
  2. Upload a certificate. Click on Choose file, browse to the certificate on the local hard disk, then click on Upload to copy the certificate to the Endian UTM Appliance.

After the certificate has been uploaded or created, a new option in the form of a hyperlink appears next to Upload proxy certificate. Click the Download hyperlink to get the certificate, which the clients will need.

Enable HTTPS Proxy

Go to Proxy > HTTP > HTTPS Proxy and tick the Enable HTTPS proxy checkbox to activate the service. The following options appear:

1. Tick the Accept every certificate checkbox. This option allows the Endian UTM Appliance to automatically accept all the certificates from the remote server, even those that are invalid or outdated.

2. The Forward HTTPS connections directly to the Upstream proxy option should not be ticked unless you want the HTTPS traffic to be managed directly by the upstream proxy. When unticked, the traffic is managed by the Endian UTM Appliance.

3. In the Bypass HTTPS proxy for destinations text field, add the IP address or domain name of each remote web site that should be skipped by the HTTPS proxy, one entry per line (the field can also remain blank).

To activate the HTTPS proxy, click on Save and wait a few seconds.

Enable HTTPS Proxy

Go to the Proxy > HTTP > HTTPS Proxy tab and select Full for the HTTPS proxy operating mode. The following options are also available:

1. Remote certificate acceptance policy. Generally you will want to set this option to Show warning for untrusted certificates. Alternatively, you could choose Accept all certificates; however, this is an insecure mode.

2. The Forward HTTPS connections directly to the Upstream proxy option should not be ticked unless you want the HTTPS traffic to be managed directly by the upstream proxy. When unticked, the traffic is managed by the Endian UTM Appliance.

3. In the Bypass the following destinations text field, add the IP address(es) or domain name(s) of the remote web sites that should be skipped by the HTTPS proxy, one entry for each (the field can also remain blank).

To activate the HTTPS proxy, click on Save and wait a few seconds.

Downloading the certificate

After the operating mode has been set to Full, the system automatically generates a self-signed certificate, which can be downloaded to your local machine using the Download HTTPS proxy certificate button.

Import Proxy Certificate (Windows 10)

For the HTTPS proxy to work, you should first import the downloaded proxy certificate on your client.

The following steps show how to import the certificate issued by the Endian UTM Appliance (and downloaded in the previous step) on Windows 10.

1. Double-click on the downloaded Endian certificate to open certificate properties.

2. Click on Install certificate... to start with the certificate installation wizard.

3. Select Local Machine in order to install the certificate for all client users and not only for the current user, then click on Next.

4. If a User Account Control window appears after the previous step, just click on Yes.

5. Click on Place all certificates in the following store and click on Browse...

6. Select Trusted Root Certification Authorities and click on OK.

7. Click on Next.

8. When the wizard reports that the certificate import was successful, confirm by clicking on OK.
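
The same import can be scripted from an elevated PowerShell prompt, with a check of what is being trusted before it goes into the store. This is an added example, not Endian's own tooling; the file path is an assumed download location and the expected fingerprint is a placeholder to be replaced with a value obtained over a channel you trust.

```powershell
# Added example (not Endian tooling): inspect the downloaded proxy
# certificate, then import it machine-wide. Run from an elevated prompt.
param(
    # Assumed path of the certificate downloaded from the appliance.
    [string]$CertPath = "$env:USERPROFILE\Downloads\proxy-ca.cer",
    # Placeholder: SHA-256 fingerprint obtained over a channel you trust.
    [string]$ExpectedSha256 = '<EXPECTED-SHA256-FINGERPRINT>'
)
$ErrorActionPreference = 'Stop'

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# Fingerprint over the DER bytes, so PEM and DER copies give the same value.
$sha = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = [System.BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$sha.Dispose()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"SHA-256 : $fingerprint"

$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($fingerprint -ne $expected) {
    throw "Fingerprint mismatch: refusing to import $path"
}

# A certificate in Trusted Root lets its key holder sign for any site,
# so flag anything that is not marked as a CA certificate.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) {
    Write-Warning 'Certificate carries no CA basic constraint.'
}

# Same target as the wizard: Local Machine > Trusted Root Certification Authorities.
Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Thumbprint, NotAfter
```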

Verify the connection

Once the certificate is imported, all HTTPS connections will be shown as secure connections, and you can check that the certificate presented on the connection is the Endian one instead of the one normally used by the specific site itself.

The following steps show how to check in Google Chrome on Windows whether the certificate presented for the connection is the one issued by Endian.

1. Click on Secure, then on Certificate (Valid).

2. Click on the Details tab, then on Issuer; it has to be Endian.
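
The same issuer check can be run from PowerShell for several sites at once, which also shows whether an entry in the bypass list is really being skipped (its issuer stays the site's own CA). This is an added example, not part of the original article; the host names are placeholders and the `Endian` issuer pattern is taken from the Chrome check above.

```powershell
# Added example: report which CA issued the certificate each site presents
# to this client. Host names are placeholders; 'Endian' follows the
# issuer check described in the article.
param(
    [string[]]$HostNames = @('www.example.com', 'bypassed.example.net'),
    [string]$ProxyIssuerPattern = 'Endian'
)

function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect it, and no
        # application data is sent over this connection.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

foreach ($name in $HostNames) {
    $cert = Get-PresentedCertificate -HostName $name
    # Build the chain separately against the Windows certificate stores
    # (chain trust only; no revocation lookup, no host name check).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Host        = $name
        Issuer      = $cert.GetNameInfo('SimpleName', $true)
        ChainRoot   = $root.GetNameInfo('SimpleName', $false)
        Trusted     = $trusted
        Intercepted = $cert.Issuer -match $ProxyIssuerPattern
    }
}
```

A filtered site should show `Intercepted` as True, and `Trusted` as True only once the proxy certificate has been imported; a bypassed destination should show its usual public issuer.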
