End-of-Life (EoL)

SSL Forward Proxy

Use an SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web. SSL Forward Proxy decryption prevents malware concealed in SSL-encrypted traffic from being introduced to your corporate network.
With SSL Forward Proxy decryption, the firewall resides between the internal client and the outside server. The firewall uses certificates to establish itself as a trusted third party to the session between the client and the server (for details on certificates, see Keys and Certificates for Decryption Policies). When the client initiates an SSL session with the server, the firewall intercepts the client SSL request and forwards the SSL request to the server. The server returns a certificate intended for the client, which the firewall intercepts. If the server certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server certificate, signs it with the firewall Forward Trust certificate, and sends the certificate to the client. If the server certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server certificate, signs it with the Forward Untrust certificate, and sends it to the client. In this case, the client sees a block page warning that the site they're attempting to connect to is not trusted, and the client can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing.
As the firewall continues to receive SSL traffic from the server that is destined for the client, it decrypts the SSL traffic into cleartext traffic and applies decryption and security profiles to the traffic. The firewall then re-encrypts the traffic and forwards the encrypted traffic to the client.
Figure 1 shows this process in detail.
Figure 1: SSL Forward Proxy
See Configure SSL Forward Proxy for details on configuring SSL Forward Proxy.
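The certificate decision described above can be reproduced offline with `openssl`. The following is an added example, not firewall code or vendor tooling: it models the Forward Trust / Forward Untrust choice and what the client then sees. All CA names, hostnames and file names are constructed, and it assumes the client trust store holds only the Forward Trust CA.

```shell
#!/bin/sh
# Added example: models the firewall's Forward Trust / Forward Untrust choice.
# Every name here (CAs, hostnames, files) is constructed for the demo.
WORK=$(mktemp -d)

make_ca() {  # make_ca NAME: self-signed CA certificate and key
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue() {  # issue CA CN OUT: new key for CN, certificate signed by CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 2 \
    -out "$WORK/$3.crt" 2>/dev/null
}

chains_to() {  # chains_to CA CERT: true if CERT verifies with CA as anchor
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null |
    grep -q ': OK$'
}

resign() {  # resign SITE: firewall side; prints the signing CA it chose
  cn=$(openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/.*CN *= *//')
  if chains_to public-ca "$1"; then signer=forward-trust
  else signer=forward-untrust; fi
  issue "$signer" "$cn" "$1.copy"   # same subject, firewall-generated key
  echo "$signer"
}

client_accepts() {  # assumption: client trusts only the Forward Trust CA
  chains_to forward-trust "$1.copy"
}

make_ca public-ca        # in the firewall's trusted CA list
make_ca unknown-ca       # not trusted by the firewall
make_ca forward-trust    # distributed to client trust stores
make_ca forward-untrust  # deliberately never distributed to clients
issue public-ca good.example.test good
issue unknown-ca bad.example.test bad

for site in good bad; do
  signer=$(resign "$site")
  if client_accepts "$site"; then verdict="no warning"
  else verdict="certificate warning"; fi
  echo "$site: signed by $signer, client sees $verdict"
done
```

The untrusted-server case only produces a warning because the Forward Untrust CA is absent from the client trust store; if that CA were distributed to clients, the second case would validate silently.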
