HTTPS Proxy

[Raja]

Hello Everyone,

This is Elaiyaraja from Capgemini India

We want to enable internet connectivity for one of our application through proxy. I have tried Wingate proxy,it has very good features.I informed the same to my management and they are happy to purchase Enterprise license but they want the connectivity between application server and Wingate proxy should be in secure way.

We want to specify proxy URL like "https://proxy.xyz.com:999" in application configuration. Does Wingate support Https proxy connectivity ?


Thanks,
Elaiyaraja

[adrien]

Hi

Actually yes, WinGate does support making an SSL/TLS connection to the proxy, then making a request over that secure connection. To do this, edit the binding policy for the WWW proxy, and select to use SSL. Then choose a certificate. It even supports X.509 client certificate authentication to the proxy.

No clients I know of support it, but if you have written your own, then you can do it.

Regards

Adrien de Croy

[Raja]

Thanks Adrien for your quick response.

No clients I know of support it, but if you have written your own, then you can do it

Do we need something else to support HTTPS proxy at client side? Pls explain bit more about this

[adrien]

Hi

a normal http client (e.g. a browser) when it wants to do https through a proxy does the following:

1. connects to the proxy, and issues the a request using the CONNECT method.
2. the proxy connects to the specified server:port, and responds with a 200 OK.
3. The client negotiates TLS/SSL over the tunneled connection. This is as if it were not using a proxy
4. The client issues the http commands over the TLS/SSL channel

So the difference between using a proxy or not for https is simply stage 1 and 2 - the client requesting the proxy to open a tunnel to the end server. The client then does its own TLS and http over that channel.

Are you using a standard library in your client for http/https?

[Raja]

1. Installed wingate 8.2
2. Activated enterprise trail version
3. Created certificate using wingate certificate option
4. Edited the binding policy for the WWW proxy, and select to use SSL ,provided service port 444 and selected certificate which i created above
5. Configured proxy server and port on client IE browser but its not working none of the sites are able to access however if i disable SSL everything is working fine.

is anything I'm missing here pls advise.

Also my actual requirement is to configure HTTPS proxy on IBM Endpoint Manager application like below. IBM confirmed that this application will support HTTPS proxy.

Launch C:\Program Files (x86)\BigFix Enterprise\BES Server>BESAdmin /setproxy /user:AAAA /pass:AAAA and then manually modify the following registry key:
HKLM\SOFTWARE\BigFix\Enterprise Server\Proxy
"Proxy"=""
"ProxyUser"="AAAA"
"ProxyPass"="ecrypted(AAAA)"
to our enterprise proxy values, where proxy is " https://proxy.xyz.com:999"

refer this URL for more info - http://www-01.ibm.com/support/docview.w ... wg21505994

[adrien]

Hi

for that you probably don't run SSL on the www proxy binding, just plain HTTP. The software should deal with the https

http://en.wikipedia.org/wiki/HTTP_tunne ... _Tunneling

Regards

Adrien

[Raja]

I want use only HTTPS proxy. Actually my management wants whatever communication happening in between application server and proxy server should be in secure way because application server in production zone and proxy server will be hosted in DMZ zone.

Do you think its possible?


Thanks
Elaiyaraja

[adrien]

Hi

that will depend entirely on your client software.

WinGate supports https tunneling through CONNECT, it supports reverse proxying with SSL/TLS on either side. It supports TLS connections to the proxy (which no other proxy supports that I know of, and no clients support).

So it comes down to what the client software can do.

Adrien

[Raja]

Even browser(IE,Mozilla) at client side is not working after enabling SSL binding. Does that mean browsers are not supported by SSL proxy?

I know I'm giving more trouble to you by asking these many questions and really sorry for that


Thanks
Raja

[adrien]

Hi Raja

like I keep saying No HTTP clients ever connect to a proxy over an SSL connection.

Turn it off on the binding, I only suggested it because of what you seemed to be asking for in your original post.

The browser will still use SSL over to the site.

Adrien