Versionen im Vergleich

Schlüssel

  • Diese Zeile wurde hinzugefügt.
  • Diese Zeile wurde entfernt.
  • Formatierung wurde geändert.
Seiteneigenschaften


Description:

In order to be able to use the UTM functions of the LANCOM R&S®Unified Firewall (e.g. URL/Content Filter, antivirus), the HTTP(S) proxy in the device must be configured and activated. This document describes the configuration steps necessary for this.
Important notice:
      The
Hinweis

The Application Filter does not require the HTTP(S) proxy

. It analyzes all traffic that passes through the firewall, regardless of which port is used. How

you

you configure the application

filterImage Removed

filter is described in

the following document

this Knowledge Base article.

  • How you configure the URL/Content Filter is described in
the following document Image Removed
the following document Image Removed

The HTTP(S) proxy serves as a middleman. It connects to the web server, uses its own HTTP(S) proxy CA to generate a pseudo-certificate for the website and uses this to connect to the browser. This allows the proxy to analyze traffic, apply URL and content filters, and scan for viruses.

Hinweis

Make sure that the DNS server of your LANCOM R&S®Unified Firewall correctly resolves the domains it accesses when the HTTP(S) proxy is active.

The DNS server of the Unified Firewall has to be entered on the network devices (static or dynamic via DHCP). As an alternative a separate local DNS server can be used. This DNS server has to forward the DNS requests to the DNS server of the Unified Firewall.

Furthermore a DNS cache must not be used on the end devices or a local DNS server.

In order for the connection to be established the IP addresses resolved by the end device and the Unified Firewall must match. If there is a discrepancy the error message "Host header forgery detected" is displayed in the Unified Firewall log. Access to the requested website is not possible in this case! This can also lead to performance issues when accessing a website!

When the Google DNS servers are used (8.8.8.8 and 8.8.4.4), "Host header forgery" messages can occur even if the DNS configuration in your scenario is correct. In this case please use another DNS server.

Warnung

Always make sure that when using the HTTP(S) proxy, no firewall rule(s) are used with one or more custom services that include TCP port 443.

This would result in the HTTP(S) proxy being bypassed.

Requirements:

  • LANCOM R&S®Unified Firewall with firmware as of version 10 and an activated full license
  • A configured and functional Internet connection on the Unified Firewall
  • Functional packet filter on the Unified
Firewall (see Image Removed)
  • Any web browser for access to the web interface of the Unified Firewall
    • Firewall 
    • Web browser for configuring the Unified Firewall. The following web browsers are supported:
      • Google Chrome
      • Chromium
      • Mozilla Firefox
    • All DNS requests have to be conducted via the Unified Firewall. The following scenarios can be used:
      • End device → Unified Firewall → DNS server of the Internet provider
      • End device → Local DNS server → Unified Firewall → DNS server of the Internet provider
      • End device → Unified Firewall → Local DNS server → DNS server of the Internet provider
    • A DNS cache must not be used on the end devices or a local DNS server!

    Procedure:

    Info

    If you use the LANCOM R&S ®Unified Firewall via LANCOM Management Cloud (LMC) in the context of cloud managed security, you do not need to perform configuration steps 1 and 2, as this is handled by the LMC.

    Procedure:

    1) Enabling the HTTP(S) proxy:

    1.1) Enable the HTTP(S) proxy in the menu UTM
    ->
    Proxy
    ->
    HTTP proxy settings.
    1.2) For this example proxy operations should be transparent. With this setting, the Unified Firewall automatically forwards all requests that arrive on port 80 (HTTP) or port 443 (HTTPS) via the proxy.
    Info

    If you select intransparent, the HTTP proxy of your Unified Firewalls must be explicitly set to port 10080 (HTTP) or 10443 (HTTPS).

    1.3) In this example, the default certificate of the LCOS FX Default HTTPS

    proxy

    Proxy CA is used as the proxy CA. The CA (certificate authority) is used by the HTTP(S) proxy to issue pseudo-certificates.

    1,4) The Private Key Password field must be left blank when using the LCOS FX Default HTTPS Proxy CA certificate.

    Info
    • The certificate authority is only displayed if the HTTPS proxy is set to transparent or intransparent.
    • You can also use your own CA certificate instead of the LCOS FX Default HTTPS Proxy CA certificate.

    1.

    4

    5) In this example, no client authentication is performed. With this feature enabled, HTTP(S) client authentication is based on the Unified Firewall user administration.

    1.
    5
    6) Optionally you can whitelist domains that should be excluded from SSL inspection, virus scanning and URL filtering. Whitelisted domains are accepted by the HTTP(S) proxy without inspection and can be accessed directly with the user's browser.
    No certificates are created. This setting is required by services that use strict certificate pinning, such as Windows Update at windowsupdate.com. You can add any number of domains. Type in a domain and click “+” to add it to the list.
    You can edit or delete any entry in the list by clicking on the appropriate icon.
    Info
    Tip:
    The domains can include the following placeholders: * and . for whole words, ? for single characters.

    1.

    6

    7) Click on the Save button to accept your settings.

    Image Removed
    Image Added


    2) Configure usage of the HTTP(S) proxy:

    In this example, the LAN contains Windows PCs that can access the Internet. Throughout the LAN, access to web pages is forced to go via the HTTP(S) proxy of the Unified Firewall.
    2.1) In the host/network groups desktop object for the LAN, click the connection icon and then click the WAN network object.
    Image Modified
    2.2) The dialog with the settings for this connection is opened. Now you have to click on the NAT option for the HTTP and/or HTTPS service.
    2.3) Set a checkmark for the option Enable proxy for this service and click Save.
    Image Modified
    2.4) The entries in the list of services for HTTP and/or HTTPS should look like this.Click on Save again.
    Image Modified
    2.5) Finally, implement the configuration changes by clicking Activate in the firewall.
    Image Removed
    Image Added


    3) Export certificate and import it on a Windows PC:

    In this example, the LAN contains numerous Windows PCs that can access the Internet. Access should be directed via the HTTP(S) proxy of the Unified Firewall.
    3.1) Go to the menu Certificate management → Certificates.
    3.2)
    Expand the Certificates menu and, for the certificate of the default HTTPS Proxy CA, click the export icon.
    For the certificate of the LCOS FX Default Root CA, click the export icon.
    Hinweis

    Exporting  the LCOS FX Default HTTPS Proxy CA is not sufficient in this case, as it doesn't represent the parent CA.

    Info

    In LCOS FX up to and including version 10.6 as well as for existing installations the HTTPS Proxy CA can be exported, as it represents the parent CA. 

    In general it is also possible to create a separate CA for the HTTPS Proxy and export it. 

    Image Added

    3.3) The certificate has to be exported in PEM/CRT format. Click the Export button to start the process
    .
    . The certificate is saved in *.crt file format.
    Info

    In LCOS FX up to and including version 10.6 the certificate is saved in *.pem format. In this case the file extension has bo be changed manually to *.crt.

    Image Added

    Image Removed

    3.4) On your computer, go to the folder where you exported the certificate.

    3.5)

    In order to install

    Click the certificate

    under Windows, change the file extension from *.pem to *.crt

    file and acknowledge the subsequent security warning with OK.

    Please note that you must have administrator rights to install the certificate on a Windows system.

    3.6
    ) Click the certificate file and acknowledge the subsequent security warning with OK.3.7
    ) In the Certificate dialog, select the option Install certificate.
    3.
    8
    7) In this example, the certificate installed on the local computer is to be used by all users of this computer.
    3.
    9
    8) Select the option Place all certificates in the following store, click Browse and select the Trusted root certification authorities store.
    3.
    10
    9) Click Next and continue until the Certificate Import Wizard is finished.
    3.
    11
    10) This concludes the certificate import. Any popular browser will be able to use the certificate after the computer is restarted.
    Repeat the certificate import procedure (steps 3.7 to 3.
    11
    10) on all of the other computers in the LAN.
    Info
    Note on using the certificate in Mozilla Firefox:
    Do the following to use the certificate in Mozilla Firefox: 
    • Enter the following into the address bar of the browser: about:config.
    • Search for the value security.enterprise_roots.enabled.
    • Change the value from false to true.
    • Restart the browser.

    Information on the use of a pre-created and superordinate CA:

    If an end device trusts a pre-created and superordinate CA, it can be moved between sites without further effort This case is described in more detail below:

    1) Creating the parent CA: This CA can be created on any LANCOM R&S®Unified Firewall. Ideally, this is done on a central firewall without Internet access. If a dedicated public-key infrastructure already exists, it is recommended to use it.

    Info
    We recommend that the parent CA is valid for at least 5 years.

    2) Rolling out the CA: This parent CA must be imported to all endpoints and renewed and replaced on all endpoints before expiration.

    3) Creating and signing the proxy CAs on the individual LANCOM R&S®Unified Firewall:

    • A certificate signing request (CSR) for an intermediate CA is created locally on the individual LANCOM R&S®Unified Firewalls.
    • The CSR must be signed centrally by the parent CA.
    • The signed intermediate CA is imported into the local LANCOM R&S®Unified Firewall and selected as the CA for the HTTPS proxy.