Explicit Proxy: HTTP CONNECT Tunneling
The Explicit Proxy on your Firebox supports HTTP CONNECT tunneling for HTTPS traffic. With CONNECT tunneling, a client that is configured to use the Explicit Proxy sends its requests to the Firebox on port 3128. Each request uses the HTTP CONNECT method and names the destination host and port. The Explicit Proxy compares that destination port with the ports configured in the Explicit Proxy settings (HTTPS port 443 by default; you can add other ports for customized HTTPS web servers). If the port is permitted, the Explicit Proxy establishes a TCP connection to the destination, answers the client's CONNECT request with an HTTP response, and from then on relays data between the client and the destination. The proxy only relays the bytes inside the tunnel; it does not inspect them unless you apply an HTTPS proxy action to the traffic.
With the Explicit Proxy, you can allow, deny, drop, or block a CONNECT request based on the destination port, or apply an HTTPS proxy action to the tunneled traffic. A CONNECT tunnel can carry any TCP payload, not only TLS, so the port rules and the action for unmatched ports are what keep the proxy from being used to reach arbitrary ports through the Firebox. Allow only the HTTPS ports you need, and keep the action for unmatched ports at Deny, Drop, or Block.
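The exchange described above, modeled on a loopback socket pair as an added example. This is not WatchGuard code and it does not listen on port 3128: an echo origin server and an allowed-port set stand in for the destination and for the CONNECT Tunneling port rule, and the 400/403/502 replies are this model's choices rather than the Firebox's documented responses. What it shows is the property that matters for policy: once the proxy answers 200, it relays whatever bytes follow without parsing them, so the payload sent here is plaintext rather than TLS and still goes through.

```python
# Added example (not WatchGuard code): loopback model of an explicit proxy's
# HTTP CONNECT handling. The echo origin, the allowed-port check and the
# status codes used for refusals are constructed for this demonstration.
import socket
import threading

PROXY_OK = b"HTTP/1.1 200 Connection Established\r\n\r\n"

def _serve(handler):
    """Listen on a loopback ephemeral port; one daemon thread per accepted client."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(8)
    def loop():
        while True:
            conn, _ = lst.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return lst.getsockname()[1]

def _recv_until(sock, marker):
    """Read until marker; return (bytes through the marker, bytes that followed it)."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before end of headers")
        buf += chunk
    head, _, rest = buf.partition(marker)
    return head + marker, rest

def parse_connect_request(raw):
    """Parse 'CONNECT host:port HTTP/1.x'; return (host, port) or None if malformed."""
    parts = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host, int(port)

def start_echo_origin():
    """Constructed destination server: echoes every chunk until the peer shuts down."""
    def handle(conn):
        with conn:
            while data := conn.recv(4096):
                conn.sendall(data)
    return _serve(handle)

def start_explicit_proxy(allowed_ports):
    """Model proxy: tunnels CONNECT only to ports in allowed_ports, refuses the rest."""
    def pump(src, dst):
        while data := src.recv(4096):       # opaque bytes; the proxy never parses them
            dst.sendall(data)
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

    def handle(client):
        with client:
            head, early = _recv_until(client, b"\r\n\r\n")
            target = parse_connect_request(head)
            if target is None:
                client.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
                return
            host, port = target
            if port not in allowed_ports:               # the port rule decides here
                client.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")
                return
            try:
                upstream = socket.create_connection((host, port), timeout=3)
            except OSError:
                client.sendall(b"HTTP/1.1 502 Bad Gateway\r\n\r\n")
                return
            with upstream:
                client.sendall(PROXY_OK)
                if early:                               # bytes sent before the 200 arrived
                    upstream.sendall(early)
                t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
                t.start()
                pump(client, upstream)
                t.join()
    return _serve(handle)

def connect_via_proxy(proxy_port, host, port, payload):
    """Client side: send CONNECT, then push payload through the tunnel; return (status, reply)."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
        head, data = _recv_until(s, b"\r\n\r\n")
        status = int(head.split(b" ", 2)[1])
        if status != 200:
            return status, b""
        s.sendall(payload)
        while len(data) < len(payload):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
        return status, data

def demo():
    """Start the constructed origin and model proxy; try an allowed and a refused port."""
    origin = start_echo_origin()
    proxy = start_explicit_proxy(allowed_ports={origin})
    return (connect_via_proxy(proxy, "127.0.0.1", origin, b"plaintext, not TLS"),
            connect_via_proxy(proxy, "127.0.0.1", 25, b"EHLO"))

if __name__ == "__main__":
    print(demo())
```

Run it directly to see an allowed CONNECT (200 followed by the echoed bytes) next to a refused one (403, with no upstream connection attempted). The equivalent check against a real Firebox is curl with `-x` pointing at the Explicit Proxy and `--proxytunnel` toward a port that is not in the rule list; with the unmatched action set to anything other than Allow, that CONNECT should be refused.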
Configure the Explicit Proxy for HTTP CONNECT Tunneling
Fireware Web UI
- Select Firewall > Firewall Policies.
The Policies page appears.
- Click Add Policy.
The Add Firewall Policy page appears.
- Select Proxies.
- From the Proxies drop-down list, select Explicit-proxy.
- Click Add Policy.
Policy Manager
- Select Edit > Add Policy.
The Add Policy dialog box appears.
- Expand the Proxies list.
- Select Explicit-proxy.
- Click Add.
Configure the Proxy Action for the Explicit Proxy
When you add the Explicit-proxy policy, the predefined proxy action Explicit-Web.Standard is automatically selected. Because you cannot edit a predefined proxy action, you must clone the proxy action and then configure the settings for the cloned proxy action.
Fireware Web UI
- On the Explicit Proxy Add Policy page, select the Proxy Action tab.
The Proxy Action page appears, with all the category settings tabs. If (predefined) appears adjacent to the Proxy Action drop-down list, you must clone the proxy action before you can configure the proxy action settings.
- From the Proxy Action drop-down list, select Clone the current proxy action.
The page refreshes and the cloned proxy action appears, with all the options available. By default, the name of the cloned proxy action is Explicit-Web.Standard.1.
- To change the name of the cloned proxy action, in the Name text box, type a new descriptive name for the proxy action.
- From the Explicit Web Proxy drop-down list, select CONNECT Tunneling.
The CONNECT Tunneling list appears, with the default rule that allows HTTPS traffic on port 443 with logging enabled.
(Screenshots: the CONNECT Tunneling option; the CONNECT Tunneling list with the default HTTPS traffic rule.)
- To add a new rule, click Add.
The Add Rule dialog box appears.
- In the Rule Name text box, type a descriptive name for the rule.
- From the Type drop-down list, select Single Port or Port Range.
- If you selected Single Port, in the Port text box, type the port number.
If you selected Port Range, in the Start Port and End Port text boxes, type the start and end port numbers for the port range.
- From the Action drop-down list, select an action for this rule:
- Allow — Allows the connection.
- Deny — Denies a specific request but keeps the connection if possible. Sends a response to the client.
- Drop — Denies the specific request and drops the connection. Does not send a response to the sender.
- Block — Denies the request, drops the connection, and blocks the site. All traffic from the IP address for this site is denied for the amount of time you specify in the Blocked Sites configuration. For more information on blocked sites, see About Blocked Sites.
- HTTPS Proxy Action — When you select this option, a drop-down list appears with the HTTPS proxy actions that are available in your Firebox configuration. Select the HTTPS proxy action to apply to this traffic.
- Click OK to save the rule.
- From the Action to take if no rule above is matched drop-down list, select an action to take for traffic that does not match a rule in the CONNECT Tunneling list:
- Allow — Allows the connection.
- Deny — Denies a specific request but keeps the connection if possible. Sends a response to the client.
- Drop — Denies the specific request and drops the connection. Does not send a response to the sender.
- Block — Denies the request, drops the connection, and blocks the site. All traffic from the IP address for this site is denied for the amount of time you specify in the Blocked Sites configuration. For more information about blocked sites, see About Blocked Sites.
- HTTPS Proxy Action — When you select this option, a drop-down list appears with the HTTPS proxy actions that are available in your Firebox configuration. Select the HTTPS proxy action to apply to this traffic.
- Click Save.
Policy Manager
- Select Setup > Actions > Proxies, select the Explicit-Web.Standard proxy action, and click Clone.
Or, in the New Policy Properties dialog box for the Explicit-proxy policy, click the button adjacent to the Proxy-action drop-down list.
The Clone Explicit Web Proxy Action Configuration dialog box appears. By default, the name of the cloned proxy action is Explicit-Web.Standard.1.
- To change the name of the cloned proxy action, in the Name text box, type a new descriptive name for the proxy action.
- From the Categories tree, expand Explicit Web Proxy and select CONNECT Tunneling.
The CONNECT Tunneling list appears, with the default rule that allows HTTPS traffic on port 443 with logging enabled.
- To add a new rule, click Add.
The New CONNECT Tunneling Rule dialog box appears.
- In the Rule Name text box, type a descriptive name for the rule.
- From the Type drop-down list, select Single Port or Port Range.
- If you selected Single Port, in the Port text box, type the port number.
If you selected Port Range, in the Start Port and End Port text boxes, type the start and end port numbers for the port range.
- From the Action drop-down list, select an action for this rule:
- Allow — Allows the connection.
- Deny — Denies a specific request but keeps the connection if possible. Sends a response to the client.
- Drop — Denies the specific request and drops the connection. Does not send a response to the sender.
- Block — Denies the request, drops the connection, and blocks the site. All traffic from the IP address for this site is denied for the amount of time you specify in the Blocked Sites configuration. For more information on blocked sites, see About Blocked Sites.
- HTTPS Proxy Action — When you select this option, a drop-down list appears with the HTTPS proxy actions that are available in your Firebox configuration. Select the HTTPS proxy action to apply to this traffic.
- Click OK to save the rule.
- From the Action to take if no rule above is matched drop-down list, select an action to take for traffic that does not match a rule in the CONNECT Tunneling list:
- Allow — Allows the connection.
- Deny — Denies a specific request but keeps the connection if possible. Sends a response to the client.
- Drop — Denies the specific request and drops the connection. Does not send a response to the sender.
- Block — Denies the request, drops the connection, and blocks the site. All traffic from the IP address for this site is denied for the amount of time you specify in the Blocked Sites configuration. For more information about blocked sites, see About Blocked Sites.
- HTTPS Proxy Action — When you select this option, a drop-down list appears with the HTTPS proxy actions that are available in your Firebox configuration. Select the HTTPS proxy action to apply to this traffic.
- Save the configuration to the Firebox.
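Both procedures above (Fireware Web UI and Policy Manager) configure the same CONNECT Tunneling list. The following added example, which is not WatchGuard code, models how that list is evaluated: rules in order, the first port match wins, the Action to take if no rule above is matched applies otherwise, and Block adds the source IP to a blocked-site table for a fixed duration. The default HTTPS rule on port 443 is from the page; the other rule names, the HTTPS proxy action name HTTPS-Client.Standard, and the 1200-second block duration are assumed for the demo. The audit function is a practitioner check for the settings that turn the proxy into an open TCP relay.

```python
# Added example (not WatchGuard code): model of the CONNECT Tunneling rule list.
# Rule names beyond the default HTTPS rule, the proxy action name and the block
# duration are assumed values for this demonstration.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    start_port: int
    end_port: int                       # equals start_port for a Single Port rule
    action: str                         # Allow, Deny, Drop, Block, HTTPS Proxy Action
    https_proxy_action: Optional[str] = None   # only used with HTTPS Proxy Action
    log: bool = True

    @classmethod
    def single(cls, name, port, action, **kw):
        return cls(name, port, port, action, **kw)

    def matches(self, port):
        return self.start_port <= port <= self.end_port

@dataclass
class Outcome:
    action: str
    response_to_client: bool            # Deny answers the client; Drop and Block do not
    connection_kept: bool               # Deny keeps the connection if possible
    proxy_action: Optional[str] = None
    rule: Optional[str] = None          # matching rule name; None means the default action

@dataclass
class ConnectTunnelPolicy:
    rules: list = field(default_factory=list)
    default_action: str = "Deny"        # Action to take if no rule above is matched
    block_duration_s: int = 1200        # assumed Blocked Sites duration
    blocked: dict = field(default_factory=dict)   # source IP -> time the block expires

    def evaluate(self, src_ip, port, now):
        """Decide what happens to a CONNECT request for `port` from `src_ip` at time `now`."""
        if self.blocked.get(src_ip, 0) > now:       # blocked site: all its traffic is denied
            return Outcome("Drop", False, False, rule="blocked-site")
        for r in self.rules:                        # first match wins
            if r.matches(port):
                return self._apply(r.action, r.https_proxy_action, r.name, src_ip, now)
        return self._apply(self.default_action, None, None, src_ip, now)

    def _apply(self, action, proxy_action, rule, src_ip, now):
        if action == "Allow":
            return Outcome("Allow", True, True, rule=rule)
        if action == "HTTPS Proxy Action":
            return Outcome("HTTPS Proxy Action", True, True, proxy_action, rule)
        if action == "Deny":
            return Outcome("Deny", True, True, rule=rule)
        if action == "Drop":
            return Outcome("Drop", False, False, rule=rule)
        if action == "Block":
            self.blocked[src_ip] = now + self.block_duration_s
            return Outcome("Block", False, False, rule=rule)
        raise ValueError(f"unknown action {action!r}")

def audit(policy):
    """Practitioner check: flag settings that let arbitrary TCP be tunneled uninspected."""
    findings = []
    if policy.default_action == "Allow":
        findings.append("unmatched ports are allowed: any TCP port can be tunneled")
    for r in policy.rules:
        width = r.end_port - r.start_port + 1
        if r.action == "Allow" and width > 1:
            findings.append(f"rule {r.name!r} allows {width} ports without inspection")
        if r.action == "HTTPS Proxy Action" and not r.https_proxy_action:
            findings.append(f"rule {r.name!r} names no HTTPS proxy action")
    return findings

def example_policy():
    """The page's default rule plus assumed custom rules; default action Deny."""
    return ConnectTunnelPolicy(rules=[
        Rule.single("HTTPS", 443, "Allow"),
        Rule.single("Custom HTTPS server", 8443, "HTTPS Proxy Action",
                    https_proxy_action="HTTPS-Client.Standard"),
        Rule("Legacy range", 9000, 9100, "Allow"),
        Rule.single("SMTP via proxy", 25, "Block"),
    ])

def walkthrough():
    """Evaluate a constructed sequence of requests; return (port, action, rule) per step."""
    p = example_policy()
    steps = [("10.0.0.5", 443, 1000), ("10.0.0.5", 8443, 1000), ("10.0.0.5", 9050, 1000),
             ("10.0.0.5", 22, 1000), ("10.0.0.9", 25, 1000), ("10.0.0.9", 443, 1001),
             ("10.0.0.9", 443, 1000 + p.block_duration_s)]
    return [(port, o.action, o.rule) for ip, port, now in steps
            for o in [p.evaluate(ip, port, now)]]

if __name__ == "__main__":
    for row in walkthrough():
        print(row)
    print(audit(example_policy()))
```

The walkthrough shows the Block rule in effect: after the source 10.0.0.9 hits port 25, its next request for the otherwise-allowed port 443 is dropped, and only after the block duration does it match the HTTPS rule again. The audit reports the wide Allow range, which is the kind of rule that lets a client tunnel SSH or another protocol through the proxy on a port that is not 443.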