topic Re: HTTPS proxy in General Topics

HTTPS proxy

quatloo — Wed, 29 Jul 2020 21:36:01 GMT

Hello,

I am trying to configure my Check Point R80.30 OpenServer gateway to proxy inbound HTTPS connections to a back-end webserver.

My goal is to have the Check Point gateway present/allow inbound TLS 1.1, 1.2 & 1.3 HTTPS connections and then connect to the back-end webserver which only supports TLS 1.0.

I would also like to have a one-to-one IP address mapping (rather than a one-to-many). Basically I would just like to continue using the NAT rules I already have in place.

It would look like this (in this example, the 10.x.x.x addresses would be publicly routable, Internet-facing):

Remote HTTPS client --> Check Point-GW 10.1.1.1 (TLS 1.1,2,3) --> 1.1.1.1 (TLS 1.0)

Remote HTTPS client --> Check Point-GW 10.1.1.2 (TLS 1.1,2,3) --> 1.1.1.2 (TLS 1.0)

Etc.

Currently I am using HTTPS inspection, which will present various TLS/cipher combinations, which is great, but it isn't functionally doing exactly what I need. While it will present the different TLS versions, ultimately, it will only accept and pass the TLS versions supported by the back-end webserver.

It appears as if the connection from the Check Point gateway to the back-end web server isn't a separate, negotiated TLS connection.

I can accomplish my goal with a Netscaler but I would prefer to use Check Point, as it would be administratively tidier to manage given my Netscaler architecture.

Perhaps I'm trying to use the wrong tool for the job, but I thought Check Point should be able to do something like this.

Thanks for any advise you can provide!

Re: HTTPS proxy

PhoneBoy — Thu, 30 Jul 2020 17:32:41 GMT

Generally, we tend to duplicate what the backend server allows/does as closely as possible.
Not sure if you can disable that functionality, but it sounds like expected behavior.

Re: HTTPS proxy

quatloo — Thu, 30 Jul 2020 18:41:30 GMT

Thanks for the reply. Yes, that was my assumption as well. It 's just so close to what I need, it's frustrating. It could be seen as a bandaid, but it would allow for a consistent front-facing set of TLS/ciphers, regardless of the back-end server's capabilities. Interesting, a Netscaler does this by default, and I expect that that too is by design.

Re: HTTPS proxy

FedericoMeiners — Fri, 31 Jul 2020 03:21:29 GMT

I don't think that you can achieve this with a firewall.

Netscaler / F5 / Load Balancers can do this because they don't apply just NAT, they use a full proxy architecture. Basically the connection actually ends on this device, and this device initiate a new connection to the back end server.

Using this method you can do whatever you want with that connection.

Here's an example of how this architecture works.

Re: HTTPS proxy

MartinTzvetanov — Fri, 31 Jul 2020 11:43:02 GMT

Reverse proxy is what you need (F5/Netscaler/A10/nginx). CheckPoint provides some kind of functionalities of http/s proxy, which means you enter CP's address in the proxy setting of your browser.