quatloo
Explorer

HTTPS proxy

Hello,

I am trying to configure my Check Point R80.30 OpenServer gateway to proxy inbound HTTPS connections to a back-end webserver.

My goal is to have the Check Point gateway present/allow inbound TLS 1.1, 1.2 & 1.3 HTTPS connections and then connect to the back-end webserver which only supports TLS 1.0.


I would also like to have a one-to-one IP address mapping (rather than a one-to-many). Basically I would just like to continue using the NAT rules I already have in place.


It would look like this (in this example, the 10.x.x.x addresses would be publicly routable, Internet-facing):

Remote HTTPS client --> Check Point-GW 10.1.1.1 (TLS 1.1,2,3) --> 1.1.1.1 (TLS 1.0)

Remote HTTPS client --> Check Point-GW 10.1.1.2 (TLS 1.1,2,3) --> 1.1.1.2 (TLS 1.0)

Etc.


Currently I am using HTTPS inspection, which will present various TLS/cipher combinations, which is great, but it isn't functionally doing exactly what I need. While it will present the different TLS versions, ultimately, it will only accept and pass the TLS versions supported by the back-end webserver.

It appears as if the connection from the Check Point gateway to the back-end web server isn't a separate, negotiated TLS connection.

I can accomplish my goal with a Netscaler but I would prefer to use Check Point, as it would be administratively tidier to manage given my Netscaler architecture.

Perhaps I'm trying to use the wrong tool for the job, but I thought Check Point should be able to do something like this.

Thanks for any advice you can provide!

4 Replies
PhoneBoy
Admin

Generally, we tend to duplicate what the backend server allows/does as closely as possible.
Not sure if you can disable that functionality, but it sounds like expected behavior.

quatloo
Explorer

Thanks for the reply. Yes, that was my assumption as well. It's just so close to what I need, it's frustrating. It could be seen as a bandaid, but it would allow for a consistent front-facing set of TLS/ciphers, regardless of the back-end server's capabilities. Interestingly, a Netscaler does this by default, and I expect that that too is by design.

FedericoMeiners
Advisor

I don't think that you can achieve this with a firewall.

Netscaler / F5 / Load Balancers can do this because they don't apply just NAT, they use a full proxy architecture. Basically the connection actually ends on this device, and this device initiates a new connection to the back end server.

Using this method you can do whatever you want with that connection.

Here's an example of how this architecture works.

[Image: Full proxy.png]

____________
https://www.linkedin.com/in/federicomeiners/
MartinTzvetanov
Collaborator

A reverse proxy is what you need (F5/Netscaler/A10/nginx). CheckPoint provides some kind of HTTP/S proxy functionality, which means you enter CP's address in the proxy settings of your browser.

0 Kudos
Reply
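
The full-proxy arrangement described in the replies above, sketched as an nginx configuration. This is an added example, not configuration posted by anyone in the thread: the IP addresses are the placeholders from the original question, and the hostnames and certificate paths are hypothetical. It is written as a file included in the `http` context.

```nginx
# Added example (constructed). Two independent TLS sessions per request:
#   client  <-- TLS 1.1/1.2/1.3 -->  nginx  <-- TLS 1.0 -->  back end
# One server block per public address keeps the 1:1 mapping.

# Front-end leg: what remote clients are allowed to negotiate.
ssl_protocols             TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;

# Back-end leg: a new connection initiated by the proxy itself.
proxy_ssl_protocols       TLSv1;   # back end only supports TLS 1.0
# Assumption: if the local OpenSSL build refuses TLS 1.0 at its default
# security level, lower it for this leg only, for example:
# proxy_ssl_ciphers       DEFAULT@SECLEVEL=0;

server {
    listen              10.1.1.1:443 ssl;
    server_name         app1.example.test;            # hypothetical name
    ssl_certificate     /etc/nginx/tls/app1.crt;      # hypothetical path
    ssl_certificate_key /etc/nginx/tls/app1.key;      # hypothetical path

    location / {
        proxy_pass       https://1.1.1.1;             # mapped back end
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}

server {
    listen              10.1.1.2:443 ssl;
    server_name         app2.example.test;            # hypothetical name
    ssl_certificate     /etc/nginx/tls/app2.crt;      # hypothetical path
    ssl_certificate_key /etc/nginx/tls/app2.key;      # hypothetical path

    location / {
        proxy_pass       https://1.1.1.2;             # mapped back end
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because the back end now sees the proxy's address as the source of every connection, the original client address is only available to it through the `X-Forwarded-For` header.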