Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Biju_Nair
Contributor
Jump to solution

Sandboxing http/https traffics with web proxy(bluecoat) in place

Hi, In a scenario with 3rd party web proxy(bluecoat) in place, how would the https traffic be handled by sandblast appliance. Considering bluecoat itself is doing https inspection first.

1 Solution

Accepted Solutions
Christian_Sandb
Employee
Employee

Hi,

Have a look at sk111306 and install JHF 284 or newer which includes the ICAP server feature.

HTH,

Christian

View solution in original post

8 Replies
Norbert_Bohusch
Advisor

There is not much information, how you want (or have) implemented the Sandblast appliance.

So just to keep it general:

If you want the https traffic to be inspected there has to be ssl-inspection active. Detail configuration for that depends on the implementation (sandblast before proxy or after).

Other way would be to use ICAP-client on proxy to speak with ICAP-server on Sandblast appliance.

0 Kudos
Biju_Nair
Contributor

Hi Norbert,

I wish to implement the sandblast appliance to intercept https traffic for Sandboxing. I would like to deploy the Sandblast appliance after proxy towards internet and using fail open card.

Regards,

Biju Nair

Sent from my iPhone

0 Kudos
Hugo_vd_Kooij
Advisor

Hmmm. So you want two devices to break open SSL traffic independently?

This is the sort of stuff I would advise if you want nightmares.

It will be slow to the users and the likely hood you will get into negotiate trouble is big.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Norbert_Bohusch
Advisor

I can only say that Hugo is right here and ICAP is the much better way to move forward!

0 Kudos
Biju_Nair
Contributor

Thanks Hugo.

Hi Norbert,

If we plan for ICAP then the proxy will act as a ICAP client and will send the traffic to sandblast(ICAP server).

But how would the https traffic work in ICAP scenario. Will proxy send the decrypted packet to sandblast and wait for verdict from sandblast by holding the connection.

Regards,

Biju Nair

Sent from my iPhone

0 Kudos
PhoneBoy
Admin
Admin

That's the basic idea.

0 Kudos
Christian_Sandb
Employee
Employee

Hi,

Have a look at sk111306 and install JHF 284 or newer which includes the ICAP server feature.

HTH,

Christian

Thomas_Werner
Employee Alumnus
Employee Alumnus

In addition this helps getting you started on the BC side:

ProxySG ICAP Integration 


Regards Thomas

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events