ARTICA v4 Secure Proxy
Version 4.30.000000
Page 1 Artica v4.x : http://articatech.net | contact: [email protected] | support: http://bugs.articatech.com
TABLE OF CONTENTS
About the Secure Proxy
Create a Root Certificate and Server Certificate
Create the Secure Proxy port
Install the certificate
    Download the Root Certificate from Artica
    Install the Root certificate on your Workstation
Test the connection with Chrome browser
Test the connection with Firefox browser
    Merge the Firefox certificate with the Windows certificate
    Simulate the PAC file
    ERR_PROXY_CERTIFICATE_INVALID
Authenticate users using a client certificate
    Enable Authentication on the Secure proxy port
    ERR_PROXY_CONNECTION_FAILED
    Create Clients Certificates
    Import the Client certificate (IE/Chrome)
    Using the client certificate
Secure Proxy deployment
Browsers Support
About the Secure Proxy
A secure web proxy is a web proxy that the browser communicates with via SSL, as opposed to clear text. In insecure public networks, such as airports or cafes, browsing over HTTP may leave the user vulnerable to cookie stealing, session hijacking or worse.
A secure web proxy can add a significant layer of defense in these cases.
Secure Web Proxy can authenticate users using the SSL Client certificate method, where the SSL client certificate is checked against the SSL Root Certificate used by the proxy.
Create a Root Certificate and Server Certificate
Before enabling the Secure Proxy, you need at least a Root Certificate and a Server Certificate. We can use a self-signed Root Certificate because, in all cases, we need to import certificates into each browser that will use the Secure Proxy service.
On the left menu, choose “Your System” / “Certificates center”.
Click on the button “Self-signed root certificate”.
Fill in the form and pay attention to the “Common Name” and “Subject Alternative Name”. They must reflect the hostname that you will add in the browser settings or in the WPAD (Proxy.pac) file.
Root certificates have a special label called “Root Certificate”. Click on the generated certificate in order to display its settings.
Click on the “Certificates” tab. You should see the “Server Certificate” created using the “Self-signed root certificate” button.
This server certificate will be used in the proxy ports section.
Create the Secure Proxy port
On the left menu, choose Your Proxy and Listen ports.
Click on the New port button.
Set the port number that will be used by browsers in the “Listen port” field.
Turn on the “Explicit HTTPS Port” checkbox.
Choose the Server certificate that will be used for the SSL protocol.
Note: If you have not created server certificates, you will not be able to see these options.
Click on the Add button. The port will be added to the main table and will be flagged by 2 labels:
The first one explains that this port is a Secure Proxy.
The second, in red, explains that the configuration is not applied.
Click on Apply configuration to make the ports available in production.
Install the certificate
You need to install the Root certificate into the Trusted Root Certification Authorities container of all your browsers.
DOWNLOAD THE ROOT CERTIFICATE FROM ARTICA
On the left menu, choose Your System / Certificates center.
In the main table, find the generated Root certificate.
Locate the PFX column and download the pfx file.
Place the pfx file in a directory on a test workstation (Windows 7, 8, 10).
INSTALL THE ROOT CERTIFICATE ON YOUR WORKSTATION
Select the downloaded pfx and, with a right click, choose Install PFX.
Select “Current User” and click on the “Next” button.
On the File import section, click on the Next button.
On the private key protection section, leave the password empty and click on the Next button.
On the certificate store section, click on the browse button and choose “Trusted Root Certification Authorities”.
When the importation wizard is completed, click on Finish.
Click on the “Yes” button to confirm the CA importation.
Test the connection with Chrome browser.
On the workstation where the root certificate is installed, open an MS-DOS console.
Navigate to the Chrome application directory:
C:\Program Files (x86)\Google\Chrome\Application
Or
C:\Users\[user]\AppData\Local\Google\Chrome\Application\chrome.exe
Run the command:
chrome.exe --proxy-server=https://[server]:[port]
You should be able to browse the Internet without any issue, using only SSL between the browser and the proxy.
On Linux/macOS you can call:
google-chrome --proxy-server="https://[server]:[port]"
Do not use the IP address; always give the FQDN of your proxy as defined in the certificate!
Test the connection with Firefox browser.
Firefox does not have any command-line switch for this, but there is a workaround.
MERGE THE FIREFOX CERTIFICATE WITH THE WINDOWS CERTIFICATE
Create a file named root-trust-microsoft.js in Firefox's C:\Program Files (x86)\Mozilla Firefox\defaults\pref directory.
In the root-trust-microsoft.js file, add this line:
pref("security.enterprise_roots.enabled", true);
SIMULATE THE PAC FILE
Restart the Firefox application.
In the address bar, type about:preferences
In the search field, type proxy and open the settings button for the proxy configuration.
In the Automatic configuration URL field, type:
data:text/plain,function%20FindProxyForURL(){return%20"HTTPS%20[proxy]:[port]";}
Restart the Firefox application. You should be able to browse through the proxy without any issue, using only SSL between the browser and the proxy.
Do not use the IP address; always give the FQDN of your proxy as defined in the certificate!
ERR_PROXY_CERTIFICATE_INVALID
If you encounter this error, it means you have:
1. Installed the wrong Root Certificate, one that does not correspond to the certificate used by the proxy service.
2. Used an incorrect proxy address that is not stored in the certificate (the IP address of the proxy instead of the FQDN).
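The Firefox data: URL from the PAC step, built and checked in code, with a guard against the second cause listed above (an IP address instead of the FQDN). This is an added example, not part of the Artica documentation; proxy.example.lan and port 3130 are placeholder values.

```javascript
// Added example: build and check the PAC data: URL for the Firefox test.
// Host and port passed in by the caller are placeholders, not Artica values.

// True for IPv4 dotted quads and anything containing ':' (IPv6 literals).
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// Build the URL to paste into Firefox's automatic proxy configuration field.
function buildPacDataUrl(fqdn, port) {
  // Per the manual, the proxy's IP address is not a name stored in the certificate.
  if (isIpLiteral(fqdn)) {
    throw new Error(`"${fqdn}" is an IP address; use the FQDN from the certificate`);
  }
  if (!/^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i.test(fqdn)) {
    throw new Error(`"${fqdn}" is not a fully qualified host name`);
  }
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`invalid port: ${port}`);
  }
  const pac = `function FindProxyForURL(){return "HTTPS ${fqdn}:${port}";}`;
  // Only the spaces are percent-encoded, as in the URL shown in the manual.
  return 'data:text/plain,' + pac.replace(/ /g, '%20');
}

// Decode a PAC data: URL, run it, and return the directive it yields.
// Run this only on PAC text you built yourself: it executes the script.
function evalPacDataUrl(url, target = 'http://example.com/', host = 'example.com') {
  const prefix = 'data:text/plain,';
  if (!url.startsWith(prefix)) throw new Error('not a text/plain data: URL');
  const source = decodeURIComponent(url.slice(prefix.length));
  const find = new Function(`${source}; return FindProxyForURL;`)();
  return find(target, host);
}

// Only "HTTPS host:port" as first choice encrypts the browser-to-proxy hop;
// "PROXY host:port" would talk to the proxy in clear text.
function isSecureProxyDirective(directive) {
  return /^HTTPS\s+\S+:\d+$/.test(directive.split(';')[0].trim());
}

const pacUrl = buildPacDataUrl('proxy.example.lan', 3130); // constructed sample
console.log(pacUrl);
console.log(evalPacDataUrl(pacUrl), isSecureProxyDirective(evalPacDataUrl(pacUrl)));
```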
Authenticate users using a client certificate
This method forces the proxy to verify the client certificate. After the client certificate is verified, Artica checks the CN value in the certificate and defines it as the username.
ENABLE AUTHENTICATION ON THE SECURE PROXY PORT
On the left menu, go to the Your Proxy / Listen ports section.
Choose your port enabled as Secure Proxy.
Turn on the “Authenticate SSL Clients” check box.
Click on the Apply button.
Click on the Apply configuration button on the main table.
ERR_PROXY_CONNECTION_FAILED
This error occurs when you have enabled Authenticate SSL Clients and the browser does not have the Client certificate installed or has the wrong client certificate.
CREATE CLIENTS CERTIFICATES
Return to the Certificates Center and choose the Root Certificate you used.
Select the Certificates tab.
Click on “New Client Certificate”.
The most important field is the “User Name”. The proxy reads this user name in order to identify the user.
Fill in the form. You can set a password in order to force the user to enter a password when installing the PFX certificate.
Download the generated PFX and save it on the target workstation.
IMPORT THE CLIENT CERTIFICATE (IE/CHROME)
Download the Client Certificate and, with a right-click, choose Install PFX.
On the Certificate Import Wizard, select current user and click on the Next button.
You do not have to set the path on the next screen; click on the Next button.
If you have defined a password for the client certificate inside the Artica Web console, set the password and click on the Next button; if not, leave the password field blank.
Choose the “Personal” store using the “Browse…” button and click on the “Next” button.
Click on the “Finish” button in order to import your certificate.
USING THE CLIENT CERTIFICATE
When the browser runs, just after the SSL session with the proxy is established, the user is asked to select the client certificate that matches your Secure Proxy.
If the certificate matches the secure proxy server certificate, the user is allowed to browse.
In the real-time proxy access events you will be able to see the user name stored inside the client certificate.
Secure Proxy deployment
The best method to deploy the secure proxy address in browser settings is to use a WPAD script (Proxy.pac). Artica provides the proxy PAC capability in order to deploy the Secure Proxy parameters.
Download the documentation at http://articatech.net/about-proxy-pac.php in order to see how the Proxy PAC feature can be used.
Browsers Support
The following browsers support Secure Proxy: Firefox, Chrome, Chromium, Vivaldi, Opera (only Mac OS), Safari (only Mac OS), Brave.
The following browsers do not support Secure Proxy: Microsoft Edge, Internet Explorer, Opera, Safari (on Windows).