In order to be able to use the UTM functions of the LANCOM R&S®Unified Firewall (e.g. URL/Content Filter, antivirus), the HTTP(S) proxy in the device must be configured and activated. This document describes the configuration steps necessary for this.
The Application Filter does not require the HTTP(S) proxy. It analyzes all traffic that passes through the firewall, regardless of which port is used. How you configure the application filter is described in this Knowledge Base article.
The HTTP(S) proxy serves as a middleman. It connects to the web server, uses its own HTTP(S) proxy CA to generate a pseudo-certificate for the website and uses this to connect to the browser. This allows the proxy to analyze traffic, apply URL and content filters, and scan for viruses.
Make sure that the DNS server of your LANCOM R&S®Unified Firewall correctly resolves the domains it accesses when the HTTP(S) proxy is active.
The DNS server of the Unified Firewall has to be entered on the network devices (static or dynamic via DHCP). As an alternative a separate local DNS server can be used. This DNS server has to forward the DNS requests to the DNS server of the Unified Firewall.
Furthermore a DNS cache must not be usedon used on the end devices or a local DNS server.
In order for the connection to be established the IP addresses resolved by the end device and the Unified Firewall must match. If there is a discrepancy the error message "Host header forgery detected" is displayed in the Unified Firewall log. Access to the requested website is not possible in this case! This can also lead to performance issues when accessing a website!
When the Google DNS servers are used (220.127.116.11 and 18.104.22.168), "Host header forgery" messages can occur even if the DNS configuration in your scenario is correct. In this case please use another DNS server.
Always make sure that when using the HTTP(S) proxy, no firewall rule(s) are used with one or more custom services that include TCP port 443.
This would result in the HTTP(S) proxy being bypassed.
- LANCOM R&S®Unified Firewall with firmware as of version 10 and an activated full license
- A configured and functional Internet connection on the Unified Firewall
- Functional packet filter on the Unified Firewall
- Web browser for configuring the Unified Firewall. The following web browsers are supported:
- Google Chrome
- Mozilla Firefox
- All DNS requests have to be conducted via the Unified Firewall. The following scenarios can be used:
- End device → Unified Firewall → DNS server of the Internet provider
- End device → Local DNS server → Unified Firewall → DNS server of the Internet provider
- End device → Unified Firewall → Local DNS server → DNS server of the Internet provider
- A DNS cache must not be used on the end devices or a local DNS server!
If you use the LANCOM R&S ®Unified Firewall via LANCOM Management Cloud (LMC) in the context of cloud managed security, you do not need to perform configuration steps 1 and 2, as this is handled by the LMC.
1) Enabling the HTTP(S) proxy:
1.1) Enable the HTTP(S) proxy in the menu UTM -> → Proxy -> → HTTP proxy settings.
1.2) For this example proxy operations should be transparent. With this setting, the Unified Firewall automatically forwards all requests that arrive on port 80 (HTTP) or port 443 (HTTPS) via the proxy.
If you select intransparent, the HTTP proxy of your Unified Firewalls must be explicitly set to port 10080 (HTTP) or 10443 (HTTPS).
1.3) In this example, the default certificate of the LCOS FX Default HTTPS Proxy CA is used as the proxy CA. The CA (certificate authority) is used by the HTTP(S) proxy to issue pseudo-certificates.
1,4) The Private Key Password field must be left blank when using the LCOS FX Default HTTPS Proxy CA certificate.
- The certificate authority is only displayed if the HTTPS proxy is set to transparent or intransparent.
- You can also use your own CA certificate instead of the LCOS FX Default HTTPS Proxy CA certificate.
1.5) In this example, no client authentication is performed. With this feature enabled, HTTP(S) client authentication is based on the Unified Firewall user administration.
1.6) Optionally you can whitelist domains that should be excluded from SSL inspection, virus scanning and URL filtering. Whitelisted domains are accepted by the HTTP(S) proxy without inspection and can be accessed directly with the user's browser.
No certificates are created. This setting is required by services that use strict certificate pinning, such as Windows Update at windowsupdate.com. You can add any number of domains. Type in a domain and click “+” to add it to the list.
You can edit or delete any entry in the list by clicking on the appropriate icon.
The domains can include the following placeholders: * and . for whole words, ? for single characters.
1.7) Click on the Save button to accept your settings.
2) Configure usage of the HTTP(S) proxy:
In this example, the LAN contains Windows PCs that can access the Internet. Throughout the LAN, access to web pages is forced to go via the HTTP(S) proxy of the Unified Firewall.
2.1) In the host/network groups desktop object for the LAN, click the connection icon and then click the WAN network object.
2.2) The dialog with the settings for this connection is opened. Now you have to click on the NAT option for the HTTP and/or HTTPS service.
2.3) Set a checkmark for the option Enable proxy for this service and click Save.
2.4) The entries in the list of services for HTTP and/or HTTPS should look like this.Click on Save again.
2.5) Finally, implement the configuration changes by clicking Activate in the firewall.
3) Export certificate and import it on a Windows PC:
In this example, the LAN contains numerous Windows PCs that can access the Internet. Access should be directed via the HTTP(S) proxy of the Unified Firewall.
3.1) Go to the menu Certificate management → Certificates.
3.2)For the certificate of the LCOS FX Default Root CA, click the export icon.
Exporting the LCOS FX Default HTTPS Proxy CA is not sufficient in this case, as it doesn't represent the parent CA.
In LCOS FX up to and including version 10.6 as well as for existing installations the HTTPS Proxy CA can be exported, as it represents the parent CA.
In general it is also possible to create a separate CA for the HTTPS Proxy and export it.
3.3) The certificate has to be exported in PEM/CRT format. Click the Export button to start the process. The certificate is saved in *.crt file format.
In LCOS FX up to and including version 10.6 the certificate is saved in *.pem format. In this case the file extension has bo be changed manually to *.crt.
3.4) On your computer, go to the folder where you exported the certificate.
3.5) Click the certificate file and acknowledge the subsequent security warning with OK.
Please note that you must have administrator rights to install the certificate on a Windows system.
3.6) In the Certificate dialog, select the option Install certificate.
3.7) In this example, the certificate installed on the local computer is to be used by all users of this computer.
3.8) Select the option Place all certificates in the following store, click Browse and select the Trusted root certification authorities store.
3.9) Click Next and continue until the Certificate Import Wizard is finished.
3.10) This concludes the certificate import. Any popular browser will be able to use the certificate after the computer is restarted.
Repeat the certificate import procedure (steps 3.7 to 3.10) on all of the other computers in the LAN.
Note on using the certificate in Mozilla Firefox:
Do the following to use the certificate in Mozilla Firefox:
- Enter the following into the address bar of the browser: about:config.
- Search for the value security.enterprise_roots.enabled.
- Change the value from false to true.
- Restart the browser.
Information on the use of a pre-created and superordinate CA:
If an end device trusts a pre-created and superordinate CA, it can be moved between sites without further effort This case is described in more detail below:
1) Creating the parent CA: This CA can be created on any LANCOM R&S®Unified Firewall. Ideally, this is done on a central firewall without Internet access. If a dedicated public-key infrastructure already exists, it is recommended to use it.
|We recommend that the parent CA is valid for at least 5 years.|
2) Rolling out the CA: This parent CA must be imported to all endpoints and renewed and replaced on all endpoints before expiration.
3) Creating and signing the proxy CAs on the individual LANCOM R&S®Unified Firewall:
- A certificate signing request (CSR) for an intermediate CA is created locally on the individual LANCOM R&S®Unified Firewalls.
- The CSR must be signed centrally by the parent CA.
- The signed intermediate CA is imported into the local LANCOM R&S®Unified Firewall and selected as the CA for the HTTPS proxy.