Skip to content

Egress / Forward Proxy Service Object

Egress Service Objects are used in the ForwardProxy rules. The object defines a listener port that the Valtix Gateway listens for the traffic it receives and forwards to the address/host that's available in the SNI extension header or HTTP Host Header or Proxy CONNECT statement. The Valtix Gateway can be set as a proxy server on browsers and applications.

Application IDs can be configured as an additional match on traffic. The Application ID can be the Client Application ID (Chrome, Firefox) or the Service Application ID (MySQL, Google etc)

Add Forward Proxy Service

  1. Navigate to Manage -> Security Policies -> Services
  2. Click Create
  3. Click Forward Proxy
  4. Provide a name and description
  5. Optionally select the Application IDs to match
  6. Configure proxy parameters as defined below
Option description
Decryption Profile Assign a Decryption profile, which also includes the certificate. Valtix impersonates the external certificate by signing it with the certificate provided in this profile. The root certificate is assumed to be installed on all the client application instances
Dst Port Assign a destination port. For most web-based services, the destination port will be 443.
Protocol HTTP or HTTPS

Tech Notes

Valtix listens on the Dst Port and waits for the HTTP Host Header or TLS SNI Header packet. Once it receives this packet, it connects to the host using the protocol. If the protocol is HTTPS, the received certificate data from the external host is signed by the certificate in the decryption profile and sent to the client. The root certificate must be installed on the client app instances to avoid a certificate error.

Tech Notes

For a given Dst Port, there can be only one decryption profile (root CA certificate) association in a policy rule set across all service objects.