Forward Proxy Service Object (Egress / East-West)
Forward Proxy services are used specifically for HTTP-based traffic. The object defines a listener port on which the Valtix Gateway accepts traffic; the Gateway forwards that traffic to the address/host named in the TLS SNI extension or the HTTP Host header.
Application IDs can be configured as an additional match on traffic. The Application ID can be a Client Application ID (Chrome, Firefox) or a Service Application ID (MySQL, Google, etc.).
Add Forward Proxy Service
- Navigate to Manage -> Security Policies -> Services
- Click Create
- Click Forward Proxy
- Provide a name and description
- Optionally select the Application IDs to match
- Configure proxy parameters as defined below
| Option | Description |
|---|---|
| Decryption Profile | Assign a Decryption Profile, which also carries the CA certificate. Valtix impersonates the external server's certificate by issuing a certificate signed with the one in this profile; that root certificate is assumed to be installed on all client application instances. |
| Dst Port | Assign a destination port. For most web-based services this is 443. |
| Protocol | HTTP or HTTPS |
Tech Notes
- Valtix listens on the Dst Port and waits for the first packet carrying the HTTP Host header or the TLS SNI extension. Once it receives this packet, it connects to the named host using the configured protocol. If the protocol is HTTPS, the certificate data received from the external host is re-signed with the certificate in the Decryption Profile and presented to the client. The root certificate must be installed on the client application instances to avoid a certificate error.
- For a given Dst Port, there can be only one Decryption Profile (root CA certificate) association in a policy rule set across all service objects.
- During a forward proxy session, the Valtix Gateway performs a DNS lookup on the destination with a DNS request timeout of 30 seconds; the result is cached and ages out after the record's TTL.
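The forwarding decision described in the first tech note, as an added illustration that is not Valtix code: recover the destination the Gateway would connect to, the SNI from a TLS ClientHello when the Protocol is HTTPS or the Host header when it is HTTP, and return None when the client supplies neither, the case in which the proxy has no host to forward to. The ClientHello builder and the sample requests are constructed for this example.

```python
import struct

def extract_sni(client_hello: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                           # skip client_version, random
    pos += 1 + client_hello[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", client_hello, pos)[0]  # cipher_suites
    pos += 1 + client_hello[pos]                               # compression_methods
    if pos + 2 > len(client_hello):
        return None                                            # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", client_hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", client_hello, pos)
        pos += 4
        if ext_type == 0x0000:                                 # server_name extension
            name_len = struct.unpack_from("!H", client_hello, pos + 3)[0]
            return client_hello[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def extract_host(http_request: bytes):
    """Return the Host header of a plaintext HTTP/1.x request, or None."""
    head = http_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:                      # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii")
    return None

def proxy_destination(protocol: str, first_packet: bytes):
    """Mirror the service object's Protocol option: HTTPS reads SNI, HTTP reads Host."""
    return extract_sni(first_packet) if protocol == "HTTPS" else extract_host(first_packet)

def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal ClientHello for testing only; SNI extension is optional."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"               # version, random, empty session_id
    body += b"\x00\x02\x13\x01" + b"\x01\x00"                  # one cipher suite, null compression
    if server_name is not None:
        name = server_name.encode("ascii")
        sni = b"\x00" + struct.pack("!H", len(name)) + name    # name_type, name_len, host_name
        ext = struct.pack("!HHH", 0x0000, len(sni) + 2, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```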