How to use the TLS ALG

Security Gateway Articles and How to's
TobiasE
Posts: 5
Joined: 13 Sep 2016, 12:01


Post by TobiasE » 27 Nov 2017, 10:33

This How-to applies to:
  • Clavister Security Gateway 11.x and up.
Scenario
Internal and external clients need to reach a web site hosted on the DMZ network. The web server itself only speaks plain HTTP, so user data between client and server travels in clear text and is considered insecure. To protect that data the traffic must be encrypted, which HTTPS provides. This how-to describes how to put HTTPS in front of the web server using the TLS ALG: the firewall terminates TLS on behalf of the server and forwards plain HTTP to it on the DMZ. For a clearer view, the network topology is shown in image1 below.

[image1: Network Topology (TLS_ALG.png)]
Prerequisites and firewall configuration
1. Clients will connect to the firewall's WAN_IP on port 443, and the firewall itself answers these requests. The remote management (WebUI) HTTPS port therefore has to be moved away from 443; in this example it is changed to 8443. Go to "System - Remote Management - Advanced settings" and under "WebUI HTTPS port:" change the port to 8443. Keep in mind that once "Save and activate" has been pressed the WebUI is only reachable on the new port, so reconnect to https://<management-IP>:8443 to continue.

2. Next, the server certificate and its private key need to be uploaded to the firewall. Go to "Objects - Key Ring - Add - Certificates" and name the object something convenient; in this example it is named "WebSrvCrt". Both the private key and the certificate must be uploaded, then press OK. The certificate must be issued for the host name clients will use to reach WAN_IP (in its Subject Alternative Name or Common Name) and by a CA the clients trust, otherwise browsers will show a warning instead of a padlock. Open the newly created key ring and it should look similar to image2.
[image2: Certificate object (Crt.png)]
3. Next, create a new service object under "Objects - Services" with the parameters below, leaving the remaining values at their defaults. Setting the protocol to TLS is what binds the TLS ALG to this service.
Name: HTTPS_Webserver
Type: TCP
Destination: 443
Protocol: TLS

4. For both the internal AND the external network to reach the web server over HTTPS, two new IP policies need to be created. Policy one, "Websrv_LAN", must be placed above the second policy.

The first policy says that devices on the LAN should have their source IP hidden behind the firewall (NAT) and the destination translated to the web server; the NAT is needed because the LAN clients and the web server would otherwise exchange packets without the reply passing back through the firewall's translated connection. The second policy says that everything arriving on WAN should be SAT'ed to the web server; note that the source address translation is set to None. In both policies the destination port is translated from 443 to 80, since the ALG terminates TLS and forwards plain HTTP to the server.

Policy 1:
Name: Websrv_LAN
Source interface: LAN
Source network: LAN_net
Destination interface: Core
Destination Network: WAN_IP
Services: HTTPS_Webserver

Source Translation
Address Translation: NAT
Address action: Outgoing Interface IP

Destination Translation
Address Translation: SAT
Address Action: Single IP
New IP address: Internal_webserver_IP
Port Action: Single port
New Port: 80
TLS TAB
Under ‘Host certificates’ add the ‘WebSrvCrt’ and leave ‘Root certificates’ empty.
Press OK and add the next policy accordingly.

Policy 2:
Name: Websrv_WAN
Source interface: WAN
Source Network: all-nets
Destination interface: Core
Destination Network: WAN_IP
Service: HTTPS_Webserver

Source Translation
Address Translation: None

Destination Translation
Address Translation: SAT
Address Action: Single IP
New IP address: Internal_webserver_IP
Port Action: Single port
New Port: 80
TLS TAB
Under ‘Host certificates’ add the ‘WebSrvCrt’ and leave ‘Root certificates’ empty.

5. Once done, save and activate (commit) the configuration. Verify that clients on both the LAN and the Internet can reach the web server using HTTPS on WAN_IP. Once connected, the green padlock should appear, as illustrated in image3; if a warning appears instead, the usual causes are a certificate issued for a different host name or by an issuer the client does not trust.
[image3: Certified website (HTTPS.png)]
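A browser padlock hides the reason when something is wrong, so it is useful to verify the front end the way a browser does but with the details exposed: does the presented certificate carry the name clients use for WAN_IP, is it trusted, how long until it expires, and does the HTTP request actually reach the web server behind the ALG. The following is an added example written for this how-to, not code from Clavister or from the original post; it uses only the Python standard library. The host names, dates and the sample certificate dictionary are constructed for illustration, and the `check_frontend` call at the bottom assumes a reachable front end at `www.example.com`.

```python
"""Client-side verification of a TLS-terminating front end (e.g. the TLS ALG)."""
import socket
import ssl
import time

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# Names, issuer and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Nov 27 00:00:00 2017 GMT",
    "notAfter": "Nov 27 00:00:00 2019 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}


def cert_dns_names(cert):
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """Exact match, or a single '*' covering only the left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        labels = hostname.split(".")
        return len(labels) == suffix.count(".") + 2 and hostname.endswith("." + suffix)
    return False


def hostname_matches(cert, hostname):
    """True if any name in the certificate covers the host name clients use."""
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def days_until_expiry(cert, now_ts):
    """Whole days from now_ts (seconds since epoch, UTC) until notAfter."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expiry - now_ts) // 86400)


def check_frontend(host, port=443, server_name=None, path="/", timeout=5):
    """Connect like a browser (system trust store, hostname check on), then do an
    HTTP GET through the TLS session so the backend HTTP server is exercised too.
    TLS failures are returned as a reason rather than raised, so a self-signed
    certificate or a name mismatch is reported instead of hidden."""
    server_name = server_name or host
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                protocol, cipher = tls.version(), tls.cipher()
                request = (f"GET {path} HTTP/1.1\r\nHost: {server_name}\r\n"
                           "Connection: close\r\n\r\n").encode()
                tls.sendall(request)
                status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "reason": str(exc)}
    return {
        "ok": True,
        "names": cert_dns_names(cert),
        "name_matches": hostname_matches(cert, server_name),
        "days_left": days_until_expiry(cert, time.time()),
        "protocol": protocol,
        "cipher": cipher,
        "status_line": status_line,  # comes from the HTTP server behind the ALG
    }


if __name__ == "__main__":
    # Assumed host name for the front end; replace with the name pointing at WAN_IP.
    print(check_frontend("www.example.com"))
```

Run it from a client on the LAN and from one on the Internet: both must succeed against the same WAN_IP for the two IP policies to be confirmed, and `name_matches` being False while `ok` is True can only happen if the system trust store was bypassed, so it acts as a sanity check on the certificate object uploaded in step 2.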
