SSL policy infrastructure for SSL interception

A policy acts like a filter on incoming traffic. Policies on the Citrix Secure Web Gateway (SWG) appliance help define how to manage proxied connections and requests. The processing is based on the actions that are configured for that policy. That is, data in connection requests is compared to a rule specified in the policy, and the action is applied to connections that match the rule (expression). After defining an action for the policy and creating the policy, bind it to a proxy server, so that it applies to traffic flowing through that proxy server.

An SSL policy for SSL interception evaluates incoming traffic and applies a predefined action to requests that match a rule (expression). The decision to intercept, bypass, or reset a connection is made according to the SSL policy. You can configure one of three actions for a policy: INTERCEPT, BYPASS, or RESET. Specify the action when you create the policy. To put a policy into effect, you must bind it to a proxy server on the appliance. To specify that a policy is intended for SSL interception, specify the type (bind point) as INTERCEPT_REQ when you bind the policy to the proxy server. When unbinding the policy, you must again specify the type as INTERCEPT_REQ.

Note:

The proxy server can decide to intercept only if you specify a policy.

Traffic interception can be based on any SSL handshake attribute. The most commonly used is the SSL domain, which is taken from the handshake: either the Server Name Indication (SNI) value extracted from the SSL Client Hello message, if present, or the Subject Alternative Name (SAN) value extracted from the origin server certificate. The SSLi policy on Citrix SWG provides a special attribute named DETECTED_DOMAIN, which makes it easier to author interception policies based on the SSL domain from the origin server certificate. The domain name can be matched against a string, a URL list (URL set or patset), or a URL category derived from the domain.

Create an SSL policy by using the Citrix SWG CLI

At the command prompt, type:

add ssl policy <name> -rule <expression> -action <string>

Examples:

The following examples are for policies with expressions that use the detected_domain attribute to check for a domain name.

Do not intercept traffic to a financial institution, such as XYZBANK.

add ssl policy pol1 -rule client.ssl.detected_domain.contains("XYZBANK") -action BYPASS

Do not allow a user to connect to YouTube from the corporate network.

add ssl policy pol2 -rule client.ssl.detected_domain.url_categorize(0,0).category.eq("YouTube") -action RESET

Intercept all user traffic.

add ssl policy pol3 -rule true -action INTERCEPT

If you do not want to use detected_domain, you can use any of the SSL handshake attributes to extract and infer the domain.

For example, if a domain name is not found in the SNI extension of the client hello message, the domain name must be taken from the origin server certificate. The following examples are for policies with expressions that check for a domain name in the subject name of the origin server certificate.

Intercept all user traffic to any Yahoo domain.

add ssl policy pol4 -rule client.ssl.origin_server_cert.subject.contains("yahoo") -action INTERCEPT

Intercept all user traffic for the category “Shopping/Retail”.

add ssl policy pol_url_category -rule client.ssl.origin_server_cert.subject.URL_CATEGORIZE(0,0).CATEGORY.eq("Shopping/Retail") -action INTERCEPT

Intercept all user traffic to an uncategorized URL.

add ssl policy pol_url_category -rule client.ssl.origin_server_cert.subject.url_categorize(0,0).category.eq("Uncategorized") -action INTERCEPT

The following examples are for policies that match the domain against an entry in a URL set.

Intercept all user traffic if the domain name in SNI matches an entry in the URL set “top100”.

add ssl policy pol_url_set -rule client.ssl.client_hello.SNI.URLSET_MATCHES_ANY("top100") -action INTERCEPT

Intercept all user traffic if the domain name in the origin server certificate matches an entry in the URL set “top100”.

add ssl policy pol_url_set -rule client.ssl.origin_server_cert.subject.URLSET_MATCHES_ANY("top100") -action INTERCEPT

Create an SSL policy by using the SWG GUI

  1. Navigate to Secure Web Gateway > SSL > Policies.
  2. On the SSL Policies tab, click Add and specify the following parameters:
    • Policy name
    • Policy action – Select from intercept, bypass, or reset.
    • Expression
  3. Click Create.

Bind an SSL policy to a proxy server by using the SWG CLI

At the command prompt, type:

bind ssl vserver <vServerName> -policyName <string> -priority <positive_integer> -type INTERCEPT_REQ

Example:

bind ssl vserver <name> -policyName pol1 -priority 10 -type INTERCEPT_REQ

Bind an SSL policy to a proxy server by using the Citrix SWG GUI

  1. Navigate to Secure Web Gateway > Proxy Virtual Servers.
  2. Select a virtual server and click Edit.
  3. In Advanced Settings, click SSL Policies.
  4. Click inside the SSL Policy box.
  5. In Select Policy, select a policy to bind.
  6. In Type, select INTERCEPT_REQ.
  7. Click Bind and then click OK.

Unbind an SSL policy from a proxy server by using the command line

At the command prompt, type:

unbind ssl vserver <vServerName> -policyName <string> -type INTERCEPT_REQ

SSL expressions used in SSL policies for SWG

Expression: CLIENT.SSL.CLIENT_HELLO.SNI.*
Description: Returns the SNI extension in a string format. Evaluate the string to see if it contains the specified text.
Example: client.ssl.client_hello.sni.contains("xyz.com")

Expression: CLIENT.SSL.ORIGIN_SERVER_CERT.*
Description: Returns a certificate, received from a back-end server, in a string format. Evaluate the string to see if it contains the specified text.
Example: client.ssl.origin_server_cert.subject.contains("xyz.com")

Expression: CLIENT.SSL.DETECTED_DOMAIN.*
Description: Returns a domain, either from the SNI extension or from the origin server certificate, in a string format. Evaluate the string to see if it contains the specified text.
Example: client.ssl.detected_domain.contains("xyz.com")
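To make the evaluation order concrete, the following added Python model (not Citrix code, and not the appliance's expression engine) mirrors the policies pol1, pol2 and pol3 from this page bound with priorities 10, 20 and 100: DETECTED_DOMAIN falls back from SNI to the certificate subject, the lowest priority number is evaluated first, and with no matching policy the proxy does not intercept. The `Policy`, `detected_domain` and `evaluate` names and the `CATEGORIES` lookup standing in for url_categorize() are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed model of the appliance's policy evaluation; the names below
# are assumptions, not the Citrix SWG API.

@dataclass
class Policy:
    name: str
    priority: int                        # lower number is evaluated first
    rule: Callable[[Dict[str, str]], bool]
    action: str                          # INTERCEPT, BYPASS or RESET

def detected_domain(sni: Optional[str], origin_cert_subject: str) -> str:
    """DETECTED_DOMAIN: SNI from the Client Hello when present, otherwise
    the domain taken from the origin server certificate (here: its CN)."""
    if sni:
        return sni
    # constructed subject format: "CN=www.example.com,O=Example"
    for part in origin_cert_subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return ""

def evaluate(policies: List[Policy], sni: Optional[str],
             origin_cert_subject: str, categories: Dict[str, str]) -> str:
    """Walk the bound policies in priority order; the first matching rule
    decides. With no matching policy the connection is not intercepted."""
    attrs = {"detected_domain": detected_domain(sni, origin_cert_subject),
             "sni": sni or "",
             "origin_subject": origin_cert_subject}
    # stand-in for url_categorize(0,0).category on the detected domain
    attrs["category"] = categories.get(attrs["detected_domain"], "Uncategorized")
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.rule(attrs):
            return policy.action
    return "BYPASS"

# constructed categorisation data for the sample domains
CATEGORIES = {"www.youtube.com": "YouTube", "shop.example.com": "Shopping/Retail"}

# the page's pol1/pol2/pol3 bound with priorities 10, 20 and 100
POLICIES = [
    Policy("pol1", 10, lambda a: "xyzbank" in a["detected_domain"], "BYPASS"),
    Policy("pol2", 20, lambda a: a["category"] == "YouTube", "RESET"),
    Policy("pol3", 100, lambda a: True, "INTERCEPT"),
]
```

The last test case below shows the ordering caveat: if the catch-all INTERCEPT policy is bound with a lower priority number than the bank BYPASS policy, bank traffic is intercepted.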