
SSL policy infrastructure for SSL interception

A policy acts like a filter on incoming traffic. Policies on the NetScaler Secure Web Gateway (SWG) appliance define how proxied connections and requests are managed. Processing is based on the actions configured for the policy: data in a connection request is compared to the rule (expression) specified in the policy, and the action is applied to connections that match the rule. After defining the action to assign to the policy and creating the policy, you must bind it to a proxy server so that it applies to traffic flowing through that proxy server.

An SSL policy for SSL interception evaluates incoming traffic and applies a predefined action to requests that match a rule (expression). A decision to intercept, bypass, or reset a connection is made on the basis of the defined SSL policy. You can configure one of three actions for a policy—INTERCEPT, BYPASS, or RESET. You must specify an action when you create a policy. To put a policy into effect, you must bind it to a proxy server on the appliance. To specify that a policy is intended for SSL interception, you must specify the type (bind point) as INTERCEPT_REQ when you bind the policy to a proxy server. When unbinding a policy, you must specify the type as INTERCEPT_REQ.

Note:

The proxy server cannot make a decision to intercept unless you specify a policy.

Traffic interception can be based on any SSL handshake attribute. The most commonly used is the SSL domain. The SSL domain is usually indicated by the attributes of the SSL handshake. It could be the Server Name Indicator value extracted from the SSL Client Hello message, if present, or the Server Alternate Name (SAN) value extracted from the origin server certificate. The SSLi policy on NetScaler SWG presents a special attribute named DETECTED_DOMAIN, which makes it easier for the customers to author interception policies based on the SSL domain from the origin server certificate. The customer can match the domain name against a string, URL list (URL set or patset), or a URL category derived from the domain.

Create an SSL policy by using the NetScaler SWG CLI

At the command prompt, type:

add ssl policy <name> -rule <expression> -action <string>

Examples:

The following examples are for policies with expressions that use the detected_domain attribute to check for a domain name.

Do not intercept traffic to a financial institution, such as XYZBANK

add ssl policy pol1 -rule client.ssl.detected_domain.contains("XYZBANK") -action BYPASS

Do not allow a user to connect to YouTube from the corporate network

add ssl policy pol2 -rule client.ssl.detected_domain.url_categorize(0,0).category.eq("YouTube") -action RESET

Intercept all user traffic

add ssl policy pol3 -rule true -action INTERCEPT

If the customer doesn’t want to use the detected_domain, they can use any of the SSL handshake attributes to extract and infer the domain.

For example, if a domain name is not found in the SNI extension of the client hello message, the domain name must be taken from the origin server certificate. The following examples are for policies with expressions that check for a domain name in the subject name of the origin server certificate.

Intercept all user traffic to any Yahoo domain

add ssl policy pol4 -rule client.ssl.origin_server_cert.subject.contains("yahoo") -action INTERCEPT

Intercept all user traffic for the category “Shopping/Retail”

add ssl policy pol_url_category -rule client.ssl.origin_server_cert.subject.URL_CATEGORIZE(0,0).CATEGORY.eq("Shopping/Retail") -action INTERCEPT

Intercept all user traffic to an uncategorized URL

add ssl policy pol_url_category -rule client.ssl.origin_server_cert.subject.url_categorize(0,0).category.eq("Uncategorized") -action INTERCEPT

The following examples are for policies that match the domain against an entry in a URL set.

Intercept all user traffic if the domain name in SNI matches an entry in the URL set “top100”

add ssl policy pol_url_set -rule client.ssl.client_hello.SNI.URLSET_MATCHES_ANY("top100") -action INTERCEPT

Intercept all user traffic of the domain name if the origin server certificate matches an entry in the URL set “top100”

add ssl policy pol_url_set -rule client.ssl.origin_server_cert.subject.URLSET_MATCHES_ANY("top100") -action INTERCEPT
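The DETECTED_DOMAIN behaviour described earlier (SNI from the Client Hello when present, otherwise the origin server certificate) and the priority-ordered evaluation of the pol1, pol_url_set and pol3 style policies above can be seen end to end in the following added example. It is not NetScaler code: it builds a constructed TLS ClientHello, parses the SNI extension from it, and runs a small policy table over the detected domain; the TOP100 set, the policy table and the fallback to BYPASS when no policy matches are assumptions of this model.

```python
import struct

# Constructed TLS ClientHello record; SNI is optional so the "no SNI" case can be tested.
def build_client_hello(server_name=None):
    exts = b""
    if server_name is not None:
        host = server_name.encode()
        sni_list = b"\x00" + struct.pack("!H", len(host)) + host           # name type 0 = host_name
        sni_ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
        exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + exts)     # one cipher suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def sni_from_client_hello(record):  # host_name from the server_name extension, or None
    i = 5 + 4 + 2 + 32                                      # record hdr, hs hdr, version, random
    i += 1 + record[i]                                      # session id
    i += 2 + struct.unpack("!H", record[i:i + 2])[0]        # cipher suites
    i += 1 + record[i]                                      # compression methods
    if i + 2 > len(record):
        return None                                         # no extensions block at all
    end = i + 2 + struct.unpack("!H", record[i:i + 2])[0]
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", record[i:i + 4])
        i += 4
        if etype == 0:                                      # list len(2), type(1), name len(2), name
            nlen = struct.unpack("!H", record[i + 3:i + 5])[0]
            return record[i + 5:i + 5 + nlen].decode()
        i += elen
    return None
TOP100 = {"www.example.com", "video.example.net"}           # constructed stand-in for URL set "top100"
# (priority, rule, action) bindings modelled on the page's pol1, pol_url_set and pol3.
POLICIES = [
    (10, lambda d: d is not None and "xyzbank" in d.lower(), "BYPASS"),
    (20, lambda d: d in TOP100, "INTERCEPT"),
    (100, lambda d: True, "INTERCEPT"),                      # -rule true
]

def detected_domain(record, origin_cert_subject=None):
    # DETECTED_DOMAIN analogue: SNI if present, else the caller-supplied origin certificate name
    return sni_from_client_hello(record) or origin_cert_subject

def decide(record, origin_cert_subject=None):
    domain = detected_domain(record, origin_cert_subject)
    for _, rule, action in sorted(POLICIES, key=lambda p: p[0]):   # lowest priority value wins
        if rule(domain):
            return action
    return "BYPASS"   # assumption for this model: no matching policy means no interception
```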

Create an SSL policy by using the NetScaler SWG GUI

  1. Navigate to Secure Web Gateway  > SSL > Policies.
  2. On the SSL Policies tab, click Add and specify the following parameters:
    • Policy name
    • Policy action – Select from intercept, bypass or reset.
    • Expression
  3. Click Create.

Bind an SSL policy to a proxy server by using the SWG CLI

At the command prompt, type:

bind ssl vserver <vServerName> -policyName <string> -priority <positive_integer> -type  INTERCEPT_REQ

Example:

bind ssl vserver <name> -policyName pol1 -priority 10 -type INTERCEPT_REQ

Bind an SSL policy to a proxy server by using the NetScaler SWG GUI

  1. Navigate to Secure Web Gateway > Proxy Virtual Servers.
  2. Select a virtual server and click Edit.
  3. In Advanced Settings, click SSL Policies.
  4. Click inside the SSL Policy box.
  5. In Select Policy, select a policy to bind.
  6. In Type, select INTERCEPT_REQ.
  7. Click Bind and then click OK.

Unbind an SSL policy from a proxy server by using the SWG CLI

At the command prompt, type:

unbind ssl vserver <vServerName> -policyName <string> -type INTERCEPT_REQ

SSL expressions used in SSL policies for SWG

Expression: CLIENT.SSL.CLIENT_HELLO.SNI.*
Description: Returns the SNI extension in a string format. Evaluate the string to see if it contains the specified text.
Example: client.ssl.client_hello.sni.contains("xyz.com")

Expression: CLIENT.SSL.ORIGIN_SERVER_CERT.*
Description: Returns a certificate, received from a back-end server, in a string format. Evaluate the string to see if it contains the specified text.
Example: client.ssl.origin_server_cert.subject.contains("xyz.com")

Expression: CLIENT.SSL.DETECTED_DOMAIN.*
Description: Returns a domain, either from the SNI extension or from the origin server certificate, in a string format. Evaluate the string to see if it contains the specified text.
Example: client.ssl.detected_domain.contains("xyz.com")