Without a proxy server, when a user accesses a secure HTTPS site the Web Filter can see only the domain name (the subject of the SSL certificate), not the full URL: the request path and query string travel inside the encrypted session. Block or allow decisions can therefore be made only on the domain, so URL patterns for HTTPS sites may not work correctly.
If you configure a Rocket appliance as a trusted man-in-the-middle (TMITM / MITM) proxy server, all HTTPS requests can be examined just like HTTP requests. When a user requests a secure website, such as a banking site, the browser sends the encrypted request to the proxy server instead of to the site. The proxy server terminates that SSL session and decrypts the request in order to read the full URL.
(Learn more about this in our whitepaper, SSL Explained.)
Learn more about authentication with the proxy here.
If the request is allowed, the proxy server carries it out on the client's behalf over SSL as expected. If the site is blocked, the request is denied and the user sees a block page.
Mobile devices may also be configured to use the proxy server. It is not recommended that you use the proxy server in conjunction with the Lightspeed Systems Mobile Filter on laptops. Make sure you configure mobile devices with a proxy server hostname that resolves both inside and outside your network; a device that leaves the network with a proxy name it can no longer resolve will lose web access.
The proxy server listens on TCP port 8080 on Rocket appliances where the Proxy Server role is enabled.
The following diagram shows a Rocket appliance that has been configured as a proxy server.
To configure a Rocket appliance as a proxy server, follow the steps below.
NOTE: T-Mobile 4G and LTE Devices Are Not Supported
T-Mobile's caching servers are not compatible with the proxy module in the Lightspeed Systems Rocket. In most instances T-Mobile redirects lookup requests to its caching servers using an HTTP 301 redirect. In practice this lets users retrieve cached copies of web pages that the Rocket appliance would normally block. T-Mobile is aware of the issue but as of this time has not taken any steps to resolve it. Refer to the "How to make internet settings in T-Mobile U8150-A?" and "Proxy servers disrupting service" discussions on the T-Mobile Support forum for more information.
1. Configure your network so that clients use the proxy server
   - In an Active Directory environment, use Group Policy Objects (GPOs) to enforce the use of the proxy server
   - In a Novell environment, use ZENworks to enforce the use of the proxy server
2. Configure your Rocket or Bottle Rocket appliance as a proxy server
   - Connect the Management port on the Rocket appliance to a port on your LAN switch
   - Log into this appliance
   - Click Administration and then click Server Roles
   - Check (select) Proxy Server
   - Click Save
3. RECOMMENDED: Install the SSL certificate from the Rocket appliance as a trusted root authority on every proxy client. Because the proxy re-signs HTTPS sites with this certificate, clients that do not trust it will see certificate warnings, and some SSL sites will not work at all. Applications that pin their own certificates will still fail through the proxy even when the certificate is installed.
   - Download the SSL certificate from the Rocket appliance at http://(fqdn)/lsaccess/proxycert. You must use the fully qualified domain name (FQDN) of the proxy in this URL to reach it and download the certificate.
   - Install the SSL certificate on all of your proxy clients. You can push it out through a GPO (Active Directory) or ZENworks (Novell) at the same time that you push out the proxy settings.
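Once the three steps are done, a practitioner will want to confirm that interception is actually in place and that the certificate clients receive is the appliance's. The script below is an added example written for this page, not a Lightspeed tool. It downloads the certificate from the /lsaccess/proxycert URL named in step 3, opens an HTTP CONNECT tunnel to the proxy on TCP 8080 (the port stated above), and performs the TLS handshake with a trust store that contains only that certificate. If the handshake verifies, the certificate presented for the target site was issued by the appliance, so interception is working; if verification fails, the origin's own certificate came through unchanged, or the downloaded certificate is not the one the proxy signs with. Assumptions not stated on the page: the certificate may be served as PEM or DER (both are handled), a proxy that refuses the tunnel answers CONNECT with a non-200 status, and the function names, the proxy FQDN and the target host in the usage line are chosen for the example.

```python
import socket
import ssl
import sys
import urllib.request

PROXY_PORT = 8080  # the Rocket proxy listens on TCP 8080 (stated on the page)


def fetch_proxy_ca(proxy_fqdn: str) -> bytes:
    """Download the appliance certificate from the URL given in step 3 (must use the proxy FQDN)."""
    url = f"http://{proxy_fqdn}/lsaccess/proxycert"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def trust_only(ca_blob: bytes) -> ssl.SSLContext:
    """Client context whose trust store holds only the appliance certificate.
    Assumption: the download may be PEM or DER; both are accepted through cadata."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_blob.lstrip().startswith(b"-----BEGIN"):
        ctx.load_verify_locations(cadata=ca_blob.decode("ascii"))
    else:
        ctx.load_verify_locations(cadata=ca_blob)
    return ctx


def build_connect_request(host: str, port: int = 443) -> bytes:
    """The HTTP CONNECT request a browser sends to a forward proxy for an HTTPS site."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_status(reply: bytes) -> int:
    """Status code from the proxy's reply to CONNECT, or -1 if the reply is not an HTTP status line."""
    status_line = reply.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return -1
    return int(parts[1])


def read_reply_headers(sock: socket.socket) -> bytes:
    """Read the proxy's response up to the end of its headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(proxy_host: str, target_host: str, ca_blob: bytes) -> dict:
    """Tunnel through the proxy and report whether the certificate we were shown chains to the appliance."""
    with socket.create_connection((proxy_host, PROXY_PORT), timeout=10) as raw:
        raw.sendall(build_connect_request(target_host))
        status = parse_connect_status(read_reply_headers(raw))
        if status != 200:
            # Assumption: the proxy refused the tunnel (e.g. the site is blocked at CONNECT time).
            return {"connect_status": status, "intercepted": False, "issuer": None}
        try:
            with trust_only(ca_blob).wrap_socket(raw, server_hostname=target_host) as tls:
                cert = tls.getpeercert()
                issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
                return {"connect_status": status, "intercepted": True, "issuer": issuer}
        except ssl.SSLCertVerificationError as err:
            # Chain does not lead to the appliance certificate: the origin's own cert passed through.
            return {"connect_status": status, "intercepted": False, "issuer": None, "error": str(err)}


if __name__ == "__main__":
    # usage: python3 proxy_probe.py proxy.school.example bank.example.com
    proxy_fqdn, target = sys.argv[1], sys.argv[2]
    print(probe(proxy_fqdn, target, fetch_proxy_ca(proxy_fqdn)))
```

Run it once from inside the network and once from outside; both runs succeeding also confirms the proxy hostname resolves in both places, which the mobile-device note above requires. A result with `intercepted` false but `connect_status` 200 after you have installed the certificate means the clients will be trusting a certificate the proxy is not actually using.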
For iOS devices running iOS 6.0 and above, you can use Lightspeed Systems Mobile Manager to push a forward proxy configuration that requires no user intervention to use the Rocket appliance proxy server. This is an alternative Web Filter solution that does not require the Lightspeed Systems Mobile Browser app. See the Mobile Manager Global Proxy page in the Mobile Manager documentation for more information.
Tags: Man in the middle, MITM, trusted man in the middle, SSL decryption