Web Proxy : SSL/TLS decryption and TCP proxy for HTTPS
Web proxy can decrypt HTTPS traffic for TLSv1.0, v1.1, and v1.2 and additionally supports TCP proxying for SSLv3 connections. For web proxy to leverage the HTTP SSL decryption feature, the SSL handshake must include the Server Name Indication (SNI). For more information about SNI, see the SteelHead Deployment Guide - Protocols.
Using web proxy and certificate management
This section describes some aspects that are important to consider regarding certificate management within your environment and its appropriate configuration for proper operation.
The web proxy HTTPS feature is critically dependent on the exchange of signed certificates between the SCC and the branch office SteelHead. Figure: Certificate workflow of the web proxy feature and the following steps show the certificate workflow of the web proxy feature.
Certificate workflow of the web proxy feature
The following steps correlate to the numbers in Figure: Certificate workflow of the web proxy feature:
1. The whitelist is manually configured with the approved domain information.
2. The approved whitelist domains are pushed to the client-side SteelHead web proxy configuration.
3. Web proxy automatically sends a certificate signing request for the approved domain to the certificate authority service, which is configured on the SCC.
4. The SCC certificate authority (CA) responds with an appropriately signed server certificate.
5. Web proxy stores the server certificate and the associated license key in the SteelHead secure vault for use when a client requests the approved domain.
6. Web proxy and the CA service automatically renew the server certificate as required.
You must enable the CA service feature of the SCC to generate server certificates and decrypt authorized content before accelerating HTTPS traffic with web proxy. The SCC CA service certificates must be trusted by clients using the service.
If you already have an existing private key and CA-signed public certificate, you can import them (in PEM format only) by cutting and pasting the certificate into the SCC CA Service configuration page.
If you do not already own certificates and keys, you can generate a private key and self-signed certificate through the SCC CA Service.
Select the PEM tab to view the certificate.
After you’ve configured the SCC CA service and have an SCC CA certificate created, we recommend that you follow your internal procedures to install the SCC CA certificate on your web client configurations as a trusted root certificate.
After you’ve configured the client-side SteelHead to support HTTPS web proxy, it automatically generates and renews the server certificates that the domain whitelist has allowed. Each client-side SteelHead contains its own secure vault and locally stores the generated keys and certificates within.
Using the global whitelist
You must configure the global HTTPS whitelist to contain the top-level and subdomain names for which the SCC permits the branch offices to proxy HTTPS. Choose Manage > Optimization: Web Proxy.
Be as specific as possible when you enter the whitelist domains; use the fully qualified domain name (FQDN) for each unique site requesting proxy service. In addition to a specific FQDN, the whitelist accepts:
wildcard domains (for example, *.facebook.com, *.YouTube.com, *.Riverbed.com).
hostnames (for example, webserver.myinternaldomain.com).
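The following added example (not RiOS code) models how an SNI value from a ClientHello can be checked against a whitelist made of FQDNs, hostnames and wildcard domains like the ones above. It assumes a wildcard entry matches hosts below the named domain but not the domain itself, that matching is case-insensitive, and that a handshake without SNI is never eligible for decryption, since the page states SNI is required.

```python
"""Whitelist matching for web proxy HTTPS decryption (added example, not RiOS code).

Assumptions: *.example.com matches any host under example.com but not example.com itself;
matching is case-insensitive and ignores a trailing dot; a ClientHello without SNI cannot be
matched, so it is not eligible for decryption (the page states SNI is required).
"""


def normalize(name):
    """Lower-case and strip whitespace/trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def load_whitelist(entries):
    """Split configured entries into exact names and wildcard suffixes."""
    exact, wildcard = set(), set()
    for entry in entries:
        entry = normalize(entry)
        if entry.startswith("*."):
            suffix = entry[2:]
            if not suffix or "*" in suffix:
                raise ValueError(f"unsupported wildcard entry: {entry}")
            wildcard.add(suffix)
        elif entry and "*" not in entry:
            exact.add(entry)
        else:
            raise ValueError(f"invalid whitelist entry: {entry}")
    return exact, wildcard


def decryption_allowed(sni, whitelist):
    """True only when SNI is present and names a whitelisted host or wildcard match."""
    if not sni:
        return False  # no SNI: no certificate can be selected, so TCP proxy only
    exact, wildcard = whitelist
    host = normalize(sni)
    if host in exact:
        return True
    # Walk parent labels: a.b.example.com matches *.example.com and *.b.example.com,
    # but notexample.com and example.com.evil.net never match *.example.com.
    parts = host.split(".")
    return any(".".join(parts[i:]) in wildcard for i in range(1, len(parts)))
```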
Using parent proxy (proxy chaining) configurations
RiOS 9.5 introduces support for web proxy configurations that must integrate into environments where additional proxy services reside upstream from the SteelHead (we refer to these upstream proxies as parent proxies). The web proxy service can now operate within a hierarchical chain of proxy servers, each of which can serve content from the local cache of the proxy above it in the chain, a setup commonly referred to as proxy chaining.
There are two available configuration methods for using the parent proxy service within web proxy:
Manual mode - used when clients need to access content transparently, with no knowledge of a proxy server's existence.
Automatic mode - used when clients are required to explicitly access a specific proxy server, as configured in the end-user browser or through a local client PAC file.
Parent proxy can only be deployed as a manual or automatic mode configuration but not as both configurations simultaneously.
Configuring manual mode parent proxy
To enable the manual parent proxy configuration options for HTTP and HTTPS, first select Parent Proxy Configuration, then select the Manual radio button. Enter the upstream parent proxy server hostname, FQDN, or IP address along with the specific server port in the following format:
<parent-server>:<service-port>
The ability to exclude specific domains from a manual mode parent proxy configuration is also available. This parent proxy exception option is only applicable to the manual mode server and not configurable for automatic mode.
When multiple parent proxies are configured, the parent used is selected based on the traffic scheme (HTTP as opposed to HTTPS), with a limit of five parents per scheme, combined with the selected operational mode. Failover mode is the default and selects the configured parent proxies in order of entry. Load-balanced mode selects parent proxies round-robin based on a hash of the client IP address. In either resiliency mode, a parent that is not available is marked as down for a five-minute interval; if no configured parent is available in the requested scheme, traffic for that scheme is blackholed (that is, dropped).
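The selection rules above, as an added example (not RiOS code) that models failover and load-balanced parent choice, the five-parent-per-scheme limit, the five-minute down interval and the blackhole case. The hash function used for load balancing (CRC32 of the client IP) and the exact "available" test are assumptions; the page documents only the behaviour, not the implementation.

```python
"""Model of parent proxy selection per scheme (added example, not RiOS code).

Assumptions: a parent is available unless it was marked down within the last five minutes;
load-balanced mode picks among available parents by CRC32 of the client IP (the real hash
is not documented here); a None result means the scheme's traffic is blackholed (dropped).
"""
import zlib

DOWN_INTERVAL = 300          # five minutes, per the page
MAX_PARENTS_PER_SCHEME = 5   # five parents per scheme, per the page


class ParentProxySelector:
    def __init__(self, mode="failover"):
        if mode not in ("failover", "load-balanced"):
            raise ValueError("mode must be 'failover' or 'load-balanced'")
        self.mode = mode
        self.parents = {"http": [], "https": []}   # kept in order of entry
        self.down_until = {}                        # "host:port" -> epoch seconds

    def add_parent(self, scheme, entry):
        """Register '<parent-server>:<service-port>', enforcing the per-scheme limit."""
        host, sep, port = entry.rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"expected <parent-server>:<service-port>, got {entry!r}")
        if len(self.parents[scheme]) >= MAX_PARENTS_PER_SCHEME:
            raise ValueError(f"at most {MAX_PARENTS_PER_SCHEME} parents per scheme")
        self.parents[scheme].append(f"{host}:{int(port)}")

    def mark_down(self, entry, now):
        """A failed parent is skipped for DOWN_INTERVAL seconds, then retried."""
        self.down_until[entry] = now + DOWN_INTERVAL

    def available(self, scheme, now):
        return [p for p in self.parents[scheme] if self.down_until.get(p, 0) <= now]

    def select(self, scheme, client_ip, now):
        """Return the parent to use, or None when the scheme's traffic is blackholed."""
        candidates = self.available(scheme, now)
        if not candidates:
            return None
        if self.mode == "failover":
            return candidates[0]              # first available, in order of entry
        idx = zlib.crc32(client_ip.encode()) % len(candidates)
        return candidates[idx]                # stable choice per client IP
```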
Configuring automatic mode parent proxy
To enable the automatic parent proxy option for HTTP and HTTPS, first select Parent Proxy Configuration, then select the Automatic radio button. No additional configuration is required on the web proxy for default operation. For correct operation, clients must be configured with a PAC file or explicit browser proxy settings before you enable this mode.
The web proxy server caches and proxies all HTTPS cache-enabled traffic by default. For security reasons, the web proxy server does not cache HTTP responses. However, HTTP traffic is still proxied. With RiOS 9.8 and later, you can cache HTTP traffic from trusted sites. To do this, enter the hostnames or IPv4 addresses of trusted parent proxy servers in the HTTP Whitelisted Servers field.
You can also whitelist trusted parent proxy servers by using the web-proxy parent automatic whitelist command. For details on the command, see the Riverbed Command-Line Interface Reference Manual.
When configuring automatic or manual parent proxy modes, the SteelHead must trust the certificates issued by the parent proxy server or provider in order to properly proxy and cache HTTPS traffic when using the parent proxy configurations. For more information about adding Certificate Authorities for a proxy service on SteelHead, see the SteelHead Deployment Guide - Protocols.