2.3. Pre-existing environment validation

  • Start an RDP session to the Windows 10 Desktop (Components > Windows 10 Desktop > ACCESS > RDP)

  • Log in as f5labs\mike (pw: agility)

  • Open the Firefox browser

  • Browse to https://www.example.com/

  • Click on the padlock icon in the address bar

    [Screenshot: Connection Padlock]

  • Click the arrow to the right of Connection secure

    [Screenshot: Site Information]

  • Confirm that the connection/certificate is verified by DigiCert Inc

    [Screenshot: Verified By: DigiCert Inc]

  • Modify the client's proxy settings to point to F5 SSL Orchestrator

    • In Firefox, click the menu icon in the top right of the window

    • Select Options on the menu

    • In the Find in Options search field at the top, type proxy

    • Click the Settings... button under Network Settings

    • Select the Manual proxy configuration radio button. Ensure the proxy settings appear as follows:

      [Screenshot: Firefox Connection Settings]

  • Click the OK button

  • Close and relaunch the Firefox browser

  • Browse to https://www.example.com/ once again

  • Confirm that the connection/certificate is now verified by f5labs.com

    [Screenshot: Verified By: f5labs.com]

  • Confirm that the explicit proxy service is seeing decrypted traffic:

    • Start a Web Shell to Service - ExpProxy (Components > Service - ExpProxy > ACCESS > Web Shell)

    • Enter the following command in the Web Shell:

      tail -f /var/log/squid3/access.log

    • Visit a few secure (HTTPS) websites (non-banking) using Firefox on the Windows 10 Desktop and confirm that access is being logged even though we are visiting a secure website. You should see log entries of the sites and URLs visited, similar to the example below:

      [Screenshot: Proxy Access Log]

  • Visit a financial institution (e.g. https://www.chase.com) and verify that SSL Orchestrator is not intercepting by confirming that the verification is done by a trusted CA (e.g. Entrust, Inc.). If the traffic were intercepted, the connection/certificate would have been verified by f5labs.com. Because we are bypassing Financial Institutions in the SSL Orchestrator Security Policy and this website is a financial institution, the origin server's public certificate is presented to the client.

  • Confirm that the explicit proxy service is not seeing the bypassed (encrypted) traffic.
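
One way to carry out the last two log checks from the Web Shell without reading the log by eye (an added example, not part of the original lab guide). It assumes Squid's default native access.log format, where the seventh field is the URL; the function names are hypothetical and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: confirm which hosts the explicit proxy service logged.
# Assumes squid's default "native" access.log layout, where field 7 is the URL.

# hosts_in_log FILE: print each unique hostname found in the URL field.
hosts_in_log() {
  awk '{
    u = $7
    sub("^[a-z]+://", "", u)   # drop the scheme, if present
    sub("[/:?].*$", "", u)     # drop port, path and query
    if (u != "") print tolower(u)
  }' "$1" | sort -u
}

# host_logged FILE HOST: succeed if HOST appears in the log.
host_logged() {
  hosts_in_log "$1" | grep -Fxq -- "$2"
}

# check_visibility FILE logged|absent HOST: compare the log with the expectation.
check_visibility() {
  if host_logged "$1" "$3"; then seen=logged; else seen=absent; fi
  if [ "$seen" = "$2" ]; then
    echo "PASS: $3 is $seen"
  else
    echo "FAIL: $3 is $seen, expected $2"
    return 1
  fi
}

# Constructed sample log (addresses and timestamps are made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
1700000000.100    120 192.0.2.10 TCP_MISS/200 900 GET https://www.example.com/ - HIER_DIRECT/198.51.100.7 text/html
1700000004.250     95 192.0.2.10 TCP_MISS/200 4312 GET https://www.example.org/portal?x=1 - HIER_DIRECT/198.51.100.9 text/html
EOF

check_visibility "$sample" logged www.example.com   # intercepted site
check_visibility "$sample" absent www.chase.com     # bypassed site
rm -f "$sample"
```

On the lab service, point the same check at the real log, for example `check_visibility /var/log/squid3/access.log absent www.chase.com`.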