Netgate Discussion Forum

    Help Understanding Proxy Servers

      unmode

      I wonder if someone can help me understand this.

      I understand that proxy servers such as Squid cannot proxy HTTPS traffic without complex configuration, which appears as a man-in-the-middle attack to the end user. But we are able to successfully proxy HTTPS traffic with full logging with TMG 2010. Why the difference? Also, I am confused about how Squid and similar software have become so popular if HTTPS traffic is not supported.

      I'm sure I'm misunderstanding this somehow, could someone please explain?

      Thanks.

        firewalluser

        Isn't TMG 2010 the old ISA Server?

        ISA used to automatically allow the HTTPS from the workstation through to the web; it never proxied or cached HTTPS. But if you set ISA to force HTTPS through the proxy, which it allowed you to do, then HTTPS would not work.

        Are you certain the HTTPS is passing through the TMG and it's not being allowed to just tunnel through to the web, ignoring the proxy?

        What does IE have in the connection settings, or are you using a firewall client app, as ISA used to come with a firewall client app which allowed for further configuration of some apps, like allowed protocols and ports?

        Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

        Asch Conformity, mainly the blind leading the blind.

          stephenw10 Netgate Administrator

          To fully proxy HTTPS traffic you need to run a man-in-the-middle, like you said. If you have the correct certificates in place, though, your users won't see any warnings and hence probably won't know anything about it.
          Perhaps TMG inserts the correct certs without you doing anything?

          Steve

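Added example, not part of any post in this thread: the difference the thread discusses, as it shows up in a proxy's own access log. It assumes Squid's native access.log field layout and uses constructed log lines; a tunnelled HTTPS request appears only as a CONNECT to host:port, while an intercepted (man-in-the-middle) one also produces the decrypted https:// URL.

```python
# Added example: classify what a forward proxy could actually see per host.
# Assumption: Squid native access.log layout
#   time elapsed client action/code bytes method URL ident hierarchy/peer type
from urllib.parse import urlsplit

# Constructed sample lines (documentation addresses and domains only).
SAMPLE_LOG = """\
1700000000.101    120 192.0.2.10 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/198.51.100.7 text/html
1700000001.202   4300 192.0.2.10 TCP_TUNNEL/200 48211 CONNECT mail.example.org:443 - HIER_DIRECT/198.51.100.9 -
1700000002.303     95 192.0.2.11 NONE/200 0 CONNECT shop.example.net:443 - HIER_DIRECT/198.51.100.12 -
1700000002.404     80 192.0.2.11 TCP_MISS/200 2048 GET https://shop.example.net/cart?id=7 - HIER_DIRECT/198.51.100.12 text/html
"""

TUNNEL = "tunnel: host and port only"
INTERCEPTED = "intercepted: full URL visible"
PLAIN = "plain HTTP: full URL visible"


def parse_line(line):
    """Pull the client, method and URL fields out of one log line."""
    fields = line.split()
    return {"client": fields[2], "method": fields[5], "url": fields[6]}


def classify(log_text):
    """Map each destination host to what the proxy was able to log for it."""
    visibility = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["method"] == "CONNECT":
            # CONNECT carries only "host:port"; the TLS session inside is opaque.
            host = entry["url"].rsplit(":", 1)[0]
            # Do not downgrade a host already seen with decrypted requests.
            visibility.setdefault(host, TUNNEL)
        else:
            parts = urlsplit(entry["url"])
            # An https:// URL in the log means the proxy terminated TLS itself.
            visibility[parts.hostname] = INTERCEPTED if parts.scheme == "https" else PLAIN
    return visibility


if __name__ == "__main__":
    for host, seen in classify(SAMPLE_LOG).items():
        print(f"{host:20} {seen}")
```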
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.