SSL configuration settings for inbound traffic

To configure SSL and TLS settings and ciphers for inbound traffic:

Steps

  1. In the Content Gateway manager, go to the Configure > SSL > Decryption / Encryption > Inbound tab.
  2. Under Protocol Settings, mark the check box next to each protocol that you want Content Gateway to support. Supported protocols are:
    • TLSv1
    • TLSv1.1
    • TLSv1.2 (enabled by default)
    • TLSv1.3 (enabled by default)

    Select the protocols that your organization’s security policy has adopted and that your browsers support.

    • You must select at least one protocol.
    • These settings override the settings for these protocols in the users’ browsers.
    • You can select different protocols for outbound traffic.
  3. Under Cipher Settings, select the appropriate Cipherlist for your deployment. The cipher list describes available algorithms and level of encryption between the client and Content Gateway.

    The Content Gateway DEFAULT cipher list matches the OpenSSL Default list, excluding those that Forcepoint experts believe provide the least security or encryption strength.

    • ADH
    • RC4
    • EXP
    • DES

    Edit the variables defined in the records.config file to change the default list. See SSL Decryption.

    The strongest cipher (providing the highest level of encryption) is applied first. This can be set to a different level of encryption than for outbound traffic.

    Additional cipher settings are:

    • HIGH encryption cipher suites are those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.
    • MEDIUM encryption cipher suites are the high cipher list plus additional cipher suites that use 128-bit encryption algorithms.
    • CUSTOM allows the use of personalized cipher suites.

    For inbound requests (clients connections to Content Gateway), consider using MEDIUM encryption to improve performance.

    Similar to the OpenSSL string, in TLS1.3, the following five cipher suites are enabled for all settings except CUSTOM:
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_128_CCM_8_SHA256
    • TLS_AES_128_CCM_SHA256

    Regardless of the selected setting, specific insecure ciphers are disabled by default. Control this list via the proxy.config.ssl.server.cipherlist_suffix variable in the records.config file. See the information provided in the SSL Decryption section of Content Gateway Configuration Files for more information.

    You can set the cipher lists to CUSTOM to specify your own cipher suites. If you choose this option, two additional input boxes will be available: one for TLS 1.2 and earlier cipher suites and another one for TLS 1.3 cipher suites. Provide your preferred cipher suites according to the formats recommended in the OpenSSL documentation.

    For more information about ciphers, refer to www.openssl.org/docs.

  4. Click Apply.
  5. Go to the Configure > My Proxy > Basic > General tab and click Restart.