SSL configuration settings for outbound traffic

Use Configure > SSL > Decryption / Encryption > Outbound to configure SSL and TLS settings and ciphers for outbound traffic (Content Gateway to the origin server).

Steps

  1. Under Protocol Settings, indicate which protocols you want Content Gateway to support. Supported protocols are:
    • TLSv1
    • TLSv1.1
    • TLSv1.2 (enabled by default)
    • TLSv1.3 (enabled by default)

    Select the protocols that your organization’s security policy has adopted.

    • You must select at least one protocol.
    • You can select different protocols for inbound traffic.
  2. Under Cipher Settings, select the appropriate Cipherlist for your deployment. The cipher list describes available algorithms and level of encryption between the client and Content Gateway.

    The Content Gateway DEFAULT cipher list matches the OpenSSL Default list, excluding those that Forcepoint experts believe provide the least security or encryption strength.

    The strongest cipher (providing the highest level of encryption) is applied first. This can be set to a different level of encryption than for inbound traffic.

    Additional cipher settings are:

    • HIGH encryption cipher suites are those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.
    • MEDIUM encryption cipher suites include the high cipher list plus additional cipher suites that use 128-bit encryption algorithms.
    • CUSTOM allows the use of personalized cipher suites.

    For outbound requests, consider using HIGH to improve security.

    Similar to the OpenSSL string, in TLS1.3, the following five cipher suites are enabled for all settings except CUSTOM:
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_128_CCM_8_SHA256
    • TLS_AES_128_CCM_SHA256

    Note that regardless of the selected setting, specific insecure ciphers are disabled by default. Control this list via the proxy.config.ssl.client.cipherlist_suffix variable in the records.config file. See the information provided in the SSL Decryption section of Content Gateway Configuration Files for more information.

    You can set the cipher lists to CUSTOM to specify your own cipher suites. If you choose this option, two additional input boxes will be available: one for TLS 1.2 and earlier cipher suites and another one for TLS 1.3 cipher suites. Provide your preferred cipher suites according to the formats recommended in the OpenSSL documentation.

    For more information about ciphers and cipher lists, refer to www.openssl.org/docs.

  3. Click Apply.
  4. Go to the Configure > My Proxy > Basic > General tab and click Restart.