How to limit or specify what client ciphers can be used to access management console or reverse proxy services on the ProxySG
Last Updated May 13, 2017
Restrict clients from accessing the ProxySG using low security or weak ciphers.
Specify which ciphers are allowed or denied for incoming connections to the ProxySG.
There are several different ways to limit which ciphers the ProxySG will accept. Many combinations are possible, but the principles shown in the examples below should offer the necessary guidance for limiting connections to the ProxySG based on cipher type or strength.
CLI:
Management Console Service:
  Enable mode (enable <enter>)
  Config t <enter>
  management-services <enter>
  edit https-console <enter>
  attribute cipher-suite <insert the ciphers you want>
Reverse Proxy Service:
  Enable mode (enable <enter>)
  Config t <enter>
  proxy-services <enter>
  edit <service_name> <enter>
  attribute cipher-suite <insert the ciphers you want>
VPM:
Web Access Layer
  Right click in "Source", then Set > New
  Client Negotiate Cipher Strength
  Choose the desired strength (Export, High, Medium, Low)
  Choose to DENY or ALLOW depending on your need.
CPL:
Example_1: Deny ciphers by security level:
  <Proxy>
    DENY client.connection.negotiated_cipher.strength=low
Example_2: Allow based on a specified list of ciphers:
  <Proxy>
    ALLOW client.connection.negotiated_cipher=(EXP-RC4-MD5 || EXP1024-RC4-MD5 || EXP1024-RC4-SHA || EXP1024-RC2-CBC-MD5 || EXP1024-DES-CBC-SHA)
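
An added example, not part of the original article: a small Python check that audits OpenSSL-style cipher names, such as those in Example_2, before they are entered with attribute cipher-suite or used in a CPL rule. The token table, the function names and the three extra sample names are assumptions made for this illustration; the generated rule combines the DENY action of Example_1 with the list syntax of Example_2.

```python
# Added example (not from the article): flag weak OpenSSL-style cipher names.
WEAK_TOKENS = {  # assumed token table, keyed on parts of the suite name
    "EXP": "export-grade key length",
    "EXP1024": "export-grade key length",
    "RC4": "RC4 stream cipher",
    "RC2": "RC2 block cipher",
    "MD5": "MD5 MAC",
    "NULL": "no encryption",
    "ADH": "anonymous key exchange",
}

def weaknesses(suite):
    """Return the reasons a suite name is weak (empty list if none found)."""
    tokens = suite.upper().split("-")
    reasons = []
    for i, tok in enumerate(tokens):
        if tok == "DES":
            # DES-CBC3 is triple DES; plain DES-CBC is single 56-bit DES.
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            reason = "3DES (64-bit block)" if nxt == "CBC3" else "single DES"
        else:
            reason = WEAK_TOKENS.get(tok)
        if reason and reason not in reasons:
            reasons.append(reason)
    return reasons

def audit(suites):
    """Split candidates into (keep, reject); reject maps name -> reasons."""
    reject = {s: weaknesses(s) for s in suites if weaknesses(s)}
    keep = [s for s in suites if s not in reject]
    return keep, reject

def cpl_deny_rule(suites):
    """Build a DENY rule for the weak names, using Example_2's list syntax."""
    _, reject = audit(suites)
    if not reject:
        return ""
    return "<Proxy>\n  DENY client.connection.negotiated_cipher=(%s)" % " || ".join(reject)

# Constructed input: the five names from Example_2 plus three other names.
CANDIDATES = ["EXP-RC4-MD5", "EXP1024-RC4-MD5", "EXP1024-RC4-SHA",
              "EXP1024-RC2-CBC-MD5", "EXP1024-DES-CBC-SHA",
              "DES-CBC3-SHA", "AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]

if __name__ == "__main__":
    for name, why in audit(CANDIDATES)[1].items():
        print("reject", name, "-", ", ".join(why))
    print(cpl_deny_rule(CANDIDATES))
```

All five names listed in Example_2 are reported as export-grade, so treat that list as an illustration of the syntax and substitute the suites you intend to permit.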
Imported Document ID: 000011203