The correct answer is A. It uses AppID services. Juniper SSL proxy does not rely only on TCP/443 or a static destination-port assumption. It uses Application Identification services to dynamically determine whether the session is SSL/TLS encrypted. Juniper states directly that SSL proxy uses application identification services to detect whether a session is SSL encrypted, and SSL proxy is allowed only when the session is identified as encrypted. If the application system cache marks the session as Encrypted=Yes, SSL proxy can transition into proxy processing; if the session is marked Encrypted=No, SSL proxy ignores it.
Option B is wrong because packet length does not reliably identify SSL/TLS encryption. Option C is a common trap: many SSL/TLS sessions use port 443, but SSL/TLS can run on nonstandard ports, and non-SSL applications can also use port 443. Junos uses AppID to avoid that weak assumption. Option D is wrong because a CA is used to sign or validate certificates during SSL forward or reverse proxy operations; it is not the mechanism used to detect whether a session is encrypted. Reference topics: SSL Proxy, AppID, encrypted session detection, application system cache, SSL/TLS inspection.
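The contrast between a static port check (option C) and content-based detection, as an added Python illustration that is not from the original page and is not Juniper's AppID implementation. `looks_like_tls`, `EncryptedCache` and the sample sessions are hypothetical and constructed, and the cache is a simplified assumption of how an Encrypted=Yes/No entry gates proxying.

```python
import struct

def client_hello() -> bytes:
    """Build a minimal, constructed TLS ClientHello record (not captured traffic)."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def looks_like_tls(payload: bytes) -> bool:
    """Content check: TLS handshake record header followed by a ClientHello."""
    if len(payload) < 6:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != 0x16 or major != 3 or minor > 4:
        return False                      # not a TLS handshake record
    if not 0 < rec_len <= 2 ** 14:
        return False                      # outside the TLS plaintext record limit
    return payload[5] == 0x01             # handshake type 1 = ClientHello

def port_decision(dst_port: int) -> str:
    """The weak assumption: TCP/443 means SSL/TLS."""
    return "proxy" if dst_port == 443 else "ignore"

class EncryptedCache:
    """Hypothetical stand-in for a cache holding Encrypted=Yes/No per destination."""
    def __init__(self):
        self.entries = {}

    def decision(self, dst_ip: str, dst_port: int, first_payload: bytes) -> str:
        key = (dst_ip, dst_port)
        if key not in self.entries:       # first session to this destination
            self.entries[key] = looks_like_tls(first_payload)
        return "proxy" if self.entries[key] else "ignore"

# Constructed sessions: (destination IP, destination port, first client payload)
SESSIONS = [
    ("192.0.2.10", 443, client_hello()),                    # TLS on 443
    ("192.0.2.20", 8443, client_hello()),                   # TLS on a nonstandard port
    ("192.0.2.30", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.0.2.40", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),        # non-SSL app on 443
]

def compare(sessions=SESSIONS):
    """Return (ip, port, port-based decision, content-based decision) per session."""
    cache = EncryptedCache()
    return [(ip, port, port_decision(port), cache.decision(ip, port, data))
            for ip, port, data in sessions]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The two decisions agree only for the first session; the port check misses TLS on 8443 and would try to proxy cleartext HTTP and SSH on 443.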