SECURE Web Gateway. HTTPS/SSL Technical FAQ. Version 1.1. Date 04/10/12



Similar documents
CLEARSWIFT SECURE Web Gateway HTTPS/SSL decryption

Generating and Installing SSL Certificates on the Cisco ISA500

Using Internet or Windows Explorer to Upload Your Site

SSL Decryption Certificates

Setting Up SSL on IIS6 for MEGA Advisor

SSL Intercept Mode. Certificate Installation Guide. Revision Warning and Disclaimer

Secure Web Appliance. SSL Intercept

F-Secure Messaging Security Gateway. Deployment Guide

Clearswift Information Governance

Websense Web Security Gateway: Integrating the Content Gateway component with Third Party Data Loss Prevention Applications

Creating and Managing Certificates for My webmethods Server. Version 8.2 and Later

Quick Note 026. Using the firewall of a Digi TransPort to redirect HTTP Traffic to a proxy server. Digi International Technical Support December 2011

GFI Product Manual. Web security, monitoring and Internet access control. Administrator Guide

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

SECURE ICAP Gateway. Blue Coat Implementation Guide. Technical note. Version /12/13. Product Information. Version & Platform SGOS 6.

Decryption. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

REQUIREMENTS AND INSTALLATION OF THE NEFSIS DEDICATED SERVER

SSL Interception on Proxy SG

ez Agent Administrator s Guide

F-Secure Internet Gatekeeper

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

Using a custom certificate for SSL inspection

Secure Traffic Inspection

Quick Start Guide. Cerberus FTP is distributed in Canada through C&C Software. Visit us today at

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

Introduction to Mobile Access Gateway Installation

Semantic based Web Application Firewall (SWAF - V 1.6)

PRODUCT VERSION: LYNC SERVER 2010, LYNC SERVER 2013, WINDOWS SERVER 2008

LAB :: Secure HTTP traffic using Secure Sockets Layer (SSL) Certificate

Yealink Technical White Paper. Contents. About VPN Types of VPN Access VPN Technology... 3 Example Use of a VPN Tunnel...

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé

App Orchestration 2.0

Aspera Connect User Guide

Zscaler. How to enable SSL scanning. on your school s. Zscaler web filter

Cyclope Internet Filtering Proxy. - Installation Guide -

Filter Avoidance and Anonymous Proxy Guard

NETASQ MIGRATING FROM V8 TO V9

How to Configure edgebox as a Web Server

SSL Insight Certificate Installation Guide

Citrix Receiver for Mobile Devices Troubleshooting Guide

Preventing credit card numbers from escaping your network

Configuring SonicWALL TSA on Citrix and Terminal Services Servers

Cisco Expressway Certificate Creation and Use

Aspera Connect User Guide

Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway

Wavecrest Certificate

Websense Web Security Gateway: What to do when a Web site does not load as expected

App Orchestration 2.5

Installing Virtual Coordinator (VC) in Linux Systems that use RPM (Red Hat, Fedora, CentOS) Document # 15807A1-103 Date: Aug 06, 2012

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Aspera Connect User Guide

Quick Note 040. Create an SSL Tunnel with Certificates on a Digi TransPort WR router using Protocol Switch.

Ciphermail Gateway PDF Encryption Setup Guide

Virtual Web Appliance Setup Guide

Collax Web Security. Howto. This howto describes the setup of a Web proxy server as Web content filter.

Customer Tips. Xerox Network Scanning HTTP/HTTPS Configuration using Microsoft IIS. for the user. Purpose. Background

Using Protection Engine for Cloud Services for URL Filtering, Malware Protection and Proxy Integration Hands-On Lab

Cyclope Internet Filtering Proxy

Upgrading Client Security and Policy Manager in 4 easy steps

CHAPTER 7 SSL CONFIGURATION AND TESTING

Product Manual. Administration and Configuration Manual

StreamServe Encryption and Authentication

+27O.557+! RM Auditor Additions - Web Monitor. Contents

SSL User Authentication with the HTTP Security Server

Installing and Configuring Websense Content Gateway

Configuring Apache HTTP Server as a Reverse Proxy Server for SAS 9.3 Web Applications Deployed on Oracle WebLogic Server

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Gateway

Quick Start 5: Introducing and configuring Websense Cloud Web Security solution

WebMarshal User Guide

NEFSIS DEDICATED SERVER

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

Inspection of Encrypted HTTPS Traffic

Secure Part II Due Date: Sept 27 Points: 25 Points

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Adobe Marketing Cloud Using FTP and sftp with the Adobe Marketing Cloud

Trend Micro Worry- Free Business Security st time setup Tips & Tricks


SSL SSL VPN

Virtual Managment Appliance Setup Guide

Owner of the content within this article is Written by Marc Grote

Deployment Guide Microsoft IIS 7.0

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Configuring MailArchiva with Insight Server

F-Secure Anti-Virus for Windows Servers. Administrator's Guide

Integrated SSL Scanning

CTERA Portal Datacenter Edition

HTTPS Inspection with Cisco CWS

Apache JMeter HTTP(S) Test Script Recorder

Sophos Mobile Control SaaS startup guide. Product version: 6

Requirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module


Aspera Connect Linux 32/64-bit. Document Version: 1

WatchGuard Training. Introduction to WatchGuard Dimension

isupplier PORTAL ACCESS SYSTEM REQUIREMENTS

Sophos UTM. Remote Access via PPTP. Configuring UTM and Client

Comodo MyDLP Software Version 2.0. Installation Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Clearswift SECURE Exchange Gateway Installation & Setup Guide. Version 1.0

User Manual. User Manual Version

Integrated SSL Scanning

Configuring Security for FTP Traffic

Transcription:

SECURE Web Gateway HTTPS/SSL Technical FAQ Version 1.1 Date 04/10/12

Introduction This Technical FAQ explains the operation of the HTTPS/SSL scanning and how it is deployed. How does the SECURE Web Gateway inspect encrypted HTTPS traffic? When a user s browser requests a connection to an HTTPS site the Web Gateway will automatically create and sign an HTTPS web server certificate for the site being requested. This process of automatic certificate creation occurs for each new HTTPS website requested. The sequence of events: 1. The user requests an HTTPS URL via their browser i.e. https://www.clearswift.com. 2. The Web Gateway automatically creates and signs an HTTPS web server certificate for the site being requested and returns the certificate to the browser. Note: Users browsers must be configured to trust the website certificates created and signed by the Web Gateway - as a trusted certificate authority. Failure to import the web gateway root signing certificate into the users browser certificate store (see next section below) will cause the user s browser to display a certificate warning, because certificates signed by the Web Gateway will not be trusted. 3. The encrypted session is then established between the browser and the Web Gateway using the details provided by the certificate provided from the Web Gateway. 4. The Web Gateway also connects to the remote web server requested (https://www.clearswift.com) and inspects that server s certificate to ensure it is valid and can be trusted 5. If the certificate is valid then an encrypted session is established between the Web Gateway and the remote server. 6. The data that passes between a user s browser and the Web Gateway is encrypted. 7. The data that passes between the Web Gateway and the remote web server is encrypted. 8. The data passing within the Web Gateway s own analysis engine is not encrypted, and according to policy may be content checked against an acceptable use policy (AUP) as well as being automatically scanned for web malware. Importing the Clearswift Web Gateway MIMEsweeper root CA into users browsers As detailed above it is essential that the users browsers trust the certificates signed by the Web Gateway. To enable the browser to trust the Web Gateway s certificate authority (CA) you will need to export the Web Gateway root CA certificate and import it into each user s browser certificate store. After first exporting the root certificate from the Web Gateway (see below) it is then imported into Internet Explorer and Firefox via the browser s certificate import option as follows: Internet Explorer: Tools > Internet Options > Content tab > Certificates > Trusted Root Certification Authorities > Import Page 2 of 6 2

Firefox: Tools > Option > Advanced > Encryption tab > View Certificates > Authorities > Import and select to trust this certificate to identify web sites. The certificate will appear in the browser certificate store and will be shown under the name MIMEsweeper Web Gateway Root CA as shown below. Fig 1: Imported SECURE Web Gateway Root CA certificate as seen in Internet Explorer Note: Active Directory Group Policy may be used to import the certificates into all users browsers. Exporting the root certificate from the SECURE Web Gateway The Root CA certificate is exported from the following location: System Center > Proxy Settings > Proxy Mode & Listening Port > Download HTTPS Certificate. Figure 2: Downloading the HTTPS certificate Page 3 of 6 3

The certificate exported from the location above must then be imported into all your users browsers as described above, and before the HTTPS decryption option is enabled. Enabling the HTTPS decryption option The HTTPS decryption option is enabled in the following location: Policy Center > Global Web Policy > HTTPS Content Scanning. Figure 3: Enabling HTTP decryption When enabling the decryption option you are also able to stop users from accessing sites with certificate failures, or by selecting the Allow access to sites with certificate failures as shown above, users will be warned of the certificate failure reason but still permitted to Visit Site Anyway as shown in Figure 4 below. Figure 4: User certificate failure notification & override page. Page 4 of 6 4

Creating your own signing certificate and importing it into the Web Gateway 1. Create a folder where certificates will be created, e.g. mkdir /root/certs 2. Change to that folder, e.g. cd /root/certs 3. Copy one files: cp /etc/ssl/misc/ca.sh. cp /etc/ssl/openssl.cnf. 4. Edit the openssl.cnf file to set the number of DAYS higher than the default 365 to increase the time the certificate remains valid. E.g. vi openssl.cnf. Look for default_days and set this higher, e.g. 3650 5. Run./CA.sh newca 6. Hit enter for default file name 7. Enter the passphrase and confirm it 8. Enter all of the details asked which are required to create your certificate. It is very important that all these are set otherwise the Web Gateway GUI may accept the certificate when imported but it may fail to work. What you are about to enter is called a Distinguished Name or a DN Country Name (2 Letter code) [GB] State or Province Name (Full name) [Berkshire] Locality Name (e.g., City) [Theale] Cd democaorganization Name (e.g., Company) [Clearswift Limited] Organizational Unit Name (e.g., Section) [IT Support] Common Name (e.g., YOUR name) [webgateway3.ocean.tld] Email Address e.g., [admin@gateway3.ocean.tld] 9. This will create a folder called democa. Change to this folder, e.g. cd democa 10. In this folder will be found the root CA certificate called 'cacert.pem' and in the private folder will be the key which is called 'cakey.pem'. FTP both these files off the system 11. Edit the cacert.pem file and remove all the top text until -----BEGIN CERTIFICATE----- These two files may then be imported into the Web Gateway GUI and the certificate may also be used in users browsers so that they trust it. System Center > Proxy Settings > Proxy Mode & Listening Port > HTTPS Certificate and Private Key. Page 5 of 6 5

Figure 5: Importing your own certificate Notes: 1. This certificate will need to be imported into the browser so that it is trusted 2. When importing the certificate the file filter must be set to '*' see the file with Internet Explorer 3. When importing the certificate into the Web Gateway the following log can be checked to see if any errors occurred: /tmp/.csmds.log. To view this just: cat /tmp/.csmds.log - END - Page 6 of 6 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information