Cisco IronPort AsyncOS 7.7.5 for Web User Guide
 
Chapter 11  Processing HTTPS Traffic
Step 2  Create a Decryption Policy and use the custom URL category created in  as part of the policy group membership. Depending on the other Decryption Policies configured, you might want to place this Decryption Policy at the top of the list.
Step 3  Configure the Decryption Policy to pass through all traffic to the custom URL category.
Step 4  Choose pass through as the default action for the Decryption Policy.
Step 5  Submit and commit your changes.
Managing Certificate Validation and Decryption for HTTPS
The Web Security appliance validates certificates before inspecting and decrypting content. 
Valid Certificates
Qualities of a valid certificate:
  • Not expired. The certificate’s validity period includes the current date.
  • Recognized certificate authority. The issuing certificate authority is included in the list of trusted certificate authorities stored on the Web Security appliance.
  • Valid signature. The digital signature was properly implemented based on cryptographic standards.
  • Consistent naming. The common name matches the hostname specified in the HTTP header.
  • Not revoked. The issuing certificate authority has not revoked the certificate.
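The criteria above, applied in code as an added example that is not from the guide or from Cisco: it uses Go's standard crypto/x509 verifier, builds a constructed root and server certificate with a hypothetical mkCert helper, and maps the verifier's outcome onto the guide's categories in checkServerCert (the function names, hostnames and fixed clock are assumptions of the example). Two caveats a practitioner should know: modern verifiers match the hostname against the Subject Alternative Name list rather than the common name alone, and x509.Verify does not check revocation, so that criterion needs a separate CRL or OCSP lookup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert builds a constructed test certificate: a self-signed root when parent is nil,
// otherwise a server certificate for host cn signed by parent with parentKey.
func mkCert(cn string, nb, na time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil {
		tmpl.IsCA, parent, parentKey = true, tmpl, key // self-signed root
	} else { // verifiers match the host against the SAN list, so a CN alone is not enough
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkServerCert applies the guide's criteria: validity period, recognized CA (the chain signature is
// checked on the way) and naming. Revocation is not covered: x509.Verify consults neither CRLs nor OCSP.
func checkServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "expired" // the validity period does not include the current date
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	switch err.(type) {
	case nil:
		return "valid"
	case x509.UnknownAuthorityError:
		return "unrecognized CA" // issuer not in the trust store, or the chain signature fails
	case x509.HostnameError:
		return "name mismatch"
	}
	return "invalid: " + err.Error()
}
```

Verifying against a fixed clock (now) rather than the wall clock keeps the expiry case reproducible; an empty x509.NewCertPool() stands in for an appliance whose trusted-CA list lacks the issuer.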
Invalid Certificate Handling
The appliance can perform one of the following actions for invalid server certificates:
  • Drop. The appliance drops the connection and does not notify the client. This is the most restrictive option.
  • Decrypt. The appliance allows the connection, but inspects the traffic content. It decrypts the traffic and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP connection.
  • Monitor. The appliance does not drop the connection, and instead it continues comparing the server request with the Decryption Policy groups. When an invalid server certificate is monitored, the errors in the certificate are maintained and passed along to the end-user. This is the least restrictive option.