Cisco Web Security Appliance S360 User Guide

10-3
AsyncOS 8.1 for Cisco Web Security User Guide
 
Chapter 10      Create Decryption Policies to Control HTTPS Traffic
  Decryption Policies
Enabling the HTTPS Proxy
To monitor and decrypt HTTPS traffic, you must enable the HTTPS Proxy. When you enable the HTTPS Proxy, you must configure the root certificate and private key that the appliance uses to sign the server certificates it generates: for each decrypted connection, the appliance terminates the TLS session from the client, presents a certificate it has minted for that server, and signs it with this root, so client applications accept the minted certificate only if they trust the root. You can upload a root certificate and key that your organization already has, or you can have the appliance generate a certificate and key from information you enter. Treat the private key of this root as highly sensitive: whoever holds it can issue a certificate for any hostname that clients trusting the root will accept.
Once the HTTPS Proxy is enabled, all HTTPS policy decisions are handled by Decryption Policies. Also on this page, you can configure what the appliance does with HTTPS traffic when the server certificate is invalid.
Before You Begin
When the HTTPS proxy is enabled, HTTPS-specific rules in access policies are disabled and the 
web proxy processes decrypted HTTPS traffic using rules for HTTP.
Step 1
Choose Security Services > HTTPS Proxy, and click Enable and Edit Settings.
The HTTPS Proxy License Agreement appears.
Step 2
Read the terms of the HTTPS Proxy License Agreement, and click Accept.
Step 3
Verify that the Enable HTTPS Proxy field is enabled.
Step 4
In the HTTPS Ports to Proxy field, enter the ports the appliance should check for HTTPS traffic. Port 
443 is the default port.
Note
The maximum number of ports for which the Web Security appliance can serve as proxy is 30, which 
includes both HTTP and HTTPS. 
Step 5
Upload or generate the root (signing) certificate and private key that the appliance uses to sign the server certificates it generates for decrypted sites. If you upload your own, it must be a certificate capable of signing other certificates (a CA certificate), and you should distribute it to the trust store of every managed client before enabling decryption.
Note
If the appliance has both an uploaded certificate and key pair and a generated certificate and key pair, it 
only uses the certificate and key pair currently selected in the Root Certificate for Signing section.
Step 6
In the HTTPS Transparent Request section, select one of the following options:
Decrypt the HTTPS request and redirect for authentication
Deny the HTTPS request
This setting only applies to transactions that use the IP address as the authentication surrogate and when the user has not yet been authenticated. In a transparent deployment the appliance cannot redirect the client to its authentication page inside an encrypted session, so the first HTTPS request from an unauthenticated client must either be decrypted so that the redirect can be performed, or denied outright.
Note
This field only appears when the appliance is deployed in transparent mode.
Step 7
In the Applications that Use HTTPS section, choose whether to enable decryption for enhanced 
application visibility and control.
Note
Decryption may cause some applications to fail unless the root certificate for signing is installed in the client's trust store. Applications that pin a specific server certificate or public key fail even when the root is trusted, and must be exempted from decryption instead. For more information on the appliance root certificate, see.
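The following script is an added example and is not part of the Cisco guide or the appliance's own code. It models the signing mechanism the procedure above configures: a root signing CA of the kind Step 5 uploads, a server certificate minted under that root for one decrypted site (what the HTTPS Proxy does per server), and the client-side check that decides whether the minted certificate is accepted, which is the failure the Step 7 note describes. The CA name "Example Corp WSA Signing Root", the hostnames, and the temporary paths are assumptions made for the demonstration; it needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): a root signing CA, a server
# certificate minted under it the way the HTTPS Proxy does for a decrypted
# site, and the client check that decides whether the minted cert is accepted.
# CA name, hostnames and paths are assumptions. Needs OpenSSL 1.1.0+.
set -eu

# make_signing_root DIR: write DIR/root.key and DIR/root.pem, a self-signed
# root marked CA:TRUE with keyCertSign, i.e. the "root certificate for signing".
make_signing_root() {
  dir="$1"
  cat > "$dir/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Corp WSA Signing Root
O = Example Corp
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/root.cnf" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
}

# mint_server_cert DIR HOST: what the proxy does per decrypted site. It makes a
# fresh key and CSR for HOST and signs them with the root, producing DIR/HOST.pem.
mint_server_cert() {
  dir="$1"; host="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/root.cnf" \
    -subj "/CN=$host" -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\nextendedKeyUsage = serverAuth\n' \
    "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.pem" 2>/dev/null
}

# client_verifies DIR HOST [CAFILE]: prints OK when a client whose trust store
# is CAFILE accepts DIR/HOST.pem, REJECTED otherwise. With no CAFILE the client
# trusts nothing, which is how a workstation without the root installed behaves.
client_verifies() {
  dir="$1"; host="$2"; cafile="${3:-}"
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" "$dir/$host.pem" >/dev/null 2>&1 && echo OK || echo REJECTED
  else
    openssl verify -no-CAfile -no-CApath "$dir/$host.pem" >/dev/null 2>&1 && echo OK || echo REJECTED
  fi
}

# Demo: mint a certificate for one site and check it from both kinds of client.
work=$(mktemp -d)
make_signing_root "$work"
mint_server_cert "$work" www.example.com
echo "client that trusts root.pem: $(client_verifies "$work" www.example.com "$work/root.pem")"  # OK
echo "client without the root:     $(client_verifies "$work" www.example.com)"                   # REJECTED
```

The second line of output is the situation the Step 7 note warns about: the minted certificate chains to nothing the client trusts, so the application sees a certificate error. Installing root.pem in the client's trust store is what turns REJECTED into OK; it does not help an application that pins the real server's certificate, which must be exempted from decryption instead. Because root.key can sign a certificate for any name, keep it on the appliance and in your PKI's key custody process, not on workstations.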