Cisco Web Security Appliance S380 User Guide
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 11      Processing HTTPS Traffic
  • transparent requests with
    – IP-based surrogate, decryption for authentication enabled, or
    – IP-based surrogate, client previously authenticated using an HTTP request
Decryption with the AVC Engine
The HTTPS Proxy can decrypt HTTPS connections to web applications. This allows the AVC engine to 
more accurately detect and block web applications that use HTTPS. These web applications may use web 
browsers or other client applications, such as instant messaging applications.
However, to ensure that all applications work properly when HTTPS connections are decrypted, you 
must add the root certificate for signing to all client machines on the network as a trusted root certificate 
authority. For example, on Windows machines, you must install the root certificate into Internet Explorer 
for many instant messaging client applications to work, such as Yahoo Instant Messenger, MSN 
Messenger, and Google Talk.
Decryption with AOL Instant Messenger
Most AOL Instant Messenger (AIM) client applications do not allow you to add root certificates to their 
list of trusted certificates. Because you cannot add the appliance root certificate for signing to AIM client 
applications, AIM users are unable to log into AIM when the HTTPS connection to the AIM server is 
decrypted. Decryption of connections to AIM servers can occur if the web reputation filters are configured 
to decrypt traffic to servers whose reputation score matches that of the AIM server, or if a Decryption 
Policy is configured to decrypt all traffic.
To allow users to log into AIM, you must ensure that HTTPS traffic to the AIM servers is never 
decrypted and is instead passed through.
Note
Once users are logged into AIM, all instant messenger traffic uses HTTP and is subject to the configured 
Access Policies.
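The reason the custom URL category has to sit in the first position is that categories are evaluated in order and the first match decides the action, so a catch-all "decrypt everything" category placed earlier would silently override the AIM pass-through entries. The following Python script is an added illustration, not Cisco code and not the appliance's actual policy engine: it models ordered first-match evaluation over constructed categories (the AIM hostnames and IP literals listed in Step 1 below, plus an assumed catch-all), applies an assumed reputation-score range for decryption only when no category matched, and includes a small audit helper that reports pass-through entries shadowed by an earlier category. The `".suffix"` domain-entry form, the `"*"` catch-all and the score range are assumptions made for the example.

```python
"""Simplified model of ordered URL-category matching for HTTPS decryption.

This is an illustration of first-match policy ordering; it is not the
Cisco WSA implementation. Entry syntax assumed here:
  "host.example.com"  exact hostname match
  ".example.com"      domain suffix match (also matches example.com itself)
  "203.0.113.5"       IP literal match
  "*"                 matches any request (catch-all)
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class UrlCategory:
    name: str
    action: str            # "passthrough" or "decrypt"
    entries: Tuple[str, ...]


def _as_ip(text: str) -> Optional[ipaddress._BaseAddress]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _entry_matches(entry: str, host: str) -> bool:
    """Return True if a single category entry matches the requested host."""
    host = host.lower().rstrip(".")
    entry = entry.lower()
    if entry == "*":
        return True
    entry_ip = _as_ip(entry)
    if entry_ip is not None:
        host_ip = _as_ip(host)
        return host_ip is not None and host_ip == entry_ip
    if entry.startswith("."):
        return host == entry[1:] or host.endswith(entry)
    return host == entry


def decryption_action(host: str, categories: List[UrlCategory],
                      reputation_score: Optional[float] = None,
                      decrypt_range: Tuple[float, float] = (-10.0, -3.0),
                      default: str = "passthrough") -> str:
    """First matching category wins; reputation is consulted only afterwards."""
    for cat in categories:
        if any(_entry_matches(e, host) for e in cat.entries):
            return cat.action
    if reputation_score is not None:
        low, high = decrypt_range
        if low <= reputation_score <= high:   # assumed "decrypt this band" rule
            return "decrypt"
    return default


def shadowed_entries(categories: List[UrlCategory]) -> List[Tuple[str, str, str]]:
    """Audit helper: list (category, entry, shadowed_by) for entries that an
    earlier category would already match, i.e. entries that can never fire."""
    findings = []
    for i, cat in enumerate(categories):
        for entry in cat.entries:
            if entry == "*":
                continue
            probe = entry[1:] if entry.startswith(".") else entry
            for earlier in categories[:i]:
                if any(_entry_matches(e, probe) for e in earlier.entries):
                    findings.append((cat.name, entry, earlier.name))
                    break
    return findings


# Constructed from the AIM server list in Step 1 of this section.
AIM_PASSTHROUGH = UrlCategory("AIM servers", "passthrough", (
    "aimpro.premiumservices.aol.com", "bos.oscar.aol.com", "kdc.uas.aol.com",
    "buddyart-d03c-sr1.blue.aol.com", "205.188.8.207", "205.188.248.133",
    "205.188.13.36", "64.12.29.131",
))
# Assumed catch-all standing in for a "decrypt all traffic" Decryption Policy.
DECRYPT_ALL = UrlCategory("Decrypt everything", "decrypt", ("*",))


if __name__ == "__main__":
    good_order = [AIM_PASSTHROUGH, DECRYPT_ALL]
    bad_order = [DECRYPT_ALL, AIM_PASSTHROUGH]
    for order, label in ((good_order, "AIM first"), (bad_order, "catch-all first")):
        print(f"[{label}] bos.oscar.aol.com ->",
              decryption_action("bos.oscar.aol.com", order))
        for finding in shadowed_entries(order):
            print(f"[{label}] shadowed: {finding}")
```

Running the script shows the same AIM hostname resolving to `passthrough` with the custom category first and to `decrypt` with the catch-all first, and `shadowed_entries` flags every AIM entry in the second ordering; that audit is the check worth running after any reordering of custom URL categories.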
To pass through HTTPS traffic to AIM servers:
Step 1
Create a custom URL category in the first position of custom URL categories and enter the following 
addresses:
  • aimpro.premiumservices.aol.com
  • bos.oscar.aol.com
  • kdc.uas.aol.com
  • buddyart-d03c-sr1.blue.aol.com
  • 205.188.8.207
  • 205.188.248.133
  • 205.188.13.36
  • 64.12.29.131