Cisco Web Security Appliance S690 User Guide

 
10-19
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 10      Decryption Policies
Decrypting HTTPS Traffic
using, you can download the root certificate from the Security Services > 
HTTPS Proxy page. Click Edit Settings, and then click the Download 
Certificate link for either the generated or uploaded certificate.
You might want to download the root certificate from the appliance if a 
different person uploaded the root certificate to the appliance and you want 
to verify you distribute the same root certificate to the client machines.
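The verification described above can be done by comparing certificate fingerprints: the appliance's downloaded root against the thumbprint shown in a client's certificate viewer. This is an added example, not code from the Cisco guide; the PEM below wraps a constructed placeholder blob standing in for a real exported root, and it uses only the Python standard library.

```python
"""Check that the root certificate distributed to clients is the same root
the appliance signs with, by comparing fingerprints (added example)."""
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed placeholder standing in for the DER of a root exported from
# Security Services > HTTPS Proxy > Download Certificate (not a real cert).
_PLACEHOLDER_DER = b"placeholder bytes standing in for a DER-encoded root CA"
APPLIANCE_ROOT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                      + base64.encodebytes(_PLACEHOLDER_DER).decode()
                      + "-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Return the DER bytes of the first certificate block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(cert, algo="sha256"):
    """Colon-separated upper-case fingerprint of a PEM string or DER bytes,
    the format Windows and browser certificate viewers display."""
    der = pem_to_der(cert) if isinstance(cert, str) else cert
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Accept a fingerprint as copied from any viewer: colons, spaces, case."""
    return re.sub(r"[^0-9a-fA-F]", "", fp).upper()


def same_root(appliance_pem, client_fingerprint, algo="sha256"):
    """True when the client's installed root matches the appliance's root."""
    return normalize(fingerprint(appliance_pem, algo)) == normalize(client_fingerprint)


if __name__ == "__main__":
    fp = fingerprint(APPLIANCE_ROOT_PEM)
    print("appliance root SHA-256:", fp)
    # Thumbprint as a technician might read it off a client (constructed).
    print("client matches:", same_root(APPLIANCE_ROOT_PEM, fp.lower()))
```

Only the fingerprint needs to be compared, so the check can be run on the client side against a value published by whoever exported the certificate, without shipping the PEM twice.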
Using Decryption with the AVC Engine
Depending on how the HTTPS Proxy is configured and the configured Decryption 
Policies, the HTTPS Proxy may decrypt HTTPS connections to web applications. 
This allows the AVC engine to more accurately detect and block web applications 
that use HTTPS. These web applications may use web browsers or other client 
applications, such as instant messaging applications.
However, to ensure that all applications work properly when HTTPS connections 
are decrypted, you must add the root certificate for signing to all client machines 
on the network as a trusted root certificate authority. For example, on Windows 
machines, you must install the root certificate into Internet Explorer for many 
instant messaging client applications to work, such as Yahoo Instant Messenger, 
MSN Messenger, and Google Talk.
Using Decryption with AOL Instant Messenger
Most AOL Instant Messenger (AIM) client applications do not allow you to add 
root certificates to their list of trusted certificates. Because you cannot add the 
appliance root certificate for signing to AIM client applications, AIM users are 
unable to log into AIM when the HTTPS connection to the AIM server is 
decrypted. Decryption to AIM servers might occur if the web reputation filters are 
configured to decrypt traffic to servers with the reputation score equal to the AIM 
server, or if a Decryption Policy is configured to decrypt all traffic.
To allow users to log into AIM, you must ensure that HTTPS traffic to the AIM 
servers is never decrypted and is instead passed through.
Note
Once users are logged into AIM, all instant messenger traffic uses HTTP and is 
subject to the configured Access Policies.
To pass through HTTPS traffic to AIM servers: