Cisco Web Security Appliance S670 User Guide
AsyncOS 9.1 for Cisco Web Security Appliances User Guide
 
Chapter 11      Create Decryption Policies to Control HTTPS Traffic
Step 3
Enable the decryption options.

Decryption Option / Description

Decrypt for Authentication
    For users who have not been authenticated prior to this HTTPS transaction, allow decryption for authentication.

Decrypt for End-User Notification
    Allow decryption so that AsyncOS can display the end-user notification.
    Note: If the certificate is invalid and invalid certificates are set to drop, when running a policy trace, the first logged action for the transaction will be "decrypt".

Decrypt for End-User Acknowledgement
    For users who have not acknowledged the web proxy prior to this HTTPS transaction, allow decryption so that AsyncOS can display the end-user acknowledgement.

Decrypt for Application Detection
    Enhances the ability of AsyncOS to detect HTTPS applications.

Authentication and HTTPS Connections
Authentication at the HTTPS connection layer is available for these types of requests:

Option / Description

Explicit requests
    secure client authentication disabled, or
    secure client authentication enabled and an IP-based surrogate

Transparent requests
    IP-based surrogate, decryption for authentication enabled, or
    IP-based surrogate, client previously authenticated using an HTTP request

Root Certificates
The HTTPS proxy uses the root certificates and private key files that you upload to the appliance to decrypt traffic. The root certificate and private key files you upload to the appliance must be in PEM format; DER format is not supported.
You can enter root certificate information in the following ways:
Generate. You can enter some basic organization information and then click a button so the appliance generates the rest of the certificate and a private key.
Upload. You can upload a certificate file and its matching private key file created outside of the appliance.
Note
You can also upload an intermediate certificate that has been signed by a root certificate authority. When the Web Proxy mimics the server certificate, it sends the uploaded certificate along with the mimicked certificate to the client application. That way, as long as the intermediate certificate is signed by a root certificate authority that the client application trusts, the application will trust the mimicked server certificate, too. See  for more information.
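The Root Certificates section above states that the certificate and private key files must be PEM, and that DER is rejected. The following script is an added example, not Cisco's code and not part of this guide; it is a local pre-upload check that tells PEM from DER by reading the outer ASN.1 SEQUENCE header, confirms the PEM body decodes to a complete DER object, reports which PEM label each file carries (so a key is not uploaded in the certificate slot or vice versa), and converts a DER file to PEM. The `SAMPLE_DER` value is a constructed DER SEQUENCE used only so the script runs offline; it is not a certificate. Function names and the `check_upload_pair` rules are this example's own assumptions, not appliance behaviour.

```python
import base64
import re

# Matches one PEM block and captures its label (e.g. CERTIFICATE, RSA PRIVATE KEY)
# and the base64 body between the BEGIN/END armour lines.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


def der_outer_length(data: bytes):
    """Length that the outermost ASN.1 SEQUENCE claims to span, or None if the
    header is not a well-formed DER SEQUENCE (X.509 certificates and PKCS keys
    all start with one)."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length octet
        return 2 + first
    n_bytes = first & 0x7F                # long-form: number of length octets
    if n_bytes == 0 or n_bytes > 4 or len(data) < 2 + n_bytes:
        return None
    return 2 + n_bytes + int.from_bytes(data[2:2 + n_bytes], "big")


def classify(blob: bytes):
    """Return (encoding, label): ('pem', <label>), ('der', None) or ('unknown', None).
    A PEM block whose base64 body does not decode to a complete DER SEQUENCE
    (truncated or corrupted file) is reported as ('pem-malformed', <label>)."""
    match = PEM_BLOCK.search(blob)
    if match:
        label = match.group(1).decode("ascii")
        der = base64.b64decode(match.group(2))   # decoder skips the line breaks
        if der_outer_length(der) == len(der):
            return ("pem", label)
        return ("pem-malformed", label)
    if der_outer_length(blob) == len(blob):
        return ("der", None)
    return ("unknown", None)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in PEM armour with 64-character base64 lines (RFC 7468)."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN " + label.encode() + b"-----\n"
            + b"\n".join(lines) + b"\n"
            + b"-----END " + label.encode() + b"-----\n")


def pem_to_der(pem: bytes) -> bytes:
    """Inverse of der_to_pem for the first PEM block in the input."""
    match = PEM_BLOCK.search(pem)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode(match.group(2))


# Constructed sample (assumption, not a real certificate): a valid DER SEQUENCE
# with a long-form length wrapping a 141-byte OCTET STRING, large enough that
# its PEM form spans several base64 lines.
SAMPLE_DER = b"\x30\x81\x90" + b"\x04\x81\x8d" + b"A" * 141


def check_upload_pair(cert_blob: bytes, key_blob: bytes) -> list:
    """Pre-upload check mirroring the guide's PEM-only rule. Returns a list of
    problems; an empty list means both files look acceptable to upload."""
    problems = []
    cert_enc, cert_label = classify(cert_blob)
    key_enc, key_label = classify(key_blob)
    if cert_enc != "pem":
        problems.append(f"certificate is {cert_enc}, appliance requires PEM")
    elif cert_label != "CERTIFICATE":
        problems.append(f"certificate file carries a {cert_label} block")
    if key_enc != "pem":
        problems.append(f"private key is {key_enc}, appliance requires PEM")
    elif "PRIVATE KEY" not in key_label:
        problems.append(f"private key file carries a {key_label} block")
    return problems


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(classify(SAMPLE_DER), classify(pem))
    print(check_upload_pair(SAMPLE_DER, der_to_pem(SAMPLE_DER, "RSA PRIVATE KEY")))
```

To use it on real files, read each one in binary mode and pass the bytes to `check_upload_pair`; a DER-only file can be rewritten with `der_to_pem` (label `CERTIFICATE` for the certificate, the key's own label for the key) before upload. The check deliberately parses only the outer SEQUENCE header so it needs no cryptography library; it does not verify that the key matches the certificate, which is a separate check.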