Cisco Web Security Appliance S170 User Guide
12-14
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12 Decryption Policies
Decrypting HTTPS Traffic
However, to ensure that all applications work properly when HTTPS connections are decrypted, you must add the root certificate for signing to all client machines on the network as a trusted root certificate authority. For example, on Windows machines, you must install the root certificate into Internet Explorer for many instant messaging client applications to work, such as Yahoo Instant Messenger, MSN Messenger, and Google Talk.
Using Decryption with AOL Instant Messenger
Most AOL Instant Messenger (AIM) client applications do not allow you to add root certificates to their list of trusted certificates. Because you cannot add the appliance root certificate for signing to AIM client applications, AIM users are unable to log into AIM when the HTTPS connection to the AIM server is decrypted. Decryption to AIM servers might occur if the web reputation filters are configured to decrypt traffic to servers with the reputation score equal to the AIM server, or if a Decryption Policy is configured to decrypt all traffic.
To allow users to log into AIM, you must ensure that HTTPS traffic to the AIM servers is never decrypted and is instead passed through.
Note: Once users are logged into AIM, all instant messenger traffic uses HTTP and is subject to the configured Access Policies.
To pass through HTTPS traffic to AIM servers:
Step 1
Create a custom URL category in the first position of custom URL categories and enter the following addresses:
• aimpro.premiumservices.aol.com
• bos.oscar.aol.com
• kdc.uas.aol.com
• buddyart-d03c-sr1.blue.aol.com
• 205.188.8.207
• 205.188.248.133
• 205.188.13.36
• 64.12.29.131
Step 2
Create a Decryption Policy and use the custom URL category created in Step 1 as part of the policy group membership. Depending on the other Decryption Policies configured, you might want to place this Decryption Policy at the top of the list.
Step 3
Configure the Decryption Policy to pass through all traffic to the custom URL category.
Step 4
Choose pass through as the default action for the Decryption Policy.
Step 5
Submit and commit your changes.
Converting Certificate and Key Formats
The root certificate and private key files you upload to the appliance must be in PEM format. DER format is not supported. However, you can convert certificates and keys in DER format into the PEM format before uploading them. For example, you can use OpenSSL to convert the format.
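As an added example (not from the Cisco guide), the following Python shows what the OpenSSL conversion produces: PEM is the DER bytes base64-encoded in 64-column lines between BEGIN/END armor lines. It checks whether a file is already PEM or DER before converting, so a file in the wrong format is caught before the upload is attempted; the sample DER bytes are constructed for the demonstration and are not a real certificate.

```python
import base64
import re

# Equivalent OpenSSL commands for real files:
#   openssl x509 -inform DER -in root.der -out root.pem
#   openssl rsa  -inform DER -in key.der  -out key.pem
# Assumption: the appliance accepts the standard RFC 7468 armor labels below.
LABELS = {
    "cert": "CERTIFICATE",
    "key": "RSA PRIVATE KEY",   # label written by 'openssl rsa' in PEM mode
}

def is_pem(data: bytes) -> bool:
    """PEM files are text beginning with a '-----BEGIN ...-----' line."""
    return data.lstrip().startswith(b"-----BEGIN ")

def is_der(data: bytes) -> bool:
    """DER X.509 certificates and PKCS#1 keys both start with an ASN.1 SEQUENCE tag (0x30)."""
    return len(data) > 2 and data[0] == 0x30

def der_to_pem(der: bytes, kind: str) -> str:
    """Base64 the DER bytes in 64-column lines and wrap them in BEGIN/END armor."""
    label = LABELS[kind]
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pem_to_der(pem: str) -> bytes:
    """Reverse conversion, used to verify a converted file round-trips to the same DER."""
    m = re.search(r"-----BEGIN [^-]+-----\s*(.*?)\s*-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(m.group(1).split()))

def ensure_pem(data: bytes, kind: str) -> str:
    """Return PEM text ready for upload: pass PEM through, convert DER, reject anything else."""
    if is_pem(data):
        return data.decode("ascii")
    if is_der(data):
        return der_to_pem(data, kind)
    raise ValueError("file is neither PEM nor DER; the appliance will reject it")

# Constructed sample: a minimal DER SEQUENCE of two INTEGERs, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])

if __name__ == "__main__":
    pem = ensure_pem(SAMPLE_DER, "cert")
    print(pem)
    print("round-trip ok:", pem_to_der(pem) == SAMPLE_DER)
```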