Cisco Web Security Appliance S670 User Guide

AsyncOS 10.0 for Cisco Web Security Appliances User Guide
 
Chapter 11: Create Decryption Policies to Control HTTPS Traffic
Root Certificates
Enabling Real-Time Revocation Status Checking
Before You Begin
Ensure the HTTPS Proxy is enabled. See 
Step 1  Security Services > HTTPS Proxy.
Step 2  Click Edit Settings.
Step 3  Select Enable Online Certificate Status Protocol (OCSP).
Step 4  Configure the OCSP Result Handling properties.
        Cisco recommends configuring the OCSP Result Handling options to the same actions as the Invalid Certificate Handling options. For example, if you set Expired Certificate to Monitor, configure Revoked Certificate to Monitor.
Step 5  (Optional) Expand the Advanced configuration section and configure the settings described below.
Step 6  Submit and Commit Changes.
Trusted Root Certificates
The Web Security appliance ships with and maintains a list of trusted root certificates. Web sites with 
trusted certificates do not require decryption. 
Advanced OCSP settings (see Step 5):

| Field Name | Description |
|---|---|
| OCSP Valid Response Cache Timeout | Time to wait before rechecking a valid OCSP response in seconds (s), minutes (m), hours (h), or days (d). Default unit is seconds. Valid range is from 1 second to 7 days. |
| OCSP Invalid Response Cache Timeout | Time to wait before rechecking an invalid OCSP response in seconds (s), minutes (m), hours (h), or days (d). Default unit is seconds. Valid range is from 1 second to 7 days. |
| OCSP Network Error Cache Timeout | Time to wait before attempting to contact the OCSP responder again after failing to get a response in seconds (s), minutes (m), hours (h), or days (d). Valid range is from 1 second to 24 hours. |
| Allowed Clock Skew | Maximum allowed difference in time settings between the Web Security appliance and the OCSP responder in seconds (s) or minutes (m). Valid range is from 1 second to 60 minutes. |
| Maximum Time to Wait for OCSP Response | Maximum time to wait for a response from the OCSP responder. Valid range is from 1 second to 10 minutes. Specify a shorter duration to reduce delays in end user access to HTTPS requests in the event that the OCSP responder is unavailable. |
| Use upstream proxy for OCSP checking | Group Name of the upstream proxies. |
| Servers exempt from upstream proxy | IP addresses or hostnames of the servers to exempt. May be left blank. |
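The following added example (not Cisco code and not part of the original guide) checks a planned set of advanced OCSP values against the ranges in the settings table and models how the three cache timeouts decide when the responder is queried again. The dictionary keys and class name are hypothetical, and it assumes that a bare number means seconds for every field and that Maximum Time to Wait accepts the same unit letters as the cache timeouts.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# (min, max) in seconds and accepted unit letters, taken from the settings table.
# Dictionary keys are hypothetical names, not AsyncOS identifiers.
LIMITS = {
    "valid_cache":         (1, 7 * 86400, "smhd"),
    "invalid_cache":       (1, 7 * 86400, "smhd"),
    "network_error_cache": (1, 24 * 3600, "smhd"),
    "clock_skew":          (1, 60 * 60,   "sm"),
    "max_wait":            (1, 10 * 60,   "smhd"),  # units assumed, not on the page
}

def parse_duration(text, units="smhd"):
    """Convert '90', '15m', '2h', '7d' to seconds; a bare number means seconds."""
    m = re.fullmatch(r"(\d+)\s*([smhd]?)", text.strip().lower())
    if not m or (m.group(2) or "s") not in units:
        raise ValueError(f"bad duration {text!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def validate(settings):
    """Return every setting in seconds, or raise ValueError listing each bad field."""
    out, errors = {}, []
    for name, (lo, hi, units) in LIMITS.items():
        try:
            secs = parse_duration(settings[name], units)
            if not lo <= secs <= hi:
                raise ValueError(f"{secs}s outside {lo}..{hi}s")
            out[name] = secs
        except (KeyError, ValueError) as exc:
            errors.append(f"{name}: {exc}")
    if errors:
        raise ValueError("; ".join(errors))
    return out

class OcspResultCache:
    """Model of a per-certificate cache where the outcome type selects the timeout."""
    TTL_KEY = {"valid": "valid_cache", "invalid": "invalid_cache",
               "network_error": "network_error_cache"}

    def __init__(self, cfg):
        self.cfg, self.entries = cfg, {}

    def store(self, serial, outcome, now):
        self.entries[serial] = (outcome, now + self.cfg[self.TTL_KEY[outcome]])

    def lookup(self, serial, now):
        """Return the cached outcome, or None when the responder must be queried."""
        outcome, expires = self.entries.get(serial, (None, 0))
        return outcome if now < expires else None
```

A long valid-response timeout delays the point at which a newly revoked certificate is noticed, while a long network-error timeout extends how long traffic is handled without any revocation answer.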