Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.7.5 for Web User Guide
 
Chapter 28      Common Tasks
Bypassing Decryption for specific HTTPS Websites
In this task, you will pass through traffic to specific HTTPS websites. You might want to do this to allow users to access the HTTPS website, while still inspecting traffic to other websites.

Some websites and web-based applications that use HTTPS do not work when the Web Security appliance decrypts the traffic between the client and the server. If you trust these HTTPS websites, you can configure the appliance to pass through traffic from clients to the HTTPS servers instead of decrypting the traffic to inspect for malware and to enforce acceptable use policies.

For example, users have been complaining about not being able to access a partner website that uses HTTPS while connected to the local network. IT has learned from reading the Web Security appliance access logs that the partner’s HTTPS server is not fully RFC compliant with HTTPS and cannot communicate properly with the HTTPS Proxy when it decrypts traffic between clients and the HTTPS server. By bypassing all HTTPS traffic to the partner’s website, you can still allow access while decrypting traffic to other HTTPS servers.

This task assumes that the HTTPS Proxy is enabled and decrypts traffic by default.

Step 1  Navigate to the Web Security Manager > Custom URL Categories page.
Step 2  On the Custom URL Categories page, click Add Custom Category.
Step 3  In the Category Name field, enter a name for this category, such as HTTPSPassThru.
Step 4  In the Sites field, enter the addresses of the websites for which you want to bypass decryption, such as mypartnersite.com.
Step 5  Click Submit.
Step 6  Navigate to the Web Security Manager > Identities page.
Step 7  Click Add Identity.
Step 8  In the Name field, enter a name for this policy, such as WebsitesToBypassDecryption.
Step 9  Under Membership Definition, click Advanced to expand the advanced policy options.
Step 10  Click the link next to URL Categories.
Step 11  On the Identities: Policy “WebsitesToBypassDecryption”: Membership by URL Categories page, in the Custom URL Categories section, click in the Add column for the custom URL category created in .
Step 12  Click Done.
Step 13  Click Submit.
Step 14  Navigate to the Web Security Manager > Decryption Policies page.
Step 15  Click Add Policy.
Step 16  In the Name field, enter a name for this policy, such as DPPassThrough.
Step 17  In the Identities and Users field, choose “Select One or More Identities.”
Step 18  In the Identity field, select the Identity created in
Step 19  Submit and Commit your changes.

Now, when users try to access the websites listed in , they are able to view the sites with no problem, while the appliance still decrypts traffic for other sites.
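
One way to confirm from the access logs that pass-through applies only to the sites you listed, and that those sites are no longer decrypted. This is an added example, not code from Cisco or from this guide. It assumes HTTPS transactions are logged as tunnel://host:port/ with an ACL decision tag beginning PASSTHRU_, DECRYPT_ or DROP_; the sample log lines and the function name audit_passthrough are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: HTTPS transactions are logged as "tunnel://host:port/" and the
# ACL decision tag on the same line begins with PASSTHRU_, DECRYPT_ or DROP_.
LINE_RE = re.compile(
    r"\btunnel://(?P<host>[^:/\s]+)(?::\d+)?/?\s.*?"
    r"\b(?P<action>PASSTHRU|DECRYPT|DROP)_[A-Z_]+"
)

# Constructed sample lines (not taken from a real appliance).
SAMPLE_LOG = """\
1325376000.101 215 10.1.1.20 TCP_MISS/200 4310 CONNECT tunnel://mypartnersite.com:443/ - DIRECT/mypartnersite.com - PASSTHRU_CUSTOMCAT_7-DPPassThrough-WebsitesToBypassDecryption-NONE-NONE-NONE-DefaultGroup -
1325376001.450 180 10.1.1.21 TCP_MISS/200 5120 CONNECT tunnel://www.example.org:443/ - DIRECT/www.example.org - DECRYPT_WEBCAT_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup -
1325376002.220 140 10.1.1.22 TCP_MISS/200 2048 CONNECT tunnel://files.example.net:443/ - DIRECT/files.example.net - PASSTHRU_WBRS_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup -
1325376003.900 160 10.1.1.23 TCP_MISS/200 3300 CONNECT tunnel://mypartnersite.com:443/ - DIRECT/mypartnersite.com - DECRYPT_WEBCAT_7-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup -
1325376004.300 12 10.1.1.21 TCP_MISS/200 9120 GET http://www.example.org/index.html - DIRECT/www.example.org text/html DEFAULT_CASE_11-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup -
""".splitlines()


def audit_passthrough(log_lines, bypass_sites):
    """Return (unexpected_passthrough, still_decrypted) as host -> hit count."""
    sites = [s.lower().lstrip(".") for s in bypass_sites]
    unexpected, still_decrypted = Counter(), Counter()
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # plain HTTP, or a line without a recognised decision tag
        host = m.group("host").lower()
        # Scope used by this audit: the listed site itself or a subdomain of it.
        listed = any(host == s or host.endswith("." + s) for s in sites)
        if m.group("action") == "PASSTHRU" and not listed:
            unexpected[host] += 1       # bypassing inspection without being listed
        elif m.group("action") == "DECRYPT" and listed:
            still_decrypted[host] += 1  # listed, but the policy is not taking effect
    return dict(unexpected), dict(still_decrypted)


if __name__ == "__main__":
    unexpected, still_decrypted = audit_passthrough(SAMPLE_LOG, ["mypartnersite.com"])
    print("Passed through but not on the bypass list:", unexpected)
    print("On the bypass list but still decrypted:", still_decrypted)
```

Hosts in the first result are bypassing malware and acceptable-use inspection through some other policy and are worth reviewing; hosts in the second result indicate the new Decryption Policy is not matching yet.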