Cisco Web Security Appliance S170 User Guide
Chapter 11: Decryption Policies, page 217
Enabling the HTTPS Proxy
To monitor and decrypt HTTPS traffic, you must enable the HTTPS Proxy on the Security
Services > HTTPS Proxy page. When you enable the HTTPS Proxy, you must configure what
the appliance uses for a root certificate when it sends self-signed server certificates to the
client applications on the network. You can upload a root certificate and key that your
organization already has, or you can configure the appliance to generate a certificate and key
with information you enter.
Note — When AsyncOS for Web runs on a FIPS-compliant Web Security appliance, you must
use the FIPS management console to generate or upload the root certificate and key pair.
When you generate or upload certificates and keys using the FIPS management console, the
keys are protected by the HSM card. For more information on using the FIPS management
console, see “FIPS Management” on page 67.
Once the HTTPS Proxy is enabled, all HTTPS policy decisions are handled by Decryption
Policies. You can no longer define Access and Routing Policy group membership by HTTPS,
nor can you configure Access Policies to block HTTPS transactions. If some Access and
Routing Policy group memberships are defined by HTTPS and if some Access Policies block
HTTPS, then when you enable the HTTPS Proxy those Access and Routing Policy groups
become disabled. You can choose to enable the policies at any time, but all HTTPS-related
configurations are removed.
Note — When you upload a certificate to the Web Security appliance, verify it is a signing
certificate and not a server certificate. A server certificate cannot be used as a signing
certificate, so decryption does not work when you upload a server certificate.
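As an added example (not from the Cisco guide), the following shell script performs the check this note calls for before you upload anything: it creates a constructed CA certificate and a constructed server certificate with openssl, then reads the X.509v3 extensions to tell a signing certificate from a server certificate, and confirms that the private key pairs with the certificate. It assumes the openssl command-line tool (1.1.1 or later, for -addext) is installed.

```shell
#!/bin/sh
# Added example, not Cisco's code: decide whether a PEM certificate is a
# signing (CA) certificate before uploading it as the HTTPS Proxy root.
# Assumes the openssl CLI. The keys and certificates below are generated
# here as constructed sample input.
set -e

WORK="$(mktemp -d)"

# Constructed sample 1: a self-signed CA certificate (what the proxy needs).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Corp Root CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Constructed sample 2: an end-entity (server) certificate, which cannot
# sign the certificates the appliance mints for client applications.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=www.example.com" \
  -addext "basicConstraints=critical,CA:FALSE" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=serverAuth" \
  -keyout "$WORK/server.key" -out "$WORK/server.pem" 2>/dev/null

# is_signing_cert FILE: returns 0 when the X.509v3 extensions assert CA:TRUE
# and keyCertSign, i.e. the certificate can act as the root for decryption.
is_signing_cert() {
  text="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
  return 0
}

# key_matches_cert CERT KEY: returns 0 when the private key pairs with the
# certificate's public key (the appliance needs both uploaded together).
key_matches_cert() {
  c="$(openssl x509 -in "$1" -noout -pubkey)"
  k="$(openssl pkey -in "$2" -pubout 2>/dev/null)"
  [ "$c" = "$k" ]
}

for f in ca server; do
  if is_signing_cert "$WORK/$f.pem"; then
    echo "$f.pem: signing certificate, usable as the HTTPS Proxy root"
  else
    echo "$f.pem: server certificate, decryption would not work"
  fi
done
```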
For more information about root certificates, see “Working with Root Certificates” on
page 213.
Also on this page, you can configure what the appliance does with HTTPS traffic when the
server certificate is invalid.
Note — For information on importing a custom root authority certificate, see “Importing a
Trusted Root Certificate” on page 231.
To enable the HTTPS Proxy:
1. Navigate to the Security Services > HTTPS Proxy page, and click Enable and Edit Settings.
The HTTPS Proxy License Agreement appears.
2. Read the terms of the HTTPS Proxy License Agreement, and click Accept.
The Edit HTTPS Proxy Settings page appears.