Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12 Decryption Policies
Decrypting HTTPS Traffic
Figure 12-6 Certificate Issued by Web Security Appliance
You can choose how to handle the root certificates issued by the Web Security appliance:
• Inform users to accept the root certificate. You can inform the users in your organization what the new policies are at the company and tell them to accept the root certificate supplied by the organization as a trusted source.
• Add the root certificate to client machines. You can add the root certificate to all client machines on the network as a trusted root certificate authority. This way, the client applications automatically accept transactions with the root certificate. To verify you distribute the root certificate the appliance is using, you can download the root certificate from the Security Services > HTTPS Proxy page. Click Edit Settings, and then click the Download Certificate link for either the generated or uploaded certificate.
You might want to download the root certificate from the appliance if a different person uploaded the root certificate to the appliance and you want to verify you distribute the same root certificate to the client machines.
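An added example, not part of the Cisco guide: one way to confirm that the certificate downloaded from the appliance and the copy staged for client distribution are the same root certificate is to compare SHA-256 fingerprints of their DER encoding, so that PEM versus DER files and line-ending differences do not produce a false mismatch. The function names and command-line file arguments are hypothetical, and the sample bytes are constructed stand-ins, not a real certificate.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return the DER bytes of a single PEM- or DER-encoded certificate."""
    blocks = PEM_RE.findall(data)
    if len(blocks) > 1:
        raise ValueError("expected one certificate, found %d" % len(blocks))
    if blocks:
        # Drop line breaks (LF or CRLF) before decoding the base64 body.
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    if data[:1] != b"\x30":  # DER certificates begin with an ASN.1 SEQUENCE
        raise ValueError("not a PEM or DER certificate")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, independent of the file format."""
    return hashlib.sha256(cert_der(data)).hexdigest()

def same_root(appliance_copy: bytes, distributed_copy: bytes) -> bool:
    """True when both files carry the same certificate bytes."""
    return fingerprint(appliance_copy) == fingerprint(distributed_copy)

def to_pem(der: bytes, newline: bytes = b"\n") -> bytes:
    """Wrap DER bytes in PEM armour (used here to build sample input)."""
    body = base64.encodebytes(der).replace(b"\n", newline)
    return (b"-----BEGIN CERTIFICATE-----" + newline + body +
            b"-----END CERTIFICATE-----" + newline)

# Constructed stand-ins: tiny ASN.1 SEQUENCEs, not real certificates.
SAMPLE_DER = bytes.fromhex("3003020101")
OTHER_DER = bytes.fromhex("3003020102")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # two certificate file paths (hypothetical usage)
        a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    else:
        a, b = to_pem(SAMPLE_DER, b"\r\n"), SAMPLE_DER
    print("appliance  :", fingerprint(a))
    print("distributed:", fingerprint(b))
    sys.exit(0 if same_root(a, b) else 1)
```

A non-zero exit status means the two files do not contain the same certificate, so the staged copy should not be pushed to clients until the mismatch is explained.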
Note: To reduce the possibility of client machines getting a certificate error, submit the changes after you generate or upload the root certificate to the Web Security appliance, then distribute the certificate to client machines, and then commit the changes to the appliance.
Using Decryption with the AVC Engine
Depending on how the HTTPS Proxy is configured and the configured Decryption Policies, the HTTPS Proxy may decrypt HTTPS connections to web applications. This allows the AVC engine to more accurately detect and block web applications that use HTTPS. These web applications may use web browsers or other client applications, such as instant messaging applications.
Figure 12-6 callouts:
• Root certificate information either generated or uploaded in the Web Security appliance.
• Validity period specified in either the generated or uploaded root certificate.
• Requested HTTPS server.