Cisco Web Security Appliance S170 User Guide


11-13
Cisco IronPort AsyncOS 7.7 for Web User Guide

Chapter 11      Processing HTTPS Traffic

Enabling the HTTPS Proxy
To monitor and decrypt HTTPS traffic, you must enable the HTTPS Proxy on the Security Services > 
HTTPS Proxy page. When you enable the HTTPS Proxy, you must configure the root certificate the 
appliance uses to sign the server certificates it generates and sends to the client applications on 
the network. You can upload a root certificate and key that your organization already has, or you 
can configure the appliance to generate a certificate and key from information you enter.
Once the HTTPS Proxy is enabled, all HTTPS policy decisions are handled by Decryption Policies. You 
can no longer define Access and Routing Policy group membership by HTTPS, nor can you configure 
Access Policies to block HTTPS transactions. If some Access and Routing Policy group memberships 
are defined by HTTPS, or if some Access Policies block HTTPS, those Access and Routing Policy groups 
are disabled when you enable the HTTPS Proxy. You can re-enable those policies at any time, but 
all of their HTTPS-related configuration is removed.
Also on this page, you can configure what the appliance does with HTTPS traffic when the server 
certificate is invalid.
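What the root certificate configured on this page is used for, re-created with OpenSSL as an added example (this is not code from the guide or from AsyncOS): a root CA is generated, a server certificate for the host a client requested is minted and signed by that root, and the result is checked the way a client would. The root CN, the hostnames www.example.com and mail.example.com, and the temporary file names are constructed for the demo; the -no-CApath, -no-CAfile and -verify_hostname options assume OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the AsyncOS guide): what a decrypting HTTPS proxy does
# with its root certificate. All names and paths below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Root CA: the equivalent of letting the appliance "generate a certificate
#    and key". Only this certificate is self-signed.
build_root_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example WSA Decryption Root (constructed)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# 2. Per-site certificate: minted for the host the client asked for and signed
#    by the root above. The requested name goes into the SAN, because that is
#    what the client will check.
mint_site_cert() {   # $1 = hostname the client requested
    host=$1
    cat > "$WORK/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $host
[site_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/$host.cnf" \
        -keyout "$WORK/$host.key" -out "$WORK/$host.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 7 -extfile "$WORK/$host.cnf" -extensions site_ext \
        -out "$WORK/$host.crt" >/dev/null 2>&1
}

# 3. The client's view. Prints "trusted" or "untrusted".
#    $1 = host the certificate was minted for, $2 = host the client connected to,
#    $3 = "yes" if the client has the proxy root installed, anything else if not.
client_verdict() {
    cert_host=$1; connected=$2; has_root=$3
    if [ "$has_root" = yes ]; then
        trust="-CAfile $WORK/ca.crt"
    else
        trust="-no-CApath -no-CAfile"   # empty trust store: root not distributed
    fi
    if openssl verify $trust -verify_hostname "$connected" "$WORK/$cert_host.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

build_root_ca
mint_site_cert www.example.com
echo "root installed, name matches:  $(client_verdict www.example.com www.example.com yes)"
echo "root installed, name mismatch: $(client_verdict www.example.com mail.example.com yes)"
echo "root not installed:            $(client_verdict www.example.com www.example.com no)"
```

Two things follow from this for the deployment. Every client that passes through the proxy must have the root (and only the root, never its key) in its trust store, or every decrypted site shows a certificate warning; and the root's private key can sign a certificate for any name, so the key on the appliance, and any copy you upload or export, deserves the same handling as a production CA key.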
Note
For information on importing a custom root authority certificate, see 
To enable the HTTPS Proxy:
Step 1
Navigate to the Security Services > HTTPS Proxy page, and click Enable and Edit Settings.
The HTTPS Proxy License Agreement appears.
Step 2
Read the terms of the HTTPS Proxy License Agreement, and click Accept.
Step 3
Verify that the Enable HTTPS Proxy field is enabled.
Step 4
In the HTTPS Ports to Proxy field, enter the ports the appliance should check for HTTPS traffic. Port 
443 is the default port.
Note
In deployments using WCCP, the maximum number of port entries is 30 for HTTP, HTTPS, and 
FTP ports combined.
Field Name                              Description

Allowed Clock Skew                      Maximum allowed difference in time settings between the 
                                        Web Security appliance and the OCSP responder, in seconds 
                                        (s) or minutes (m). Valid range is from 1 second to 
                                        60 minutes.

Maximum Time to Wait for OCSP Response  Maximum time to wait for a response from the OCSP 
                                        responder. Valid range is from 1 second to 10 minutes. 
                                        Specify a shorter duration to reduce delays in end-user 
                                        access to HTTPS requests if the OCSP responder is 
                                        unavailable.

Use upstream proxy for OCSP checking    Group name of the upstream proxies.

Servers exempt from upstream proxy      IP addresses or hostnames of the servers to exempt. 
                                        May be left blank.