Cisco Web Security Appliance S170 User Guide

Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12      Decryption Policies
Enabling the HTTPS Proxy
e.
Go to step 
Step 9
To generate a certificate and key:
a. Click the Use Generated Certificate and Key option.
b. Click Generate New Certificate and Key.
c. In the Generate Certificate and Key dialog box, enter the information to display in the root certificate.
Note: You can enter any ASCII character except the forward slash ( / ) in the Common Name field.
d. Click Generate. The Web Security appliance generates the certificate with the data you entered and generates a key.
The generated certificate information is displayed on the Edit HTTPS Proxy Settings page.
Note: After you generate the certificate and key, you can download the generated certificate to transfer it to the client applications on the network. Do this using the Download Certificate link in the generated key area.
e. Optionally, you can download the Certificate Signing Request (CSR) using the Download Certificate Signing Request link so you can submit it to a certificate authority (CA). After you receive a signed certificate from the CA, click Browse and navigate to the signed certificate location. Click Upload File. You can do this anytime after generating the certificate on the appliance.
Step 10
In the Invalid Certificate Handling section, choose how the appliance handles HTTPS traffic when it encounters invalid server certificates. You can drop, decrypt, or monitor HTTPS traffic for the following types of invalid server certificates:
  • Expired. The certificate is either not yet valid, or it is currently past its valid to date.
  • Mismatched hostname. The hostname in the certificate does not match the hostname the client was trying to access. This might happen during a “man in the middle attack,” or when a server redirects a request to a different URL. For example, http://mail.google.com gets redirected to http://www.gmail.com.
    Note: The Web Proxy can only perform hostname match when it is deployed in explicit forward mode. When it is deployed in transparent mode, it does not know the hostname of the destination server (it only knows the IP address), so it cannot compare it to the hostname in the server certificate.
  • Unrecognized root authority. The root certificate authority for the certificate is not in the set of trusted root authorities on the appliance.
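
The three invalid-certificate categories above, together with the transparent-mode limit on hostname matching, as a simplified Python model (an added example, not Cisco's code or the appliance's logic). The function names, the sample certificate and the trust list are constructed, and trust is modelled as an issuer-name lookup, whereas a real validator verifies the signature chain.

```python
import ssl

def host_matches(pattern, host):
    """Match one DNS name from a certificate; '*' covers only the left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def classify(cert, requested_host, trusted_roots, now):
    """Return the guide's invalid-certificate categories that apply to cert.

    cert: dict shaped like the output of ssl.SSLSocket.getpeercert().
    requested_host: hostname from the explicit proxy request, or None when only
        the destination IP address is known (transparent mode).
    trusted_roots: set of trusted issuer common names (assumption: name lookup
        stands in for real chain building and signature checks).
    now: time of the check, in seconds since the epoch.
    """
    problems = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before or now > not_after:      # not yet valid, or past its end date
        problems.append("expired")
    if requested_host is not None:               # no hostname means nothing to compare
        names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        if not any(host_matches(n, requested_host) for n in names):
            problems.append("mismatched hostname")
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    if issuer.get("commonName") not in trusted_roots:
        problems.append("unrecognized root authority")
    return problems

# Constructed sample certificate and trust list (not taken from any real server).
SAMPLE = {
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Jan  1 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.mail.example.test")),
    "issuer": ((("organizationName", "Example Lab"),),
               (("commonName", "Example Lab Root CA"),)),
}
ROOTS = {"Example Lab Root CA"}
MID_2012 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2012 GMT")
MID_2013 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2013 GMT")

if __name__ == "__main__":
    for host in ("www.example.test", "intranet.example.test", None):
        print(host, classify(SAMPLE, host, ROOTS, MID_2012))
    print("after end date:", classify(SAMPLE, "www.example.test", ROOTS, MID_2013))
```

With `requested_host=None` the mismatch for `intranet.example.test` goes unreported, which is the transparent-mode gap the note describes.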