User Guide for Cisco Web Security Appliance S670
ENABLING HTTPS SCANNING
CHAPTER 10: DECRYPTION POLICIES
197
To monitor and decrypt HTTPS traffic, you must enable HTTPS scanning on the Security
Services > HTTPS Proxy page. When you enable HTTPS scanning, you must configure what
the appliance uses for a root certificate when it sends self-signed server certificates to the
client applications on the network. You can upload a root certificate and key that your
organization already has, or you can configure the appliance to generate a certificate and key
with information you enter.
Once HTTPS scanning is enabled, all HTTPS policy decisions are handled by Decryption
Policies. You can no longer define Access and Routing Policy group membership by HTTPS,
nor can you configure Access Policies to block HTTPS transactions. If some Access and
Routing Policy group memberships are defined by HTTPS and if some Access Policies block
HTTPS, then when you enable HTTPS scanning those Access and Routing Policy groups
become disabled. You can choose to enable the policies at any time, but all HTTPS-related
configurations are removed.
Note — When you upload a certificate to the Web Security appliance, verify it is a signing
certificate and not a server certificate. A server certificate cannot be used as a signing
certificate, so decryption does not work when you upload a server certificate.
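As an added example that is not part of the Cisco guide, the following POSIX shell script shows one way to check a certificate and key pair before uploading it on the HTTPS Proxy page: it confirms that the certificate is a signing (CA) certificate rather than a server certificate (basicConstraints CA:TRUE and, when a Key Usage extension is present, Certificate Sign) and that the private key actually belongs to that certificate. It assumes the openssl command-line tool (1.1.1 or later) is installed; the make_demo_certs function builds a constructed root CA and a constructed server certificate so the checks can be exercised offline, and all file names and subject names in it are made up.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: pre-upload checks for the root
# certificate and key that the HTTPS Proxy will use to sign server certificates.
# Assumes the openssl command-line tool (1.1.1 or later) is installed.

# is_signing_cert CERT.pem
# Returns 0 if the certificate can act as a signing (CA) certificate:
# basicConstraints says CA:TRUE and, when a Key Usage extension exists,
# it includes Certificate Sign. Returns 1 for a server (end-entity)
# certificate, 2 if the file is not a parseable X.509 certificate.
is_signing_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' \
            | grep -q 'Certificate Sign' || return 1
    fi
    return 0
}

# key_matches_cert CERT.pem KEY.pem
# Returns 0 if the public half of the private key equals the certificate's
# public key, i.e. the two files really form one pair.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_demo_certs DIR
# Builds a constructed root CA (ca.pem/ca.key) and a constructed server
# certificate (server.pem/server.key) signed by it, for demonstration only.
make_demo_certs() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null
}

# Usage: sh check_signing_cert.sh CERT.pem KEY.pem
if [ $# -eq 2 ]; then
    if is_signing_cert "$1" && key_matches_cert "$1" "$2"; then
        echo "OK: $1 is a signing certificate and $2 is its private key"
    else
        echo "NOT OK: do not upload $1 / $2 as the HTTPS Proxy root certificate" >&2
        exit 1
    fi
fi
```

Run the script with the certificate and key you intend to upload; a server certificate such as the constructed server.pem fails the CA:TRUE check, which is exactly the case the note above warns about. The key-match check catches the quieter mistake of uploading a valid signing certificate together with the wrong private key.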
For more information about root certificates, see “Working with Root Certificates” on
page 193.
Also on this page, you can configure what the appliance does with HTTPS traffic when the
server certificate is invalid.
Note — For information on importing a custom root authority certificate, see “Importing a
Trusted Root Certificate” on page 211.
To enable HTTPS scanning:
1. Navigate to the Security Services > HTTPS Proxy page, and click Enable and Edit Settings.
The HTTPS Proxy License Agreement appears.
2. Read the terms of the HTTPS Proxy License Agreement, and click Accept.
The Edit HTTPS Proxy Settings page appears.