Generating an appliance certificate
Deploying an I Series Appliance | Forcepoint Web Security Cloud
Each appliance should have a valid X.509 version 3 identity certificate in PEM format with an unencrypted key. This certificate can be generated using a variety of tools. Below is a simple procedure using OpenSSL to generate a private key and a CA certificate that can be used for your appliance.
This section assumes that you are familiar with OpenSSL and have a working OpenSSL installation.
The following OpenSSL statement creates a 2048-bit RSA private key with a password of 1234:
openssl genrsa -passout pass:1234 -des3 -out CA_key_password.pem 2048
You must supply a password, as OpenSSL does not allow the creation of a private key without one. You can then strip the password from the key as follows:
openssl rsa -in CA_key_password.pem -passin pass:1234 -out CA_key.pem
This writes the key, now without a password, to CA_key.pem in place of CA_key_password.pem.
Finally, use the following statement to create the CA:
openssl req -x509 -days 11000 -new -sha1 -key CA_key.pem -out CA_cert.pem
Note that this command prompts you for the certificate's subject fields, such as country, state, locality, and your organization's name.
Once you have created the private key (CA_key.pem) and public certificate (CA_cert.pem), import the certificate to all relevant browsers, and upload the certificate to each appliance using the Certificates tab.
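The procedure above can also be run end to end without interactive prompts, and its results checked before the certificate is imported anywhere. The following script is an added example and is not part of the Forcepoint documentation. It uses the fact that openssl genrsa writes an unencrypted key when no cipher option such as -des3 is given, signs the self-signed CA certificate with SHA-256 instead of SHA-1 (SHA-1 signatures are no longer accepted by current browsers), and states the version 3 CA extensions explicitly in a small config file. The subject values, the WORKDIR location and the ca.cnf file name are assumptions made for the example; the file names CA_key.pem and CA_cert.pem and the 11000-day validity follow the text.

```shell
#!/bin/sh
# Added example: non-interactive generation of an unencrypted RSA key and a
# self-signed X.509 v3 CA certificate, followed by checks on the result.
# Subject values and WORKDIR are placeholders chosen for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/CA_key.pem"
CERT="$WORKDIR/CA_cert.pem"
CNF="$WORKDIR/ca.cnf"

# Request config: prompt=no takes the subject from the [dn] section, and
# x509_extensions marks the certificate as a CA with the v3 extensions.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[ dn ]
C  = XX
ST = ExampleState
L  = ExampleCity
O  = Example Organization
CN = Example Appliance CA

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Without -des3 (or any other cipher option) genrsa writes the key in the
# clear, so no separate password-stripping step is needed.
gen_key() {
    openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Self-signed CA certificate, SHA-256 signature, 11000 days as in the text.
gen_ca_cert() {
    openssl req -x509 -new -sha256 -days 11000 \
        -key "$KEY" -config "$CNF" -out "$CERT" 2>/dev/null
}

# Check 1: the PEM file must not carry an encryption header
# ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$KEY"
}

# Check 2: certificate version as printed by openssl x509 ("Version: 3 (0x2)").
cert_version() {
    openssl x509 -in "$CERT" -noout -text |
        sed -n 's/^ *Version: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Check 3: signature algorithm (first occurrence in the text dump).
cert_sig_alg() {
    openssl x509 -in "$CERT" -noout -text |
        grep 'Signature Algorithm' | head -n 1 | awk '{print $NF}'
}

# Check 4: the basicConstraints extension actually marks it as a CA.
cert_is_ca() {
    openssl x509 -in "$CERT" -noout -text | grep -q 'CA:TRUE'
}

# Check 5: the certificate's public key belongs to the private key we made.
key_matches_cert() {
    [ "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$CERT" -noout -pubkey)" ]
}

write_config
gen_key
gen_ca_cert
echo "Key:      $KEY (unencrypted: $(key_is_unencrypted && echo yes || echo no))"
echo "Cert:     $CERT (X.509 v$(cert_version), $(cert_sig_alg))"
echo "CA flag:  $(cert_is_ca && echo CA:TRUE || echo missing)"
echo "Key pair: $(key_matches_cert && echo consistent || echo MISMATCH)"
```

Upload CA_cert.pem through the appliance's Certificates tab as described above; CA_key.pem stays on the machine that generated it and should be protected with file permissions, since it is stored unencrypted.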
Define internal network settings
The Internal Networks section of the page is used to optionally:
*
*
*
To begin:
1. Select the Policy Assignment tab and click Add to identify a network to which you want to assign a policy other than the appliance default. In the Add Policy Assignment dialog box:
a. Enter a unique Name for the network.
b. Use the Type list to indicate how you want to identify the network (IP address, Subnet, or IP range).
c.
d. Select a Policy from the drop-down list.
e. Click Add.
Repeat these steps for each internal network to which you want to assign a policy.
Note that networks (IP address ranges and subnets) may not overlap, and you can assign only one policy to each network.
2. Select the Trusted Networks tab and click Add to identify IP addresses or address ranges whose traffic should not be analyzed. In the Add Trusted Network dialog box:
a. Enter a unique Name for the network.
b. Use the Type list to indicate how you want to identify the network (IP address, Subnet, or IP range).
c.
d. Indicate whether to Bypass analysis for traffic from this network, Bypass analysis for traffic to this network, or both.
e. Click Add.
Repeat these steps for each internal network whose incoming or outgoing traffic, or both, should not be analyzed.
3. Select the Session-Based Authentication tab and click Add to define network addresses and IP address ranges that should use session-based authentication. The defined addresses are authenticated based on a cookie sent to the browser on the local machine.
This authentication is valid for the length of time defined in the Session timeout drop-down list (under General).
a. Enter a unique Name for the network.
b. Use the Type list to indicate how you want to identify the network (IP address, Subnet, or IP range).
c.
d. Click Add.
Repeat these steps for each internal network that will use session-based authentication.
Copyright 2022 Forcepoint. All rights reserved.