Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Working With Encrypted Data > Enabling SSL support
Enabling SSL support
Help | Content Gateway | Version 7.8.x
1.
On Configure > My Proxy > Basic > General, click HTTPS On.
 
* 
Note 
If you are running with other Websense products that inspect HTTPS traffic, such as Data Security, you must enable HTTPS.
2.
Click Apply and then Restart.
3.
Enter the name of the SSL certificate file. See Creating a subordinate CA.
Use the Configure > Protocols > HTTPS page to specify:
*
The HTTPS port (default is 8080)
*
Skype tunneling (explicit proxy only)
*
Tunneling when a request returns an Unknown protocol error
1.
The HTTPS Proxy Server Port is the port used for client to Content Gateway connections. The default is 8080. If traffic is transparent on 443, a default ARM NAT rule readdresses the requests to 8080. See Configure > Networking > ARM: Network Address Translation.
2.
If Content Gateway is an explicit proxy and you want to allow Skype traffic, enable the Tunnel Skype option. This option is necessary because, although Skype presents an SSL handshake, Skype data flow does not conform to the SSL standard. Unless the traffic is tunneled, the connection is dropped.
To complete the configuration, in the Web Security manager ensure that filtering policies that apply to users of Skype allow "Internet telephony". This is required for users of Skype whether HTTPS support is enabled or not.
Also, if not prevented, after the initial handshake Skype will route traffic over a non-HTTP port. To force Skype traffic to go through Content Gateway, a GPO should be used as described in the Skype IT Administrators Guide.
 
* 
Important 
There is no need to set this option if HTTPS support is not enabled.
This option is not valid and has no effect when Content Gateway is a transparent proxy.
3.
To tunnel HTTPS requests when the SSL handshake results in an unknown protocol error, enable Tunnel Unknown Protocols.
By default, Content Gateway will not try to tunnel non-ssl traffic. Beginning with 7.8.3, a new variable is available that will enable tunneling of non-ssl traffic when Content Gateway is an explicit proxy. Beginning with 7.8.4, the same variable is used for transparent proxy as well.
Add the following to the records.config file (in /opt/WCG/config, by default) to turn on tunneling of non-ssl traffic.
CONFIG proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic INT 1
Reset the value to 0 to disable the feature and turn off tunneling of non-ssl traffic.
A restart of Content Gateway is required for this setting to take affect.
 
* 
Warning 
Tunneled connections are not decrypted or inspected.
Also, for 7.8.1 only, the setting of this option persists even when the HTTPS feature is disabled on Configure > My Proxy > Basic > General. Because this page is only displayed when HTTPS is enabled, you should disable this option before disabling HTTPS.
Web Security behavior varies based on the type of proxy deployment.
*
When Content Gateway is an explicit proxy, a URL lookup is performed and policy is applied before the SSL connection request is made. Transactions are logged as usual.
*
When Content Gateway is a transparent proxy, if there is an SNI in the request, Content Gateway gets the hostname from the SNI and performs URL filtering based on the hostname. Otherwise, when Content Gateway sends the connect to the server, the unknown protocol error causes the request to be tunneled without the proxy being aware of it; no transaction is logged.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Working With Encrypted Data > Enabling SSL support
Copyright 2016 Forcepoint LLC. All rights reserved.