Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway SSL Certificate Verification v7.8 > Frequently Asked Questions
Frequently Asked Questions
*
Why is the CVE turned off by default?
*
Why am I getting so many incidents?
*
How do I know which certificate verification failures are problems that need a response?
*
What are the best troubleshooting techniques for certificate verification failures?
*
How do I view a certificate in my browser?
*
How can I make best use of the Incident List?
*
Why do some HTTPS sites not load properly?
*
What do my users need to know about HTTPS certificate verification?
*
How do I copy a certificate from my browser to the CA tree?
*
How do I check and update a CRL link?
Why is the CVE turned off by default?
CVE is off by default because certificate verification can have a large impact on users and administrators. Educating users and administrators, and preparing the network, are the best practices prior to enabling the CVE. To become familiar with SSL support and the CVE, see this section of Content Gateway Manager Help.
Why am I getting so many incidents?
The answer requires analysis of the SSL Incident List. See Troubleshooting Certificate Verification Failures. Take into consideration that strict verification configurations may generate a significant number of incidents.
How do I know which certificate verification failures are problems that need a response?
You need to become familiar with all of the types of failures that can occur and their causes. See Troubleshooting Certificate Verification Failures to verify certificate verification failures. Should a failure be deemed an error, or the destination server be deemed safe or necessary, see Certificate Verification Failures and Remediation Options for a list of remediation alternatives.
What are the best troubleshooting techniques for certificate verification failures?
See Troubleshooting Certificate Verification Failures.
How do I view a certificate in my browser?
In IE8, on the tool bar click File and select Properties. Then, click Certificates.
In Mozilla Firefox, on the tool bar click Tools and select Page Info. Toggle to the Security tab, and then click View Certificate.
How can I make best use of the Incident List?
1.
Review the section in this paper titled The SSL Incident List. Follow the link to Managing Web HTTPS site access to review information for administrators in the Content Gateway Help system.
2.
The number of incidents automatically created by certificate verification failures depends on the CVE options enabled and peculiarities of the sites your users visit. For more about CVE options, see Validating certificates.
3.
If you have several individual sites on the Incident List and some of those sites have certificates signed by the same new root CA, you could trust the CA that they have in common and delete the individual site entries, thus keeping the Incident List as small as possible.
 
4.
Do not add "*.*" as "Action:Tunnel". This has the effect of tunneling all HTTPS traffic, which subverts the purpose of SSL support and creates a lot of unnecessary overhead.
Why do some HTTPS sites not load properly?
HTTPS pages can fail to load, or only partially load, for a variety of reasons.
Here is a set of frequently accessed HTTP and HTTPS sites that often cause problems with Web proxy servers, including Content Gateway. Affected sites include:
*
Microsoft Update
*
Skype
*
WebEx
*
Real Networks Real Player
*
Citrix collaboration products
*
Firefox Update
*
Yahoo! Messenger with Pidgin messaging client
*
Logitech Messenger Agent and VirtualBox
Here are 2 Websense Technical Library articles that discuss these problem sites:
*
Dropped HTTPS connections
*
Web sites that have difficulty transiting Content Gateway
What do my users need to know about HTTPS certificate verification?
Explain to them that:
*
HTTPS is designed to provide secure connections and transmission of data.
*
HTTPS sites, connections, and transmission of data are vulnerable to attack and compromise.
*
A key element of HTTPS security is the exchange of signed digital certificates.
*
When an HTTPS connection is being established, certificate verification is performed to validate the authenticity of the responding website, and to protect you and your network.
*
Sometimes certificate verification checks fail, usually for valid reasons.
*
Sometimes certificate verification checks fail in error, or for obscure reasons that your administrator will have to investigate.
*
In most cases, certificate verification failure will block you from accessing the site.
*
If your connection request fails due to a certificate verification failure, look carefully at the URL you are requesting to ensure that it does not have any typos.
*
Ask a colleague if she or he is experiencing the same problem. If other colleagues are not, see if you can determine why not (what's different). If other colleagues are, report the problem to your HelpDesk.
How do I copy a certificate from my browser to the CA tree?
1.
From the certificate window in your browser, select and open the desired certificate. Then, select the Details tab.
2.
Select Copy to File to open the Certificate Export Wizard, then select Next.
3.
Select Base-64 encoded x.509 (.CER). Then, select Next.
4.
Choose a file name and location to save the certificate. Then, select Next.
5.
Select Finish.
6.
Import the certificate to the CA tree from its save location by going to Configure > SSL > Certificates > Add Root CA.
How do I check and update a CRL link?
1.
Go to the CA Tree (Configure > SSL > Certificates > Certificate Authorities).
2.
Select the site to view or update the CRL link. To update the CRL link, click Edit.
3.
Click Submit to save your changes.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway SSL Certificate Verification v7.8 > Frequently Asked Questions
Copyright 2016 Forcepoint LLC. All rights reserved.