Working With Encrypted Data > Enabling SSL support
Enabling SSL support
Help | Content Gateway | Version 8.0.x
1. On Configure > My Proxy > Basic > General, click HTTPS On.
2. Click Apply and then Restart.
3. Use the Configure > Protocols > HTTPS page to specify the following:

   1. The HTTPS Proxy Server Port is the port used for client-to-Content Gateway connections. The default is 8080. If traffic is transparent on port 443, a default ARM NAT rule readdresses the requests to 8080. See Configure > Networking > ARM: Network Address Translation.
   2. If Content Gateway is an explicit proxy and you want to allow Skype traffic, enable the Tunnel Skype option. This option is necessary because, although Skype presents an SSL handshake, the Skype data flow does not conform to the SSL standard; unless the traffic is tunneled, the connection is dropped.
      To complete the configuration, in the Web module of the TRITON Manager ensure that the filtering policies that apply to Skype users allow "Internet telephony". This is required for Skype users whether HTTPS support is enabled or not.
      Also, if not prevented, Skype routes traffic over a non-HTTP port after the initial handshake. To force Skype traffic through Content Gateway, use a GPO as described in the Skype IT Administrators Guide.
   3. Important: By default, Content Gateway does not try to tunnel non-SSL traffic. A configuration variable is available that enables tunneling of non-SSL traffic.
      Add the following line to the records.config file (in /opt/WCG/config, by default) to turn on tunneling of non-SSL traffic:
      CONFIG proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic INT 1
      Reset the value to 0 to disable the feature and turn off tunneling of non-SSL traffic.
      A restart of Content Gateway is required for this setting to take effect.
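Because tunneled non-SSL traffic bypasses decryption and filtering, a practitioner will want to audit whether this switch is on across proxies. The following is an added example, not Forcepoint code: it parses records.config lines in the "CONFIG <name> <type> <value>" form shown above, reports the state of the tunneling variable, and rewrites it in place; the sample file content and the assumption that records.config also accepts LOCAL records and STRING/FLOAT types are constructed for illustration.

```python
"""Audit and toggle the non-SSL tunneling switch in a Content Gateway records.config.

Added example (not Forcepoint code). The only file format assumed is the one shown on
this page: one record per line, "CONFIG <name> <type> <value>". LOCAL records and the
STRING/FLOAT types are an assumption and are tolerated but not required.
"""
import re

TUNNEL_KEY = "proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic"
RECORD_RE = re.compile(r"^(CONFIG|LOCAL)\s+(\S+)\s+(INT|STRING|FLOAT)\s+(.*?)\s*$")


def parse_records(text):
    """Return {name: (type, value)} for every well-formed record line; other lines are ignored."""
    records = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            _, name, rtype, value = m.groups()
            records[name] = (rtype, value)
    return records


def tunnels_non_ssl(text):
    """True when non-SSL traffic arriving on the HTTPS port is tunneled (unfiltered, unlogged).

    A missing record means the documented default (0), i.e. tunneling off."""
    rtype, value = parse_records(text).get(TUNNEL_KEY, ("INT", "0"))
    return rtype == "INT" and value == "1"


def set_tunnel_non_ssl(text, enabled):
    """Return records.config text with the switch set to 1 or 0, replacing an existing
    record or appending one. Content Gateway still needs a restart to pick it up."""
    new_line = f"CONFIG {TUNNEL_KEY} INT {1 if enabled else 0}"
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = RECORD_RE.match(line.strip())
        if m and m.group(2) == TUNNEL_KEY:
            lines[i] = new_line
            break
    else:
        lines.append(new_line)
    return "\n".join(lines) + "\n"


# Constructed sample content, not a real records.config from any deployment.
SAMPLE = """\
CONFIG proxy.config.http.server_port INT 8080
CONFIG proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic INT 1
"""

if __name__ == "__main__":
    print("non-SSL tunneling enabled:", tunnels_non_ssl(SAMPLE))
    print(set_tunnel_non_ssl(SAMPLE, False), end="")
```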
Warning: TRITON AP-WEB behavior varies based on the type of proxy deployment.
* When Content Gateway is an explicit proxy, a URL lookup is performed and policy is applied before the SSL connection request is made. Transactions are logged as usual.
* When Content Gateway is a transparent proxy and the request carries an SNI, Content Gateway takes the hostname from the SNI and performs URL filtering based on that hostname. Otherwise, when Content Gateway connects to the server, the unknown-protocol error causes the request to be tunneled without the proxy being aware of it, and no transaction is logged.

Copyright 2016 Forcepoint LLC. All rights reserved.