Working With Encrypted Data

Technical Library | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Working With Encrypted Data

Working With Encrypted Data

Help | Content Gateway | Version 8.2.x

Related topics:

Running in explicit proxy mode

Initial SSL configuration tasks

Enabling SSL support

Internal Root CA

Managing certificates

SSL configuration settings for inbound traffic

SSL configuration settings for outbound traffic

Validating certificates

Managing HTTPS website access

Client certificates

Customizing SSL connection failure messages

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the industry standards for secure transmission of data on the Internet. They rely on data encryption and a system of trusted certificates issued by certificate authorities (CAs) that are recognized by clients and servers. SSL/TLS requests made in a browser are easily identified by the "https" string that leads the URL.

In the topics that follow, for convenience and simplicity, SSL/TLS is referred to simply as SSL.

To establish an SSL connection, the client sends an SSL connection request to the server. If the server consents, the client and server use a standard handshake to negotiate an SSL connection.

Content Gateway offers 2 types of support for HTTPS traffic. Only one can be used at a time.

Simple connection management in which Content Gateway performs URL filtering and then allows the client to make the connection with the server.

Advanced connection management in which Content Gateway:

Proxies requests

Decrypts content and performs real-time content and security analysis

Re-encrypts content for delivery to the client or origin server

The advanced proxy support is simply called HTTPS support or SSL support. How it works and how it's configured is described in the following sections.

In the Content Gateway manager, SSL support is enabled on the Configure > My Proxy > Basic > General page in the Protocols area with the HTTPS option.


	Important Even when HTTPS support is not enabled and HTTPS is not decrypted, Content Gateway performs URL filtering. This means that for every HTTPS request received from a client, a URL lookup is performed and policy is applied. In explicit proxy mode, when support for HTTPS is disabled, Content Gateway performs URL filtering based on the Host name in the request. If the site is blocked, Content Gateway serves a block page. Note that some browsers do not support display of the block page. To disable this feature, configure clients to not send HTTPS requests to the proxy. In transparent proxy mode, when HTTPS is disabled, if there is an SNI in the request, Content Gateway gets the hostname from the SNI and performs URL filtering based on the hostname. Otherwise, Content Gateway uses the Common Name in the certificate of the destination server. However, if the Common Name contains a wildcard (*), the lookup is performed on the destination IP address. If the site is blocked, the connection with the client is dropped; no block page is served. To disable this feature when used with WCCP, do not create a service group for HTTPS.


	Note Content Gateway does not cache HTTPS content.

When HTTPS is enabled, each HTTPS request consists of two separate sessions:

One from the client browser to Content Gateway. This is the inbound connection.

Another from Content Gateway to the origin server that will receive the secure data. This is the outbound connection.

Different certificates are required for each session.

For additional information on SSL, TLS, and SSL/TLS certificates, search the Internet or consult any of the commercially available books.

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Working With Encrypted Data

Copyright 2016 Forcepoint LLC. All rights reserved.