Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Analysis > SSL decryption bypass
SSL decryption bypass
Administrator Help | TRITON AP-WEB | Version 8.3.x
When SSL support is enabled in Content Gateway to manage encrypted traffic:
*
Category settings can be used to specify categories of websites for which decryption and inspection are bypassed.
*
A list of client IP addresses and IP address ranges can be created to specify trusted clients for which decryption and inspection are bypassed.
*
A list of destination hostnames, IP addresses, and IP address ranges can be created to specify trusted destination servers for which decryption and inspection are bypassed.
 
* 
Note 
There is a known limitation with Internet Explorer version 8 (IE8) that prevents some sites from being bypassed as expected. IE8 does not send a Server Name Indicator (SNI) and when the hostname in the origin server certificate includes a wildcard (*), the common name and the hostname don't match. As a result, the category lookup is performed on the destination IP address.
Category settings
For Category settings, a predefined Privacy Category group includes categories that may be subject to regulatory requirements. These predefined privacy categories are marked with an icon in the category list.
Traffic that involves websites in these categories may include personal identification information that should not be decrypted. In order to avoid liability for inspecting this type of information, you may want to specify some or all of these categories for decryption bypass. End users can determine that the website they are viewing is not decrypted by verifying that the certificate is the original for that site.
Use the Settings > Scanning > SSL Decryption Bypass page to select the default privacy categories for SSL decryption bypass:
1.
Click the Select Privacy Categories button. Check boxes for the website categories that constitute the default group are selected in the Category box.
2.
Click the arrow to the right of the category tree to add the privacy categories to the Categories selected for SSL decryption bypass box.
You can create your own set of categories for SSL decryption bypass. On the SSL Decryption Bypass page, specify individual website categories for which decryption is not performed:
1.
Click a check box to select a category or subcategory for bypass.
2.
Click the arrow to right of the category tree to enter the selected category into the Categories selected for SSL decryption bypass box.
To clear your selections from the category tree, click the Clear All button.
To remove a category or subcategory from the list, select the category and click the Remove button.
Client list
To identify a client IP address or IP address range for SSL decryption bypass:
1.
Click Add and enter the client IP address or IP address range in the Add Client Entry box, one entry per line.
When specifying an IP address range, use a "-" (hyphen) to separate the first address from the last.
2.
To facilitate maintenance of the list, add a description that identifies the entry.
3.
Click OK to add the entries to the list.
To modify an entry, click on the IP address and modify the entry in the Edit Client Entry box. Click OK to save your changes or Cancel to close the dialog box without saving your changes.
To remove an entry from the list, select the check box adjacent to the entry and click Delete. Confirm the action.
When you are finished, click OK to cache your changes.
Changes are not implemented until you click Save and Deploy.
Destination list
To specify a destination hostname, IP address, or IP address range for SSL decryption bypass:
1.
Click Add and enter the hostname, IP address, or IP address range in the Add Destination Entry box, one entry per line. For example: thissite.com.
*
Be sure to enter both the hostname and the TLD (top level domain). For example, thissite.com and thissite.net are distinct hosts.
*
Hosts with subdomains are supported. For example: media.example.com.
*
Include the wild card "*" to match leading subdomains. For example: *.example.com.
*
The protocol (HTTPS://) is not needed.
*
Use a "-" (hyphen) to separate the first and last address in an IP address range.
2.
To facilitate maintenance of the list, add a description that clearly identifies the entry.
3.
Click OK to add the entries to the list.
To modify an entry, click on the hostname or IP address and modify the entry in the Edit Destination Entry dialog box. Click OK to save your changes or Cancel to close the dialog box without saving your changes.
To remove an entry, select the check box adjacent to the entry and click Delete. Confirm the action.
When you are finished, click OK to cache your changes.
Changes are not implemented until you click Save and Deploy.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Analysis > SSL decryption bypass
Copyright 2016 Forcepoint LLC. All rights reserved.