Enabling SSL support

On Configure > My Proxy > Basic > General, click HTTPS On.


	Note If you are deployed with Web DLP and it is configured to inspect HTTPS traffic, you must enable HTTPS.

Click Apply and then Restart.

Enter the name of the SSL certificate file. See Creating a subordinate CA.

Use the Configure > Protocols > HTTPS page to specify:

The HTTPS port (default is 8080)

Tunneling when a request returns an Unknown protocol error

The HTTPS Proxy Server Port is the port used for client to Content Gateway connections. The default is 8080. If traffic is transparent on 443, a default ARM redirection rule redirects the requests to 8080. See Configure > Networking > ARM: Redirection Rules.

To tunnel HTTPS requests when the SSL handshake results in an unknown protocol error, enable Tunnel Unknown Protocols.

By default, Content Gateway will not try to tunnel non-ssl traffic. A variable is available that will enable tunneling of non-ssl traffic.

Add the following to the records.config file (in /opt/WCG/config, by default) to turn on tunneling of non-ssl traffic.

CONFIG proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic INT 1

Reset the value to 0 to disable the feature and turn off tunneling of non-ssl traffic.

A restart of Content Gateway is required for this setting to take affect.


	Warning Tunneled connections are not decrypted or inspected.

TRITON AP-WEB behavior varies based on the type of proxy deployment.

When Content Gateway is an explicit proxy, a URL lookup is performed and policy is applied before the SSL connection request is made. Transactions are logged as usual.

When Content Gateway is a transparent proxy, if there is an SNI in the request, Content Gateway gets the hostname from the SNI and performs URL filtering based on the hostname. Otherwise, when Content Gateway sends the connect to the server, the unknown protocol error causes the request to be tunneled without the proxy being aware of it; no transaction is logged.