Support

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Working With Encrypted Data > Enabling SSL Manager
Enabling SSL Manager
Help | Content Gateway | Version 7.7.3
1.
On Configure > My Proxy > Basic > General, click HTTPS On.
 
* 
Note 
If you are running with other Websense products that inspect HTTPS traffic, such as Websense Data Security, you must enable HTTPS here.
2.
Click Apply and then click Restart.
3.
It is a recommended best security practice to replace the internal Root CA that is installed by default, with your organization's Root CA. See Internal Root CA.
The SSL Manager user interface is embedded in Content Gateway Manager and communicates on port 8071, by default. If there is a port conflict, you can change the port on the Configure > My Proxy > UI Setup > General. page. The port you specify must be different than the Content Gateway Manager port (default 8081).
Optionally, use the Configure > Protocols > HTTPS page to view and specify:
*
Inbound and outbound ports (view)
*
Skype tunneling (configure; explicit proxy only)
*
Tunneling when a request returns an unknown protocol error (configure)
1.
The HTTPS Proxy Server Port is the port used for client to SSL Manager connections. The default is 8070.
2.
The SSL Outbound Port is the port used for SSL Manager to destination server connections. The default is 8090.
3.
If Content Gateway is an explicit proxy and you want to allow Skype traffic, enable the Tunnel Skype option. The option is necessary because, although Skype presents an SSL handshake, Skype data flow does not conform to the SSL standard. Unless the traffic is tunneled, the connection is dropped.
To complete the configuration, in TRITON – Web Security ensure that filtering policies that apply to users of Skype allow "Internet telephony". This is required for users of Skype whether SSL Manager is enabled or not.
Also, if not prevented, after the initial handshake Skype will route traffic over a non-HTTP port. To force Skype traffic to go through Content Gateway, a GPO should be used as described in the Skype IT Administrators Guide.
 
* 
Important 
There is no need to set this option if SSL Manager is not enabled.
This option is not valid and has no effect when Content Gateway is a transparent proxy.
4.
To tunnel HTTPS requests when the SSL handshake results in an unknown protocol error, enable Tunnel Unknown Protocols.
Tunneled connections are not decrypted or inspected.
TRITON Web Security behavior varies based on the type of proxy deployment.
*
When Content Gateway is an explicit proxy, a URL lookup is performed and policy is applied before the SSL connection request is made. Transactions are logged as usual.
*
When Content Gateway is a transparent proxy the lookup is not possible and tunneled transactions are not logged. This is because an initial connection is required to get the Common Name from the SSL certificate that is used for the URL lookup. If the connection handshake fails, the connection is tunneled without the proxy being aware of it.
Print print article Email email article Font Size: A A

Search

Article Rating:

Do you have any additional feedback?    Email: close

Related Articles

Quick Links

Service Requests

How are we doing?

Provide us feedback on your experience with the Service Request portal.

provide feedback >

Go to the table of contents Go to the previous page Go to the next page Go to the index View or print as PDF
Working With Encrypted Data > Enabling SSL Manager