Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Working With Encrypted Data
Working With Encrypted Data
Help | Content Gateway | v8.5.x
Related topics:
*
Initial SSL configuration tasks
*
Enabling SSL support
*
Certificates
*
Internal Root CA
*
Managing certificates
*
SSL configuration settings for inbound traffic
*
SSL configuration settings for outbound traffic
*
Validating certificates
*
Managing HTTPS website access
*
Enabling SSL support
*
Client certificates
*
Customizing SSL connection failure messages
*
Custom certificate key
*
SSL decryption port mirroring (appliance deployments)
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the industry standards for secure transmission of data on the Internet. They rely on data encryption and a system of trusted certificates issued by certificate authorities (CA) that are recognized by clients and servers. SSL/TLS requests made in a browser are easily identified by the "https" string that leads the URL.
In the topics that follow, for convenience and simplicity, SSL/TLS is referred to simply as SSL.
To establish an SSL connection, the client sends an SSL connection request to the server. If the server consents, the client and server use a standard handshake to negotiate an SSL connection.
Content Gateway offers 2 types of support for HTTPS traffic. Only one can be used at a time.
*
Simple connection management in which Content Gateway performs URL filtering and then allows the client to make the connection with the server.
 
* 
Important 
Even when HTTPS support is not enabled and HTTPS is not decrypted, Content Gateway performs a URL lookup and applies policy. In these circumstances:
*
In explicit proxy mode, Content Gateway performs URL filtering based on the hostname in the request. If the site is blocked, Content Gateway serves a block page. Some browsers do not support display of the block page.
To prevent this URL filtering, configure clients to not send HTTPS requests to the proxy.
*
In transparent proxy mode, if there is an SNI in the request, Content Gateway gets the hostname from the SNI and performs URL filtering based on the hostname. Otherwise, Content Gateway uses the Common Name in the certificate of the destination server. If the Common Name contains a wildcard (*), the lookup is performed on the destination IP address. If the site is blocked, the connection with the client is dropped; no block page is served.
To prevent this URL filtering with WCCP, do not create a service group for HTTPS.
*
Advanced connection management in which Content Gateway:
*
Proxies requests
*
Decrypts content and performs real-time content and security analysis
*
Re-encrypts content for delivery to the client or origin server
 
* 
Note 
Content Gateway does not cache HTTPS content.
When advanced connection management (HTTPS support or SSL support) is enabled, each HTTPS request consists of two separate sessions:
*
One from the client browser to Content Gateway. This is the inbound connection.
*
Another from Content Gateway to the origin server that will receive the secure data. This is the outbound connection.
Different certificates are required for each session.

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Working With Encrypted Data
Copyright 2023 Forcepoint. All rights reserved.
View all fonts in this project