Configuring SSL Proxy
This section describes how to configure the SSL proxy function.
Configuring SSL Proxy
To configure SSL proxy, take the following steps:
- On the Navigation pane, click Configure > Content > Web Content/Web Posting/Email Filter to visit the corresponding page.
- On the Task tab in the right auxiliary pane, click SSL Proxy.
- In the SSL Proxy dialog, select the Enable check box for HTTPS access audit.
- Under Audit content, configure the audit method and websites.
- Select the audit method from the Method drop-down list. It can be one of the following options: "Only audit websites in the following list" or "Audit all websites, except the one in the following list".
Only audit websites in the following list: Only audit websites in the following list by replacing the website certificates with SSL proxy certificates.
Audit all websites, except the one in the following list: Do not audit websites in the following list.
- Type the CommonName of the website certificates into the Website box. For more information about how to get the CommonName, see How to Get the CommonName.
- Click Add to add the specified websites into the system. The added information will be displayed in the following list. To edit/delete a website, select the website you want to edit/delete from the list, and then click Edit/Delete in the right.
- Select the Enable check box for Audit Warning if necessary.
- Click Set for User to configure the users that will be audited in the Audit User Configuration dialog.
- Select the audit method from the Method drop-down list. It can be one of the following options: "Only audit users in the following list" or "Audit all users, except the one in the following list".
- Select the user type from the Type option. It can be one of the following options: "Src address" or "User". Click the option button of the wanted type and finish the relative settings.
Src address: Specifies users according to the source addresses. The members can be an address entry, IP/netmask, or IP range.
User: Specifies users according to role, user, and user group.
- Click Add to add the specified source addresses or users to the system. To delete a user, select the user you want to delete from the list and then click Delete.
- Click OK to save the settings.
- Click Set for Trusted SSL certificate to configure the trusted SSL certificates in the Trusted SSL Certificate dialog. The trusted SSL certificate list contains the well-known CA certificates in the industry, which are used to verify the validity of site certificates. For the valid certificates, the system will send a SSL proxy certificate to the client browser; while for the invalid certificates, the system will send an internal certificate to the browser to inform you that the certificate of the website is invalid.
- Import: Click this button to import a certificate to the system.
- Delete: Deletes the selected trusted certificate(s).
- Close: Closes the dialog.
- Click Set for Trust domain to configure the PKI trust domain for the device certificate in the Trust Domain Configuration dialog. By default, the certificate of the default trust domain trust_domain_ssl_proxy will be used to generate the SSL proxy certificate with the Web server certificate together, and then the system will issue the generated SSL proxy certificate to the client. You can specify another PKI trust domain in the system as the device certificate trust domain. The specified trust domain must have a CA certificate, local certificate, and the private key of the local certificate.
- Select a trust domain from the Trust domain drop-down list.
- Click OK to save the settings.
- Click OK to save the settings.
In the proxy process, the SSL proxy certificate will be used to replace the website certificate. However, there is no SSL proxy certificate's root certificate in the client browser, and the client cannot visit the proxy website properly. To address this problem, you have to import the root certificate (certificate of the device) to the browser. For more information about importing certificate, see Importing Device Certificate to Client Browser.
How to Get the CommonName
To get the CommonName in the Subject field of the website certificate, take the following steps (take www.gmail.com as an example):
- On the Navigation pane, click Configure > Content > Web Content/Web Posting/Email Filter to visit the corresponding page.
- On the Task tab in the right auxiliary pane, click SSL Proxy.
- In the SSL Proxy dialog, select the Enable check box for HTTPS access audit.
- Select Only audit websites in the following list from the Method drop-down list, but do not add any website.
- Click Set for User to configure the users that will be audited in the Audit User Configuration dialog.
- Click OK to save the changes and return to the previous dialog.
- Visit www.gmail.com with a web browser.
- On the Navigation pane, click Log > Attack Log > Security to visit the security log page. You can get the CommonName field in the security log list.
Importing Device Certificate to Client Browser
In the proxy process, the SSL proxy certificate will be used to replace the website certificate. However, there is no SSL proxy certificate's root certificate in the client browser, and the client cannot visit the proxy website properly. To address this problem, you have to import the root certificate (certificate of the device) to the browser.
To import device certificate to client browser, take the following steps:
- Export the device certificate to local PC. Select Objects > PKI from the menu bar. On the Management tab in the PKI Management dialog, configure the options as below:
- Trust domain: trust_domain_ssl_proxy
- Content: Local certificate
- Action: Export
Click OK and select the path to save the certificate. The certificate will be saved to the specified location.
- Import the certificate to the web browser (take Internet Explore as the example). Open IE, from the toolbar, select Tools > Internet Options. On the Content tab, click Certificates. In the Certificates dialog, click the Trusted Root Certification Authorities tab, and then click Import. Import the certificate following the Certificate Import Wizard.