Managing HTTPS Inspection

Secure Socket Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols widely adopted and deployed in network communication today. The traffic over SSL/TLS is encrypted and signed using digital certificates to ensure security.
Digital certificates are electronic documents that are used to create secure connections between clients and servers or websites. A valid and trusted certificate assures clients that they are connecting to a trusted server or website, and helps protect against man-in-the-middle attacks. Certificates become trusted by going through the validation process of a Certificate Authority (CA). Certificate Authorities themselves are usually third-party companies that are trusted by both the client and the server or website.
On first installation, Deep Discovery Web Inspector creates a self-signed certificate that is used to re-sign decrypted HTTPS traffic. In doing so, Deep Discovery Web Inspector also acts as its own CA. Users who wish to use their own organization's CA can import a certificate signed by that CA into Deep Discovery Web Inspector.
Manage HTTPS Inspection by performing any of the following tasks:

Procedure

  • HTTPS Inspection Rules: Configure HTTPS Inspection rules and optionally import a certificate that is used when resigning decrypted traffic.
    Before Deep Discovery Web Inspector can apply scanning and filtering policies on encrypted content, you must configure HTTPS decryption rules that define what to decrypt.
  • Digital Certificates: Maintain the lists of trusted, untrusted, and invalid digital certificates and configure digital certificate exceptions.
  • Auto-tunneling: Maintain a list of trusted domains or URLs used by Deep Discovery Web Inspector to determine which traffic to auto-tunnel.
    Auto-tunneled traffic will not be subject to decryption.
    You can also maintain the auto-tunnel exception list. When decryption of traffic to a domain on this list fails, the domain is not added to the auto-tunnel list. If the domain is already in the auto-tunnel list, the auto-tunnel list takes priority over the auto-tunnel exception list.
    The auto-tunnel exception applies only to traffic that first matches an HTTPS decryption rule. If such traffic matches a decryption rule and the domain is in the exception list, and an error occurs during decryption, Deep Discovery Web Inspector does not tunnel the traffic.
    If the domain has not been added to the auto-tunnel exception list and an error occurs during decryption, Deep Discovery Web Inspector may auto-tunnel the traffic to maintain connectivity. The exception list is intended for the following scenario: an organization has a higher security requirement for a specific domain, and traffic to that domain must be decrypted even if doing so blocks normal network behavior.
  • Intelligent Decryption: Manage fingerprint patterns to customize which application traffic will be auto-tunneled.
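The precedence between the decryption rules, the auto-tunnel list, and the auto-tunnel exception list described above is easier to verify in code. The following is an added, illustrative Python model written for this page; it is not Deep Discovery Web Inspector's own code. The class and field names (HttpsInspectionPolicy, decrypt_rules, auto_tunnel, tunnel_exceptions) and the domain sets are assumptions constructed for the example, and the "learn the domain into the auto-tunnel list on failure" step is this model's reading of the behavior the page describes for domains that are not on the exception list.

```python
"""Illustrative model of the auto-tunnel decision for HTTPS Inspection.

Added example, not product code. Assumed inputs (hypothetical names):
  decrypt_rules     - domains matched by an HTTPS decryption rule
  auto_tunnel       - domains whose traffic bypasses decryption
  tunnel_exceptions - domains that must never be learned into auto_tunnel
                      after a decryption failure
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    NO_RULE = "no decryption rule matched; forwarded without decryption"
    TUNNEL = "auto-tunneled (not decrypted)"
    DECRYPT = "decrypted and inspected"
    FAIL_CLOSED = "decryption failed and domain is excepted; not tunneled"


def _matches(domain: str, entries: set) -> bool:
    """True if the domain or any parent domain is in the set
    (for example 'login.bank.example' matches an entry 'bank.example')."""
    parts = domain.lower().split(".")
    return any(".".join(parts[i:]) in entries for i in range(len(parts)))


@dataclass
class HttpsInspectionPolicy:
    decrypt_rules: set
    auto_tunnel: set = field(default_factory=set)
    tunnel_exceptions: set = field(default_factory=set)

    def decide(self, domain: str, decryption_ok: bool) -> Action:
        """Decide how one connection is handled.

        decryption_ok simulates whether re-signing the server certificate
        succeeded; the model does not perform any TLS itself.
        """
        # Precondition: only traffic that matches a decryption rule is considered.
        if not _matches(domain, self.decrypt_rules):
            return Action.NO_RULE
        # The auto-tunnel list has priority over the exception list.
        if _matches(domain, self.auto_tunnel):
            return Action.TUNNEL
        if decryption_ok:
            return Action.DECRYPT
        # Decryption failed for a domain that is not yet auto-tunneled.
        if _matches(domain, self.tunnel_exceptions):
            # Higher-security domain: never learned, traffic is not tunneled.
            return Action.FAIL_CLOSED
        # Continuity: learn the domain so later connections are tunneled.
        self.auto_tunnel.add(domain.lower())
        return Action.TUNNEL


def demo() -> list:
    """Run a constructed sequence of connections and return (domain, action) pairs."""
    policy = HttpsInspectionPolicy(
        decrypt_rules={"example.com", "bank.example"},   # constructed sample domains
        tunnel_exceptions={"bank.example"},
    )
    trace = [
        ("other.test", False),           # no rule: never decrypted
        ("www.example.com", True),       # decrypts fine
        ("pinned.example.com", False),   # failure: learned and tunneled
        ("pinned.example.com", True),    # now tunneled even though it would work
        ("login.bank.example", False),   # excepted domain: fails closed
    ]
    return [(d, policy.decide(d, ok)) for d, ok in trace]


if __name__ == "__main__":
    for domain, action in demo():
        print(f"{domain:22} -> {action.value}")
```

The model shows why the two lists interact the way the text states: a domain learned into the auto-tunnel list after a failure stays tunneled even when decryption would later succeed, so an administrator who wants a domain decrypted unconditionally must keep it off the auto-tunnel list, not just add it to the exception list.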