Procedure

1. Go to Policy → Decryption Rules.
2. Click Add or click the item to edit.
3. Specify a policy name between 1 and 64 characters.
4. Optionally, specify a description between 1 and 128 characters.
5. Enable or disable the rule.
6. Enable or disable auto tunneling.
   When auto tunneling is enabled, Deep Discovery Web Inspector maintains a list of trusted domains or URLs, whose HTTPS traffic will not be subject to HTTPS decryption rules, and will always be accessible by end users without being decrypted and inspected by Deep Discovery Web Inspector.

   See Managing HTTPS Domain Tunnels for information about configuring the auto tunnel list.
7. Enable or disable Intelligent Decryption.
   Intelligent Decryption is designed to bypass HTTPS decryption for application-based HTTPS traffic.

   Note If you disable Intelligent Decryption, Deep Discovery Web Inspector will skip checking what application the client is using, which can impact some applications and affect business continuity. Trend Micro recommends enabling Intelligent Decryption for HTTPS decryption policies. See Managing Intelligent Decryption for information about configuring the Intelligent Decryption list.

8. Configure Decryption sources by selecting one of the following:
   • Any
     The rule to applies to all networks, users/groups, and guest users.
   • Selected users and groups
     The rule applies only to specific Active Directory users or groups
     Search for and select the users/groups to include as decryption sources. You can choose users and groups only if Active Directory Services is configured and only from domains that are included in the Active Directory Services configuration.

     Note Deep Discovery Web Inspector uses CommonName (CN) to perform user/group searches when selecting users/groups as a decryption source.

   • Selected network objects
     The rule applies only to specific network objects.
     Move one or more objects from the available network objects list to the selected network objects list. You can create a new network object to include in the HTTPS decryption rule.
     See Adding/Editing Network Objects.
   • Guest users
     The rule applies to users that authenticate on the network using a designated guest account.

   Note You can configure exceptions if you chose Selected users and groups or Selected network objects as the decryption source. Entries in an exception list will not be decrypted even if they are a match to other criteria in the HTTP decryption rule.

9. Configure Decryption Categories:
   1. Click on the Decryption Categories box to open the list of URL categories.
   2. Select or deselect URL categories on which to apply the HTTPS decryption rule.
      The available categories are predefined and cannot be configured. The categories are organized in a hierarchical structure with main categories and subcategories. Click the arrow by a main category to view the sub-categories. You can choose entire categories or only sub-categories to add to the list.
10. Configure Decryption Domain Objects by moving one or more objects from the available domain objects list to the selected domain objects list.
    You can create a new domain object to include in the HTTPS decryption rule.

    See Adding/Editing Domain Objects.
11. If you do not want to use the default Deep Discovery Web Inspector CA, you can use a private CA by doing one of the following under the certificate section:
    1. If the certificate is not based on the CSR generated by Deep Discovery Web Inspector:
       1. Under Certificate type, make sure that Certificate with CSR generated by Deep Discovery Web Inspector is not selected.
       2. Under Import type, select the appropriate certificate file type:
          Valid options are PEM/DER, PKCS7, and PKCS12.
       3. In Certificate, browse and choose the certificate file.
       4. In Private key, browse and choose the private key file for the certificate file.
       5. Enter the password of the private key and then confirm it.
       6. Click on Verify Certificate to verify that the certificate is valid.
    2. If the certificate is based on the CSR generated by Deep Discovery Web Inspector:
       1. Select Certificate with CSR generated by Deep Discovery Web Inspector.
       2. Under Import type, select the appropriate certificate file type:
          Valid options are PEM/DER, PKCS7, and PKCS12.
       3. In Certificate, browse and choose the certificate file.
       4. Click on Verify Certificate to verify that the certificate is valid.

    Note Deep Discovery Web Inspector uses the certificate to re-sign the website certificate and decrypt the traffic for inspection. You can use your own private CA certificate; however, you cannot use a CA certificate that is signed by a public certificate authority. You can configure Active Directory Services to use the HTTPS decryption rule certificate when creating authentication policies for authenticating Active Directory users. For more information, see Integration with Microsoft Active Directory The imported certificate must be CA certificate that used to sign other certificates, certificates meet one of the following conditions can be imported into https inspection policy: It is a proper X509v3 CA certificate with the basicConstraints extension CA:TRUE. It is a certificate with the keyUsage extension having the bit keyCertSign set, but without the basicConstraints.

12. Click Save.

    Note You can also restore the certificate settings to the default Trend Micro Deep Discovery Web Inspector CA, from the certificate section by clicking on Restore to Default.