HTTPS tunnels carry traffic between network locations with restricted connectivity, usually hosts behind NATs, firewalls, or proxy servers. Restricted connectivity usually results from blocked TCP/IP ports, blocked connections initiated from outside the network, or the blocking of most network protocols, depending on how tightly a network has been locked down against internal and external threats.
TMWS allows administrators to maintain a list of trusted domains or URLs whose HTTPS traffic is always passed through to end users without being decrypted and inspected by TMWS. Because tunneled traffic bypasses inspection entirely, keep this list limited to domains you genuinely trust.
TMWS also provides an exception list so that administrators can add specific pages, links, or subdomains within the trusted domains that they do not want to tunnel. URLs matched by the exception list are decrypted and inspected according to the configured TMWS policy rules.
Before configuring HTTPS tunnels, ensure that Enable HTTPS tunneling under Global Settings is set to On.

Procedure

  1. Go to Policies > HTTPS Inspection > HTTPS Tunnels.
  2. Configure the Tunneled Domains tab:
    1. Select whether to match by an entire domain name or by a keyword.
      Web: Match domains by an entire domain name. This match mode supports exact match only. For example, example.com matches example.com, but it does not match sub.example.com or example2.com.
      Keyword: Match domains containing a keyword. This match mode supports partial match. For example, example matches example.com, sub.example.com, and example2.com.
      Note: TMWS automatically adds an asterisk (*) at the beginning and end of a keyword. Exercise caution when adding extra asterisks to the keyword, as this increases the chance of false positives.
    2. Type domain names or keywords based on the match mode selected, separating them with spaces.
    3. Click Add to Tunneled Domains List or Add to Exceptions List as necessary.
      The domains or keywords are added to the Tunneled Domains List or Exceptions List, together with the date and time when each entry was added.
      Note: If an HTTPS request to a domain or URL is blocked by the Blocked URLs list or a cloud access rule, TMWS decrypts the request regardless of the tunnel lists so that it can be inspected and blocked. If the request is not blocked, whether TMWS decrypts it depends on whether the domain or URL is in the Tunneled Domains List.
    4. To remove one or several domains or keywords from a list, select them and click Delete.
  3. Configure the Failed HTTPS Accesses tab:
    HTTPS decryption may fail because of an unsuccessful SSL handshake or an unexpected disconnection from the web server. In this case, you can add the corresponding domains or URLs to the Tunneled Domains List, so that their HTTPS traffic is automatically tunneled and passed to end users, or to the Exceptions List, so that it follows the configured TMWS policy rules for inspection.
    Failed HTTPS access attempts are tracked and recorded, and the logs can be queried by time period and domain. Review them regularly: any domain that is auto-tunneled after a failure is passing traffic without inspection.
    1. Click On or Off to enable or disable auto tunneling for fatal failures as necessary.
    2. To search for HTTPS access failures to a domain within a specific period, select a time period from the drop-down list, type the domain name, and then click the search icon.
      For details about what the time periods mean, see Time Measurements.
    3. Perform either of the following tasks:
      View details on the failed HTTPS accesses: Click the domain or URL under Domain Name. Each record shows the following.
      • User Name: User that initiated the HTTPS request to the domain or URL.
      • Warning: Reason why the HTTPS decryption failed.
      • Generated at: Date and time when the HTTPS decryption failure occurred.
      Add the domain or URL to the Tunneled Domains List or Exceptions List: If the HTTPS request fails to be decrypted because of TMWS errors, the corresponding domain or URL is automatically added to the Tunneled Domains List for a certain time period, during which its HTTPS traffic is not decrypted.
      Note: If the HTTPS request was blocked by the Blocked URLs list or a cloud access rule, the corresponding domain or URL is not automatically added to the Tunneled Domains List and remains inaccessible.
      • To always tunnel HTTPS requests to the domain or URL, select it and click Add to Tunneled Domains List.
      • To always let HTTPS requests to the domain or URL follow the configured TMWS policy rules for inspection, select it and click Add to Exceptions List.
    4. Click Save.
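The following Python model, added here as an illustration and not part of TMWS or Trend Micro's code, works through the decisions this procedure describes: Web versus Keyword match mode (including the implicit asterisks around a keyword and the false positives an extra asterisk causes), the Exceptions List carving pages out of a tunneled domain, the rule that blocked requests are always decrypted, and the temporary auto-tunneling of a domain after a failed HTTPS access. The evaluation order (Blocked URLs first, Exceptions second, then the auto-tunneled and Tunneled Domains lists), the path-prefix handling of page or link entries, and the names `TunnelConfig`, `decide`, and `record_failed_access` are assumptions made for the example; the page does not specify them.

```python
"""Model of the TMWS HTTPS tunnel decision described on this page.

Added example; not TMWS code. Assumed, because the page does not spell it
out: Blocked URLs are checked first, the Exceptions List second, the
auto-tunneled hosts and Tunneled Domains List last; entries with a path
match as a URL prefix; keyword entries are matched against the host only.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlparse


def _split(url: str) -> tuple[str, str]:
    """Return (host, path) for a URL or a bare 'host/path' entry, lower-cased."""
    p = urlparse(url if "://" in url else "https://" + url)
    return (p.hostname or "").lower(), p.path.rstrip("/")


def _entry_matches(entry: str, url: str, mode: str) -> bool:
    """Match one list entry against a request URL.

    An entry carrying a path (a page or link) matches as a URL prefix.
    A bare domain matches the host exactly in "web" mode; in "keyword"
    mode TMWS wraps it in asterisks, so any extra '*' the admin types
    widens the match further (modelled with fnmatch glob semantics).
    """
    entry = entry.strip().lower().split("://", 1)[-1].rstrip("/")
    host, path = _split(url)
    if "/" in entry:                                  # page or link entry
        e_host, e_path = _split(entry)
        return host == e_host and (path == e_path or path.startswith(e_path + "/"))
    if mode == "web":
        return host == entry
    return fnmatchcase(host, "*" + entry + "*")


@dataclass
class TunnelConfig:
    match_mode: str = "web"                    # "web" or "keyword"
    tunneled: list[str] = field(default_factory=list)
    exceptions: list[str] = field(default_factory=list)
    blocked_urls: list[str] = field(default_factory=list)
    auto_tunneled: dict[str, float] = field(default_factory=dict)  # host -> expiry time


def decide(cfg: TunnelConfig, url: str, now: float = 0.0) -> tuple[str, str]:
    """Return ("decrypt" | "tunnel", reason) for an HTTPS request to url."""
    host, _ = _split(url)
    if any(_entry_matches(e, url, "web") for e in cfg.blocked_urls):
        return "decrypt", "blocked"               # blocked requests are always decrypted
    if any(_entry_matches(e, url, cfg.match_mode) for e in cfg.exceptions):
        return "decrypt", "exception"             # carved out of a trusted domain
    if cfg.auto_tunneled.get(host, -1.0) > now:
        return "tunnel", "failed-https-access"    # temporary entry from a decryption failure
    if any(_entry_matches(e, url, cfg.match_mode) for e in cfg.tunneled):
        return "tunnel", "tunneled-domain"
    return "decrypt", "policy"                    # default: inspect per policy rules


def record_failed_access(cfg: TunnelConfig, url: str, now: float, ttl: float) -> bool:
    """Auto tunneling for fatal failures: tunnel the host for ttl seconds.

    A request blocked by the Blocked URLs list is never auto-tunneled and
    stays inaccessible; returns False in that case.
    """
    if any(_entry_matches(e, url, "web") for e in cfg.blocked_urls):
        return False
    host, _ = _split(url)
    cfg.auto_tunneled[host] = now + ttl
    return True


if __name__ == "__main__":
    # Constructed sample configuration, matching the page's example.com cases.
    kw = TunnelConfig(match_mode="keyword", tunneled=["example"],
                      exceptions=["sub.example.com/admin"], blocked_urls=["example2.com"])
    for u in ("https://example.com/", "https://sub.example.com/",
              "https://sub.example.com/admin/login", "https://example2.com/"):
        print(u, "->", decide(kw, u))
```

Running the sample shows why a keyword entry needs care: `example` tunnels every host containing that string, while `sub.example.com/admin` still gets decrypted because the Exceptions List is consulted first, and `example2.com` is decrypted and blocked no matter which list it is on.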