HTTPS Tunnels

HTTPS tunnels can be used to communicate between network locations with restricted connectivity, usually locations behind NATs, firewalls, or proxy servers. Restricted connectivity is usually the result of blocked TCP/IP ports, blocked traffic initiated from outside the network, or the blocking of most network protocols, depending on how the network has been locked down to secure it against internal and external threats.

Similar to an Approved URLs list, TMWS allows administrators to maintain a list of trusted domains or URLs whose HTTPS traffic is not subject to TMWS policy rules and is always accessible to end users without being decrypted and inspected by TMWS.

TMWS also provides an exception list that lets administrators add specific pages, links, or subdomains within the trusted domains that they do not want to tunnel. URLs that match the exception list are subject to the configured TMWS policy rules for subsequent inspection.

Before configuring HTTPS tunnels, ensure that Enable HTTPS tunneling under Global Settings is set to On.

  1. Go to Policies > HTTPS Inspection > HTTPS Tunnels.
  2. Configure the Tunneled Domains tab:
    1. Select to match by a keyword or an entire domain. For the Keyword option, TMWS automatically adds an asterisk (*) at the beginning and end of a keyword.
    2. Type domain names or keywords based on the match mode selected, separating them with spaces.
    3. Click Add to Tunneled Domains List or Add to Exceptions List as necessary.

      The domains or keywords are added to the Tunneled Domains List or Exceptions List, together with the date and time when each entry was added.

      Note:

      All the matched URLs in the exception list are subject to the configured TMWS policy rules for subsequent inspection.

    4. To remove one or several domains or keywords from a list, select them and click Delete.
  3. Configure the Failed HTTPS Accesses tab:

    HTTPS decryption may fail because of an unsuccessful SSL handshake or an unexpected disconnection from the web server. In this case, add the corresponding domains or URLs to the Tunneled Domains List so that their HTTPS traffic is automatically tunneled and passed to end users, or to the Exceptions List so that it follows the configured TMWS policy rules for inspection.

    Failed HTTPS access attempts can be tracked and recorded. Logs can be queried by time and domain.

    1. Click On or Off to enable or disable auto tunneling for fatal failures as necessary.
    2. To search for HTTPS access failures to a domain within a specific period, select a time period from the drop-down list, type the domain name, and then click the search icon.

      The domain information appears.

    3. Perform the following:

      Task: View details on the failed HTTPS accesses

      Details: Click the domain or URL under Domain Name.

      • User Name: User that initiates the HTTPS request to the domain or URL.

      • Warning: Reason why the HTTPS decryption fails.

      • Generated at: Date and time when the HTTPS decryption failure occurred.

      Task: Add the domain or URL to the Tunneled Domains List or Exceptions List

      Details: If the HTTPS traffic from a domain or URL fails to be decrypted due to TMWS errors, it is automatically added to the Tunneled Domains List for a certain time period, during which the HTTPS traffic will not be decrypted.

      • To always tunnel the HTTPS traffic from the domain or URL, select it and click Add to Tunneled Domains List.

      • To always let the HTTPS traffic from the domain or URL follow the configured TMWS policy rules for inspection, select it and click Add to Exceptions List.

    4. Click Save.
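
The effect of keyword and entire-domain entries in the Tunneled Domains tab can be checked offline against hostnames taken from proxy logs before the entries are saved. The Python below is an added example, not Trend Micro code: it models a keyword as *keyword*, as described above, and assumes that matching is done on the hostname and that an entire-domain entry also covers its subdomains. All list entries and hostnames are constructed.

```python
# Added example: offline model of the Tunneled Domains / Exceptions decision.
# All list entries and hostnames below are constructed.

TUNNELED_DOMAINS = ["payroll.example"]      # "entire domain" entries
TUNNELED_KEYWORDS = ["vendor"]              # TMWS adds the asterisks: *vendor*
EXCEPTIONS = ["files.payroll.example"]      # not tunneled; policy rules apply
OBSERVED_HOSTS = [
    "payroll.example", "app.payroll.example", "files.payroll.example",
    "updates.vendor.example", "vendor-mirror.unrelated.example",
    "notpayroll.example", "news.example",
]

def _norm(host):
    return host.strip().lower().rstrip(".")

def domain_matches(host, domain):
    # Assumption: a domain entry covers the domain itself and its subdomains.
    host, domain = _norm(host), _norm(domain)
    return host == domain or host.endswith("." + domain)

def keyword_matches(host, keyword):
    # *keyword* (asterisk at both ends) is a substring test on the hostname.
    return _norm(keyword) in _norm(host)

def decide(host, domains=TUNNELED_DOMAINS, keywords=TUNNELED_KEYWORDS,
           exceptions=EXCEPTIONS):
    """Return (action, reason); action is 'tunnel' or 'inspect'."""
    for entry in exceptions:            # exceptions stay under policy rules
        if domain_matches(host, entry):
            return "inspect", "exception:" + entry
    for entry in domains:
        if domain_matches(host, entry):
            return "tunnel", "domain:" + entry
    for entry in keywords:
        if keyword_matches(host, entry):
            return "tunnel", "keyword:" + entry
    return "inspect", "no match"

def keyword_only_tunnels(hosts, **lists):
    """Hosts that skip decryption solely because a keyword matched."""
    hits = {}
    for host in hosts:
        action, reason = decide(host, **lists)
        if action == "tunnel" and reason.startswith("keyword:"):
            hits.setdefault(reason.split(":", 1)[1], []).append(_norm(host))
    return hits

if __name__ == "__main__":
    for h in OBSERVED_HOSTS:
        print(h, *decide(h))
    print("review these keyword matches:", keyword_only_tunnels(OBSERVED_HOSTS))
```

Any host reported under a keyword that the administrator did not intend to trust is a reason to replace that keyword with an entire-domain entry.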