The HTTPS Proxy is a powerful tool on the Web Security Appliance (WSA) that can be used for filtering HTTPS traffic. In order to utilize this feature, it must be configured correctly. In this article, I will review the steps required to configure the HTTPS Proxy.
The WSA does not filter HTTPS traffic by default. In order to filter HTTPS traffic, you must enable the HTTPS Proxy. This article discusses the steps required to configure the HTTPS Proxy.
1) To enable the HTTPS Proxy, access the WSA GUI and go to Security Services > HTTPS Proxy.
2) Click on Enable and Edit Settings and click the box next to "Enable HTTPS Proxy".
3) The WSA must have a root or intermediate certificate in order for the HTTPS Proxy to work. There are a few options for getting that certificate on the box, which are listed below:
Generate the Certificate and Key on the WSA
- Click on the "Generate New Certificate and Key" button
- Fill out the fields for the new Certificate and Key
- Click "Generate" when done
Generate a Certificate and Key and download a CSR to have signed by a CA
- Follow the steps for "Generate the Certificate and Key on the WSA" above
- Click on the link for "Download Certificate Signing Request" and save the file in PEM format
- Take the file to your CA and have it signed
- Click "Browse" under the section "Signed Certificate" to upload the signed certificate
The CA cannot be a third party trusted CA, such as Verisign or Thawte, as they will not sign an intermediate or root certificate.
Upload an existing Certificate and Key
- Click on the box next to "Use Uploaded Certificate and Key"
- Select "Browse" to search for the Certificate and Key (as stated, Private key must be unencrypted)
- Click "Upload Files" to upload the certificate and key
4) (Optional) Configure the other settings for the HTTPS Proxy
Version 7.5 and earlier
HTTPS Transparent Request
- This is to determine how to handle HTTPS traffic in regards to unauthenticated users that require authentication. This is almost always set to the default setting of "Decrypt the HTTPS request and redirect for authentication".
Applications that Use HTTPS
- This settings is enabled by default and allows the WSA to decrypt HTTPS requests that may be subject to the Application Visibility and Control feature. This setting only takes affect if the web category decision is "Monitor" in the decryption policies.
Invalid Certificate Handling
- These settings determine how the WSA will handle HTTPS sites that present a certificate that is not valid for the reasons listed in this section. These settings are applied prior to the web category decision in the Decryption policies except for Custom Categories that are set to Passthrough.
Version 7.7 and later
- These options include decryption for Authentication, End User Notification, End User Acknowledgement, and Application Detection. In order to use these features for HTTPS requests, the WSA must decrypt these transactions.
Online Certificate Status Protocol Options
- These settings deal with how the WSA handles Online Certificate Status Protocol (OCSP) checks. The WSA only uses the OCSP feature if the certificate is valid.
- This section allows configuration and management of the trusted Certificate Authorities on the WSA. The "Manage Trusted Root Certificates" allows for importing custom Root Certificate Authorities to be trusted by the WSA as well as overriding existing Certificate Authorities from being trusted.
5) Submit and Commit the changes!!!
The HTTPS Proxy has now been configured. Below are some items to consider, now that the HTTPS Proxy has been enabled, that are not covered in this guide:
Configuring the Decryption policies
Re-directing the HTTPS traffic via WCCP
Uploading the Certificate used for the HTTPS Proxy to users' browsers