08-29-2014 12:29 AM
Hi,
We have a requirement to block sites with certificate errors, self-signed/out of date/unrecognised authority etc., which makes sense from a security perspective.
The business, however, want to whitelist certain third-party sites that we must access, just in case they mess up and let a certificate expire for instance - we've all seen it happen.
As far as I can see the HTTPS proxy, where the certificate inspection decision is made, is a global setting - I'm hoping I'm wrong.
Is it possible to set a general drop policy for cert errors while whitelisting certain domains, possibly in a custom URL list, so that any certificate errors from the whitelist are not dropped?
Or maybe set up a second HTTPS proxy policy for specific URLs?
Thanks for any help,
Ed
08-29-2014 01:23 AM
Hi,
If you create a custom URL category which is configured to "pass through", you might be able to avoid the certificate errors on these sites.
Here are the steps you can try:
- Go to WSA, HTTPS proxy and make sure WSA is decrypting the sites with Expired certificates.
- Now go to Web Security Manager, custom URL category and add the websites which should bypass the cert check.
- Now go to Decryption Policy, URL filtering. Add the Custom URL category created above and set it to "Passthrough".
Thanks & Regards,
Kush Srivastava
Cisco PDI Helpdesk
http://www.cisco.com/go/pdihelpdesk
08-29-2014 03:25 AM
Hi Kush,
Thanks for the input, we'll give it a go.
Regards,
Ed