Is it possible to whitelist some sites for Certificate errors on WSA?

ed.sherratt
Level 1

Hi,

We have a requirement to block sites with certificate errors, self-signed/out of date/unrecognised authority etc., which makes sense from a security perspective.

The business, however, want to whitelist certain third-party sites that we must access, just in case they mess up and let a certificate expire for instance - we've all seen it happen.

As far as I can see the HTTPS proxy, where the certificate inspection decision is made, is a global setting - I'm hoping I'm wrong.

Is it possible to set a general drop policy for cert errors while whitelisting certain domains, possibly in a custom URL list, so that any certificate errors from the whitelist are not dropped?

Or maybe set up a second HTTPS proxy policy for specific URLs?

 

thanks for any help,

Ed

2 Replies

kushsriva
Level 1

Hi,

 

If you create a custom URL category which is configured to "pass through" you might be able to avoid the certificate errors on these sites.

Here are the steps you can try:

- Go to WSA, HTTPS proxy and make sure WSA is decrypting the sites with Expired certificates.

- Now go to Web Security Manager, custom URL category and add the websites which should bypass the Cert check.

- Now go to Decryption Policy, URL filtering. Add the Custom URL category created above and set it to "Passthrough".

 

 


Thanks & Regards,

Kush Srivastava
Cisco PDI Helpdesk
http://www.cisco.com/go/pdihelpdesk

Hi Kush,

Thanks for the input, we'll give it a go.

Regards,
Ed