Solved: Wow thanks, and I was unaware

keithsauer507 · ‎03-22-2016

We have some kiosks running SiteKiosk software that are heavily locked down to our website. They are in a restricted internet group with website whitelisting. Our website is secure because we are an FI and it allows people in our branches to go online and check their online banking account and print out statements, etc... basically a self serve station.

Issue we have is we get constant popups about unable to check certificate revocation lists. In S170 web appliance we looked up one of these Kiosk terminal IP addresses and sure enough we see a lot of crl type sites from MANY companies blocked due to web category - restricted internet. Is there an easy way to just allow all CRL checks through the Ironport WSA appliance?

Handy Putra · ‎03-22-2016

If you have HTTPS proxy enable, there is a section called OCSP (Online Certificate Status Protocol) that has option to either drop, decrypt or monitor for Revoked Certificate as the OCSP result.

Another way to allow all CRL is to create a custom URL category with regular expression of \.crl$ and set it to allow and bypass authentication (in case having issue with authentication request from the WSA)

View solution in original post

Handy Putra · ‎03-22-2016

If you have HTTPS proxy enable, there is a section called OCSP (Online Certificate Status Protocol) that has option to either drop, decrypt or monitor for Revoked Certificate as the OCSP result.

Another way to allow all CRL is to create a custom URL category with regular expression of \.crl$ and set it to allow and bypass authentication (in case having issue with authentication request from the WSA)

keithsauer507 · ‎03-25-2016

Wow thanks, and I was unaware of the use of regular expressions in URL categories!

What is the website category for certificate revocation lists?