03-22-2016 10:43 AM
We have some kiosks running SiteKiosk software that are heavily locked down to our website. They are in a restricted internet group with website whitelisting. Our website is secure because we are an FI and it allows people in our branches to go online and check their online banking account and print out statements, etc... basically a self serve station.
Issue we have is we get constant popups about unable to check certificate revocation lists. In S170 web appliance we looked up one of these Kiosk terminal IP addresses and sure enough we see a lot of crl type sites from MANY companies blocked due to web category - restricted internet. Is there an easy way to just allow all CRL checks through the Ironport WSA appliance?
03-22-2016 04:47 PM
If you have HTTPS proxy enabled, there is a section called OCSP (Online Certificate Status Protocol) that has an option to either drop, decrypt or monitor for Revoked Certificate as the OCSP result.
Another way to allow all CRLs is to create a custom URL category with a regular expression of \.crl$ and set it to allow and bypass authentication (in case you are having issues with authentication requests from the WSA).
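Added example, not part of the original reply: a quick check of which revocation URLs the \.crl$ expression would cover before it goes into a custom URL category. The hostnames are constructed samples, and it assumes the proxy applies the expression as an unanchored, case-sensitive search over the full URL string.

```python
import re
from urllib.parse import urlsplit

# The expression from the reply above. Assumption: the proxy evaluates it as
# an unanchored search over the whole URL, query string included.
CRL_RULE = re.compile(r"\.crl$")

# Constructed sample of revocation-related URLs a kiosk might request.
SAMPLE_URLS = [
    "http://crl.ca-one.example/root.crl",
    "http://pki.ca-two.example/CertEnroll/Issuing%20CA.crl",
    "http://crl.ca-three.example/latest.crl?partition=7",
    "http://ocsp.ca-one.example/",
    "http://ocsp.ca-two.example/status",
]


def rule_matches(url: str) -> bool:
    """True if the custom-category expression would match this URL."""
    return CRL_RULE.search(url) is not None


def triage(urls):
    """Split URLs into those the rule allows and those it leaves blocked."""
    report = {"allowed": [], "crl_not_matched": [], "other": []}
    for url in urls:
        path = urlsplit(url).path.lower()
        if rule_matches(url):
            report["allowed"].append(url)
        elif path.endswith(".crl"):
            # A CRL file, but text after the path (a query string) means the
            # URL no longer ends in ".crl", so the "$" anchor fails.
            report["crl_not_matched"].append(url)
        else:
            # Not a CRL download at all, e.g. an OCSP responder; these are
            # handled by other settings, not by this expression.
            report["other"].append(url)
    return report


if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE_URLS).items():
        print(bucket)
        for url in urls:
            print("   ", url)
```

Running the same triage over the URLs the appliance reports as blocked for a kiosk IP shows what the expression would leave blocked; note that it matches on the URL ending alone, so any host serving a path that ends in .crl falls into the allowed category.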
03-25-2016 06:38 AM
Wow thanks, and I was unaware of the use of regular expressions in URL categories!