Managing HTTPS Inspections
Note: This topic applies to the Edinburgh Release.
What is an HTTPS Inspection Policy?
HTTPS inspection policies enable you to inspect and manage communication between users on your network and web sites which use HTTPS by configuring an inspection method for different user groups, destinations and locations.
The HTTPS inspection feature of Guardian makes use of certificates to sign for HTTPS services, and a warning message displayed to used who attempt to access HTTPS websites.
Managing HTTPS Interception Certificates
You can change the SSL certificate used to sign for certificates within the HTTPS interception feature. You must ensure your client devices trust this certificate.
| 1. | Go to Guardian > HTTPS inspection > Settings. |
| 2. | From the Manage HTTPS interception certificates section, choose the relevant certificate from the Certificate Authority drop-down. |
You can create a new certificate to use for these services. Click Create and manage certificates to go directly to the System > Certificates > Certificates for services page. For a detailed description of how to create and manage these certificates, see Managing Certificate Authorities and Certificates.
| 3. | Click Export. |
Client devices must trust the HTTPS interception certificate. Use Export to download the root Certificate Authority used to sign this certificate. For more information, see Managing Certificate Authorities and Certificates
Using BYOD Devices and HTTPS Interception Certificates
As HTTPS interception certificates cannot be pre-installed or stipulated on Bring Your Own Devices (BYOD), when web requests are made to HTTPS sites, certificate security warnings are displayed to the user.
To prevent this, you can create a redirect to the HTTPS Interception page where the BYOD user can download and install the relevant certificate:
Instructions are included in the HTTPS Interception page advising how to install the certificate depending on the browser used.
The URL to use for the redirect is: http://<IPAddress_or_Hostname>/modules/guardian3/mitm/
where IPAddress_or_Hostname is the IP address or hostname of the Smoothwall System.
Clearing the Generated Certificate Cache
It is possible to clear Guardian’s cache of certificates generated for use with HTTPS inspection policies.
| 1. | Go to Guardian > HTTPS inspection > Settings. |
| 2. | From the Manage HTTPS interception certificates section, click Clear and restart. |
Note: Clearing the cached certificates results in a full restart of the Guardian web filter. All Guardian services are halted for a few minutes so it is recommended you do this during a quiet time.
Managing the Warning Message
When implemented, Guardian displays a warning page informing users who try to access HTTPS web sites that their communication with the site is being decrypted and inspected. Users must actively accept the decryption and inspection in order to continue to the site.
To configure a warning message, do the following:
| 1. | Go to Guardian > HTTPS inspection > Settings. |
| 2. | In the Manage HTTPS interception warning section, configure the following: |
| • | Warning message — Either accept the default message, or enter a custom message informing users that their HTTPS connections are decrypted and filtered if they continue to the site they have requested. |
| • | Confirmation button label — Either accept the default label, or enter new text to display on the button that users must click to confirm that they accept that their HTTPS connections are decrypted and filtered. Once they have clicked on the button, they can continue to the site they requested. |
| • | Warning frequency — Choose how often Guardian displays the warning message to the user: |
|
Warning Frequency |
Description |
|
Daily |
Select to display the warning daily. |
|
Weekly |
Select to display the warning weekly. |
|
Never |
Select to never display a warning. Typically, you would not use this option, however, if you are using the Smoothwall Connect Filter for Windows client, it is recommended you disable the warning message to ensure correct operations. For more information, see About Smoothwall Connect. |
| 3. | Click Save. |
The URL used to present the warning page, refers to the Guardian IP address. However, if a system redirection to hostname setting is in place, you can force the hostname to be used instead. You do this from the System > Preferences > Hostname page. For a detailed description of how to configure this page, see Changing the System Hostname.
