About Scanning Encrypted Traffic
By default the Symantec Web Security Service does not intercept inbound HTTPS traffic from destination web locations and applications. With the default configuration, the WSS applies content filtering policy to the furthest extent possible; however, it cannot apply policies to transactions that require deeper inspection, such as web application controls or malware scanning. Enabling SSL interception allows the WSS to decrypt HTTPS connections, examine the contents, and perform policy checks.
To retain the security of personal private information, Symantec recommends excluding some content filtering categories from termination and inspection. By default, the WSS does not intercept HTTPS traffic categorized as Brokerage/Trading, Financial Services, and Health, because this content usually involves private, sensitive personal account information. Additionally, for mobile devices, the WSS does not intercept traffic from a list of specific applications as these applications are known to break when intercepted on mobile devices.
To view which applications the WSS bypasses, see: KB Article
Tip: If your policy allows uploading and downloading attachments in Gmail, you must enable SSL Interception. See Define a User-Based Web Applications Policy.
Tip: All Intermediate CAs used for certificate emulation are signed with SHA-2 (SHA256).
Some users configure their Facebook accounts for secure connections (https://www.facebook.com/...). With SSL interception enabled, the WSS intercepts the inbound SSL connections and applies a policy check, such as Block Games.
Without SSL interception enabled, your acceptable web-use policies might not be fully enforced.
Another benefit of SSL interception is the detection of malware embedded in secure connections. No further configuration is required as the WSS provides malware scanning by default.
Without SSL interception enabled, the WSS cannot intercept and inspect inbound SSL connections, so your network might still be at risk.
The WSS allows you to selectively intercept HTTPS requests from specific network elements, such as single users, user groups, locations, and access methods. Consider the following use cases.
- You know that not all browsers in specific locations or user groups have the root certificate installed and you want to exempt those elements until configuration completes.
- A single user is having SSL connection problems and you want to exempt that user while you investigate.
In the following diagram, SSL interception is enabled in the WSS.
A—An employee located at the corporate Location performs an HTTPS request to Facebook.
B—An employee connecting through the Proxy Forwarding connectivity method performs an HTTPS request to Facebook.
C—There is no SSL Interception policy based on location or the Proxy Forward Access Method, so the interception occurs; the WSS examines the returned HTTPS connection from Facebook.
D—A remote user with the WSS Agent installed on his client performs an HTTPS request to Facebook.
E—The WSS is configured to exempt all HTTPS traffic from WSS Agent from SSL interception.
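The selective interception described above can be modelled to list which HTTPS requests go uninspected and why. This is an added example, not Symantec code or the WSS policy engine; the rule evaluation order, the field names, and the sample users, hosts, and the "Fixed Location" and "Social Networking" labels are assumptions.

```python
from dataclasses import dataclass

# Categories the page lists as not intercepted by default.
PRIVACY_CATEGORIES = {"Brokerage/Trading", "Financial Services", "Health"}

@dataclass(frozen=True)
class Request:
    user: str
    location: str
    access_method: str
    category: str
    host: str

@dataclass(frozen=True)
class Exemption:
    field: str    # Request attribute to match: user, location or access_method
    value: str
    reason: str

def decide(req, exemptions):
    """Return (intercepted, reason). Evaluation order is an assumption of this model."""
    if req.category in PRIVACY_CATEGORIES:
        return False, f"category: {req.category}"
    for ex in exemptions:
        if getattr(req, ex.field) == ex.value:
            return False, f"{ex.field}={ex.value} ({ex.reason})"
    return True, "intercepted"

def uninspected(requests, exemptions):
    """Group bypassed requests by reason: traffic that gets no malware scan or app control."""
    report = {}
    for req in requests:
        intercepted, reason = decide(req, exemptions)
        if not intercepted:
            report.setdefault(reason, []).append(f"{req.user} -> {req.host}")
    return report

# Constructed sample data: users, hosts, category and location labels are illustrative.
EXEMPTIONS = [
    Exemption("access_method", "WSS Agent", "diagram step E"),
    Exemption("user", "erin", "SSL connection problem under investigation"),
]
REQUESTS = [
    Request("alice", "Corporate", "Fixed Location", "Social Networking", "www.facebook.com"),  # A
    Request("bob", "Branch", "Proxy Forwarding", "Social Networking", "www.facebook.com"),     # B
    Request("carol", "Remote", "WSS Agent", "Social Networking", "www.facebook.com"),          # D
    Request("dave", "Corporate", "Fixed Location", "Financial Services", "bank.example"),
    Request("erin", "Corporate", "Fixed Location", "Social Networking", "www.facebook.com"),
]

if __name__ == "__main__":
    for reason, hits in uninspected(REQUESTS, EXEMPTIONS).items():
        print(f"{reason}: {hits}")
```

Reviewing this kind of report periodically shows which source-based exemptions were meant to be temporary and are still leaving traffic outside malware scanning and web application controls.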
- If you do not want to enable SSL interception, Symantec still strongly recommends that you download and install the root certificate to client systems. For more information, proceed to Install Encrypted Traffic Certificates.
- Define granular SSL Policy. See Create SSL Policy.
- Want to manage your own certificates? See Deploy a Self Managed Certificate for SSL Interception.