About Scanning Encrypted Traffic
By default the Symantec Web Security Service does not intercept inbound HTTPS traffic from destination web locations and applications. With the default configuration, the Web Security Service applies content filtering policy to the furthest extent possible; however, it cannot apply policies to transactions that require deeper inspection, such as web application controls or malware scanning. Enabling SSL interception allows the Web Security Service to decrypt HTTPS connections, examine the contents, and perform policy checks.
To retain the security of personal private information, Symantec recommends excluding some content filtering categories from termination and inspection. By default, the Web Security Service does not intercept HTTPS traffic categorized as Brokerage/Trading, Financial Services, and Health, because this content usually involves private, sensitive personal account information. Additionally, for mobile devices, the Web Security Service does not intercept traffic from a list of specific applications as these applications are known to break when intercepted on mobile devices.
To view which applications the Web Security Service bypasses, see: KB Article
Tip: If your policy allows uploading and downloading attachments in Gmail, you must enable SSL Interception. See Define a User-Based Web Applications Policy.
Tip: All Intermediate CAs used for certificate emulation are signed with SHA-2 (SHA256).
See Also: About the All Ports License.
Some users configure their Facebook accounts for secure connections (https://www.facebook.com/...). With SSL interception enabled, the Web Security Service intercepts the inbound SSL connections and applies a policy check, such as Block Games.
Without SSL interception enabled, your acceptable web-use policies might not be fully enforced.
Another benefit of SSL interception is the detection of malware embedded in secure connections. No further configuration is required because the Web Security Service provides malware scanning by default.
Without SSL interception enabled, your network might still be at risk if the Web Security Service cannot intercept and inspect inbound SSL connections.
The Web Security Service allows you to selectively intercept HTTPS requests from specific network elements, such as single users, user groups, locations, and access methods. Consider the following use cases.
- You know that not all browsers in specific locations or user groups have the root certificate installed and you want to exempt those elements until configuration completes.
- A single user is having SSL connection problems and you want to exempt that user while you investigate.
In the following diagram, SSL interception is enabled in the Web Security Service.
A—An employee located at the corporate Location performs an HTTPS request to Facebook.
B—An employee connecting through the Proxy Forwarding Access Method performs an HTTPS request to Facebook.
C—There is no SSL Interception policy based on location or the Proxy Forward Access Method, so the interception occurs; the Web Security Service examines the returned HTTPS connection from Facebook.
D—A remote user with the Unified Agent installed on his client performs an HTTPS request to Facebook.
E—The Web Security Service is configured to exempt all HTTPS traffic from Unified Agents from SSL interception.
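The decision flow in the diagram above, modeled as an added Python example (this is not Symantec's code or the product's actual policy engine). The evaluation order, the Request fields, and every sample user, location, access-method and category value other than the three default-exempt categories and the Unified Agent exemption are assumptions made for illustration.

```python
from dataclasses import dataclass

# Categories the page lists as not intercepted by default.
DEFAULT_EXEMPT_CATEGORIES = {"Brokerage/Trading", "Financial Services", "Health"}
# Checks the page says need decrypted content; content filtering still
# runs (to the extent possible) on traffic that is not intercepted.
DEEP_CHECKS = ["web application controls", "malware scanning"]

@dataclass(frozen=True)
class Request:
    user: str
    group: str
    location: str
    access_method: str
    category: str  # content filtering category of the destination

def evaluate(req, exemptions, interception_enabled=True):
    """Return (intercepted, reason, checks_applied) for one HTTPS request.

    exemptions: list of (field, value) pairs matched against Request fields.
    Assumed order: global switch, category exemptions, source exemptions.
    """
    checks = ["content filtering"]
    if not interception_enabled:
        return False, "SSL interception disabled", checks
    if req.category in DEFAULT_EXEMPT_CATEGORIES:
        return False, f"category exempt: {req.category}", checks
    for field, value in exemptions:
        if getattr(req, field) == value:
            return False, f"{field} exempt: {value}", checks
    return True, "no exemption matched", checks + DEEP_CHECKS

# Constructed sample data following the diagram; all names are hypothetical.
POLICY = [("access_method", "Unified Agent")]
A = Request("alice", "staff", "Corporate", "Firewall/VPN", "Social Networking")
B = Request("bob", "staff", "Branch", "Proxy Forwarding", "Social Networking")
D = Request("dan", "remote", "Roaming", "Unified Agent", "Social Networking")
BANK = Request("alice", "staff", "Corporate", "Firewall/VPN", "Financial Services")

if __name__ == "__main__":
    for name, req in [("A", A), ("B", B), ("D", D), ("bank", BANK)]:
        intercepted, reason, checks = evaluate(req, POLICY)
        print(f"{name}: intercepted={intercepted} ({reason}); checks={checks}")
```

Requests that come back with intercepted=False receive content filtering only, which is the enforcement gap to keep in mind when exempting a user, group, location, or access method.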
- If you do not want to enable SSL interception, Symantec still strongly recommends that you download and install the root certificate to client systems. For more information, proceed to Install Encrypted Traffic Certificates.
- Define granular SSL policy. See Create SSL Policy.
- Want to manage your own certificates? See Deploy a Self Managed Certificate for SSL Interception.