Configuring HTTPS Inspection
When you activate HTTPS Inspection, SSL-encrypted web traffic is routed through the Web Security infrastructure.
Before you turn on HTTPS Inspection for your Web Security service, you must download the Symantec Web Security.cloud Root CA and install it on all users' web browsers. If you do not install the certificate on each browser, users receive a certificate error when they access a website that uses HTTPS.
After you install the certificate on all browsers, use the following procedure to configure HTTPS Inspection and activate the service.
- Select Services > Web Security Services > HTTPS.
- (Optional) Select URL categories that you want to exclude from HTTPS Inspection. In the Ignore SSL encrypted web traffic - by URL category section, click Edit URL Categories. Select the URL categories that you want to exclude from HTTPS Inspection and click OK. You can select from the complete list of URL categories. For example, you can decide to inspect all sites with a URL category of Webmail, but choose not to inspect Finance and Investment sites. SSL-encrypted web traffic for the sites that belong to an excluded category is not scanned for malware or included in your URL filtering rules. Non-encrypted (HTTP) web traffic for the sites also continues to pass through our infrastructure. You can change your selected categories even after you activate HTTPS Inspection.
- (Optional) Create a list of websites that you want to exclude from HTTPS Inspection. In the Ignore SSL encrypted web traffic - by website or IP address section, click New. Enter the URL or IP address of any site that you want to exclude from HTTPS inspection. Enter a description (optional) and click OK. You can add the site as a web address or as an IP address, without https://. You can use the asterisk (*) wildcard in the web address. The wildcard must appear before the domain name and you can use only one wildcard in the address. For example, type *.example.com to specify all the sites for the example.com domain. You might use this feature to exclude sites that hold personal or sensitive information, to comply with data privacy regulations in your country. SSL encrypted web traffic from excluded sites does not pass through our infrastructure. The SSL encrypted traffic is not scanned for malware or included in your URL filtering rules. Non-encrypted web traffic for these sites continues to pass through our infrastructure. You can continue to update the exclusion list as needed, even after you activate HTTPS Inspection. The maximum number of sites that you can add is 1000.
- (Optional) Customize the message that users see when they access websites that have certificate errors. In the Allow access to sites with certificate errors section, click Edit User Alert. You can preview the default alert that users see when a site is blocked due to a certificate error, or create a custom alert.
- (Optional) Create a list of websites that your users can access, even if the website has a certificate error. In the Allow access to sites with certificate errors section, select Enable site bypass list and add websites to the list. Users can access sites on the bypass list even if there is a certificate error. When you bypass certificate errors, however, there are security implications.
- (Required) Turn on HTTPS Inspection. At the top of the HTTPS Inspection page, next to Scanning of SSL encrypted web traffic is currently Off, click Off to turn on HTTPS inspection. The Off control turns to On when HTTPS inspection is on.
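
A pre-check for the website/IP exclusion list from the procedure above, as an added example (not Symantec code): it applies the stated entry rules (no https://, a single wildcard before the domain name, at most 1000 sites) to a list before you enter it in the portal. The function names, the sample entries, the host-name-only check, and the reading of "before the domain name" as a leading `*.` label are assumptions; duplicate detection goes beyond the rules the page states.

```python
import ipaddress
import re

MAX_SITES = 1000  # limit stated on the page
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one DNS label
# Constructed sample entries, not real exclusions.
SAMPLE = ["*.example.com", "https://bank.example", "www.*.example.com",
          "*.*.example.com", "192.0.2.10", "payroll.example.org", "*.example.com"]

def check_entry(entry):
    """Return None if the entry follows the page's rules, else a reason."""
    e = entry.strip()
    if "://" in e:
        return "enter the site without https://"
    try:
        ipaddress.ip_address(e)  # plain IPv4/IPv6 addresses are accepted as-is
        return None
    except ValueError:
        pass
    if e.count("*") > 1:
        return "only one wildcard is allowed"
    host = e
    if "*" in e:
        # Assumption: "before the domain name" means a leading "*." label.
        if not e.startswith("*."):
            return "wildcard must appear before the domain name"
        host = e[2:]
    labels = host.split(".")
    if len(labels) < 2 or labels[-1].isdigit() or not all(map(LABEL.match, labels)):
        return "not a host name or IP address"
    return None

def check_list(entries):
    """Return (accepted, problems) for a whole exclusion list."""
    accepted, problems = [], []
    for raw in entries:
        key = raw.strip().lower()
        reason = check_entry(key)
        if reason is None and key in accepted:
            reason = "duplicate entry"
        if reason:
            problems.append((raw, reason))
        else:
            accepted.append(key)
    if len(accepted) > MAX_SITES:
        problems.append(("<list>", f"{len(accepted)} entries exceed the limit of {MAX_SITES}"))
    return accepted, problems

if __name__ == "__main__":
    print(check_list(SAMPLE)[1])
```

Because SSL-encrypted traffic to every accepted entry is not scanned for malware or covered by URL filtering rules, review wildcard entries in the accepted list with particular care before adding them.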