Configuring HTTPS Inspection

When you activate HTTPS Inspection, SSL-encrypted web traffic is routed through the Web Security infrastructure.
Before you turn on HTTPS Inspection for your Web Security service, you must download the Symantec Web Security.cloud Root CA and install it on all users' web browsers. If you do not install the certificate on each browser, users receive a certificate error when they access a website that uses HTTPS.
  1. After you install the certificate on all browsers, use the following procedure to configure HTTPS Inspection and activate the service.
  2. Select Services > Web Security Services > HTTPS.
  3. (Optional) Select URL categories that you want to exclude from HTTPS Inspection.
    In the Ignore SSL encrypted web traffic - by URL category section, click Edit URL Categories. Select the URL categories that you want to exclude from HTTPS Inspection and click OK.
    You can select from the complete list of URL categories. For example, you can decide to inspect all sites with a URL category of Webmail, but choose not to inspect Finance and Investment sites.
    SSL-encrypted web traffic for the sites that belong to an excluded category is not scanned for malware or included in your URL filtering rules. Non-encrypted (HTTP) web traffic for the sites also continues to pass through our infrastructure.
    You can change your selected categories even after you activate HTTPS Inspection.
  4. (Optional) Create a list of websites that you want to exclude from HTTPS Inspection.
    In the Ignore SSL encrypted web traffic - by website or IP address section, click New. Enter the URL or IP address of any site that you want to exclude from HTTPS inspection. Enter a description (optional) and click OK.
    You can add the site as a web address or as an IP address, without https://. You can use the asterisk (*) wildcard in the web address. The wildcard must appear before the domain name and you can use only one wildcard in the address. For example, type *.example.com to specify all the sites for the example.com domain.
    You might use this feature to exclude sites that hold personal or sensitive information, to comply with data privacy regulations in your country. SSL-encrypted web traffic from excluded sites does not pass through our infrastructure. The SSL-encrypted traffic is not scanned for malware or included in your URL filtering rules. Non-encrypted web traffic for these sites continues to pass through our infrastructure.
    You can continue to update the exclusion list as needed, even after you activate HTTPS Inspection. The maximum number of sites that you can add is 1000.
  5. (Optional) Customize the message that users see when they access websites that have certificate errors.
    In the Allow access to sites with certificate errors section, click Edit User Alert. You can preview the default alert that users see when a site is blocked due to a certificate error, or create a custom alert.
  6. (Optional) Create a list of websites that your users can access, even if the website has a certificate error.
    In the Allow access to sites with certificate errors section, select Enable site bypass list and add websites to the list.
    Users can access sites on the bypass list even if there is a certificate error. When you bypass certificate errors, however, there are security implications.
  7. (Required) Turn on HTTPS Inspection.
    At the top of the HTTPS Inspection page, next to Scanning of SSL encrypted web traffic is currently Off, click Off to turn on HTTPS inspection. The Off control turns to On when HTTPS inspection is on.
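
The entry rules in step 4 (no https://, a single wildcard placed before the domain name, at most 1000 sites) can be checked on a candidate exclusion list before it is typed into the portal. The following is an added example, not Symantec code; the function names and sample entries are constructed, and it assumes that "before the domain name" means a leading `*.` label and that entries are bare host names or IP addresses.

```python
import ipaddress
import re
MAX_ENTRIES = 1000  # maximum number of sites stated in step 4
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", re.I)

def check_entry(entry):
    """Return the list of problems for one entry (empty list means OK)."""
    entry = entry.strip()
    if "://" in entry:
        return ["enter the site without https://"]
    try:
        ipaddress.ip_address(entry)
        return []  # plain IP addresses are accepted as-is
    except ValueError:
        pass
    problems = []
    if entry.count("*") > 1:
        problems.append("only one wildcard is allowed")
    elif "*" in entry and not entry.startswith("*."):
        # Assumption: "before the domain name" means a leading "*." label.
        problems.append("wildcard must appear before the domain name")
    host = entry[2:] if entry.startswith("*.") else entry
    # Assumption: entries are bare host names (no path or port).
    if "*" not in host and not (
        "." in host and all(LABEL.match(l) for l in host.split("."))
    ):
        problems.append("not a valid host name")
    return problems

def lint_exclusions(entries):
    """Return (accepted, rejected); rejected maps each bad entry to reasons."""
    accepted, rejected = [], {}
    for raw in entries:
        key = raw.strip().lower()
        problems = check_entry(raw)
        if not problems and key in accepted:
            problems = ["duplicate entry"]
        if not problems and len(accepted) >= MAX_ENTRIES:
            problems = ["list already holds %d sites" % MAX_ENTRIES]
        if problems:
            rejected[raw] = problems
        else:
            accepted.append(key)
    return accepted, rejected

# Constructed sample input, not taken from the page.
SAMPLE = ["*.example.com", "https://bank.example.com", "192.0.2.10",
          "www.*.example.com", "*.*.example.org", "payroll.example.net"]
ACCEPTED, REJECTED = lint_exclusions(SAMPLE)
```

Because traffic to excluded sites is not scanned for malware, keeping the reviewed list in a file and linting it before each portal update also leaves a record of which exclusions were approved.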