About Scanning Encrypted Traffic
By default the Web Security Service does not intercept inbound HTTPS traffic from destination web locations and applications. With the default configuration, WSS applies content filtering policy to the furthest extent possible; however, it cannot apply policies to transactions that require deeper inspection, such as web application controls or malware scanning. Enabling SSL interception allows WSS to decrypt HTTPS connections, examine the contents, and perform policy checks.
To retain the security of personal private information, Symantec recommends excluding some content filtering categories from termination and inspection. By default, WSS does not intercept HTTPS traffic categorized as Financial Services and Health, because this content usually involves private, sensitive personal account information. For mobile devices, WSS does not intercept traffic from a list of specific applications, as these applications are known to break when intercepted on mobile devices.
To view which applications WSS bypasses, see: KB Article
- If your policy allows uploading and downloading attachments in Gmail, you must enable SSL Interception. See Define a User-Based Web Applications Policy.
- All Intermediate CAs used for certificate emulation are signed with SHA-2 (SHA256).
- For more details about the WSS/TLS negotiation behavior, see https://knowledge.broadcom.com/external/article/203825.
Content Filtering Use Case
Some users configure their Facebook accounts for secure connections (https://www.facebook.com/...). With SSL interception enabled, WSS intercepts the inbound SSL connections and applies a policy check, such as
Without SSL interception enabled, your acceptable web-use policies might not be fully enforced.
Malware Prevention Use Case
Another benefit of SSL interception is the detection of malware embedded in secure connections. No further configuration is required, as WSS provides malware scanning by default.
Without SSL interception enabled, your network might still be at risk if WSS cannot intercept and inspect inbound SSL connections.
Granular SSL Policy
WSS allows you to selectively intercept HTTPS requests from specific network elements, such as single users, user groups, locations, and access methods. Consider the following use cases.
- You know that not all browsers in specific locations or user groups have the root certificate installed and you want to exempt those elements until configuration completes.
- A single user is having SSL connection problems and you want to exempt that user while you investigate.
In the following diagram, SSL interception is enabled in
A—An employee located at the corporate Location performs an HTTPS request to Facebook.
B—An employee connecting through the Proxy Forwarding connectivity method performs an HTTPS request to Facebook.
C—There is no SSL Interception policy based on location or the Proxy Forward connectivity method, so the interception occurs; WSS examines the returned HTTPS connection from Facebook.
D—A remote user with the
WSS is configured to exempt all HTTPS traffic from WSS Agent from SSL interception.
- If you do not want to enable SSL, Symantec still strongly recommends that you download and install the root certificate to client systems. For more information, proceed to Install Encrypted Traffic Certificates.
- Define granular SSL Policy. Create SSL Policy
- Want to manage your own certificates? See Deploy a Self Managed Certificate for SSL Interception.