About Scanning Encrypted Traffic

By default, the Web Security Service does not intercept inbound HTTPS traffic from destination web locations and applications. With the default configuration, WSS applies content filtering policy to the furthest extent possible; however, it cannot apply policies to transactions that require deeper inspection, such as web application controls or malware scanning. Enabling SSL interception allows WSS to decrypt HTTPS connections, examine the contents, and perform policy checks.
To retain the security of personal private information, Symantec recommends excluding some content filtering categories from termination and inspection. By default, WSS does not intercept HTTPS traffic categorized as Brokerage/Trading, Financial Services, and Health, because this content usually involves private, sensitive personal account information. For mobile devices, WSS does not intercept traffic from a list of specific applications, as these applications are known to break when intercepted on mobile devices.
To view which applications the WSS bypasses, see: KB Article
Additional Information

Content Filtering Use Case

Some users configure their Facebook accounts for secure connections (https://www.facebook.com/...). With SSL interception enabled, WSS intercepts the inbound SSL connections and applies a policy check, such as Block Games.
[Figure: SSL Policy]
Without SSL interception enabled, your acceptable web-use policies might not be fully enforced.

Malware Prevention Use Case

Another benefit of SSL interception is the detection of malware embedded in secure connections. No further configuration is required, as WSS provides malware scanning by default.
[Figure: SSL Intercept Malware Concept]
Without SSL intercept enabled, your network might still be at risk if WSS cannot intercept and inspect inbound SSL connections.

Granular SSL Policy

WSS allows you to selectively intercept HTTPS requests from specific network elements, such as single users, user groups, locations, and access methods. Consider the following use cases.
  • You know that not all browsers in specific locations or user groups have the root certificate installed and you want to exempt those elements until configuration completes.
  • A single user is having SSL connection problems and you want to exempt that user while you investigate.
In the following diagram, SSL interception is enabled in WSS.
[Figure: SSL Granular Policy]
A—An employee located at the corporate Location performs an HTTPS request to Facebook.
B—An employee connecting through the Proxy Forwarding connectivity method performs an HTTPS request to Facebook.
C—There is no SSL Interception policy based on location or the Proxy Forward connectivity method, so the interception occurs; the WSS examines the returned HTTPS connection from Facebook.
D—A remote user with the WSS Agent installed on his client performs an HTTPS request to Facebook.
E—WSS is configured to exempt all HTTPS traffic from WSS Agent from SSL interception.
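
The decision flow in the diagram can be modelled to audit which traffic ends up uninspected once exemptions are in place. The following Python model is an added example, not Symantec code or a WSS API; the Request and Exemption types, the user and group names, the "HQ" location, the "unspecified" access method, and the "Social Networking" category are constructed for illustration.

```python
from dataclasses import dataclass

# Categories the page lists as not intercepted by default.
DEFAULT_EXEMPT = frozenset({"Brokerage/Trading", "Financial Services", "Health"})

@dataclass(frozen=True)
class Request:
    user: str
    group: str
    location: str
    access_method: str
    category: str

@dataclass(frozen=True)
class Exemption:
    """Hypothetical granular exemption: match one Request field against a value."""
    field: str   # "user", "group", "location" or "access_method"
    value: str

def decide(req, exemptions, interception_enabled=True):
    """Return (action, reason); action is 'intercept' or 'bypass'."""
    if not interception_enabled:
        return "bypass", "SSL interception not enabled"
    if req.category in DEFAULT_EXEMPT:
        return "bypass", f"category '{req.category}' exempt by default"
    for ex in exemptions:
        if getattr(req, ex.field) == ex.value:
            return "bypass", f"exempt by {ex.field} = '{ex.value}'"
    return "intercept", "no exemption matched"

def uninspected(requests, exemptions):
    """Requests that are never decrypted, so get no malware scan or app control."""
    results = [(r, decide(r, exemptions)) for r in requests]
    return [(r, reason) for r, (action, reason) in results if action == "bypass"]

# Constructed sample mirroring the diagram: A (Location), B (Proxy Forwarding), D/E (WSS Agent).
EXEMPTIONS = [Exemption("access_method", "WSS Agent")]
SAMPLE = [
    Request("alice", "staff", "HQ", "unspecified", "Social Networking"),   # A
    Request("bob", "staff", "", "Proxy Forwarding", "Social Networking"),  # B
    Request("carol", "remote", "", "WSS Agent", "Social Networking"),      # D
    Request("alice", "staff", "HQ", "unspecified", "Health"),              # default category
]

if __name__ == "__main__":
    for req, reason in uninspected(SAMPLE, EXEMPTIONS):
        print(f"{req.user:6} {req.access_method:17} {req.category:18} -> {reason}")
```

Each row it reports is a connection that receives no malware scanning or web application control, which is the set to review before leaving a temporary exemption in place.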

Next Step