https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-best-practices/m-p/48478#M35684 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>Cases where SSL decrypt may cause issues: <BR /> <BR />The example in "Dual ISP Branch Office Configuration" does not work well together with SSl decrypt.</P><P><BR />Applications outside the&nbsp; web browser may not read trusted CA's the same way as your web browser.<BR />Bloomberg is one example.</P><P><BR />BlackBerry&nbsp; /BES&nbsp; server may also require additional configuration steps.</P><P><BR />If you use the web categories from Brightcloud in your SSL Decrypt rules and your users go to a lot of non-US web sites, </P><P>expect to get to know BrightClods "Suggest a new category".</P><P></P><P>Regards Paul M.</P></BODY></HTML> Wed, 20 Oct 2010 08:28:33 GMT pnotpub 2010-10-20T08:28:33Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-best-practices/m-p/48475#M35681 <HTML><HEAD></HEAD><BODY><P>I'd like to look at implementing it but I'm wary of all the potential caveats i.e. applications that don't play nice, and machines that are non-windows or non-domain so wouldn't get a trusted CA via Group Policy.</P><P></P><P>I've read the guides so know how to do it and what the suggested categories are to exclude, but I'd be grateful for any real-world feedback from those of you who have done this.</P><P></P><P>Also if you have custom URL categories and have a site in one of those, which takes preference in the SSL decryption rules i.e. if www.domain.com is in both "auctions" and "corp whitelist" and a decryption policy is defined to exclude "auctions" what happens?</P><P></P><P>Thanks.</P></BODY></HTML> Fri, 15 Oct 2010 20:01:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-best-practices/m-p/48475#M35681 networkadmin 2010-10-15T20:01:32Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-best-practices/m-p/48476#M35682 <HTML><HEAD></HEAD><BODY><P>The categories decrypted would depend on your local preference. As far as the example with the <A href="http://www.domain.com">www.domain.com</A>, it would depend on the orfer of the rule. Rules are looked at from top to bottom. </P></BODY></HTML> Mon, 18 Oct 2010 23:53:07 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-best-practices/m-p/48476#M35682 ggutierrez 2010-10-18T23:53:07Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-best-practices/m-p/48477#M35683 <HTML><HEAD></HEAD><BODY><P>Thanks, but that isn't really what I was getting at.&nbsp; I wondered from other peoples experimentation if there were any "definitely don't try and decrypt XYZ" scenarios.&nbsp; For example I read about Microsoft Update not working.</P></BODY></HTML> Tue, 19 Oct 2010 17:02:25 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-best-practices/m-p/48477#M35683 networkadmin 2010-10-19T17:02:25Z https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-best-practices/m-p/48478#M35684 <HTML><HEAD></HEAD><BODY><P>Hello</P><P></P><P>Cases where SSL decrypt may cause issues: <BR /> <BR />The example in "Dual ISP Branch Office Configuration" does not work well together with SSl decrypt.</P><P><BR />Applications outside the&nbsp; web browser may not read trusted CA's the same way as your web browser.<BR />Bloomberg is one example.</P><P><BR />BlackBerry&nbsp; /BES&nbsp; server may also require additional configuration steps.</P><P><BR />If you use the web categories from Brightcloud in your SSL Decrypt rules and your users go to a lot of non-US web sites, </P><P>expect to get to know BrightClods "Suggest a new category".</P><P></P><P>Regards Paul M.</P></BODY></HTML> Wed, 20 Oct 2010 08:28:33 GMT https://live.paloaltonetworks.com/t5/general-topics/ssl-decryption-best-practices/m-p/48478#M35684 pnotpub 2010-10-20T08:28:33Z