ssl decryption best practices?

L4 Transporter

ssl decryption best practices?

I'd like to look at implementing it but I'm wary of all the potential caveats, i.e. applications that don't play nice, and machines that are non-Windows or non-domain so wouldn't get a trusted CA via Group Policy.

I've read the guides so know how to do it and what the suggested categories are to exclude, but I'd be grateful for any real-world feedback from those of you who have done this.

Also if you have custom URL categories and have a site in one of those, which takes preference in the SSL decryption rules i.e. if www.domain.com is in both "auctions" and "corp whitelist" and a decryption policy is defined to exclude "auctions" what happens?

Thanks.

L3 Networker

Re: ssl decryption best practices?

The categories decrypted would depend on your local preference. As far as the example with the www.domain.com, it would depend on the order of the rule. Rules are looked at from top to bottom.
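
Added example, not part of the thread and not vendor code: a simplified model of the top-to-bottom, first-match evaluation described in the reply above, applied to the www.domain.com case from the question. The rule names, the second ("decrypt-whitelist") rule, the match-on-any-category behaviour and the no-decrypt default are assumptions made for illustration.

```python
# Simplified model of top-to-bottom, first-match rule evaluation.
# Assumptions (not vendor code): a rule matches when the URL has at least one
# of the rule's categories, and traffic matching no rule is left undecrypted.

# Constructed sample data: one host that sits in two categories at once.
URL_CATEGORIES = {
    "www.domain.com": {"auctions", "corp whitelist"},
    "shop.example": {"shopping"},
}


def evaluate(rules, host):
    """Return (deciding_rule_name, action, shadowed_rule_names) for host."""
    cats = URL_CATEGORIES.get(host, set())
    decided = None
    shadowed = []
    for name, rule_cats, action in rules:  # list order = rulebase order
        if cats & rule_cats:
            if decided is None:
                decided = (name, action)  # first match wins
            else:
                shadowed.append(name)  # would match, but is never reached
    if decided is None:
        return ("<no match>", "no-decrypt", shadowed)
    return (decided[0], decided[1], shadowed)


# Rulebase A (hypothetical): the "auctions" exclusion sits above the whitelist rule.
RULEBASE_A = [
    ("exclude-auctions", {"auctions"}, "no-decrypt"),
    ("decrypt-whitelist", {"corp whitelist"}, "decrypt"),
]
# Rulebase B: the same two rules in the opposite order.
RULEBASE_B = list(reversed(RULEBASE_A))

if __name__ == "__main__":
    for label, rulebase in (("A", RULEBASE_A), ("B", RULEBASE_B)):
        print(label, evaluate(rulebase, "www.domain.com"))
```

The shadowed list names the rules that also match the host but never take effect, which is the thing to review when a site belongs to both a vendor category and a custom one.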

L4 Transporter

Re: ssl decryption best practices?

Thanks, but that isn't really what I was getting at. I wondered from other people's experimentation if there were any "definitely don't try and decrypt XYZ" scenarios. For example I read about Microsoft Update not working.

L1 Bithead

Re: ssl decryption best practices?

Hello

Cases where SSL decrypt may cause issues:

The example in "Dual ISP Branch Office Configuration" does not work well together with SSL decrypt.

Applications outside the web browser may not read trusted CAs the same way as your web browser.
Bloomberg is one example.

BlackBerry/BES server may also require additional configuration steps.

If you use the web categories from BrightCloud in your SSL Decrypt rules and your users go to a lot of non-US web sites, expect to get to know BrightCloud's "Suggest a new category".

Regards Paul M.
