ssl decryption best practices?



L4 Transporter

I'd like to look at implementing it but I'm wary of all the potential caveats i.e. applications that don't play nice, and machines that are non-windows or non-domain so wouldn't get a trusted CA via Group Policy.

I've read the guides so know how to do it and what the suggested categories are to exclude, but I'd be grateful for any real-world feedback from those of you who have done this.

Also if you have custom URL categories and have a site in one of those, which takes preference in the SSL decryption rules i.e. if is in both "auctions" and "corp whitelist" and a decryption policy is defined to exclude "auctions" what happens?



L3 Networker

The categories decrypted would depend on your local preference. As far as the example with the, it would depend on the order of the rule. Rules are looked at from top to bottom.
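To make the top-to-bottom point concrete for the "auctions" versus "corp whitelist" case asked about above, here is a small added model of first-match decryption policy evaluation. It is an illustration written for this thread, not PAN-OS code; the site-to-category map, rule names and the assumption that a rule matches when any of its categories applies to the site are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DecryptRule:
    name: str
    categories: frozenset  # rule matches if the site is in ANY of these (assumption)
    action: str            # "decrypt" or "no-decrypt"


# Constructed sample: one site that the URL filter places in BOTH the
# built-in "auctions" category and a custom "corp whitelist" category.
SITE_CATEGORIES = {
    "auctions.example": frozenset({"auctions", "corp whitelist"}),
    "bank.example": frozenset({"financial-services"}),
    "news.example": frozenset({"news"}),
}

# The two rules from the question: exclude auctions, decrypt the corporate whitelist.
EXCLUDE_AUCTIONS = DecryptRule("no-decrypt-auctions", frozenset({"auctions"}), "no-decrypt")
DECRYPT_WHITELIST = DecryptRule("decrypt-corp-whitelist", frozenset({"corp whitelist"}), "decrypt")


def evaluate(rules, site, default_action="decrypt"):
    """Walk the rulebase top to bottom and return (rule name, action) of the
    first rule whose category set overlaps the site's categories.
    Later rules never get a vote once an earlier one has matched."""
    site_cats = SITE_CATEGORIES.get(site, frozenset())
    for rule in rules:
        if rule.categories & site_cats:
            return rule.name, rule.action
    return "default", default_action


def compare_orders(site):
    """Evaluate the same site against both orderings of the two rules,
    showing that rule order alone decides the outcome for an overlapping site."""
    exclusion_first = evaluate([EXCLUDE_AUCTIONS, DECRYPT_WHITELIST], site)
    whitelist_first = evaluate([DECRYPT_WHITELIST, EXCLUDE_AUCTIONS], site)
    return {"exclusion_first": exclusion_first, "whitelist_first": whitelist_first}


if __name__ == "__main__":
    for site in SITE_CATEGORIES:
        print(site, compare_orders(site))
```

The overlapping site is left encrypted when the auctions exclusion sits above the whitelist rule and decrypted when the order is swapped, while sites in only one of the categories are unaffected by the order.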

Thanks, but that isn't really what I was getting at. I wondered from other people's experimentation if there were any "definitely don't try and decrypt XYZ" scenarios. For example I read about Microsoft Update not working.


Cases where SSL decrypt may cause issues:

The example in "Dual ISP Branch Office Configuration" does not work well together with SSL decrypt.

Applications outside the web browser may not read trusted CAs the same way as your web browser. Bloomberg is one example.

BlackBerry / BES server may also require additional configuration steps.

If you use the web categories from BrightCloud in your SSL Decrypt rules and your users go to a lot of non-US web sites, expect to get to know BrightCloud's "Suggest a new category".

Regards Paul M.
