04-27-2014 06:05 AM
Right now we have a policy to never decrypt shopping and finance/banking sites, and we decrypt web based email and social networking.
I know there are issues with certain applications (Windows Update I believe?) if you try to decrypt so I wondered what your decryption/inspection policies are?
04-29-2014 12:00 AM - last edited on 06-26-2023 08:55 AM by mgordon
The tech note on configuring SSL decryption Controlling SSL Decryption lists the default categories you should use as a start and some you should not.
You will always stumble on certain applications that don't cope well with SSL decryption, so you'll have to exclude those. Typical example is bank transaction software, they probably do extra checks on the certificate chain. Another very specific one is Java. Not because it's Java, but because it has its own certificate store (you'd have to import your intermediate CA separately if you have Java applications that use ssl).
But I wouldn't do exclusion on category level (you'll exclude way too much). Just do it per application, like the tech note says. We use a "decryption exception" rule that uses an address group (containing fqdn as well as ip address objects). Good application vendors will be able to supply you with a list of ip's and/or url's their application needs. If they don't you'll have to find out yourself (disable ssl decryption and monitor the logs).
Only way to find out is enabling SSL decryption, so be ready to take some time troubleshooting.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
