9.1.22 Configuring HTTPS Content Inspection
The HTTPS Content Inspection window allows you to perform basic setup required to use HTTPS inspection in WebMarshal. You can generate a HTTPS Root Certificate and enable the HTTPS Content Inspection functionality.
9.1.22.1 HTTPS Content Inspection Concepts
HTTPS, or “secure HTTP”, is HTTP carried over a secured channel (Secure Sockets Layer, SSL, or its successor Transport Layer Security, TLS). HTTPS is designed to authenticate the remote web server and to protect the data in transit by encrypting it. This design makes it very difficult for an intermediate device (such as a proxy server) to view or change the data being communicated.
HTTPS establishes the identity of a server by using a “certificate” that is issued to the server. The certificate is in turn vouched for by an issuing authority. Web browser software typically holds a number of “root” certificates that it uses to decide whether the issuing authority of a server certificate is trusted.
HTTPS protects the data channel using public-key cryptography. Data encrypted with a public key can be decrypted only with the matching private key, and data signed with the private key can be verified with the public key. The public key for a server is included in the server certificate. A web browser visiting a HTTPS site first receives the server certificate, checks that it chains to a trusted root certificate and that it names the site being visited, and then negotiates the encryption keys for the session based on the key in that certificate.
WebMarshal can inspect HTTPS content as follows:
1. WebMarshal creates a unique Root Certificate for each installation. The Root Certificate vouches for the other certificates that this WebMarshal installation creates.
2. You install the Root Certificate in each browser application on every workstation that will browse through WebMarshal.
3. When a user browses to a HTTPS site through WebMarshal, the WebMarshal server creates a certificate for that site, signed by its Root Certificate, and returns it to the browser. The SSL connection between WebMarshal and the browser is based on this certificate.
4. WebMarshal connects to the requested site and retrieves the server certificate provided by the site. The SSL connection between WebMarshal and the server is based on this certificate.
5. Both connections are encrypted, but because WebMarshal holds the keys for each of them it can inspect the content that passes between them.
6. By default, WebMarshal does not allow connections that use SSLv2 and SSLv3, which are considered insecure protocols. For more information, see Trustwave Knowledge Base article Q20067.
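The certificate mechanics behind steps 1 to 5, reproduced with the openssl command line tool. This is an added example, not WebMarshal's own code, and it does not use the real WebMarshal certificate fields: the root subject name "WebMarshal Root", the site name www.example.com and the work directory are all made up for the demonstration, and it assumes that openssl 1.1.1 or later is on the PATH. It goes beyond the numbered steps by also showing what a browser does when the Root Certificate is missing (a certificate error), when the certificate does not name the site the user typed, and when the root has been regenerated while a workstation still holds the old one (the regeneration caution in 9.1.22.2).

```shell
# Added example (not WebMarshal code): HTTPS content inspection certificate
# mechanics with openssl. Assumes openssl 1.1.1+ on PATH. All names below
# (root subject, site name, work directory) are invented for the demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CNF="$WORKDIR/openssl.cnf"

# Minimal config so the demo does not depend on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Step 1: a per-installation root certificate and private key, the
# equivalent of clicking "Generate Certificate". $1 = file prefix, $2 = CN.
make_root() {
  openssl req -x509 -config "$CNF" -extensions v3_root \
    -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=$2" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Step 3: the certificate the proxy mints for the site the user asked for,
# signed by the root. The site name goes into the SAN so the browser's
# hostname check passes. $1 = root prefix, $2 = hostname, $3 = output prefix.
make_site_cert() {
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORKDIR/$3.key" -out "$WORKDIR/$3.csr" 2>/dev/null
  printf '%s\n' \
    "subjectAltName = DNS:$2" \
    'basicConstraints = CA:FALSE' \
    'keyUsage = critical, digitalSignature, keyEncipherment' \
    'extendedKeyUsage = serverAuth' > "$WORKDIR/$3.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORKDIR/$3.csr" \
    -CA "$WORKDIR/$1.crt" -CAkey "$WORKDIR/$1.key" -CAcreateserial \
    -extfile "$WORKDIR/$3.ext" -out "$WORKDIR/$3.crt" 2>/dev/null
}

# What the browser does with the certificate it is handed: chain it to a
# root it trusts and check the name. Exit status 0 = accepted, non-zero =
# the browser would show a certificate error.
# $1 = site cert prefix, $2 = trusted root prefix ("" = no root installed),
# $3 = hostname the user typed.
client_accepts() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORKDIR/$2.crt" -verify_hostname "$3" \
      "$WORKDIR/$1.crt" >/dev/null 2>&1
  else
    # Ignore the system trust store: only the roots passed here count.
    openssl verify -no-CAfile -no-CApath -verify_hostname "$3" \
      "$WORKDIR/$1.crt" >/dev/null 2>&1
  fi
}

# SHA-256 fingerprint of a certificate file; compare it with the root a
# workstation has installed to see whether it holds the current one.
fingerprint() {
  openssl x509 -in "$WORKDIR/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Stand-alone walk-through of the scenarios in this chapter.
demo() {
  make_root wm_root "WebMarshal Root"
  make_site_cert wm_root www.example.com site
  if client_accepts site wm_root www.example.com; then
    echo "root installed:       browser accepts the proxy's certificate"
  fi
  if ! client_accepts site "" www.example.com; then
    echo "root not installed:   browser raises a certificate error"
  fi
  if ! client_accepts site wm_root other.example.com; then
    echo "wrong site name:      browser raises a certificate error"
  fi
  # Regeneration: a new root with the same name but a new key. Workstations
  # that still hold the old root reject every site the proxy now signs.
  make_root wm_root_new "WebMarshal Root"
  make_site_cert wm_root_new www.example.com site_new
  if ! client_accepts site_new wm_root www.example.com; then
    echo "stale root on client: browser rejects the new root's certificates"
  fi
  echo "old root fingerprint: $(fingerprint wm_root)"
  echo "new root fingerprint: $(fingerprint wm_root_new)"
}

demo
```

Run the script as it is to see the four outcomes printed; the fingerprint lines are the values you would compare against the certificate installed on a workstation. The root here is deliberately given only the keyCertSign and cRLSign key usages and the minted site certificate is marked CA:FALSE, which is what a client expects of an interception root and its leaves.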
9.1.22.2 Generating and deploying a HTTPS Root Certificate
Before you enable HTTPS Content Inspection, you should ensure that the WebMarshal Root Certificate is available to all clients. Any client browser that does not have the Root Certificate installed will raise an
Caution: Although this method keeps data encrypted in transit, it raises a number of potential technical and legal issues for data privacy. You should carefully consider any applicable privacy laws and regulations before implementing this functionality. You should review the security of the WebMarshal processing servers: the private key of the Root Certificate can sign a certificate for any site name, so anyone who obtains it can impersonate any HTTPS site to every workstation that trusts the Root Certificate. You should inform users about HTTPS content inspection as part of the terms and conditions of their web access.
WebMarshal access policy allows you to apply HTTPS content inspection selectively by user and by site.
You may choose not to inspect the content of certain trusted and sensitive connections, such as online banking.
Content inspection significantly increases the CPU load on processing servers (due to decryption and encryption of content). Depending on the amount of HTTPS traffic that is inspected, you may need to improve the CPU specification of processing servers, or use more processing servers.
Copyright © 2014 Trustwave Holdings, Inc. All rights reserved.
To generate a Root Certificate:
1. On the HTTPS Content Inspection window, click Generate Certificate.
Figure 40: WebMarshal Properties, HTTPS Content Inspection window
2. On the Generate Certificate window, enter information in the fields, and then click Generate Certificate. If you have already generated a certificate you will be asked if you want to overwrite it.
Most of the fields on this window are optional and all required fields are populated by default. You can enter additional information to further identify the certificate. The information you entered displays on the Global Settings page.
To deploy a Root Certificate:
1. To export the certificate (for instance, if you want to push the certificate to workstations using Group Policy), click Export Certificate. Select a location and name for the certificate file, and then click Save.
2. Ensure that all client browsers on all workstations have this certificate installed as a trusted root certificate. You can install the certificate for Internet Explorer using Group Policy, because Internet Explorer uses the Windows certificate store. You can install the certificate for other browsers, which may keep their own certificate stores, using a link on the WebMarshal Home page. If Windows services also require Internet access, you may need to install the certificate in a special location. For more information, see Trustwave Knowledge Base articles Q12014 and Q12015.
Caution: If you have deployed HTTPS Content Inspection, you should normally not generate a new certificate unless the old one has expired or you believe its private key has been compromised. Generating a new certificate produces a new key pair, so certificates issued by the new Root Certificate do not chain to the old one. When you generate a new certificate and commit configuration changes, the new certificate is immediately used by WebMarshal, and any workstation that still holds only the old Root Certificate will raise certificate errors for every inspected HTTPS site. You must ensure that the new certificate is installed on all client workstations.
To view the properties of the existing certificate, export it to a file and then double-click to view the details in Windows certificate management.
9.1.22.3 Enabling HTTPS Content Inspection
To enable HTTPS Rule processing, check the box on this window.
To disable HTTPS Rule processing, clear the box.
For more information about including HTTPS Rules in your Access Policy, see Chapter 6, “Understanding Web Access Policy, Rule Containers, and Rules.”