CYAN SECURE WEB HOWTO. SSL Intercept


CYAN SECURE WEB HOWTO
January 2009
Applies to: CYAN Secure Web 1.6 and above

SSL intercept allows you to inspect SSL encrypted traffic, so that all filter mechanisms can be applied to HTTPS traffic. Without it, the data requested via the HTTPS protocol cannot be inspected by CYAN Secure Web. This data can include unwanted content, data or even viruses. Only the URL of the first request can be checked without SSL intercept.

Contents
1 Overview ... 1
2 Enable SSL intercept ... 3
3 Set up your CA certificate ... 4
3.1 Create a CA certificate ... 4
3.2 Import CA certificate ... 5
3.3 Export CA certificate ... 6
4 Supply your CA certificate to the browser ... 7
4.1 Supply your CA certificate to Internet Explorer ... 7
4.2 Supply your CA certificate to Firefox ... 8
5 Browse your certificate store ... 9
6 SSL intercept settings in profiles ... 10
7 Cluster Mode ... 11
8 Troubleshooting ... 12

1 Overview

CYAN Secure Web with SSL intercept enabled acts as a man-in-the-middle on an HTTPS connection. It accepts the encrypted connection from the client and opens a second encrypted connection to the server. To accept the client connection, Secure Web must supply a certificate to prove its identity. This certificate differs from the certificate of the original web site. Today's browsers recognize such behaviour and display a warning message to the user for each connection. To avoid these warnings, CYAN Secure Web signs all certificates with a Certificate Authority (CA) certificate. If the same CA certificate is added to the browser's certificate management system, the certificate is seen as valid and no warning will be displayed.

Every time a client requests a page from an SSL encrypted server, CYAN Secure Web creates the client side certificate for this request. This certificate is then stored, and all further requests to the same server will get the same certificate. By default, these certificates are valid for 30 days. After this period has elapsed, a new certificate will be generated.

If you need more information, please feel free to contact Cyan Networks Support at support@cyan-networks.com.

2008 CYAN Networks Software GmbH - 1 -

2 Enable SSL intercept

Here you will find how to set up the basic parameters of SSL intercept. Open your Web browser and type in the address of your CYAN Secure Web installation:

https://<your IP address>:9992/sweb

You can either use the IP address or the host name of the machine. After a successful connection, log into the user interface and change to Server / HTTPS / HTTPS intercept:

Enable SSL intercept activates the intercept mode. If this setting is disabled, all requests to SSL encrypted servers are passed through without applying filters.

CYAN Secure Web can check whether the protocol carried inside an incoming SSL connection is HTTP (i.e. an HTTPS request) or some other protocol. You may want to disable Allow non HTTP to deny all clients that use the HTTPS proxy with protocols other than HTTP.

Certificate expiration defines how long (in hours) a generated client certificate is valid. After this time has elapsed, a new certificate is generated. By default this value is 30 days. An expired certificate stays in the cache until a new certificate for the same server is generated. To periodically check for expired certificates and delete them, enable Delete expired certificates and set, with the Check every setting, the interval in minutes at which the cache should be checked.

The certificate store does not have to be on the same machine as CYAN Secure Web. The SCert daemon host and port settings specify the location of the certificate manager daemon. This is usually localhost (or 127.0.0.1). For cluster installations, this setting needs to be changed. Refer to the chapter Cluster Mode for more information.

3 Set up your CA certificate

To avoid warnings by the browser for each HTTPS request, CYAN Secure Web needs a certificate authority (CA) certificate, which is supplied to the browser as well. This CA certificate can be generated directly within the user interface, or you can import your own CA certificate.

3.1 Create a CA certificate

Within the user interface change to Server / HTTPS / Certificate Authority:

Now click on Edit CA certificate and enter your CA data:

Country: your 2 letter country code (e.g. US)
State or Province
Locality (e.g. city)
Organisation (e.g. your company)
Organisational unit (e.g. section name)
Common name (e.g. your name or an identifier for the certificate)

You need to enter all of this data for the certificate to be valid. After you click on Create CA certificate, the certificate is stored for further use, and you will see your CA certificate data.

3.2 Import CA certificate

To import a CA certificate, you need to supply the certificate and private key in PEM format. Open Server / HTTPS / Import CA. Paste your certificate into the Certificate section and your private key into the Private key section, then click on Import certificate. If you change to Server / HTTPS / Certificate Authority, you should now see your CA data displayed.

3.3 Export CA certificate

If you created a CA certificate or need to get the certificate for any reason, open Server / HTTPS / Export CA. You can export both the certificate and the private key on this dialog. Both are exported in PEM format. You will need the certificate file to supply it to your clients.

Note: If you export the private key, be sure to keep it safe. Anybody holding your private key can adopt your identity.

4 Supply your CA certificate to the browser

You need to import the CA certificate in all browsers to avoid warning messages. Every time you change the CA certificate in CYAN Secure Web, you need to supply it again to your browsers.

4.1 Supply your CA certificate to Internet Explorer

Open your Internet Options and select the tab Content. Here you will see a Certificates button. When you click on this button, the browser's certificate manager will open. Go to the tab Trusted Root Certificate Authorities and click on Import there. Now specify the path and filename of your CA certificate, click on Next twice, then Finish. You should now see your certificate in the trusted root certificates list. Close the certificate manager and your internet settings.

4.2 Supply your CA certificate to Firefox

Open the Preferences and select Advanced. Here you will find a tab Encryption containing the View Certificates button. After you click on this button, the certificate manager will open. Go to the Authorities tab and click on Import there. After you select the CA certificate file, you need to enable the This certificate can identify web sites setting and click on Ok. You should now see your certificate in the Authorities list. Close the certificate manager and your preferences.

5 Browse your certificate store

If you open Server / HTTPS / Certificates, you will see a list of all certificates created by CYAN Secure Web. After you click on Refresh, the certificates are displayed with the server name (including the target port) and the expiry date of the certificate. You can click on Delete to remove a single certificate, or on Delete All to remove all files from the certificate store. If you removed a certificate, the next request to the certificate's server will generate it again.

Note: If you supply a new certificate authority (CA) certificate, you need to delete all certificates signed with the old CA certificate.

6 SSL intercept settings in profiles

Some SSL intercept settings can be modified for each profile. Open Profiles / <Profile name> / SSL:

If you disable the SSL intercept enabled setting, no HTTPS request with this profile assigned will be intercepted. Enter the hosts you want to exclude from SSL interception into the Exception List. You can add regular expressions here to define multiple hosts with one entry. With the Inherit exception list setting enabled, all entries of the parent profile's exception list are added here too.

Note: If you enable SSL intercept here, it also has to be enabled globally to work.
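As an added illustration (not part of this HOWTO and not Secure Web code), the following Python model reproduces the rules described in chapters 2, 5 and 6: a per-profile exception list of regular expressions with optional inheritance from the parent profile, the requirement that SSL intercept be enabled globally before a profile setting has any effect, and a certificate cache whose entries expire after a configurable number of hours and are only removed by the periodic check when Delete expired certificates is enabled. The class and function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# Hypothetical model (not Secure Web code) of the intercept decision and the
# certificate cache described in this HOWTO. All times are in seconds.

@dataclass
class Profile:
    intercept_enabled: bool = True                  # "SSL intercept enabled"
    exceptions: list = field(default_factory=list)  # regular expressions
    inherit_exceptions: bool = False                # "Inherit exception list"
    parent: "Profile" = None

    def exception_patterns(self):
        patterns = list(self.exceptions)
        if self.inherit_exceptions and self.parent is not None:
            patterns += self.parent.exception_patterns()
        return patterns

def should_intercept(global_enabled, profile, host):
    """True if an HTTPS request to host under this profile is intercepted."""
    if not global_enabled or not profile.intercept_enabled:
        return False  # the profile switch only works if intercept is on globally
    return not any(re.search(p, host) for p in profile.exception_patterns())

class CertCache:
    """One generated certificate per server:port, reused until it expires."""
    def __init__(self, expiration_hours=30 * 24, delete_expired=False):
        self.expiration = expiration_hours * 3600  # "Certificate expiration"
        self.delete_expired = delete_expired       # "Delete expired certificates"
        self.store = {}       # "host:port" -> (serial, created_at)
        self.generated = 0    # number of certificates generated so far

    def get(self, host, port, now):
        key = f"{host}:{port}"
        entry = self.store.get(key)
        if entry is None or now - entry[1] >= self.expiration:
            self.generated += 1  # an expired entry is replaced only on demand
            entry = (self.generated, now)
            self.store[key] = entry
        return entry

    def cleanup(self, now):
        """The periodic "Check every" job; a no-op unless deletion is enabled."""
        if not self.delete_expired:
            return 0
        expired = [k for k, (_, t) in self.store.items() if now - t >= self.expiration]
        for key in expired:
            del self.store[key]
        return len(expired)
```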

7 Cluster Mode

In cluster mode, only one certificate daemon is running for the whole cluster. Thus all Secure Web nodes will get the same certificates for a target host. Otherwise, the browser would display an error message if the requests are served by two different Secure Web nodes. To point the Secure Web certificate requests to the cluster's certificate daemon, go to Server / HTTPS / Setup and set the Scert daemon host setting to the cluster IP.

8 Troubleshooting

Your browser displays a warning for every HTTPS request
Did you supply the CA certificate to your browser? You need to do this for the browser to stop alerting.
Did you upload or create a new CA certificate on the Secure Web? If you did, you need to delete all certificates from the certificate store. Since Secure Web caches the certificates for a few minutes, you need to wait until the cache entry is revalidated.

Secure Web does not accept your CA certificate
The supplied certificate must be in PEM format.

Some services do not work with SSL intercept enabled
The service may expect a certain certificate from the web server; since Secure Web sends a generated certificate to the client, that expectation is not met. You need to exclude the target of this service from SSL interception.