January 20, 2011
Author:
Audience: SWAT Team Evaluator
Product: Cymphonix Network Composer EX Series, XLi OS version 9

Configuring Network Composer and workstations for Full SSL Filtering and Inspection

Network Composer utilizes HTTPS/SSL Filtering to allow you to view and restrict Web traffic for secure web sites and also prohibit users from viewing unauthorized content within an SSL tunnel.

Implementing the full SSL mode consists of two processes. First, you will configure Network Composer, which consists of creating and saving the Network Composer SSL Certificate and then configuring Network Composer to inspect SSL traffic through Internet Usage Rules. Second, you will deploy the newly created SSL certificate to the workstation(s). After completing the configuration of your Network Composer and workstation(s), you will test SSL filtering by category and reporting of SSL traffic.

Configuring Network Composer for SSL inspection

Creating and saving the Network Composer's SSL Certificate

To save the SSL certificate within Network Composer:

1. Log in to Network Composer.
2. Click the Admin tab.
3. Select Configuration > SSL Certificate Settings.
4. Enter your company information in the text boxes on the page. Click Apply.
A message dialog appears. Click OK.

Configure Network Composer to inspect SSL traffic through the Internet Usage Rule

1. Navigate to Manage > Policies & Rules > Internet Usage Rules > Test Group 1.

Note: If you're performing this test case from a network node or with a directory user that is not a member of Test Group 1, make sure you edit the Internet Usage Rule that is associated with your current group membership in Policy Manager.

a) Change the Traffic Flow Rule Set to App + Web Filter + Anonymous Proxy Guard + SSL Filter. Go to the HTTPS/SSL Filtering tab, select the radio button next to Enable full SSL content filtering, and then click Save.
Configuring Workstation(s) - Download and Deploy SSL Certificate to workstation(s)

You will install the certificate, cacert.cer, manually on the workstation(s) for these test cases. When you deploy the SSL Certificate within your corporate network, you will utilize a GPO to automate the process and eliminate a manual installation on every workstation.

1. Go to Admin > Downloads > SSL Authority Certificate.
2. Click Download SSL Signing-Authority Certificate.
   a. Click the download link.
   b. Click Save.
   c. The Save As dialog appears. Browse to a directory folder, and save the cacert.cer file.
   d. From the Download complete dialog, click Close.
   e. Close the File Download page.
3. Close the Network Composer page.
4. You are now going to install this certificate file on the workstation so that users can browse SSL sites successfully and Network Composer can decrypt/re-encrypt any SSL sessions for inspection. The end result is that the certificate file is imported into a Trusted Root Authority store location.

a) From the directory where you saved the SSL certificate cacert.cer file, double-click the certificate.
The Open File Security Warning dialog appears. Click Open.

b) From the Certificate dialog, click Install Certificate.
c) From the Certificate Import Wizard, click Next. This wizard walks you through each step of importing your cacert.cer file, so that you can create a Group Policy Object to apply throughout your network.

d) Create a Certificate Store. The Network Composer Trusted Authority Certificate will be stored in the store location you select. Windows lets you select the certificate store location you want from a list. Select Place all certificates in the following store. Click Browse.
The following dialog appears. Select Trusted Root Certification Authorities. Click OK.

e) Confirm that the Certificate Store you selected from the Select Certificate Store dialog displays correctly in the text box. Click Next.
f) Confirm the Certificate Store settings you selected in the text box. Click Finish. The cacert.cer file imports into the Certificate Store.

You have now completed the Network Composer SSL Certificate installation.

Testing Network Composer's ability to inspect, filter, and report on SSL traffic

Verify a successful connection to the SSL site

Within your browser's address bar, enter the URL https://login.yahoo.com. This website is the same as mail.yahoo.com and is associated with the Webmail category.
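The manual import in steps a) through f) above, scripted for a test workstation. This is an added example, not part of the original Cymphonix guide. The `-ExpectedThumbprint` parameter (a thumbprint confirmed out-of-band with the appliance administrator) and the choice of the machine-wide store `Cert:\LocalMachine\Root` are assumptions of the example.

```powershell
# Added example: scripted form of wizard steps a) through f).
# Run from an elevated PowerShell prompt on the test workstation.
param(
    [string]$CertPath = '.\cacert.cer',   # file saved in step 2c
    [string]$ExpectedThumbprint = ''      # assumption: thumbprint confirmed out-of-band
)
$ErrorActionPreference = 'Stop'
$storePath = 'Cert:\LocalMachine\Root'    # Trusted Root Certification Authorities (all users)

# Load the file without installing it, so it can be inspected first.
$path = (Resolve-Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Refuse a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate in $path is not currently valid; not importing."
}

# A trusted root can sign for any site, so confirm this is the expected file.
if ($ExpectedThumbprint) {
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected."
    }
} else {
    Write-Warning 'No expected thumbprint supplied; compare the value above by hand.'
}

# Import only if this exact certificate is not already trusted.
$target = "$storePath\$($cert.Thumbprint)"
if (Test-Path $target) {
    Write-Host "Already present in $storePath."
} else {
    Import-Certificate -FilePath $path -CertStoreLocation $storePath | Out-Null
}

# Confirm the end state the wizard steps describe.
if (-not (Test-Path $target)) {
    throw "Import failed: $($cert.Thumbprint) not found in $storePath."
}
Write-Host "Installed: $($cert.Subject) [$($cert.Thumbprint)]"
```

To undo the change after the test cases, remove the same thumbprint from the store with `Remove-Item "Cert:\LocalMachine\Root\<thumbprint>"`.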
Verify Network Composer is inspecting SSL traffic through Network Composer reports

1. Log in to Network Composer.
2. Click the Report tab.
3. Select Web Usage > Overview/Hits. Then change the Encryption Type located in the top options pane from No Filter to SSL.
4. Right-click Allowed, highlight Report Correlations, and then select Correlate by Host.
5. You will see yahoo.com listed as a host, meaning that SSL content was analyzed and reported on.
6. You can additionally right-click yahoo.com and select View URL Details to see all SSL content from the web site.

Note: You must have View URL Details turned on in your advanced settings for this option to be available. Navigate to Admin > Configuration > Advanced Settings to verify the URL details setting.
Configure Network Composer to filter SSL content by category

1. Log in to Network Composer.
2. Click the Manage tab.
3. Go to Manage > Policies & Rules > Internet Usage Rules > Test Group 1.

Note: If you're performing this test case from a network node or with a directory user that is not a member of Test Group 1, make sure you edit the Internet Usage Rule that is associated with your current group membership in Policy Manager.

Within the Blocked Categories tab, click Edit Blocked Categories.
Choose Webmail from the Allowed Categories list, add it to the Blocked Categories, and then click OK. Click Save at the bottom of your Add/Edit Internet Usage Rule Set page.

Verify Network Composer is Filtering SSL Traffic by category

Within your browser's address bar, enter the URL https://login.yahoo.com. This website is the same as mail.yahoo.com and is associated with the Webmail category. You should receive a blocked page that lists a Blocked Reason of Category: Webmail.