Certificates IronPort

Unanswered Question
Sep 10th, 2010


I have implemented an IronPort in Proxy Mode. It's working fine.

The only problem is when clients access sites that ask for an HTTPS certificate (attached example).

How can I solve this problem so that it is transparent to all customers?



edadios Tue, 09/14/2010 - 20:27

The site example you provided is a bank.

For bank sites, it is best to configure a pass-through policy through a custom URL category.

Jaime Soto Vale... Wed, 09/15/2010 - 06:03


Why is it better to leave bank sites as pass-through policy?

What do I do with other HTTPS sites?



edadios Wed, 09/15/2010 - 20:29

I attach here picture samples of steps you can do if the WSA is using a self-signed certificate.

You can download the certificate on the WSA from Security Services > HTTPS Proxy > Edit Settings, and download the certificate.

The certificate will be in PEM format, and needs to be converted to DER format, so you can use it with the browser.

You can use openssl to convert PEM to DER format. Someone wrote a good document here http://tinyurl.com/d3yr8

Once you have the DER format certificate, install the certificate in the browser's trusted root certification authorities store.

This will allow your browser to trust the certificate on the WSA.

This will work as long as the certificate from the real website has no actual issues on it (expired, unknown), and the only issue is to overcome the certificate on the WSA not being trusted by your browser to do HTTPS proxy.

I hope this information helps you.
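
The PEM-to-DER step from the reply above, as an added example that is not part of the original post: it converts the downloaded certificate with openssl and accepts the DER file only if its SHA-256 fingerprint matches the PEM, so the file imported as a trusted root is the one that came from the WSA. File names and function names are assumptions, and the sample certificate is a constructed throwaway, not a real WSA certificate.

```shell
#!/bin/sh
# Added example (not from the thread): convert a proxy certificate from
# PEM to DER and check it is unchanged before importing it as a trusted root.

# Print the SHA-256 fingerprint of a certificate. $1 = file, $2 = PEM or DER.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Convert $1 (PEM) to $2 (DER); succeed only if both files carry the same
# fingerprint, i.e. the conversion produced the same certificate.
pem_to_der_checked() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2" || return 1
    [ "$(cert_fingerprint "$1" PEM)" = "$(cert_fingerprint "$2" DER)" ]
}

# Show subject, issuer and expiry so they can be compared with what the
# appliance's HTTPS Proxy page displays before the certificate is trusted.
describe_cert() {
    openssl x509 -in "$1" -inform "$2" -noout -subject -issuer -enddate
}

# Constructed sample input: a throwaway self-signed certificate standing in
# for the file downloaded from the appliance (hypothetical name, 1-day life).
make_sample_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-proxy-ca" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: ./convert.sh wsa-cert.pem   (writes wsa-cert.der beside it)
if [ -n "${1:-}" ]; then
    der="${1%.pem}.der"
    if pem_to_der_checked "$1" "$der"; then
        describe_cert "$der" DER
        echo "SHA-256: $(cert_fingerprint "$der" DER)"
    else
        echo "conversion failed or fingerprint mismatch" >&2
        exit 1
    fi
fi
```

Compare the printed fingerprint with the one read from the appliance itself before deploying the DER file to client trust stores.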


Jaime Soto Vale... Tue, 09/21/2010 - 17:11


When the IronPort intercepts HTTPS traffic, will it not store important information of the users, such as keys, for example?

I could not find information.



edadios Wed, 09/22/2010 - 22:26

Hello Jaime,

The IronPort will not store user keys. It only keeps the user TCP session until the session times out.


Jaime Soto Vale... Thu, 09/23/2010 - 05:54


A query: why did you say in a previous answer that it is best to set banking sites as pass-through policy?



edadios Thu, 09/23/2010 - 21:40

I guess if you are doing decryption of HTTPS, I am more wondering if your end users will really be happy to have their supposedly encrypted banking traffic going through the WSA.

In the end it is up to your security policy, and end user acceptance of how you are implementing your proxy.


