
Certificates IronPort

Hi,

I have implemented an IronPort in Proxy Mode. It's working fine.

The only problem is when clients access sites that ask for an HTTPS certificate (attached example).

How can I solve this problem so that it is transparent to all customers?

Regards.

Jaime.


edadios
Cisco Employee

The site example you provided is a bank.

For bank sites, it is best to configure a pass-through policy through a custom URL category.

Hi,

Why is it better to leave bank sites as a pass-through policy?

What do I do with other HTTPS sites?

Regards,

Jaime.

I attach here picture samples of the steps you can do if the WSA is using a self-signed certificate.

You can download the certificate on the WSA from the Security Services > HTTPS Proxy > Select Edit settings, and download the certificate.

The certificate will be in PEM format, and needs to be converted to DER format, so you can use it with the browser.

You can use openssl to convert PEM to DER format. Someone wrote a good document here http://tinyurl.com/d3yr8

Once you have the DER format certificate, install the certificate to the browser trusted root certification authorities store.

This will allow your browser to trust the certificate on the WSA.

This will work as long as the certificate from the real website has no actual issues on it (expired, unknown), and the only issue is to overcome the certificate on the WSA not being trusted by your browser to do HTTPS proxy.

I hope this information helps you.

Regards
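
The PEM-to-DER conversion described in the reply above, as an added example that is not part of the original thread or of Cisco's documentation. The file names are assumptions, and `make_sample_pem` generates a constructed throwaway certificate that stands in for the file downloaded from the WSA.

```shell
#!/bin/sh
# Added example: convert the proxy's PEM certificate to DER and confirm that
# the DER file is the same, unexpired certificate before it goes into a
# browser's trusted root store.

# SHA-256 fingerprint of a certificate file; $1 = path, $2 = PEM or DER
cert_fp() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Convert $1 (PEM) to $2 (DER). Fails if the input cannot be read, is
# already expired, or the output does not match the input.
pem_to_der() {
    in_pem=$1; out_der=$2
    openssl x509 -in "$in_pem" -inform PEM -noout -checkend 0 >/dev/null || {
        echo "refusing: $in_pem is expired or not a readable PEM certificate" >&2
        return 1; }
    openssl x509 -in "$in_pem" -inform PEM -outform DER -out "$out_der" || return 1
    # The same certificate in both encodings must give the same fingerprint
    [ "$(cert_fp "$in_pem" PEM)" = "$(cert_fp "$out_der" DER)" ] || {
        echo "fingerprint mismatch after conversion" >&2
        rm -f "$out_der"; return 1; }
    echo "SHA-256 fingerprint: $(cert_fp "$out_der" DER)"
    openssl x509 -in "$out_der" -inform DER -noout -subject -enddate
}

# Constructed stand-in for the certificate downloaded from the WSA
# (self-signed, valid for one day, private key discarded with the temp dir)
make_sample_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed WSA signing certificate" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

workdir=$(mktemp -d)
make_sample_pem "$workdir/wsa.pem"
pem_to_der "$workdir/wsa.pem" "$workdir/wsa.der"
```

Compare the printed fingerprint with one obtained from the appliance over a trusted channel before adding the DER file to any trust store.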

Thanks for your information. I will do the test in client.

Regards,

Jaime.

Hi,

When the IronPort intercepts HTTPS traffic, will it not store important information of the users, such as keys, for example?

I could not find information.

Regards.

Jaime

Hello Jaime,

The IronPort will not store user keys. It only keeps the user TCP session, until the session is timed out.

Regards,

Thanks.

A query: why, in a previous answer, do you say that for banking sites it is best to set a pass-through policy?

Regards,

Jaime

I guess if you are doing decryption of HTTPS, I am more wondering if your end users will really be happy to have their supposedly encrypted traffic to banking going through the WSA.

In the end it is up to your security policy, and end user acceptance of how you are implementing your proxy.

Regards
