Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
17617
Views
10
Helpful
0
Comments

[WSA Training Series] How to configure the HTTPS Proxy on the Cisco Web Security Appliance

Jeffrey Richmond
Cisco Employee
Cisco Employee

on ‎04-02-2014 09:56 AM

Introduction

The HTTPS Proxy is a powerful tool on the Web Security Appliance (WSA) that can be used for filtering HTTPS traffic. In order to utilize this feature, it must be configured correctly. In this article, I will review the steps required to configure the HTTPS Proxy.

 

Problem

The WSA does not filter HTTPS traffic by default. In order to filter HTTPS traffic, you must enable the HTTPS Proxy. This article discusses the steps required to configure the HTTPS Proxy.

 

Solution

1) To enable the HTTPS Proxy, access the WSA GUI and go to Security Services > HTTPS Proxy.

 Edit SS.PNG

2) Click on Enable and Edit Settings and click the box next to "Enable HTTPS Proxy".

 Enable SS.PNG

 

3) The WSA must have a root or intermediate certificate in order for the HTTPS Proxy to work. There are a few options for getting that certificate on the box, which are listed below:

  • Generate the Certificate and Key on the WSA

     - Click on the "Generate New Certificate and Key" button

     - Fill out the fields for the new Certificate and Key

     - Click "Generate" when done

  • Generate a Certificate and Key and download a CSR to have signed by a CA

     - Follow the steps for "Generate the Certificate and Key on the WSA" above

     - Click on the link for "Download Certificate Signing Request" and save the file in PEM format

     - Take the file to your CA and have it signed

     - Click "Browse" under the section "Signed Certificate" to upload the signed certificate

 

*Important*

The CA cannot be a third party trusted CA, such as Verisign or Thawte, as they will not sign an intermediate or root certificate.

  • Upload an existing Certificate and Key

     - Click on the box next to "Use Uploaded Certificate and Key"

     - Select "Browse" to search for the Certificate and Key (as stated, Private key must be unencrypted)

     - Click "Upload Files" to upload the certificate and key

 Cert SS.PNG

 

4) (Optional) Configure the other settings for the HTTPS Proxy

 

Version 7.5 and earlier

  • HTTPS Transparent Request

     - This is to determine how to handle HTTPS traffic in regards to unauthenticated users that require authentication. This is almost always set to the default setting of "Decrypt the HTTPS request and redirect for authentication".

  • Applications that Use HTTPS

     - This settings is enabled by default and allows the WSA to decrypt HTTPS requests that may be subject to the Application Visibility and Control feature. This setting only takes affect if the web category decision is "Monitor" in the decryption policies.

  • Invalid Certificate Handling

     - These settings determine how the WSA will handle HTTPS sites that present a certificate that is not valid for the reasons listed in this section. These settings are applied prior to the web category decision in the Decryption policies except for Custom Categories that are set to Passthrough.

 

Version 7.7 and later

  • Decryption Options

     - These options include decryption for Authentication, End User Notification, End User Acknowledgement, and Application Detection. In order to use these features for HTTPS requests, the WSA must decrypt these transactions.

  • Online Certificate Status Protocol Options

     - These settings deal with how the WSA handles Online Certificate Status Protocol (OCSP) checks. The WSA only uses the OCSP feature if the certificate is valid.

  • Certificate Management

     - This section allows configuration and management of the trusted Certificate Authorities on the WSA. The "Manage Trusted Root Certificates" allows for importing custom Root Certificate Authorities to be trusted by the WSA as well as overriding existing Certificate Authorities from being trusted.

 

5) Submit and Commit the changes!!!

 

The HTTPS Proxy has now been configured. Below are some items to consider, now that the HTTPS Proxy has been enabled, that are not covered in this guide:

  • Configuring the Decryption policies
  • Re-directing the HTTPS traffic via WCCP
  • Uploading the Certificate used for the HTTPS Proxy to users' browsers
Labels:
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents