Certificates IronPort

Hi,

I have implemented an IronPort in Proxy Mode. It's working fine.

The only problem is when the clients access sites that ask for an HTTPS certificate (attached example).

How can I solve this problem so that it is transparent to all customers?

Regards.

Jaime.

8 REPLIES
Cisco Employee

Re: Certificates IronPort

The site example you provided is a bank.

For bank sites, it is best to configure a pass-through policy through a custom URL category.

Re: Certificates IronPort

Hi,

Why is it better to leave bank sites as pass-through policy?

How do I do with other HTTPS sites?

Regards,

Jaime.

Cisco Employee

Re: Certificates IronPort

I attach here picture samples of steps you can do if the WSA is using a self-signed certificate.

You can download the certificate on the WSA from Security Services > HTTPS Proxy > select Edit Settings, and download the certificate.

The certificate will be in PEM format, and needs to be converted to DER format so you can use it with the browser.

You can use openssl to convert PEM to DER format. Someone wrote a good document here http://tinyurl.com/d3yr8

Once you have the DER format certificate, install the certificate into the browser's trusted root certification authorities store.

This will allow your browser to trust the certificate on the WSA.

This will work as long as the certificate from the real website has no actual issues on it (expired, unknown), and the only issue to overcome is the certificate on the WSA not being trusted by your browser to do HTTPS proxying.

I hope this information helps you.

Regards
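The PEM-to-DER conversion described in this reply, written out as an added example (not part of the thread or of Cisco's own tooling), together with the checks worth running before adding any certificate to a trusted root store: the fingerprint of the DER output must match the PEM input, and the subject, CA flag and expiry should be what you expect. It assumes openssl is installed; the certificate below is a constructed self-signed stand-in for the file downloaded from the WSA, and all file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): convert the WSA's PEM certificate to
# DER for browser import and sanity-check it before trusting it.
# Assumes openssl is installed; file names are placeholders.
set -eu

# Constructed stand-in for the certificate downloaded from the WSA
# (Security Services > HTTPS Proxy). A real deployment uses the real file.
make_sample_wsa_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=wsa.example.invalid/O=Constructed Sample" \
    -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Convert PEM -> DER, the encoding the browser's root store import expects.
pem_to_der() {
  openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
}

# SHA-256 fingerprint of a certificate file in either encoding ($2 = PEM|DER).
fingerprint() {
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the DER file is the same certificate as the PEM file.
same_cert() {
  [ "$(fingerprint "$1" PEM)" = "$(fingerprint "$2" DER)" ]
}

# What to look at before adding a root: who it claims to be, whether it is
# a CA (needed to sign the proxy's per-site certificates), and its validity.
summarise() {
  openssl x509 -in "$1" -inform PEM -noout -subject -issuer -dates
  openssl x509 -in "$1" -inform PEM -noout -text | grep -A1 'Basic Constraints' || true
}

make_sample_wsa_cert wsa-cert.pem
pem_to_der wsa-cert.pem wsa-cert.der
summarise wsa-cert.pem
if same_cert wsa-cert.pem wsa-cert.der; then
  echo "DER matches PEM, fingerprint: $(fingerprint wsa-cert.der DER)"
else
  echo "conversion produced a different certificate, do not import it" >&2
  exit 1
fi
```

Firefox keeps its own certificate store rather than using the operating system's, so importing into the Windows store alone does not make Firefox trust the WSA by default.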

Re: Certificates IronPort

Thanks for your information. I will do the test on a client.

Regards,

Jaime.

Re: Certificates IronPort

Hi,

When the IronPort intercepts HTTPS traffic, will it not store important information about the users, such as keys for example?

I could not find information.

Regards.

Jaime

Cisco Employee

Re: Certificates IronPort

Hello Jaime,

The IronPort will not store user keys. It only keeps the user's TCP session, until the session is timed out.

Regards,

Re: Certificates IronPort

Thanks.

A query: why in a previous answer did you say that banking sites are best set as pass-through policy?

Regards,

Jaime

Cisco Employee

Re: Certificates IronPort

I guess if you are doing decryption of HTTPS, I am more wondering if your end users will really be happy to have their supposedly encrypted traffic to banking be going through the WSA.

In the end it is up to your security policy, and end user acceptance of how you are implementing your proxy.

Regards
