SSLInspect
Revision as of 17:21, 3 December 2018
1 SSL Inspection
"SSL Inspection" is based on a [Man-in-the-middle attack]. It redirects SSL connections to a local SSL server so that it can intercept the SSL traffic. When enabled, you will be able to monitor and filter the contents of HTTPS websites and SSL emails (SMTP/POP3/IMAP over SSL):
- record HTTPS webpage titles and web postings on HTTPS sites.
- record emails sent over SSL connections.
- filter email accounts of emails sent over SSL connections.
- filter the contents of HTTPS websites (filter download file types, block file uploading to HTTPS sites).
2 SSL Inspection Policy
- Services
- Web: HTTPS traffic on port 443.
- POP3: POP3 over SSL on port 995.
- IMAP: IMAP over SSL on port 993.
- SMTP: SMTP over SSL on ports 465, 587 and 994.
- More ports: other SSL ports to be intercepted.
- Remote IP: remote IPs/domains to be intercepted. Two modes are supported:
- Exclude below list: IPs/domains in the list are excluded from inspection.
- Below IPs only: only IPs/domains in the list are intercepted.
- Syntax: one IP segment or domain per line, example: 192.168.1.0/24,172.10.0.0/16,*.google.com
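The policy rules above (service ports, "More ports", and the two remote-list modes) can be checked offline with the following stand-alone script. It is an added example, not WFilter's own code: the policy dictionary layout, the `EXAMPLE_POLICY` values and the decision to accept both commas and newlines in the remote list (the page says one entry per line but its example is comma-separated) are assumptions.

```python
import ipaddress
from fnmatch import fnmatchcase

# Default service ports as listed in the SSL Inspection Policy section.
SERVICE_PORTS = {
    "web": {443},
    "pop3": {995},
    "imap": {993},
    "smtp": {465, 587, 994},
}

def parse_remote_list(text):
    """Parse the 'one IP segment or domain per line' list.
    Assumption: commas are accepted as separators as well as newlines."""
    nets, domains = [], []
    for raw in text.replace(",", "\n").splitlines():
        item = raw.strip()
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:          # not an IP/CIDR -> treat as a domain pattern
            domains.append(item.lower())
    return nets, domains

def in_remote_list(nets, domains, remote):
    """True if the remote IP or hostname matches any list entry."""
    try:
        addr = ipaddress.ip_address(remote)
    except ValueError:              # hostname: glob match, e.g. *.google.com
        host = remote.lower()
        return any(fnmatchcase(host, pat) or host == pat for pat in domains)
    return any(addr in net for net in nets)

def should_intercept(policy, remote, port):
    """Decide whether a remote:port connection falls under SSL Inspection.
    mode 'exclude' = "Exclude below list", mode 'only' = "Below IPs only"."""
    ports = set(policy.get("more_ports", ()))
    for svc in policy.get("services", ()):
        ports |= SERVICE_PORTS[svc]
    if port not in ports:           # service/port not selected: never intercepted
        return False
    nets, domains = parse_remote_list(policy.get("remote_list", ""))
    listed = in_remote_list(nets, domains, remote)
    return listed if policy.get("mode") == "only" else not listed

# Constructed sample policy (assumption, not from the page): Web + IMAP,
# one extra port, and the page's example remote list in "exclude" mode.
EXAMPLE_POLICY = {"services": {"web", "imap"}, "more_ports": {8443},
                  "mode": "exclude",
                  "remote_list": "192.168.1.0/24,172.10.0.0/16,*.google.com"}
```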
3 CA Certificate
- The CA certificate used to sign the certificates generated for SSL interception.
- When "HTTPS Inspector" is enabled, there will be a certificate warning in the client browser. You need to download this certificate and import it into the "trusted root certification authorities" store to silence the client browser warning.
- You can click "Replace" to generate a new certificate.
- To import an existing CA certificate, the imported file must be a zip archive containing two files (ca.crt and ca.key).
SSL Inspection is based on a [Man-in-the-middle attack]. It redirects SSL connections to a local SSL server so that it can intercept the SSL traffic. Though it can decode SSL traffic, there are some disadvantages you should know about:
- Performance: please check SSL Inspector Performance.
- Certificate warnings: with the HTTPS Inspector enabled, clients will see a certificate warning. To silence the client browser, follow the steps below to import WFilter's certificate into the "trusted root certification authorities" store on client devices.
3.1 HTTPS Inspector
- There will be a certificate warning when visiting HTTPS websites. You may choose "continue to this website" to access the site; web surfing and posting will then be recorded.
To get rid of this certificate warning, follow the steps below:
- Download WFilter's certificate.
- Double-click the "ca.crt" file, click "Install Certificate" and "Next". Enable "place all certificates in the following store" and choose "trusted root certification authorities". Then click "Next" and "Finish".
- The certificate warning won't appear again.
- HTTPS visits will now be recorded.
3.2 SSL Email Inspection
There are three types of email connection:
- Plain text: emails can be recorded without "SSL Email Inspection".
- STARTTLS: emails cannot be recorded, even with "SSL Email Inspection" enabled.
- SSL/TLS: with "SSL Email Inspection" enabled, emails over SSL connections can be recorded.
Let's take "Mozilla Thunderbird" as an example:
Please note: to record HTTPS web emails, you need to enable "HTTPS Inspector" for that HTTPS website.
4 Note
- When deployed in bridge mode, SSL Inspection cannot work on "Trunk ports" (VLAN tagged). You need to use "Access ports" instead.