Enabling SSL decryption

SSL (Secure Sockets Layer) is the industry standard for transmitting secure data over the Internet. It relies on certificates issued by trusted certificate authorities: the server presents its certificate and the client accepts the connection only if that certificate chains to an authority the client trusts.

When you enable SSL decryption for your end users, SSL-encrypted traffic is decrypted, inspected, and then re-encrypted before it is sent to its destination. This enables the cloud proxy to serve the correct notification page to the user, for example a block page when the SSL site belongs to a category the end user is prevented from accessing, or the Pre-logon welcome page for authentication.

Note: SSL decryption is not possible for connections that use Encrypted Client Hello (ECH).

To implement SSL decryption for your end users, you need a root certificate installed as a trusted root on each client machine; this certificate acts as the Certificate Authority for the SSL connections that the cloud proxy decrypts.

To install the root certificate for your end users and enable notification pages for SSL sites:

Steps

  1. On the Web Categories tab, click the root certificate link and download the certificate to a location on your network. You can then deploy the certificate manually, using your preferred distribution method.
  2. Once the certificate has been deployed, return to this page and toggle the SSL decryption switch to ON.
  3. Click Save.
    Note: You should also define a certificate when you add an appliance and install that certificate on users’ machines, to avoid browser warnings when SSL is terminated for block, authentication, or quota/confirm operations. See Generating device certificates.
    Note: Beginning with version 26.02, SSL decryption settings apply to hostnames and IP addresses defined in custom categories. If you include URL paths in a category entry (for example, example.com/login) and those paths must be decrypted, make sure that SSL decryption is also enabled for the hostname (example.com) in either the custom category or the matching standard category. URL paths alone will not trigger SSL decryption unless the associated hostname is configured for decryption.
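An added check that models the rule in this note; it is example code written for this page, not part of the product. It assumes category entries are plain strings such as example.com, 10.0.0.5 or example.com/login, that the standard category's decrypted hosts can be supplied as a list, and that only an exact hostname match counts (no wildcard or subdomain handling). It reports which hosts will be decrypted and which path-only entries would be left undecrypted.

```python
from urllib.parse import urlsplit

# Constructed sample data (not taken from any real deployment).
CUSTOM_CATEGORY = [
    "example.com/login",         # path entry, covered by the next line
    "example.com",               # hostname entry
    "intranet.local/reports",    # path entry with no matching hostname
    "10.0.0.5",                  # IP address entry
    "portal.example.org/admin",  # path entry covered by the standard category
]
STANDARD_DECRYPTED = ["portal.example.org"]  # hosts the standard category decrypts


def split_entry(entry):
    """Split 'example.com/login' into ('example.com', '/login'); a bare
    hostname or IP gives an empty path. Scheme optional, host lower-cased."""
    text = entry.strip()
    if "://" not in text:
        text = "https://" + text  # urlsplit only finds the host after a scheme
    parts = urlsplit(text)
    host = (parts.hostname or "").lower()
    path = "" if parts.path in ("", "/") else parts.path
    return host, path

def decryption_coverage(custom_entries, standard_decrypted_hosts=()):
    """Return (decrypted_hosts, uncovered_entries).
    Hostname and IP entries are decrypted, as are hosts the matching standard
    category already decrypts. Path entries whose hostname is in neither set
    are returned as uncovered: they will not trigger decryption on their own.
    Assumption: exact hostname match only (no wildcard/subdomain handling).
    """
    decrypted = {h.lower() for h in standard_decrypted_hosts}
    path_entries = []
    for entry in custom_entries:
        host, path = split_entry(entry)
        if not host:
            continue  # malformed entry, nothing to match on
        if path:
            path_entries.append((entry, host))
        else:
            decrypted.add(host)
    uncovered = [entry for entry, host in path_entries if host not in decrypted]
    return decrypted, uncovered

if __name__ == "__main__":
    hosts, missing = decryption_coverage(CUSTOM_CATEGORY, STANDARD_DECRYPTED)
    print("decrypted hosts:", sorted(hosts))
    for entry in missing:
        print("WARNING: path entry without a decrypted hostname:", entry)
```

Run it against an export of your own category entries before enabling decryption; any entry it lists under WARNING needs its hostname added to a decrypted category.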