Enabling SSL decryption

SSL (Secure Sockets Layer) is the industry standard for transmitting secure data over the Internet. It is based on a system of trusted certificates issued by certificate authorities and recognized by servers.

When you enable SSL decryption for your end users, SSL-encrypted traffic is decrypted, inspected, and then re-encrypted before it is sent to its destination. This enables the cloud proxy to serve the correct notification page to the user: for example, a block page if the SSL site is in a category that the end user is prevented from accessing, or the Pre-logon welcome page for authentication.

Note: Encrypted client hello is not supported when decrypting traffic.

To implement SSL decryption for your end users, you need a root certificate on each client machine that acts as a Certificate Authority for SSL requests to the cloud proxy.

To install the root certificate for your end users and enable notification pages for SSL sites:

Steps

  1. On the Web Categories tab, click the root certificate link and download the certificate to a location on your network. You can then deploy the certificate manually, using your preferred distribution method.
  2. Once the certificate has been deployed, return to this page and toggle the SSL decryption switch to ON.
  3. Click Save.
    Note: You should also define a certificate when you add an appliance and install that certificate on users’ machines, in order to avoid browser warnings regarding SSL termination block, authentication, or quota/confirm operations. See Generating device certificates.