Bypassing SSL decryption for specific sites

The SSL Decryption Bypass option enables you to define specific websites that are not subject to decryption as they flow through the proxy. Some websites may include personal identification information that should not be decrypted. To avoid liability for inspecting this type of information, you may want to specify some or all of these sites for decryption bypass. The selected sites will not be decrypted even if the category or categories that the sites belong to are selected for SSL analysis.

End users can determine that the website they are viewing is not decrypted by checking who has issued the certificate for that site. If the certificate was issued by Websense, Inc., or Forcepoint LLC, traffic to the site has been decrypted.

Note:

End user single sign-on uses SSL decryption to handle encrypted traffic and redirect SSL sites for authentication. If you have enabled single sign-on in a policy, you can maintain, on the Web Categories tab, a list of hostnames for which SSL decryption is not performed.

An end user accessing one of the specified hostnames using HTTPS will not be able to use single sign-on. End users can still access these sites using HTTP and authenticate successfully.

To set up the bypass of SSL decryption for certain sites:

Steps

  1. Under SSL Decryption Bypass on the Web Categories tab, enter a site’s hostname in the entry field.
    • You can enter multiple hostnames, each on a separate line.
    • You can use the asterisk wildcard in a hostname, for example *.google.com.
    • To edit or delete an existing site, select the name in the entry field and make your change.
  2. Click Save.
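After saving, the issuer check described above can be run over the whole bypass list from a client behind the proxy. The following is an added example, not part of the original page or Forcepoint's own tooling. It assumes the proxy's root certificate is in the client's trust store; the SAMPLE hostnames are constructed, and the `proxy` parameter and substring matching of issuer names are assumptions of the example.

```python
import socket
import ssl

# Issuer names the page ties to decrypted traffic. Matching them as lowercase
# substrings of any issuer attribute is an assumption of this example.
DECRYPTING_ISSUERS = ("websense", "forcepoint")

# Constructed getpeercert()-style results for an offline dry run.
SAMPLE = {
    "bank.example": {"issuer": ((("organizationName", "Example Public CA"),),)},
    "mail.example": {"issuer": ((("organizationName", "Forcepoint LLC"),),)},
}

def is_decrypted(cert):
    """True if the certificate's issuer is the decrypting proxy."""
    values = [v.lower() for rdn in cert.get("issuer", ()) for _k, v in rdn]
    return any(name in v for v in values for name in DECRYPTING_ISSUERS)

def fetch_cert(host, port=443, proxy=None, timeout=10):
    """Fetch the validated server certificate, directly or via proxy=(host, port)."""
    sock = socket.create_connection(proxy or (host, port), timeout=timeout)
    try:
        if proxy:  # explicit proxy: tunnel with HTTP CONNECT first
            target = f"{host}:{port}"
            sock.sendall(f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode())
            reply = b""
            while b"\r\n\r\n" not in reply:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                reply += chunk
            if b" 200" not in reply.split(b"\r\n", 1)[0]:
                raise ConnectionError(f"proxy refused CONNECT to {target}")
        with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
    finally:
        sock.close()

def audit(bypass_entries, fetch=fetch_cert):
    """Map each bypass entry to 'bypassed', 'decrypted', 'wildcard' or an error."""
    results = {}
    for entry in (e.strip() for e in bypass_entries if e.strip()):
        if "*" in entry:  # e.g. *.google.com: test a concrete host under it
            results[entry] = "wildcard"
            continue
        try:
            results[entry] = "decrypted" if is_decrypted(fetch(entry)) else "bypassed"
        except OSError as exc:  # covers DNS, socket and TLS validation errors
            results[entry] = f"error: {exc.__class__.__name__}"
    return results
```

A `decrypted` result for a hostname on the bypass list means the bypass is not taking effect for that client. Calling `audit(entries, fetch=SAMPLE.__getitem__)` exercises the logic offline against the constructed certificates.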