Introduction

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the industry standards for secure transmission of data on the Internet. They rely on data encryption and a system of trusted certificates issued by certificate authorities (CAs) that are recognized by clients and servers. SSL/TLS requests made in a browser are easily identified by the "https" scheme at the start of the URL.

In the topics that follow, for convenience and simplicity, SSL/TLS is referred to simply as SSL.

To establish an SSL connection, the client sends an SSL connection request to the server. If the server consents, the client and server use a standard handshake to negotiate an SSL connection.

Content Gateway offers two types of support for HTTPS traffic. Only one can be used at a time.

  • Simple connection management in which Content Gateway performs URL filtering and then allows the client to make the connection with the server.
    Note: Even when HTTPS support is not enabled and HTTPS is not decrypted, Content Gateway performs a URL lookup and applies policy. In these circumstances:

    • In explicit proxy mode, Content Gateway performs URL filtering based on the hostname in the request. If the site is blocked, Content Gateway serves a block page. Some browsers do not support display of the block page.

      To prevent this URL filtering, configure clients to not send HTTPS requests to the proxy.

    • In transparent proxy mode, if the request carries a Server Name Indication (SNI) extension in the TLS ClientHello, Content Gateway takes the hostname from the SNI and performs URL filtering based on that hostname. Otherwise, Content Gateway uses the Common Name in the certificate of the destination server. If the Common Name contains a wildcard (*), the lookup is performed on the destination IP address. If the site is blocked, the connection with the client is dropped; no block page is served.

      To prevent this URL filtering with WCCP, do not create a service group for HTTPS.

  • Advanced connection management in which Content Gateway:
    • Proxies requests
    • Decrypts content and performs real-time content and security analysis
    • Re-encrypts content for delivery to the client or origin server
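As an added illustration of the transparent-mode lookup order described above (SNI first, then the server certificate's Common Name, then the destination IP when the Common Name is a wildcard), the following Python is example code written for this page, not Content Gateway's own implementation. It parses the SNI out of a TLS ClientHello and applies that fallback order; the ClientHello it uses as input is constructed inline, not captured traffic.

```python
import ipaddress
import struct

def extract_sni(record):
    """Return the host_name in a ClientHello's SNI extension, or None if absent."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None  # not a TLS handshake record carrying a ClientHello
    try:
        pos = 43  # 5 record hdr + 4 handshake hdr + 2 version + 32 random
        pos += 1 + record[pos]                                  # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
        pos += 1 + record[pos]                                  # compression methods
        pos, ext_end = pos + 2, pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0:  # server_name extension
                p = pos + 2    # skip the server_name_list length
                while p + 3 <= pos + ext_len:
                    name_len = struct.unpack("!H", record[p + 1:p + 3])[0]
                    if record[p] == 0:  # name_type host_name
                        return record[p + 3:p + 3 + name_len].decode("ascii")
                    p += 3 + name_len
            pos += ext_len
    except (struct.error, IndexError, UnicodeDecodeError):
        return None  # truncated or malformed ClientHello: treat as "no SNI"
    return None

def lookup_key(sni, cert_cn, dest_ip):
    """Value used for the URL-filtering lookup, in the order the text gives."""
    if sni:
        return sni
    if cert_cn and "*" not in cert_cn:
        return cert_cn
    return str(ipaddress.ip_address(dest_ip))  # wildcard CN or no CN: use the IP

def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello (sample input, not a capture)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"    # one cipher suite
    body += b"\x01\x00"                           # one compression method (null)
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        lst = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(lst)) + lst
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # handshake hdr + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header
```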

When advanced connection management (also called HTTPS support or SSL support) is enabled, each HTTPS request consists of two separate SSL sessions:

  • One from the client browser to Content Gateway. This is the inbound connection.
  • Another from Content Gateway to the origin server that will receive the secure data. This is the outbound connection.

Different certificates are required for each session.