Enabling SSL support

Steps

  1. In the Content Gateway manager, go to the Configure > My Proxy > Basic > General tab.
  2. Under Features > Protocols, set HTTPS to On.
    Note: If you are deployed with the DLP Module and it is configured to inspect HTTPS traffic, you must enable HTTPS.
  3. Click Apply and then Restart.
  4. Enter the name of the SSL certificate file. See Creating a subordinate certificate authority.
  5. Go to the Configure > Protocols > HTTPS page.
  6. Specify the HTTPS Proxy Server Port used for client to Content Gateway connections (8080, by default).
    If traffic is transparent on 443, a default ARM redirection rule redirects the requests to 8080. See Configure > Networking > ARM > Redirection Rules.
  7. To tunnel HTTPS requests when the SSL handshake results in an unknown protocol error, set Tunnel Unknown Protocols to Enabled.
    Note:

    By default, Content Gateway does not try to tunnel non-SSL traffic. To change this, update the records.config file (in /opt/WCG/config, by default) as follows:

    CONFIG proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic INT 1

    Restart Content Gateway to implement the change.

    Set the value to 0 to turn off tunneling of non-SSL traffic.

    Warning: Tunneled connections are not decrypted or inspected.

    When tunneling is enabled, Forcepoint Web Security behavior varies based on the type of proxy deployment.

    • When Content Gateway is an explicit proxy, a URL lookup is performed and policy is applied before the SSL connection request is made. Transactions are logged as usual.
    • When Content Gateway is a transparent proxy, if there is an SNI in the request, Content Gateway gets the hostname from the SNI and performs URL filtering based on the hostname. Otherwise, when Content Gateway sends the connect to the server, the unknown protocol error causes the request to be tunneled without the proxy being aware of it, and no transaction is logged.

    Tunneling of WebSocket traffic over HTTPS (secure mode) is enabled by default.

    Note: Client authentication may not work correctly for WebSocket traffic. To avoid the issue, it is recommended that a filtering rule be added for each WebSocket Primary Destination Type so client requests to those destinations are not authenticated. See Configure > Security > Access Control > Filtering for instructions.
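The records.config setting described under step 7, as an added shell example that is not Forcepoint's tooling: it reads, sets and audits proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic in a records.config file, and the sample file and its placeholder key are constructed here rather than taken from a real deployment.

```shell
#!/bin/sh
# Added example, not Forcepoint's own tooling: read, set and audit the
# proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic key in a
# records.config file. Each function takes the file path as its first argument.
KEY='proxy.config.ssl_decryption_bypass.tunnel_non-ssl_traffic'

# Print the key's INT value; an absent key reports 0 (the documented default).
get_tunnel_non_ssl() {
    awk -v key="$KEY" '
        $1 == "CONFIG" && $2 == key && $3 == "INT" { v = $4 }
        END { print (v == "" ? 0 : v) }' "$1"
}

# Set the key to 0 or 1, replacing an existing line or appending one.
# Content Gateway must still be restarted for the change to take effect.
set_tunnel_non_ssl() {
    file="$1"; val="$2"
    case "$val" in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 1 ;; esac
    tmp="$file.tmp.$$"
    awk -v key="$KEY" -v val="$val" '
        $1 == "CONFIG" && $2 == key && $3 == "INT" { print "CONFIG " key " INT " val; found = 1; next }
        { print }
        END { if (!found) print "CONFIG " key " INT " val }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Return 0 when non-SSL tunneling is off and 1 (with a warning) when it is on,
# because tunneled connections are not decrypted or inspected.
audit_tunnel_non_ssl() {
    if [ "$(get_tunnel_non_ssl "$1")" = "1" ]; then
        echo "WARNING: non-SSL traffic is tunneled without inspection ($1)" >&2
        return 1
    fi
    return 0
}

# Constructed sample records.config with a placeholder key (not a real deployment file).
sample=$(mktemp)
printf 'CONFIG proxy.config.example_placeholder INT 0\n' > "$sample"
set_tunnel_non_ssl "$sample" 1
audit_tunnel_non_ssl "$sample" || echo "remediating: turning non-SSL tunneling off"
set_tunnel_non_ssl "$sample" 0
audit_tunnel_non_ssl "$sample" && echo "ok: non-SSL tunneling is off"
rm -f "$sample"
```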