HTTPS Compatibility
This section describes several areas of compatibility to be aware of prior to enabling HTTPS scanning. It is instructive to first review how HTTPS web requests work, and how HTTPS scanning operates.
- The browser negotiates a secure connection directly to the remote site. Once connected, the user can inspect the certificate authority if needed. If the remote site uses an unrecognized certificate authority, the browser first prompts the user to inspect and accept that site’s certificate authority.
- The certificate authority contains a key that verifies the authenticity of the encrypted content received from the secure website, which the SSL software then decrypts.
- Any information that the user submits to the secure website is also encrypted, and the authenticity of their submission is similarly verified by the certificate authority.
The Web Appliance provides two security features related to this process: certificate validation and HTTPS scanning.
Certificate Validation
End users often have little knowledge about the reliability of a certificate authority, so they tend to accept certificate authorities without knowing whether they come from trusted sources. To overcome this problem, the Web Appliance includes the most reliable certificate authorities, and it can automatically validate certificate authorities against the Sophos certificate authority list. You can also add custom certificate authorities. This allows you to prevent users from accepting certificate authorities themselves.
HTTPS Scanning
To provide secure sessions between commercial or banking sites and users, HTTPS encrypts web content between the website server and the user’s browser. While the traffic between the two is encrypted during an HTTPS session, the content that is delivered is no less likely to be infected with viruses or other malware.
To scan encrypted content, the content must first be decrypted, then scanned, then re-encrypted for delivery to the requesting end-user’s browser. Doing this maintains the privacy of the encrypted content, as the process is done automatically without human eyes viewing the content.
However, because the traffic has been decrypted, the browser can no longer use the original site certificate to authenticate the connection, so the appliance replaces it with a certificate that it generates automatically, signed by a Sophos-generated certificate authority. Because the original certificate is replaced, you must download and install the Sophos-generated certificate authority into your users’ browsers. This can be done as a centralized system administration operation using Group Policy Objects.
In greater detail, the following diagram shows how the Web Appliance handles HTTPS scanning:
[Figure: HTTPS scanning process diagram]
HTTPS Compatibility with Sites
Many financial sites require that clients use a specific certificate authority to establish an HTTPS session with the financial institution’s site. During HTTPS scanning, the appliance replaces the client certificate with its own certificate. Therefore, financial institutions that require special client certificates do not support HTTPS scanning. It is highly recommended that administrators enable the option to Exempt Financial & Investment sites from HTTPS scanning for maximum compatibility. This option is enabled by default when HTTPS scanning is enabled.
Some web services are incompatible with proxies that scan HTTPS content, and, therefore, it is recommended that you exempt them from HTTPS scanning. Of these, the Webex service webex.com is exempted from HTTPS scanning by default.
Some software applications use HTTPS for registration and expect specific certificates from the systems that are registering. When HTTPS scanning is enabled and the appliance generates its own certificate, such applications may not operate correctly. Of these, the Windows Vista activation site, sls.microsoft.com, is exempted from HTTPS scanning by default.
For a complete list of known sites that are incompatible with HTTPS scanning, refer to the section Managing HTTPS Scanning Exemptions, and add sites from the list to be exempt from HTTPS scanning as required.
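As an added example (not part of the Sophos documentation), the following script shows one way an administrator can confirm whether a given site is actually being scanned or is passing through as an exemption: it classifies the certificate the client sees by its issuer, since a scanned site presents an appliance-generated certificate while an exempted site presents its original one. The appliance CA name is a placeholder, and the sample certificates are constructed in the format that Python’s ssl.getpeercert() returns.

```python
import socket
import ssl

# Placeholder: the commonName of the appliance-generated CA. The page does not
# state it; take the real value from the CA you exported from the appliance.
APPLIANCE_CA_CN = "Sophos Web Appliance CA (placeholder)"


def rdn_value(name_tuple, attr):
    """Extract one attribute (e.g. 'commonName') from the nested RDN tuple that
    ssl.SSLSocket.getpeercert() returns for the 'subject' and 'issuer' keys."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def classify_cert(cert, appliance_ca_cn=APPLIANCE_CA_CN):
    """Return 'intercepted' if the certificate was issued by the appliance CA
    (HTTPS scanning is active for this site), otherwise 'passthrough'."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    return "intercepted" if issuer_cn == appliance_ca_cn else "passthrough"


def check_site(host, port=443, appliance_ca_cn=APPLIANCE_CA_CN, timeout=5.0):
    """Connect over the normal network path and classify the certificate the
    browser would see. Assumes the appliance CA is already in the system trust
    store (as the deployment instructions require); for a scanned site the
    handshake otherwise fails with a certificate verification error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return classify_cert(cert, appliance_ca_cn), rdn_value(cert["issuer"], "commonName")


# Constructed sample: what a scanned site looks like to the client.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "Example Org"),),
               (("commonName", "Sophos Web Appliance CA (placeholder)"),)),
}
# Constructed sample: an exempted site presenting its original issuer.
SAMPLE_EXEMPT = {
    "subject": ((("commonName", "webex.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
}

if __name__ == "__main__":
    for name, cert in (("bank", SAMPLE_INTERCEPTED), ("webex", SAMPLE_EXEMPT)):
        print(name, classify_cert(cert))
```

Run check_site("webex.com") from a client behind the appliance to confirm the default exemption: it should report passthrough with the site’s own issuer rather than the appliance CA.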