Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco ScanCenter Administrator Guide, Release 5.2

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Cisco ScanCenter Administrator Guide, Release 5.2

Chapter Title

Secure Traffic Inspection

Results

Updated:
September 25, 2019

Chapter: Secure Traffic Inspection

Secure Traffic Inspection

Overview

When a user connects to a website using HTTPS, the session is encrypted with a digital certificate. When secure traffic inspection is enabled, Cisco Cloud Web Security forwards all self-signed, expired, invalid, and revoked certificates.

Secure traffic inspection decrypts and scans the HTTPS traffic passing through Cisco Cloud Web Security for threats and carries out actions based on your policy settings. If the traffic is deemed safe, it is re-encrypted and passed back to your organization with a new SSL certificate.

All users must have an SSL certificate deployed to their web browser. You can generate a certificate in Cisco ScanCenter with Cisco as the Certificate Authority (CA), or alternatively, download a Certificate Signing Request (CSR) and use it with a tool (such as Microsoft Certificate Services or OpenSSL) to generate and upload your own certificate (where your organization is the CA). The certificate is then associated with your secure traffic inspection policy.

When using a CSR, the following fields must be present in the certificate: 

X509v3 Basic Constraints:
       CA:TRUE

With OpenSSL, the command openssl x509 -extfile v3_ca.txt -req -days 365 -in scancenter.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out scancenter.crt performs this function, where v3_ca.txt contains the following: 

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

Two changes are required on the client:

  1. Proxy settings for SSL traffic must be configured in the client web browser or on your organization’s firewall or gateway device.
  2. The Cisco root certificate must be imported into the client web browser to enable it to trust SSL connections with Cisco Cloud Web Security.

    Note
    Browsers may automatically import the certificate to the Intermediate Certificate Authorities store. However, the certificate must be placed in the Trusted Root Certificate store for Secure Traffic Inspection to function correctly.

Legal Disclaimer

It is your responsibility to determine if it is legal for you to inspect HTTPS traffic in your jurisdiction. Switching on this functionality will permit Cisco Cloud Web Security to inspect HTTPS traffic. While all such inspection is carried out automatically, rather than by individuals, such decryption may nonetheless be in breach of privacy laws in certain countries. By enabling this functionality, you agree that you have the legal right to decrypt this traffic in all relevant jurisdictions and that you have obtained all necessary consent from your users to do so.

In most jurisdictions you are required by law to inform your users that secure traffic is being inspected. It is possible to present an HTML page to the user that states that the session will be decrypted and that gives the user the option to continue or not. However, if you do this, you will not be able be able to use the standard warning page for other purposes.

Procedure

Step 1

In Web Filtering > Notifications > User Messages, edit the Customized Warn Alert Page to display an HTTPS warning.

Step 2

In the Timeout value drop-down list, click 0.

Step 3

Clear the Include standard HTML page template for warning page check box.

Note 
If you also want to display warnings for non-HTTPS pages, you can select the check box and add the HTTPS warning to the standard Acceptable Use Policy warning.
Step 4

Click Save to apply your changes.

Step 5

In Web Filtering > Management > Global Settings, select the Enable HTTP/HTTPS split check box and click Save.

Step 6

In Web Filtering > Management > Filters, create HTTPS filters for websites you want to block.

Step 7

In Web Filtering > Management > Filters, create an HTTPS filter for all categories called “HTTPS warn.”

Step 8

In Web Filtering > Management > Policy, create a block rule and add the HTTPS filters for websites you want to block.

Step 9

In Web Filtering > Management > Policy, create a warn rule and add the “HTTPS warn” filter with the anytime schedule.

Step 10

Ensure that the HTTPS warn rule has a lower priority than the HTTPS block rule, and then select the Activate check box for both rules.

To comply with privacy laws, notice is given to the user before the SSL connection is established.

You can exclude websites such as banking websites from secure traffic inspection. These websites will bypass secure traffic inspection, and the user will be connected to the site via a direct SSL connection.

Tip 

Exclude the 'scansafe.com' domain from HTTPS inspection to avoid accidentally blocking your access to ScanCenter when web browsing via CWS. Otherwise, if you've locked yourself out, log onto ScanCenter from a device that is not being redirected to CWS and cancel the setting that locked you out.

Caution 
To comply with privacy laws, CWS does not record the Path or Query fields in the logs of HTTPS requests that are inspected. However, you are responsible for ensuring that the content decryption and encryption takes place in a closed loop and that no content is cached.

Secure Sockets Layer Certificates

When you generate an SSL certificate in Cisco ScanCenter, Cisco is the Certificate Authority (CA). If you want your organization to be the CA, generate a Certificate Signing Request (CSR) in Cisco ScanCenter, use that to generate the certificate, and then upload it to Cisco ScanCenter.

Procedure

Step 1

Click the Admin tab to display the administration menus.

Step 2

In the HTTPS Inspection menu, click Certificates to display the HTTPS Certificates page.

Creating a Certificate in Cisco ScanCenter

Procedure

Step 1

Click Admin, HTTPS Inspection, and Certificates.

Step 2

Click the Create a New Certificate tab.

Step 3

In the Duration drop-down, choose the number of years before the certificate expires. The available options are one year, three years, five years, or seven years.

Step 4

Enter an Identifier.

Step 5

Enter a unique Description.

Step 6

Click Submit to apply your changes. Alternatively, navigate away from the page to abandon your changes.

What to do next

In the List of Certificates table, go to the Action column to download the certificate with either CRT or PEM extension .


Note

The certificate with PEM extension is required for users of the CWS Mobile Browser with Chrome Extension.

Using an Externally Generated Certificate

Before you begin

If you want to generate your own SSL certificate with your organization as the CA, you need SSL software such as Microsoft Certificate Services (a component of Windows Server operating systems) or OpenSSL (a toolkit included with most UNIX and UNIX-like operating systems). If you are not familiar with using SSL software, you can use Cisco ScanCenter instead to create an SSL certificate.

Procedure

Step 1

Click Admin, HTTPS Inspection, and Certificates.

Step 2

Click the Create a CSR (Certificate Signing Request) tab.

Step 3

Enter a unique name for the CSR in the Identifier box.

Step 4

Enter a Description.

Step 5

Click Next to create the CSR.

Step 6

Click Download Your CSR to download the CSR to your computer.

Step 7

Use the downloaded CSR with your SSL software to generate your SSL certificate. For details, see your SSL software support documentation. You have 30 minutes to create and upload the certificate before your current session expires.

Step 8

After you have generated your SSL certificate, click Next.

Step 9

Click Select File and navigate to the SSL certificate to associate with the CSR.

Step 10

Click Upload.

Editing a Certificate Description

Procedure

Step 1

In the Description column, click the pencil icon next to the certificate.

Step 2

Enter a new Description.

Step 3

Click the check icon to apply your change. Alternatively, click the x icon or navigate away from the page to abandon your change.

Removing a Certificate

To remove an SSL certificate, click the box next to the certificate and click Remove. You will be prompted to confirm deleting the selected certificate.

Filters

Filters enable you to set the websites and categories that will be subject to HTTPS inspection. For more information on managing filters, see Managing Filters. The following HTTPS filters are available:

  • Categories
  • Domains
  • Exceptions
  • Applications

Tip

Exclude the 'scansafe.com' domain from HTTPS inspection to avoid accidentally blocking your access to ScanCenter when web browsing via CWS. Otherwise, if you've locked yourself out, log onto ScanCenter from a device that is not being redirected to CWS and cancel the setting that locked you out.

Procedure

Step 1

Click the Admin tab to display the administration menus.

Step 2

In the HTTPS Inspection menu, click Filters to display the filters page.

Step 3

Applications that use the HTTPS protocol will not be matched against application filters unless HTTPS inspection is enabled for all traffic, or Application Decryption is enabled. If you have not enabled HTTPS inspection for all traffic and you want to enable application decryption, select the filter, and on the Applications page, select the Enable Application Decryption check box.

Policy

Policy enables you to set the rules for applying HTTPS filters.

Procedure

Step 1

On the Admin > HTTPS Inspection > Policy page, you can set the priority of a rule by clicking the up and down arrow icons and then clicking Save.

Step 2

Click Create HTTPS Rule.

Step 3

Enter a rule Name.

Step 4

In the Certificate pull-down list, select a previously generated certificate.

Step 5

In the Filter pull-down list, select a previously created filter.

Step 6

Select the Active check box to enable the rule action. Alternatively, clear the check box to activate the rule at another time.

Step 7

Search for each group that you want to use this rule by entering the group name and clicking Add Group. If no group is selected, this rule will apply to anyone. Select the Set as Exception check box to exclude this group from the rule.

Step 8

Click Submit to apply your changes. Alternatively, click Cancel or navigate away from the page to abandon your changes.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us