Symantec Web Gateway (SWG) - Best Practice: SSL Decryption Policy


Article ID: 157243


Updated On:


Web Gateway


You wish to understand the correct policy order to use when utilizing the Web Gateway SSL decryption proxy.


The correct way to configure the policies when using SSL decryption is to arrange them in the following order:

  1. Authentication policy (If using. Only required if using NTLM authentication).
  2. SSL Decryption Policies (Required if SSL Interception to DLP or for AV scanning is required).
  3. Blocking policies.

SSL Decryption Policy Configuration:
The SSL Decryption policy is essentially a filter to intercept and redirect all SSL traffic that needs to be decrypted, generally in order to send it to DLP. In general, it would be assumed that this traffic will not be blocked (unless a negative DLP response is returned).

Configuration options:

  1. Configure the SSL policy to “Intercept” all categories: This will have the advantage of correctly display a blocking page on those SSL sites that are blocked, but it will place additional resource overhead on the SSL proxy. A single SSL decryption policy intercepting all SSL traffic is required.
  2. Configure the SSL decryption policy to intercept only those categories that you do not wish to explicitly block. Note that this may require more than one SSL decryption policy in order to tune individual policies that apply to specific groups. This has the advantage of minimizing the overhead on the SSL proxy, but blocked sites will display a blank page because the SSL traffic is tunnelled.

In the second scenario, if for example you want to run DLP on everyone’s Blog posts, but also on the Web mail of Sales, you would need two separate SSL decryption policies; one for Sales above a general policy for all. The Sales SSL policy would apply to Sales LDAP group only, and would ignore everything but Web Mail and Blogs, while the general SSL decryption policy would ignore everything but blogs. You could then apply whatever blocking policies you wish below the SSL policies to apply to the ignored traffic.

Remember that if you wish to intercept SSL traffic, you need to import the SWG root certificate on all machines that will be using the SSL proxy (see HOWTO54180 and HOWTO54181).

DLP Network Prevent configuration

Consult your DLP documentation for direction on implmenting DLP Network Prevent configuration. Symantec does recommend however that you choose to remove/replace the POST/PUT content RATHER THAN block the connection. This will prevent the user from seeing an inexplicable browser error or connection time out, and reduce the impact on the user experience while posting or uploading files.

Applies To

The Web Gateway is running in inline-proxy or proxy-only mode. The SSL decryption proxy has been configured.