• How do I enable TLS/SSL interception for Cloud SWG (formerly known as WSS)?
• How do I bypass certain sites or categories from SSL interception for CloudSWG?
• After enabling SSL Interception, the service apparently does not intercept some sites.

Enable TLS/SSL interception

To enable TLS/SSL interception: 

After you enable TLS/SSL interception, your end users might begin receiving SSL warnings in the browser because the CA which signs the intercepted traffic is not automatically trusted by the browsers.

You must manually download the CloudSWG TLS/SSL Root Certificate and install it into the browser Trusted Root Certification Authorities. This can normally be pushed out to your browsers through your internal organizations group-policy (GPO).

See Install the SSL root certificate below.

Install the SSL root certificate in Internet Explorer and Chrome.

To install the SSL Root Certificate manually

1. In the Cloud SWG portal, navigate to Service -> Network -> SSL Interception.
2. Under the SSL Root Certificate section, click Download.
3. In the Start menu, search for and open Internet Options.
   
   
    
4. In the Internet Options window, click on the Content tab, then click Certificates.
   
   
    
5. Click on Import.
   
   
    
6. Click Next on the Import Wizard.
7. Click Browse and find the CertEmulationCA.crt file that you downloaded earlier. Then click Next.
8. Click Browse and select Trusted Root Certification Authorities from the list.
   
   
9. Click Next and then Finish.
10. Click Yes on the security warning that pops up.

By default, the following categories are not intercepted, as they might contain private/personal information:

• Brokerage/Trading
• Financial Services
• Health

To edit these categories, select "TLS/SSL Interception Policy" and tick the categories to bypass SSL interception (or clear any categories).

You can also bypass specific domains or IP addresses in the same policy section.

Additional information

See About Scanning Encrypted Traffic.

See Create SSL Policy.