Intercepting HTTPS traffic


Article ID: 166616


Products

ProxySG Software - SGOS

Issue/Introduction

Intercepting HTTPS traffic

Resolution

The SSL proxy tunnels HTTPS traffic by default; it does not intercept HTTPS traffic. Many existing policy conditions, such as destination IP address and port number, can be used to decide which HTTPS connections to intercept. Additionally, the SSL proxy allows the hostname in the server certificate to be used to decide whether to intercept or tunnel the traffic.

Once the HTTPS connection is intercepted, you can apply the following:

  • Anti-virus scanning over ICAP.
  • URL filtering.
  • Filtering based on the server certificate hostname or lack of a server certificate hostname.
  • Caching.

Notes: HTTPS applications that require browsers to present client certificates to secure web servers do not work if you are intercepting traffic. Create a policy rule so that such applications are not intercepted.
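The intercept-or-tunnel decision described above, modeled in Python as an added example; it is not SGOS policy syntax and not code from the product. First-match-wins ordering, the `Rule` and `decide` names, and the sample hostnames and addresses are assumptions made for the illustration.

```python
# Added illustration: a model of the intercept-or-tunnel decision, not SGOS policy syntax.
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

@dataclass
class Rule:
    action: str                       # "intercept" or "tunnel"
    dest_net: Optional[str] = None    # destination CIDR; None matches any address
    dest_port: Optional[int] = None   # destination port; None matches any port
    cert_host: Optional[str] = None   # glob against the server certificate hostname;
                                      # "" matches only a certificate with no hostname

    def matches(self, ip, port, cert_hostname):
        if self.dest_net and ipaddress.ip_address(ip) not in ipaddress.ip_network(self.dest_net):
            return False
        if self.dest_port is not None and port != self.dest_port:
            return False
        if self.cert_host is not None:
            if self.cert_host == "":
                return cert_hostname is None
            if cert_hostname is None or not fnmatch(cert_hostname.lower(), self.cert_host.lower()):
                return False
        return True

def decide(rules, ip, port, cert_hostname=None):
    """First matching rule wins (assumed ordering); no match means tunnel, the default."""
    for rule in rules:
        if rule.matches(ip, port, cert_hostname):
            return rule.action
    return "tunnel"

# Constructed sample policy: hostnames and addresses are placeholders.
POLICY = [
    # Site that requires browser client certificates: exempt it before any intercept rule.
    Rule("tunnel", cert_host="clientcert.example.com"),
    Rule("intercept", dest_net="203.0.113.0/24", dest_port=443),
    Rule("intercept", cert_host="*.example.org"),
    Rule("intercept", cert_host=""),  # server certificate carries no hostname
]

if __name__ == "__main__":
    for conn in [("203.0.113.10", 443, "clientcert.example.com"),
                 ("203.0.113.10", 443, "shop.example.net"),
                 ("198.51.100.7", 443, None),
                 ("198.51.100.7", 443, "other.example.net")]:
        print(conn, "->", decide(POLICY, *conn))
```

Placing the client-certificate exemption first keeps that site tunneled even when its address also falls inside an intercepted network.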

If you intercept HTTPS traffic, be aware that local privacy laws might require you to notify the user about interception or obtain consent prior to interception. You can use the HTML Notify User object to notify users after interception, or you can use consent certificates to obtain consent prior to interception.

For the steps to set up interception of HTTPS traffic, refer to the Configuration and Management Guide (CMG) for the version of SGOS that you are running. The CMG is located at https://bto.bluecoat.com/ .