By default, the SSL proxy only intercepts HTTPS traffic when there is an exception—such as a certificate error—and tunnels all other HTTPS traffic. However, if you want to apply other security measures such as virus scanning or content filtering to SSL traffic you must configure the appliance to intercept SSL traffic. Keep in mind that the encryption and decryption operations required for SSL intercept are resource intensive; therefore you should only intercept the SSL traffic that you believe poses a threat to your network. You specify what SSL traffic to intercept by creating policy rules in the SSL Intercept layer.
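The following SSL Intercept layer, written in the appliance's Content Policy Language (CPL), is an added example and is not taken from the ProxySG documentation or from any shipped default policy. The group name `Finance` and the issuer keyring name `ssl_intercept_keyring` are placeholders I have assumed, and the example assumes an earlier policy layer has already authenticated the user so that group membership can be evaluated.

```cpl
; Added example (not from the original documentation).
; "Finance" and "ssl_intercept_keyring" are placeholder names.
<ssl-intercept>
    ; Decrypt HTTPS only for authenticated members of the Finance group, so that
    ; virus scanning and content filtering can be applied to their sessions.
    ; The named issuer keyring is used to emulate the origin server's certificate.
    group="Finance" ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring("ssl_intercept_keyring")
    ; Every other HTTPS session is tunneled untouched. Within a layer the first
    ; matching rule wins, so this catch-all rule must stay last.
    ssl.forward_proxy(no)
```

Keeping the explicit tunnel rule at the end makes the policy's intent auditable: anyone reading it can see that decryption is limited to one group rather than applied to all HTTPS traffic, which also keeps the resource cost of SSL intercept bounded as the paragraph above recommends.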
One way to define which SSL traffic to intercept is to restrict intercept based on user or group membership as follows:
1. Make sure you have an SSL license.
Although some appliance models include an SSL license, other models require that you purchase and install an add-on license. To see whether you have a valid SSL license, launch the Management Console and select Maintenance > Licensing > View. You should see an entry for SSL in the list of licensed components.
2. Set up the issuer keyring and CA certificate list (CCL) to allow the ProxySG appliance to emulate server certificates.
When the ProxySG appliance intercepts HTTPS traffic, it establishes two separate SSL connections: one between the client and the appliance and one between the appliance and the OCS (origin content server). In order to establish the SSL connection with the client and to enable it to decrypt the data, the appliance emulates the OCS certificate, making itself (the ProxySG appliance) the certificate issuer. To enable this behavior you must:
a. Determine which keyring to use to emulate OCS certificates. You can: