(Cloud) Going to Google properties results in SSL errors, even though I have SSL intercept disabled

book

Article ID: 168835

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

SYMPTOMS:

SSL Intercept is disabled for my account

SSL Intercept is disabled for google.com
I have Google Safe Search enabled
I am being prompted with a certificate warning
The untrusted CA is the Cloud Services Root CA, or Cloud Services CA or DPx-SG1-YYY, where x=1 to 20, where YYY is a location, such as DA1, DE1, DC5, SV2, CH2, etc.

Resolution

With the release of Web Security Service 6.8.2 on October 23, 2015, there are some changes to safe search.  The 6.8.2 release notes state the following:

============================

Force Safe Search Changes
  • This release introduces changes to the Force Safe Search feature. The feature now fully supports Google safe search.
If you had previously enabled Safe Search and specified actions for specific engines, the Web Security Service defaults to this policy: Enable Safe Search for Google Search and Allow Unsafe Searches.
http://portal.threatpulse.com/docs/sol/Solutions/ManagePolicy/AdvancedPolicy/advpol_safesearch_ta.htm
============================


The Advanced Policy Safe Search Link above references the following information:


============================

When Safe Search is enabled, the Web Security Service performs minimal SSL interception, which is required for policy enforcement. This is regardless of the current SSL Interception enabled/disabled state (Network > SSL Interception). If your employee base reports certificate warnings, deploy the Web Security Service trusted certificate. See Examine Encrypted (HTTPS) Traffic.
============================

If you are unable to deploy the Web Security Service (Cloud) Root CA to your workstations, you can disable Google Safe Search until the certificate has been deployed to your user base.  Once the cert has been deployed, then you can re-enable Google Safe Search.