
Web Isolation: Trusted Server Certificate


Article ID: 173418


Products

Web Isolation

Issue/Introduction

This article is intended for users of SymDiag. Though general readers may benefit from the article’s contents, any solutions, insights, or guidance are geared toward those using SymDiag.

Problem

The end user cannot browse through the Web Isolation platform due to certificate trust errors.

Cause

Web Isolation Proxy intercepts SSL traffic by posing as a “man in the middle.” To play that role, the Web Isolation Server signs server certificates on the fly with the zone’s CA certificate. This CA must be trusted by the end user’s browser.

NOTE: In a downstream proxy scenario that also intercepts SSL traffic, the end user’s browsers will trust the Certificate Authority (CA) of the downstream proxy.

Resolution

Using the management console UI, the Web Isolation administrator should verify that the zone’s Certificate Authority (CA) is trusted by the end user’s browser.

NOTE: IE and Chrome share the same system certificate store, whereas Firefox maintains its own.
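One way to run this check on a Windows endpoint is sketched below. It is an added example, not part of the original article or of the product. It assumes the zone CA has been exported from the management console to a file; the path `C:\Temp\zone-ca.cer` and the function name `Test-ZoneCaTrust` are hypothetical.

```powershell
# Added example: is the exported zone CA trusted by the Windows system store
# (the store IE and Chrome use)? The default path is a placeholder.
param([string]$CaPath = 'C:\Temp\zone-ca.cer')

function Test-ZoneCaTrust {
    param([Parameter(Mandatory)][string]$Path)

    # Load the exported CA certificate (DER or Base64-encoded .cer).
    $file = (Resolve-Path -Path $Path).Path
    $ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # A certificate used to sign others must have Basic Constraints CA=true.
    $bc = $ca.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # Direct trust: same thumbprint present in a trusted root store.
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
    $foundIn = @(foreach ($s in $stores) {
        if (Get-ChildItem -Path $s | Where-Object Thumbprint -eq $ca.Thumbprint) { $s }
    })

    # Chain trust: also covers a zone CA issued by an already trusted root.
    # Revocation is skipped so the check works without network access.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($ca)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Subject       = $ca.Subject
        Thumbprint    = $ca.Thumbprint
        IsCa          = $isCa
        NotAfter      = $ca.NotAfter
        InRootStores  = $foundIn
        ChainTrusted  = $chainOk
        ChainProblems = $problems
    }
}

$result = Test-ZoneCaTrust -Path $CaPath
$result | Format-List
if (-not $result.ChainTrusted) {
    Write-Warning 'Zone CA does not chain to a trusted root in the Windows store.'
}
# Firefox maintains its own certificate store and is not covered by this check.
```

A `ChainProblems` value such as `UntrustedRoot` or `NotTimeValid` indicates whether the CA is missing from the store or has expired.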

For further information, see the Symantec Threat Isolation Platform (STIP) Guide for Administrators section on Configuring Security Policy Settings > Configuring System Certificates.