Certificate Trust in Web Isolation
search cancel

Certificate Trust in Web Isolation


Article ID: 219945


Updated On:


Web Isolation Web Isolation Cloud


If your network topology includes a next hop proxy/server that performs SSL termination, the CA certificate of this next hop proxy/server will sign website server certificates. The endpoint browser needs to trust only the Threat Isolation Gateway. However, Symantec Threat Isolation is aware of the next hop proxy/server and must trust it. You must therefore add the CA certificate of the next hop proxy/server to the list of Symantec Threat Isolation trusted certificates.

Fig. 1 Trusted CA Certificate


If your organization uses a next hop proxy/server and your endpoints already trust its CA certificate, the Gateway can use the same certificate for simplicity's sake. In this case, you can import your next hop proxy/server’s CA certificate into Symantec Threat Isolation.

If the network topology does not include a next hop proxy/server, or if it includes a next hop proxy/server that does not perform SSL termination, the Threat Isolation Gateway might want to trust a server certificate. In this case, it is required, that the trusted server certificate be imported and added it to the list of Symantec Threat Isolation trusted certificates.

Fig. 2 Trusted Server Certificate


Sometimes the Gateway needs to trust LAN resources, such as an Active Directory server that uses SSL for Active Directory connections and has a server certificate that is signed by an enterprise CA that is not trusted. In this case, the Gateway must trust the Active Directory server.


Adding a Trusted Certificate

  • To add a trusted certificate, go to:
    System ConfigurationTrusted CertificatesNew Trusted Certificate

  • Choose the relevant option:
    Trusted CA Certificate, or Trusted Server Certificate – Currently, Symantec Threat Isolation supports trusted server certificates only in Isolation mode. If you require a trusted certificate in Inspect mode, provide a CA certificate instead.

  • Configure the parameters described in the table below for the new trusted certificate:

  • Import the certificate file.  If the certificate is provided as text, click Import to import the certificate.