Certificate Trust in Web Isolation

Article ID: 219945

Products: Web Isolation, Web Isolation Cloud

Issue/Introduction

If your network topology includes a next hop proxy/server that performs SSL termination, the CA certificate of that next hop proxy/server signs the website server certificates that the Gateway receives. The endpoint browser needs to trust only the Threat Isolation Gateway. Symantec Threat Isolation, however, connects through the next hop proxy/server and must trust it. You must therefore add the CA certificate of the next hop proxy/server to the list of Symantec Threat Isolation trusted certificates.

Fig. 1 Trusted CA Certificate


If your organization uses a next hop proxy/server and your endpoints already trust its CA certificate, the Gateway can use the same certificate for simplicity. In this case, import your next hop proxy/server's CA certificate into Symantec Threat Isolation.

If the network topology does not include a next hop proxy/server, or includes one that does not perform SSL termination, the Threat Isolation Gateway might still need to trust a specific server certificate. In this case, import the server certificate and add it to the list of Symantec Threat Isolation trusted certificates.

Fig. 2 Trusted Server Certificate


Sometimes the Gateway needs to trust LAN resources, such as an Active Directory server that uses SSL for directory connections and presents a server certificate signed by an enterprise CA that the Gateway does not trust. In this case, the Gateway must be configured to trust the Active Directory server's certificate.

Resolution

Adding a Trusted Certificate

  • To add a trusted certificate, go to:

    System Configuration > Trusted Certificates > New Trusted Certificate

  • Choose the relevant option: Trusted CA Certificate or Trusted Server Certificate.

    Currently, Symantec Threat Isolation supports trusted server certificates only in Isolation mode. If you require a trusted certificate in Inspect mode, provide the CA certificate that issued the server certificate instead.

  • Configure the parameters described in the table below for the new trusted certificate:

  • Import the certificate file. If the certificate is provided as text, click Import to import it.
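The choice between the two options above comes down to one question: which CA signed the certificate the Gateway actually receives? The POSIX shell script below is an added example written for this article; it is not part of the Web Isolation product or its documentation. It assumes only that `openssl` is on the PATH; the hostnames, ports and proxy address in the usage comment are illustrative placeholders. The script fetches the chain a site presents through the next hop proxy, checks whether the leaf was re-signed by the proxy CA (a Trusted CA Certificate is needed), or whether it simply does not chain to a trusted CA (a Trusted Server Certificate candidate, such as an LDAPS certificate from an enterprise CA), and normalises the file to PEM for the import step.

```shell
#!/bin/sh
# Added example for this article (not Web Isolation product code).
# Assumes: openssl on PATH. Hostnames, ports and the proxy address in the
# usage comment at the bottom are illustrative placeholders.
set -u

# Subject / issuer DN of the first certificate in a PEM file.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Exit 0 when subject == issuer, i.e. the file holds a self-signed (root) CA.
is_self_signed() { [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]; }

# Exit 0 when the certificate in $1 was issued by the CA in $2. Run this on the
# leaf fetched through the next hop proxy with the proxy's CA as $2: success
# means the proxy terminated TLS and re-signed the site certificate, so the
# Gateway needs that CA as a Trusted CA Certificate.
issued_by() { [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ]; }

# Exit 0 when $2 verifies against the CA file $1: what the Gateway will be able
# to do once the CA is imported, and what fails before it is.
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Fetch the chain a TLS server presents, optionally via an HTTP CONNECT proxy
# (the article's "next hop proxy"). Prints a PEM bundle, leaf first.
fetch_chain() {  # fetch_chain host port [proxy_host:proxy_port]
  host=$1; port=$2; proxy=${3:-}
  if [ -n "$proxy" ]; then
    openssl s_client -connect "$host:$port" -servername "$host" \
      -proxy "$proxy" -showcerts </dev/null 2>/dev/null
  else
    openssl s_client -connect "$host:$port" -servername "$host" \
      -showcerts </dev/null 2>/dev/null
  fi | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Split a PEM bundle into $2.0.pem, $2.1.pem, ... (leaf first). Prints count.
split_chain() {  # split_chain bundle.pem output_prefix
  awk -v prefix="$2" '
    BEGIN { n = 0; out = "" }
    /-----BEGIN CERTIFICATE-----/ { out = prefix "." n ".pem"; n++ }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n }
  ' "$1"
}

# Normalise a certificate file (PEM or DER) to PEM, the form to import.
to_pem() {  # to_pem input output
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    openssl x509 -in "$1" -inform PEM -out "$2"
  else
    openssl x509 -in "$1" -inform DER -out "$2"
  fi
}

# Classify the chain a server presents and write the file to import into $3.
# Prints one of: trusted-ca, already-trusted, trusted-server.
# The local OpenSSL trust store stands in for the Gateway's own store here;
# that is an approximation, not the Gateway's actual list.
classify_chain() {  # classify_chain bundle.pem proxy_ca.pem outdir
  bundle=$1; proxy_ca=$2; out=$3
  n=$(split_chain "$bundle" "$out/cert")
  [ "$n" -gt 0 ] || { echo "no certificates in $bundle" >&2; return 1; }
  leaf="$out/cert.0.pem"
  if issued_by "$leaf" "$proxy_ca"; then
    cp "$proxy_ca" "$out/trusted-ca.pem"
    echo "trusted-ca"          # import as Trusted CA Certificate
  elif openssl verify -untrusted "$bundle" "$leaf" >/dev/null 2>&1; then
    echo "already-trusted"     # chains to a CA in the local trust store
  else
    cp "$leaf" "$out/trusted-server.pem"
    echo "trusted-server"      # candidate Trusted Server Certificate
  fi
}

# Usage (illustrative values):
#   fetch_chain www.example.com 443 nexthop-proxy.corp.example:8080 > chain.pem
#   classify_chain chain.pem proxy-ca.pem ./out
#   fetch_chain dc01.corp.example 636 > ldap-chain.pem   # LDAPS, no proxy
#   classify_chain ldap-chain.pem proxy-ca.pem ./out-ldap
```

If `classify_chain` reports `trusted-ca`, the proxy is terminating TLS and the file to import under Trusted CA Certificate is the proxy CA. If it reports `trusted-server`, the server certificate is what to import under Trusted Server Certificate in Isolation mode; for Inspect mode, obtain and import the issuing CA instead, as the procedure above states. `already-trusted` is only an approximation based on the machine running the script, so confirm against the Gateway's own trusted certificate list.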