If your network topology includes a next hop proxy/server that performs SSL termination, the website server certificates that the Gateway receives are signed by the CA certificate of that next hop proxy/server, not by the websites' original CAs. The endpoint browser needs to trust only the Threat Isolation Gateway. However, Symantec Threat Isolation is aware of the next hop proxy/server and must trust it. You must therefore add the CA certificate of the next hop proxy/server to the list of Symantec Threat Isolation trusted certificates.
Fig. 1 Trusted CA Certificate
If your organization uses a next hop proxy/server and your endpoints already trust its CA certificate, the Gateway can use the same certificate for simplicity's sake. In this case, you can import your next hop proxy/server's CA certificate into Symantec Threat Isolation.
If the network topology does not include a next hop proxy/server, or if it includes a next hop proxy/server that does not perform SSL termination, the Threat Isolation Gateway might need to trust an individual server certificate. In this case, the trusted server certificate must be imported and added to the list of Symantec Threat Isolation trusted certificates.
Fig. 2 Trusted Server Certificate
Sometimes the Gateway needs to trust LAN resources, such as an Active Directory server that uses SSL for Active Directory connections and whose server certificate is signed by an enterprise CA that the Gateway does not yet trust. In this case, the Gateway must trust the Active Directory server, either by importing that enterprise CA certificate or by importing the server certificate itself.
Adding a Trusted Certificate