
Adding 3rd Party Certificate to the proxies

We currently have a SaaS application that requires protection. The SSL encrypted traffic coming from the client inside our network to the SaaS application server in the cloud needs to be inspected by SSL Scanning. However, when doing this type of scanning/inspection, the communication to the SaaS application server is broken. We would like to bypass the SSL scanning and have tested that it works, but our policy will not allow us to bypass SSL scanning as a protection from 3rd party vendor. One option, as suggested by the vendor, is for them to provide their digital certificate, which will need to be installed on our proxy servers for users of the application to be authenticated in their environment. Now the question is: 1) Is this technologically feasible? 2) What is the impact to our environment in terms of risks or security concerns?
asabban
McAfee Employee

Re: Adding 3rd Party Certificate to the proxies

Hi,

Does the connection require a client certificate installed in the application? It sounds like this is the case. If SSL Inspection needs to be done here, we need the client certificate on the Web Gateway to be able to inspect the connection.

In this case the vendor will give you the certificate and you need to import it on the Web Gateway, which is a typical setup we already did a couple of times, given that my understanding of the client certificate is correct.

Andre

Re: Adding 3rd Party Certificate to the proxies

If a 3rd party certificate is allowed to be installed onto the proxy to allow authentication with the application with a certificate (sitting inside the network), what is the risk and impact with this arrangement (since the proxy will now have the certificate and be able to communicate/authenticate to the vendor SaaS Application server)? If there is no risk, can we bypass SSL Scanning for the 3rd party domain inside our proxies?

asabban
McAfee Employee

Re: Adding 3rd Party Certificate to the proxies

I don't see any risk in installing the third party certificate on the Web Gateway. It is a client certificate that exists on the client machine anyway, and from a security perspective I think certificates are better secured on infrastructure machines (Proxy Server) rather than on the endpoint.

The only difference is that the Web Gateway is now able to take a look into the traffic that is passed to this specific SaaS application (the certificate is not valid or usable for anything else). Doing SSL inspection allows you to scan within the encrypted communication, but certainly the traffic is touched by the proxy; in case there is any incompatibility with the application, this may lead to problems (same risk as with other applications that are used on the Internet).

It is up to you or some decision maker within your company. If you think there might be malicious or confidential data being sent to or received from that application, it would make sense to inspect the traffic. If you trust the vendor, you can bypass the application from SSL inspection.
