haaris
Level 10

Block page with SSL Scanner

I have enabled the SSL Scanner ruleset, but when I try to access an HTTPS URL which is not allowed in my policy, I get the block page after the browser asks for certificate verification. My question is that we should get the block page immediately, as the URL is not allowed in the policy. Is this the normal behaviour, or is something wrong? A screenshot is attached below to give an idea of what I am trying to say... Instead of the below screenshot we should get the block page immediately without certificate verification.

Certificate error1.png

1 Solution

Accepted Solutions
McAfee Employee

Re: Block page with SSL Scanner

Hi Haaris,

This is happening because your browser doesn't trust the MWG's CA. See below Best Practice on the matter:

This also seems like you do not have full Content Inspection enabled, more likely just "Set Client Context" as per:

Here is the master list of Best Practices as well:

Best Regards,

Jon Scholten
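
Why the certificate prompt comes before the block page, as an added example that is not part of the original thread or the product's own code: to show a block page for an HTTPS URL the gateway answers inside TLS with a certificate issued by its own CA, and the client validates that chain before rendering anything. The CA names, the host `blocked.example` and all files are constructed stand-ins; the script assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name below is generated locally
# as a stand-in; nothing here comes from a real gateway.

# Create a stand-in proxy CA, an unrelated CA, and a leaf issued by the proxy CA.
build_demo_pki() {  # $1 = working directory
    dir=$1
    for ca in proxy-ca public-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.crt" 2>/dev/null || return 1
    done
    # Leaf the proxy would present for the blocked host, signed by the proxy CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=blocked.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/proxy-ca.crt" -CAkey "$dir/proxy-ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" 2>/dev/null
}

# Succeeds only if the leaf chains to the CA file the client trusts.
verify_leaf() {  # $1 = trusted CA file, $2 = leaf certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
build_demo_pki "$work" || { echo "openssl failed" >&2; exit 1; }

# Client whose trust store lacks the proxy CA: chain validation fails,
# so the browser warns before any block page can be displayed.
if verify_leaf "$work/public-ca.crt" "$work/leaf.crt"; then
    echo "proxy CA not deployed: chain trusted"
else
    echo "proxy CA not deployed: chain untrusted, certificate warning first"
fi

# Client with the proxy CA imported: the same leaf validates silently.
if verify_leaf "$work/proxy-ca.crt" "$work/leaf.crt"; then
    echo "proxy CA deployed: chain trusted, block page shown directly"
else
    echo "proxy CA deployed: chain untrusted"
fi
rm -rf "$work"
```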

mbagheryan
Level 12

Re: Block page with SSL Scanner

Hi Haaris,

Besides all the nice documents provided by Jon,
I can offer you to just fetch the site which you want to pass and also get rid of this block page for trusted sites.
You have to fetch those sites which you completely trust by the instructions described below:

WL-SSL-Fetch.PNG

Enjoy.

M. B. M

Troja
Level 14

Re: Block page with SSL Scanner

Yes,

activating the SSL (Create Client Context) Rule is always a good idea to show the user a blockpage if any SSL site is blocked. :-)

With our customers we did it in this way.

1) One customer exported the CA from MWG and deployed the CA certificate to all endpoints using Microsoft Group Policy.

2) If there is a PKI in place, generate a subordinate CA and import this certificate to MWG.

, I remember Webwasher, where downloading the CA directly from the blockpage was available. Is this still available with MWG?

Cheers

McAfee Employee

Re: Block page with SSL Scanner

Hi,

@MBM, in this case I'm guessing Haaris does not have full SSL scanning on (only Set Client Content -- so that block pages can be displayed for HTTPS sites). As such, he may not want to allow the site, or perhaps he does.

@Thorsten, as of 7.5.1 you can now host a certificate (.crt, or .cer) in the block templates folder, and subsequently link to it on the block page. Previously you could, however it would not download properly (display as just text).

Best Regards,

Jon

haaris
Level 10

Re: Block page with SSL Scanner

Jon,

Thank you very much for your support. I have imported the SSL certificate in my browser and it seems the problem is solved.