I face a peculiar problem with my webgateway ..
1.When I do not enable SSL Scanner,Block page does not display for the for URLs
with https.It says page cannot be displayed.However I checked the rule trace and
it hits the block rule of the URL Filtering rule set
2.When I Enable SSL scanning Rule set,Chrome does not display the block page and
it says "cannot connect to real facebook" etc .To resolve ,we have to add certificate in the
browser which is not feasible for all end users
Can you please suggest a solution for this .?
that is how SSL Scanner works! When you enable SSL Scanner MWG replaces the server certificate with one it has the private key for. Without SSL Scanner:
Client <--- server certificate for www.facebook.com ---> Server
With SSL Scanner
Client <--- certificate issued by MWG for www.facebook.com ---> MWG <--- server certificate for www.facebook.com ---> Server
MWG creates server certificates for requested URLs on the fly and signs them with the Root CA which is configured in the "Enable Client Context" rule.
1.) If you disable SSL Scanner you have no "Enable Client Context" rule, e.g. MWG does not have a Root CA to sign certificates with. If you go to an HTTPS web site and MWG blocks access it has to talk HTTPS to the browser. It cannot do this, because it has no certificate to sign the connection, so it sends a plain-text error message. The browser cannot understand this and shows "Page cannot be displayed"
2.) You need to have a Root CA for which you own the private key exported to all clients and stored into their stores of "Trusted Certificate Authorities", via GPOs or other ways. This Root CA + its private key need to be known by MWG to create new certificates. The Root CA for MWG can be a subordinate CA of the one trusted in the browsers.