I have a transparent deployment and have enabled the SSL scanner. The CA importing and stuff have been completed, and it would intercept any HTTPS site that goes through it.
Now what I want to do is only intercept sites like facebook.com, gmail.com, mail.yahoo.com.
I tried using "URL does not match in list NO_SSL", where NO_SSL is a wildcard expression list. If the sites aren't in the list then it doesn't go through the rest of the SSL scanner ruleset (stop ruleset).
And I added the following wildcard expressions to the list
But what I see is that when a user tries to go to facebook.com it isn't intercepted. Am I missing something?
Thanks in advance
I tried using URL.categories, adding social networking and webmail to the category, but it still doesn't seem to get intercepted.
There is no way for the proxy to know the URL requested in a transparent SSL connection unless you enable the SSL scanner. That information is not exchanged until after the connection is secured. You will need to enable the SSL scanner, but after that you can make the decision whether you want to do any content inspection or not.
What I want to know is whether there is a way to decide whether you are going to use the original certificate or the one signed by the gateway. In other words, I would like to leave some banking sites alone completely and intercept traffic from sites such as Facebook or webmail. I get a feeling this isn't possible when using it in transparent mode.
Take a look at the 'Fix Hostname' parts of the document that John referenced, that will give you some information as to a path you can take. Your only other option may be to apply rules based on destination IP address.
I have tried using the rule set in the document 'Fix Hostname' and I have noticed a few things.
In our setup we want to use IP spoofing, since the device in front of the MWG towards the internet needs to know the client IP. So when I use Spoof IP, HTTPS doesn't seem to work at all. The only way to get it to work is to remove the IP spoof option.
The funny thing is that even if I disable the SSL scanner rule set, with the spoof IP option on I still cannot get HTTPS to work.