rukmalf
Level 9

Selectively Bypassing SSL Interception on MWG

Hi,

I have a transparent deployment and have enabled the SSL scanner. The CA importing and stuff have been completed, and it would intercept any HTTPS site that goes through it.

Now what I want to do is only intercept sites like facebook.com, gmail.com, mail.yahoo.com.

I tried using "URL does not match in list NO_SSL", where NO_SSL is a wildcard expression list. If the sites aren't in the list then it doesn't go through the rest of the SSL scanner ruleset (stop ruleset).

And I added the following wildcard expressions to the list

*.facebook.*

*.google.* etc

But what I see is that when a user tries to go to facebook.com it isn't intercepted. Am I missing something?

Thanks in advance

Regards,

Rukmal Fernando

6 Replies
rukmalf
Level 9

Re: Selectively Bypassing SSL Interception on MWG

I tried using URL.Categories, adding social networking and webmail to the category, but it still doesn't seem to get intercepted.

Regards,

Rukmal Fernando

andyclements
Level 12

Re: Selectively Bypassing SSL Interception on MWG

There is no way for the proxy to know the URL requested in a transparent SSL connection unless you enable the SSL scanner. That information is not exchanged until after the connection is secured. You will need to enable the SSL scanner, but after that make the decision if you want to do any content inspection or not.
McAfee Employee

Re: Selectively Bypassing SSL Interception on MWG

Check out this article, perhaps it will shed some light on the issue:

https://community.mcafee.com/docs/DOC-4923

Best,

Jon

rukmalf
Level 9

Re: Selectively Bypassing SSL Interception on MWG

What I want to know is: is there a way to decide whether you are going to use the original certificate or the one signed by the gateway? In other words, I would like to leave some banking sites alone completely and intercept traffic from sites such as Facebook or webmail. I get a feeling this isn't possible when using it in transparent mode.

Regards,

Rukmal Fernando

andyclements
Level 12

Re: Selectively Bypassing SSL Interception on MWG

Take a look at the 'Fix Hostname' parts of the document that John referenced; that will give you some information as to a path you can take. Your only other option may be to apply rules based on destination IP address.

rukmalf
Level 9

Re: Selectively Bypassing SSL Interception on MWG

I have tried using the rule set in the document 'Fix Hostname' and I have noticed a few things:

In our setup we want to use IP spoofing, since the device in front of the MWG towards the internet needs to know the client IP. So when I use Spoof IP, HTTPS doesn't seem to work at all. The only way to get it to work is to remove the IP spoof option.

The funny thing is, even if I disable the SSL scanner rule set, still with the spoof IP option on I cannot get HTTPS to work.

Regards,

Rukmal Fernando
