When updating firefox, it will do this using HTTPS. If you have SSL Scanning enabled this will interfere because Webwasher will attempt to scan the traffic (so our certificate authority will be used). I believe that the update process is hard-coded to only allow/trust the Mozilla certificate authority, so regardless of firefox trusting the CA used by Webwasher it wont work. Therefore a certificate list entry needs to be put in under SSL scanner > Certificate list, then enter it by host otherwise a SSL scanner bypass can be put into place.
A whitelist entry does not apply to SSL scanner.
After adding aus2.mozilla.org update process started.
Do you know why adding mozilla.org wasn't helpful ?
Like I said in my previous response, whitelisting is independent from the SSL Scanner. (that's why you dont see an option to "whitelist" from the SSL Scanner)
How would this work in MWG7? Would you simply have to bypass the certificate verification by adding an entry to the list in the rule 'Skip Verification for Certificates Found in Certificate White List' under SSL Scanning --> Certificate Verification? Or would you have to bypass SSL Content inspection totally for the Firefox update servers, or completely bypass SSL Scanning?
Does anyone have a list of all the firefox update servers? I'm aware of the following:
Any thoughts as to how this would work in MWG 7? (See my unanswered post above from August)
I would expect that skipping the Vertificate Verification only will not be enough, since Firefox may check the certificate it receives from the server. If MWG is in the loop, the certificate will change and Firefox will complain.
In the SSL Scanner rule set you have a "Tunneled Hosts" rule set. I would add the hosts there to prevent MWG from touching the connection. Please note that the list uses "is in list" as an operator, and therefore does not accept wildcards. You could create another rule similar to the "Tunneled Hosts" rule, and use "URL.Host matches aus*.mozilla.org" as a criteria, to make the updates work.