Coincidentally enough, I had this same conversation with a large bank today. Some of the topics discussed included these, and some of this is my editorialization, of course.
By default with MWG, decrypted traffic is never put back on the wire. Decrypted content is not stored on the disks. Logs can optionally be encrypted on-box, so even the IP, Usernames and URLs are never written in the clear. It makes reporting a pain, but possible.
As a general rule most users will bypass decryption on Banking/Finance, Health, Stocks and a handful of whitelisted sites. But I don't recommend bypassing decryption on webmail. It is a primary vector of infection/leakage.
Typically, there should be an acceptable use policy that spells out the terms of using your network. Create the understanding that you can be watched. Big warning pages when you go to an SSL site with an 'Agree' button to consent to monitoring can be used. I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer. They let the users go to Social Networking sites, but they have informed consent. Is there really privacy on the internet? If there is something you don't want discovered, don't do it. I told my kids when they were 10 & 12 not to expect anything you do on the internet to be considered private, because somewhere, somehow it can be seen by someone. Then I showed them Ethereal (at the time) traces of their AIM messages with their friends to prove it. It's 10+ years later and they still remember that lesson.
The problem of an abusive admin is a carbon-based problem, not a silicon-based one. Separation of functional duties, configuration auditing and strict change control policies help reduce the potential of abuse. Most organizations have these mitigating controls in place to watch the watchers.
It's clearly up to your policy if you want to do it or not. Weigh the risk and benefits. And trust but verify what the admins are doing.
...Just my humble opinion.
regarding your statement:
"I've created rules for MWG7 that inject a banner on the top of all pages that indicates "Monitoring in Progress" for one customer."
Could you please give me a hint on how to accomplish such a task? I would really appreciate it.
First create your own image to insert at the top of the page. A JPG, GIF or PNG should suffice. Upload it to the img/ directory where the block pages are. In this example, my image name is monitor.jpg.
Then you have rules that open the HTML tags and insert the <img> tag right after the <body> tag.
You should probably restrict this rule set to only a few categories that you want to warn against, not everything you are proxying. If you want to warn on everything, you should just have a welcome page display once at the beginning of the day instead.
Rule Set: Monitoring In Progress (Enabled)
Applies to: Requests: False / Responses: True / Embedded Objects: True
Criteria: MediaType.EnsuredTypes contains text/html

Rules (all Enabled, action Continue):

1. Enable HTML Opener
   Events: Enable HTML Opener<HTML Filtering>

2. Set the Redirect Image
   Events: Set User-Defined.redirectImage = "<img src="" +

3. Remove Header for "Content-Length"
   Events: Header.RemoveAll("Content-Length")
   Comment: The HTML rules will modify the content length, so we delete this header so that user agents will not complain about getting less data than promised.

4. Find End of Start Tag
   Criteria: HTMLElement.Name equals "body"
   Events: Set User-Defined.endOfStartTag =

5. Inject Image right after <body>
   Criteria: HTMLElement.Name matches *body*
   Events: Body.Insert(User-Defined.endOfStartTag, User-Defined.redirectImage)

User Defined Properties:
   Name                         Type     Initial Value
   User-Defined.endOfStartTag   Number   0
   User-Defined.redirectImage   String   ""

Settings: Enable HTML Opener (Engine: HTML Filtering)
   List of elements that should be opened:
      Node Name   Start Tags Only
      body        true
   Only open elements that refer to external sources
Here is some of the output I tested:
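To make the rule set above concrete outside the MWG UI, here is the same transformation written in Python as an added example (it is not MWG rule code and not from the original poster): locate the end of the <body> start tag in an HTML response, insert the banner <img> there, and fix Content-Length because the body grew. The banner URL /img/monitor.jpg and the alt text are assumptions based on the post's img/ directory; the HTTP response is constructed inline, not captured traffic.

```python
import re

# Banner to inject. The post uploads monitor.jpg to the img/ directory of the
# block pages; the exact URL and alt text below are assumptions.
BANNER_IMG = b'<img src="/img/monitor.jpg" alt="Monitoring in Progress">'

# <body ...> start tag, attributes included, case-insensitive, so the banner
# goes after the whole tag (MWG's "end of start tag"), not after "<body".
BODY_START_TAG = re.compile(rb"<body\b[^>]*>", re.IGNORECASE)


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header_value(headers, name: bytes):
    """Case-insensitive header lookup; None if the header is absent."""
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def inject_banner(raw: bytes, banner: bytes = BANNER_IMG) -> bytes:
    """Insert `banner` right after the <body> start tag of an HTML response.

    Non-HTML responses and HTML without a <body> start tag pass through
    unchanged. Content-Length is recomputed because the body has grown; the
    rule set on the page deletes the header instead, which also works but
    leaves the client to read until the connection closes.
    """
    status, headers, body = split_response(raw)
    ctype = header_value(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw
    match = BODY_START_TAG.search(body)
    if match is None:
        return raw
    end_of_start_tag = match.end()  # equivalent of User-Defined.endOfStartTag
    new_body = body[:end_of_start_tag] + banner + body[end_of_start_tag:]
    new_headers = [(k, v) for k, v in headers if k.lower() != b"content-length"]
    if header_value(headers, b"Content-Length") is not None:
        new_headers.append((b"Content-Length", str(len(new_body)).encode()))
    head = b"\r\n".join([status] + [k + b": " + v for k, v in new_headers])
    return head + b"\r\n\r\n" + new_body


# Constructed sample response (not captured traffic), with an upper-case
# <BODY> tag carrying an attribute to exercise the tag matching.
SAMPLE_BODY = (b'<html><head><title>t</title></head>'
               b'<BODY class="main"><p>hi</p></BODY></html>')
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Content-Type: text/html; charset=utf-8\r\n"
                   b"Content-Length: " + str(len(SAMPLE_BODY)).encode()
                   + b"\r\n\r\n" + SAMPLE_BODY)


if __name__ == "__main__":
    print(inject_banner(SAMPLE_RESPONSE).decode())
```

The regex is enough to show the idea but is not a real HTML tokenizer: a `>` inside an attribute value, or a `<body` string inside a script or comment, would mislead it, which is exactly why the MWG rule set uses the HTML opener on the body element rather than a plain string search. The same applies to the Content-Length handling: whichever way you fix it, the header must not be left stating the original size once the body has been modified.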
Thank you very much for the hint, it was very useful.
I really appreciate it.
Is there also a coaching page possible before an SSL tunnel is decrypted by MWG?