6 Replies Latest reply on Mar 14, 2013 7:30 AM by jont717

    SSL Certificate


      I have Web Gateway 7.3 .... I am trying to allow some sites that use SSL certificates.


      My intention is to skip the certificate verification and allow the site for all users.


      I am trying to do this with a test site www.outlook.com


      I did the following


      1- I added outlook.com into Certificate White List

      2- I added *.outlook.com into SSL Inspection White List

      4- Also added *.live.com into SSL Inspection White List because somehow it redirects to there.


      Still I am not able to open the site. It opens partially and stays with a white page.


      What is the correct process to skip the certificate check and directly allow the website? (I need to do this for almost 15 sites, banks, Gov etc..)


      Should I really wait for the log generation and see which site is blocked and allow it one by one?


      Any details let me know plz.



        • 1. Re: SSL Certificate

          You do not have a wildcard after your sites. outlook.com and live.com.


          This will fail if anything is after the .com, which is almost always.


          You need to add a wildcard after the .com

          • 2. Re: SSL Certificate

            Also, a lot of times you need to put the actual IP address of the site too....

            • 3. Re: SSL Certificate

              thx for your reply.. so I should do it that way *.outlook.com/* ??


              It's important for me to use a wildcard in the beginning also.. because most of the sites that I want to allow have different sites and not all of them start with www.


              u got it right?


              EX: www.outlook.com , support.outlook.com, finance.outlook.com/users .. etc....



              • 4. Re: SSL Certificate

                Depending on how your client systems are traversing MWG, you may have a partial chicken/egg situation.


                If the clients are not configured to directly proxy to the MWG, the initial value for URL.Host will be the destination IP address and not a domain name. Until the connection goes through the SSL Inspection rule set, MWG won't know what the destination domain is.

                • 5. Re: SSL Certificate



                  If using something that is NOT Windows XP + Internet Explorer plus a recent MWG, the client should be able to send the desired hostname in the SSL handshake, which will allow MWG to apply all rules that utilize URL.Host.


                  Unfortunately the combination Windows XP + Internet Explorer still seems to be a common platform. They don't support the extension, so in this case you will have to use the IP (transparent mode only, of course).




                  • 6. Re: SSL Certificate

                    Just skipping the Content Inspection should be enough. You should then see the site load with the website's certificate and not the Web Gateway's certificate.


                    When you make the wildcard rule, you can test it. There is a test button and you can put in a long URL and make sure it matches.