3 Replies Latest reply on May 21, 2014 1:21 AM by snikhil03

    Issue with SSL Scanner

    snikhil03

      Hi ,

       

      I face a peculiar problem with my webgateway ..

       

      1.When I do not enable SSL Scanner,Block page does not display for the for URLs

      with https.It says page cannot be displayed.However I checked the rule trace and

      it hits the block rule of the URL Filtering rule set

      2.When I Enable SSL scanning Rule set,Chrome does not display the block page and

      it says "cannot connect to real facebook" etc .To resolve ,we have to add certificate in the

      browser which is not feasible for all end users

       

      Can you please suggest a solution for this .?

       

      Regards,

      Nikhil

        • 1. Re: Issue with SSL Scanner
          asabban

          Hello,

           

          that is how SSL Scanner works! When you enable SSL Scanner MWG replaces the server certificate with one it has the private key for. Without SSL Scanner:

           

          Client <--- server certificate for www.facebook.com ---> Server

           

          With SSL Scanner

           

          Client <--- certificate issued by MWG for www.facebook.com ---> MWG <--- server certificate for www.facebook.com ---> Server

           

          MWG creates server certificates for requested URLs on the fly and signs them with the Root CA which is configured in the "Enable Client Context" rule.

           

          1.) If you disable SSL Scanner you have no "Enable Client Context" rule, e.g. MWG does not have a Root CA to sign certificates with. If you go to an HTTPS web site and MWG blocks access it has to talk HTTPS to the browser. It cannot do this, because it has no certificate to sign the connection, so it sends a plain-text error message. The browser cannot understand this and shows "Page cannot be displayed"

           

          2.) You need to have a Root CA for which you own the private key exported to all clients and stored into their stores of "Trusted Certificate Authorities", via GPOs or other ways. This Root CA + its private key need to be known by MWG to create new certificates. The Root CA for MWG can be a subordinate CA of the one trusted in the browsers.

           

          Best,

          Andre

          • 2. Re: Issue with SSL Scanner
            pbrickey

            We have a document that explains this in detail here: https://community.mcafee.com/docs/DOC-4822

             

            -Patrick

            • 3. Re: Issue with SSL Scanner
              snikhil03

              Thanks a lot this helps