8.3. SSL inspection

In this section, network administrators can set up inspection of data carried over TLS/SSL, such as HTTPS or SMTPS/POP3S. UserGate uses the well-known Man-In-The-Middle (MITM) technique: the UserGate server decrypts and analyzes the content before re-encrypting it. HTTPS inspection is required for the proper operation of content filtering and safe browsing rules; SMTPS and POP3S inspection is required for spam and virus checks of email traffic.

Based on these rules, you can set up HTTPS inspection for various categories of content, e.g. "Malware", "Anonymizers" or "Botnets", while leaving safe categories such as "Finance" or "Government" undecrypted. The system identifies the category of a website from information passed in the TLS handshake: the SNI (Server Name Indication), or the Subject Name of the server certificate when SNI is missing. Values of the Subject Alternative Name extension are ignored.

After decryption and analysis, the data is encrypted again with a certificate issued by the certification authority you have previously specified in the Certificates section. Make sure to add this certificate to the trusted root certificates on users' computers; otherwise, browsers on the user side will display a certificate warning. For more details, please refer to Appendix 1: Installing a certificate issued by the local certification authority.

Similar to user browsers, some email servers and clients reject messages when they detect a replaced certificate. In this case, disable certificate checks in your email software or add exclusions for the certificates in question to UserGate. For more details, please refer to your email software documentation.

Important! Rules are applied from top to bottom, in the order displayed in the console. The system applies only the first rule for which all criteria are met, so the most specific rules must be at the top of the list and the broader rules at the bottom. To change the order of rules, use the Up/Down buttons.

Important! A rule is applied only when all of its conditions are met. The Negate checkbox inverts a condition, i.e. it corresponds to logical negation (NOT).

Important! When no rules are defined, the system does not decrypt SSL, and content passed through SSL is therefore not filtered.
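The rule semantics described above (top-to-bottom evaluation, first full match wins, Negate, no rule means no decryption) together with the SNI / Subject Name lookup, shown as a constructed Python model. This is an added illustration, not UserGate's own code; the rule names, the category lookup table and the session fields are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed category lookup; UserGate takes this from its URL filtering categories.
CATEGORY_DB = {"bank.example": "Finance", "proxy.example": "Anonymizers"}

@dataclass
class Session:
    user: str                 # "Unknown" when the user is not authenticated
    service: str              # HTTPS, SMTPS or POP3S
    sni: Optional[str]        # Server Name Indication from the ClientHello, if any
    cert_subject_cn: str      # Subject Name of the server certificate
    cert_san: List[str] = field(default_factory=list)  # never consulted for categorisation

@dataclass
class Condition:
    kind: str                 # "users", "services", "categories" or "domains"
    values: Set[str]
    negate: bool = False      # the Negate checkbox (logical NOT)

@dataclass
class Rule:
    name: str
    action: str               # "Decrypt" or "Bypass"
    conditions: List[Condition]
    enabled: bool = True

def server_name(s: Session) -> str:
    # SNI when present, otherwise the certificate Subject Name; SAN is ignored.
    return (s.sni or s.cert_subject_cn).lower()

def condition_matches(c: Condition, s: Session) -> bool:
    if "Any" in c.values:
        hit = True
    elif c.kind == "users":   # "Known" covers every authenticated user
        hit = s.user in c.values or ("Known" in c.values and s.user != "Unknown")
    else:
        host = server_name(s)
        actual = {"services": s.service, "domains": host,
                  "categories": CATEGORY_DB.get(host, "Unknown")}[c.kind]
        hit = actual in c.values
    return (not hit) if c.negate else hit

def select_action(rules: List[Rule], s: Session) -> Tuple[str, Optional[str]]:
    """All conditions of a rule are ANDed; the first enabled rule that matches wins."""
    for r in rules:
        if r.enabled and all(condition_matches(c, s) for c in r.conditions):
            return r.action, r.name
    return "Bypass", None     # no rule defined or matched: traffic stays encrypted, unfiltered

# Constructed rule list in console order: the specific Finance exception sits above the broad rules.
RULES = [
    Rule("Skip banking", "Bypass", [Condition("categories", {"Finance"})]),
    Rule("Decrypt all for unknown users", "Decrypt", [Condition("users", {"Unknown"})]),
    Rule("Decrypt risky sites for staff", "Decrypt",
         [Condition("users", {"Known"}), Condition("categories", {"Anonymizers", "Botnets"})]),
]
```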

Important! UserGate supports inspection of a wide range of SSL/TLS protocol versions, including the legacy TLSv1.0 and TLSv1.1 and the current TLSv1.2 and TLSv1.3. By default, compatibility with legacy protocols is enabled, which provides support for TLSv1.0-TLSv1.2. If compatibility with legacy protocols is disabled, only TLSv1.0, TLSv1.2-TLSv1.3 are supported. This is configured with the CLI command legacy_ssl_enabled; see the section Command-line interface (CLI) for more on CLI commands.

To create a new SSL inspection rule, click Add in the Security policies --> SSL inspection section and specify the following parameters.

Enabled
Enables or disables the rule.

Name
Rule name.

Description
Description of the rule.

Action
  • Decrypt - decrypt the traffic
  • Bypass - do not decrypt the traffic

Enable logging
Logs information about the rule being triggered.

Block sites with invalid certificates
Blocks access to servers with invalid HTTPS certificates, e.g. certificates that have expired or been revoked, that were issued for another domain name, or that were issued by an untrusted certification authority.

Check the certificate revocation list
Checks the site certificate against the certificate revocation list (CRL) and blocks the site if a match is found.

Block expired certificates
Blocks certificates that are no longer valid.

Block self-signed certificates
Blocks self-signed certificates.

Users
List of users and user groups to which this rule applies. You can add users of the Any, Unknown or Known type. To apply rules to individual users or to users of the Known type, make sure authentication is set up properly. For more details on user identification, please refer to the Users and devices section.

Source
The source zone and/or a list of source IP addresses of the traffic.

Destination address
Lists of destination IP addresses of the traffic.

Services
The service whose traffic the rule decrypts: HTTPS, SMTPS or POP3S.

Categories
List of categories from UserGate URL filtering 3.0.

Domains
Lists of domain names to which this rule applies. Domain lists are created in the same way as URL lists, except that only domain names can be used for HTTPS inspection (e.g. www.example.com, but not http://www.example.com/home/). For more details on working with URL lists, please refer to Libraries --> URL lists.

Time
Time period during which the rule is active. Network administrators can add the necessary time intervals in Libraries --> Time sets.
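The certificate checks behind "Block sites with invalid certificates" and its three sub-options, as a constructed Python illustration (not UserGate's own code). Certificates are modelled as plain records with the fields the checks need; the CA names, serials and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set, Tuple

@dataclass
class Cert:
    subject_cn: str       # Subject Name (CN) the site presents
    issuer_cn: str        # CN of the issuing CA (equals subject_cn for self-signed)
    serial: int
    not_before: datetime
    not_after: datetime

def name_matches(pattern: str, host: str) -> bool:
    # Exact match, or a single leading wildcard label: *.example.com matches
    # www.example.com but neither example.com nor a.b.example.com.
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def invalid_reasons(cert: Cert, host: str, trusted_cas: Set[str],
                    crl: Set[Tuple[str, int]], now: datetime,
                    check_crl: bool = True, block_expired: bool = True,
                    block_self_signed: bool = True) -> List[str]:
    """Return every reason the site would be blocked; an empty list means the certificate passes."""
    reasons = []
    if not name_matches(cert.subject_cn, host):
        reasons.append("issued for another domain name")
    if cert.issuer_cn == cert.subject_cn:
        if block_self_signed:                       # "Block self-signed certificates"
            reasons.append("self-signed")
    elif cert.issuer_cn not in trusted_cas:
        reasons.append("untrusted certification authority")
    if block_expired and not (cert.not_before <= now <= cert.not_after):
        reasons.append("expired or not yet valid")  # "Block expired certificates"
    if check_crl and (cert.issuer_cn, cert.serial) in crl:
        reasons.append("revoked (CRL match)")       # "Check the certificate revocation list"
    return reasons
```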

By default, UserGate has the SSL inspection rule Decrypt all for unknown users, which is required for authentication of unknown users on the Captive portal.