8.4. SSL Inspection

The administrator can use this section to configure the inspection of data transmitted using the TLS/SSL protocol, which is first and foremost HTTPS as well as the SMTPS and POP3S email protocols. UserGate utilizes the well-known man-in-the-middle (MITM) technique, where the content is decrypted on the UserGate server and then analyzed.

SSL inspection is required for the content filtering and safe browsing rules to work correctly. SMTPS and POP3S decryption is required to block spam.

The rules in this section can be used to configure HTTPS inspection only for certain categories, such as "Malware", "Anonymizers", "Botnets", while excluding other categories like "Finance", "Government", etc. from decryption. UserGate uses the SNI (Server Name Indication) information from the HTTPS request to determine the website's category or, if not present, the Subject Name field in the server's certificate. The Subject Alternative Name field is ignored.

After decryption, the data is re-encrypted using a certificate issued by the CA specified in the Certificates section. To ensure that user browsers do not display a certificate mismatch warning, add the CA certificate to the list of trusted root certificates. For more on this, see Appendix 2. Installing local CA certificates.

Similar to user browsers, some email servers and clients refuse to accept mail in case of a certificate mismatch. If this happens, configure the email software to disable certificate verification or add an exception for UserGate's certificate. For more details on how to do this, see the documentation for your email software.

Note

The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note

The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

Note

If there are no rules created, SSL traffic is not intercepted or decrypted, and therefore the content transmitted using SSL is not filtered.

To create an SSL inspection rule, go to the Security policies --> SSL inspection section, click Add, and provide the desired settings.

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Enable logging

If this is enabled, instances of the rule being triggered will be recorded in the corresponding statistics log.

Action

The following actions are available:

  • Decrypt.

  • Bypass.

  • Decrypt and forward. On a successful SSL/TLS decryption according to the SSL inspection rule and profile, a copy of the traffic can be forwarded to the chosen destination. If this action is selected, the SSL forwarding profile must be specified (on configuring forwarding profiles, see the section SSL Forwarding Profiles).

SSL profile

Select the SSL profile to use. The settings in this profile will be used for establishing SSL connections from the user browser to the UserGate server and from the UserGate server to the requested web resource.

For more details on SSL profiles, see the chapter SSL Profiles.

Block sites with invalid certificates

Allows blocking of access to servers that present an invalid HTTPS certificate, e.g., if the certificate is expired, revoked, issued to a different domain name, or issued by a non-trusted CA.

Check certificate revocation list

Check the website's certificate against a certificate revocation list (CRL) and block the connection if the certificate is listed there.

Block expired certificates

Block certificates that have expired.

Block self signed certificates

Block certificates that are self-signed.

Users

The list of users and groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. For more details on user identification, see the chapter Users and Devices.

Source

The zone, IP address lists, GeoIP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

Important! Traffic is processed according to the following rules:

  • logical OR is applied if several IP lists and/or domain lists are specified (the source must match any one of them);

  • logical AND is applied if GeoIP lists are specified together with IP and/or domain lists (the source must match both the GeoIP condition and one of the lists).

Destination address

The lists of destination IP addresses for the traffic.

Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15.

Important! Traffic is processed according to the following rules:

  • logical OR is applied if several IP lists and/or domain lists are specified (the destination must match any one of them);

  • logical AND is applied if GeoIP lists are specified together with IP and/or domain lists (the destination must match both the GeoIP condition and one of the lists).

For more details on working with IP address lists, see the chapter IP addresses.
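The matching behaviour described in the notes above (rules evaluated top to bottom with the first full match winning, the Negate checkbox, OR across IP lists and AND with GeoIP, the 15-entry GeoIP limit, and no decryption when no rule matches) as an added Python model; this is not UserGate code, and the rule fields, connection dictionary and sample rules are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_GEOIP = 15  # limit on GeoIP entries per source/destination condition


@dataclass
class Rule:
    """Constructed model of one SSL inspection rule (not UserGate's data model)."""
    name: str
    action: str                       # "Decrypt" or "Bypass"
    enabled: bool = True
    users: set = field(default_factory=lambda: {"Any"})
    services: set = field(default_factory=lambda: {"HTTPS", "SMTPS", "POP3S"})
    categories: set = field(default_factory=set)      # empty = any category
    negate_categories: bool = False                   # the Negate checkbox
    src_ip_lists: list = field(default_factory=list)  # lists of CIDR strings
    src_geoip: set = field(default_factory=set)       # country codes

    def __post_init__(self):
        if len(self.src_geoip) > MAX_GEOIP:
            raise ValueError(f"{self.name}: at most {MAX_GEOIP} GeoIP entries")


def source_matches(conn, ip_lists, geoip):
    """OR across the IP lists; AND between GeoIP and the IP lists."""
    src = ip_address(conn["src_ip"])
    ip_ok = not ip_lists or any(src in ip_network(n) for lst in ip_lists for n in lst)
    geo_ok = not geoip or conn["src_country"] in geoip
    return ip_ok and geo_ok


def evaluate(rules, conn):
    """First enabled rule whose conditions all match wins; no match means Bypass."""
    for r in rules:
        if not r.enabled:
            continue
        cat_hit = conn["category"] in r.categories
        cat_ok = (cat_hit != r.negate_categories) if r.categories else True
        if (("Any" in r.users or conn["user"] in r.users)
                and conn["service"] in r.services and cat_ok
                and source_matches(conn, r.src_ip_lists, r.src_geoip)):
            return r.name, r.action
    return None, "Bypass"  # nothing matched: traffic passes through undecrypted


# Constructed rule list: the specific bypass sits above the more general rules.
RULES = [
    Rule("Skip finance", "Bypass", categories={"Finance", "Government"}),
    Rule("Decrypt threats", "Decrypt", categories={"Malware", "Anonymizers", "Botnets"}),
    Rule("Decrypt LAN HTTPS", "Decrypt", services={"HTTPS"}, categories={"Finance"},
         negate_categories=True, src_ip_lists=[["10.0.0.0/8"], ["192.168.0.0/16"]],
         src_geoip={"DE"}),
]
```

Reversing the list order shows why the specific bypass must be placed first: with the LAN rule on top, a Government site from the LAN would be decrypted instead of bypassed.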

Service

The service for which traffic is to be decrypted. The options are HTTPS, SMTPS, or POP3S.

Categories

UserGate URL Filtering 4.0 category lists.

Domains

The domain lists, or the lists of domain names to which this rule is applied. The domain lists are created in the same way as URL lists, except that only domain names can be used for HTTPS inspection (www.example.com as opposed to http://www.example.com/home/). For more details on working with URL lists, see the chapter URL Lists.

Time

The time when this rule will be active. The administrator can add the required time period in the Time sets section.

Usage

The rule triggering statistics: the total number of triggers, the time of the first and last triggers.

To reset statistics, select rules in the list and click Reset hit counts.

History

The time when the rule was created and last modified, as well as the event log entries related to this rule: adding, updating the rule, changing the position of the rule in the list, etc.

There is a default inspection rule named SSL Decrypt all for unknown users that is required to authorize unknown users using the captive portal.