The administrator can use this section to configure the inspection of data transmitted using the TLS/SSL protocol, which is first and foremost HTTPS as well as the SMTPS and POP3S email protocols. UserGate utilizes the well-known man-in-the-middle (MITM) technique where the content is decrypted on the server and then analyzed.
The use of SSL is required for the content filtering and safe browsing rules to work correctly. SMTPS and POP3S decryption is required to block spam.
The rules in this section can be used to configure HTTPS inspection only for certain categories, such as "Malware", "Anonymizers", "Botnets", while excluding other categories like "Finance", "Government", etc. from decryption. UserGate uses the SNI (Server Name Indication) information from the HTTPS request to determine the website's category or, if not present, the Subject Name field in the server's certificate. The Subject Alternative Name field is ignored.
After decryption, the data is encrypted with a CA-issued certificate specified in the Certificates section. To ensure that user browsers do not display a certificate mismatch warning, add the CA certificate to the list of trusted root certificates. For more on this, see Appendix 2. Installing local CA certificates.
Similar to user browsers, some email servers and clients refuse to accept mail in case of a certificate mismatch. If this happens, configure the email software to disable certificate verification or add exception for UserGate's certificate. For more details on how to do this, see the documentation for your email software.
Note
The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.
Note
The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).
Note
If there are no rules created, SSL traffic is not intercepted or decrypted, and therefore the content transmitted using SSL is not filtered.
To create an SSL inspection rule, go to the Security policies --> SSL inspection section, click Add, and provide the desired settings.
|
Name |
Description |
|---|---|
|
Enabled |
Enables or disables the rule. |
|
Name |
The name of the rule. |
|
Description |
A description of the rule. |
|
Enable logging |
If this is enabled, instances of the rule being triggered will be recorded in the corresponding statistics log. |
|
Action |
The following actions are available:
|
|
SSL profile |
Select the SSL profile to use. The settings in this profile will be used for establishing SSL connections from the user browser to the UserGate server and from the UserGate server to the requested web resource. For more details on SSL profiles, see the chapter SSL Profiles. |
|
Block sites with invalid certificates |
Allows blocking of access to servers that issue an incorrect HTTPS certificate, e.g., if the certificate is expired, revoked, issued to a different domain name, or issued by a non-trusted CA. |
|
Check certificate revocation list |
Check the website's certificate against a certificate revocation list (CRL) and block it if a match is found. |
|
Block expired certificates |
Block certificates that have expired. |
|
Block self signed certificates |
Block certificates that are self-signed. |
|
Users |
The list of users and groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. For more details on user identification, see the chapter Users and Devices. |
|
Source |
The zone, IP address lists, GeoIP address lists, or URL lists of the traffic source. The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing performed with the following statements:
|
|
Destination address |
The lists of destination IP addresses for the traffic. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. Important! Traffic processing performed with the following statements:
For more details on working with IP address lists, see the chapter IP addresses. |
|
Service |
The service for which traffic is to be decrypted. The options are HTTPS, SMTPS, or POP3S. |
|
Categories |
UserGate URL Filtering 4.0 category lists. |
|
Domains |
The domain lists, or the lists of domain names to which this rule is applied. The domain lists are created in the same way as URL lists, except that only domain names can be used for HTTPS inspection (www.example.com as opposed to http://www.example.com/home/). For more details on working with URL lists, see the chapter URL Lists. |
|
Time |
The time when this rule will be active. The administrator can add the required time period in the Time sets section. |
|
Usage |
The rule triggering statistics: the total number of triggers, the time of the first and last triggers. To reset statistics, select rules in the list and click Reset hit counts. |
|
History |
The time when the rule was created and last modified, as well as the event log entries related to this rule: adding, updating the rule, changing the position of the rule in the list, etc. |
There is a default inspection rule named SSL Decrypt all for unknown users that is required to authorize unknown users using the captive portal.