SSL Inspection

The administrator can use this section to configure the inspection of data transmitted using the TLS/SSL protocol, which is first and foremost HTTPS as well as the SMTPS and POP3S email protocols. UserGate utilizes the well-known man-in-the-middle (MITM) technique where the content is decrypted on the server and then analyzed.

The use of SSL is required for the content filtering and safe browsing rules to work correctly. SMTPS and POP3S decryption is required to block spam.

The rules in this section can be used to configure HTTPS inspection only for certain categories, such as "Malware", "Anonymizers", "Botnets", while excluding other categories like "Finance", "Government", etc. from decryption. UserGate uses the SNI (Server Name Indication) information from the HTTPS request to determine the website's category or, if not present, the Subject Name field in the server's certificate. The Subject Alternative Name field is ignored.

After decryption, the data is encrypted with a CA-issued certificate specified in the Certificates section. To ensure that user browsers do not display a certificate mismatch warning, add the CA certificate to the list of trusted root certificates. For more details on this, see the Installing local CA certificates appendix.

Similar to user browsers, some email servers and clients refuse to accept mail in case of a certificate mismatch. If this happens, configure the email software to disable certificate verification or add exception for UserGate's certificate. For more details on how to do this, see the documentation for your email software.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note The Negate checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

Note If there are no rules created, SSL traffic is not intercepted or decrypted, and therefore the content transmitted using SSL is not filtered.

To create an SSL inspection rule, go to the Security policies ➜ SSL inspection section, click Add, and provide the desired settings.

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Enable logging

If this is enabled, instances of the rule being triggered will be recorded in the Web Access Log.

Action

  • Decrypt.

  • Bypass.

  • Decrypt and forward. If the SSL/TLS traffic is successfully decrypted, a copy of the traffic will be forwarded in accordance with the SSL inspection rule and profile. If this action is selected, the SSL forwarding profile must be specified (on configuring forwarding profiles, see the section SSL Forwarding Profiles).

SSL profile

Select the SSL profile to use. The settings in this profile will be used for establishing SSL connections from the user browser to the UserGate server and from the UserGate server to the requested web resource.

For more details on SSL profiles, see the SSL Profiles chapter.

Block sites with invalid certificates

Allows blocking of access to servers that issue an incorrect HTTPS certificate, e.g., if the certificate is expired, revoked, issued to a different domain name, or issued by a non-trusted CA.

Check certificate revocation list

Check the website's certificate against a certificate revocation list (CRL) and block it if a match is found.

Block expired certificates

Block certificates that have expired.

Block self signed certificates

Block certificates that are self-signed.

Users

The list of users and groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. For more details on user identification, see the Users and Devices chapter.

Source

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes UserGate resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, UserGate automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Destination address

The lists of destination IP addresses for the traffic.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

For more details on working with IP address lists, see the chapter IP Addresses.

Services

The service for which traffic is to be decrypted. The options are HTTPS, SMTPS, or POP3S.

Categories

UserGate URL Filtering 4.0 category lists.

Domains

The domain lists, or the lists of domain names to which this rule is applied. The domain lists are created in the same way as URL lists, except that only domain names can be used for HTTPS inspection (www.example.com as opposed to http://www.example.com/home/). For more details on working with URL lists, see the URL Lists chapter.

Time

The time when this rule will be active. The administrator can add the required time period in the Time Sets section.

Usage

The trigger statistics for the rule: the total trigger count and the time of the first and last trigger.

To reset the trigger count, select the rules in the list and click Reset hit counts.

History

The time the rule was created and last changed as well as the related event log entries, such as rule added, rule updated, rule list position changed etc.

There is a default inspection rule named SSL Decrypt all for unknown users that is required to authorize unknown users using the captive portal.