■ To exempt financial and investment sites from HTTPS scanning, select the Exempt Finance
& Investment sites from HTTPS scanning option, and click Apply.
Important: Many financial sites check that the user’s browser has their certificate authority
installed, so exempting such sites from HTTPS scanning is required.
4.3.5.2 Downloading the Certificate Authority
Once the HTTPS content has been decrypted, the original site certificate cannot be used by the
browser to authenticate the connection, so the original certificate is replaced by one generated
automatically on the appliance using a Sophos-generated certificate authority. This replaces the
original certificate, which requires that you download and install the Sophos-generated certificate
authority into your users’ browsers, which can be done as a centralized system administration
operation using Active Directory Group Policy Objects.
To download the Sophos-generated certificate authority and distribute it to your users’ browsers:
1. Click Download a copy of the certificate authority.
If you are prompted for the purpose of the authority, select "to identify web sites".
2. Save the authority.
3. Distribute the authority to your users using a Group Policy Object in Active Directory.
See the Installing the Sophos-Generated Certificate Authority in your Users’ Browsers
Knowledgebase article for instructions on how to do this.
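The following PowerShell script is an added example, not part of the Sophos documentation. It performs on a single Windows workstation what the Group Policy Object in step 3 does fleet-wide: it installs the downloaded Sophos-generated certificate authority into the machine's Trusted Root store and then checks that a site certificate re-signed by the appliance chains to it. The file paths are placeholders, and it assumes an elevated Windows PowerShell session with the PKI module (Import-Certificate) available.

```powershell
# Added example (not Sophos-supplied code). Placeholder paths: $CaPath is the
# authority saved in step 2; $LeafPath is a site certificate exported from a
# browser's certificate viewer while browsing through the appliance with HTTPS
# scanning enabled. Run in an elevated Windows PowerShell session.
param(
    [string]$CaPath   = 'C:\Temp\sophos-ca.cer',     # placeholder: downloaded CA
    [string]$LeafPath = 'C:\Temp\site-via-appliance.cer'  # placeholder: exported site cert
)

# 1. Install the appliance CA machine-wide. A GPO that places the same file under
#    Computer Configuration > ... > Trusted Root Certification Authorities does this centrally.
$ca = Import-Certificate -FilePath $CaPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Installed CA : $($ca.Subject)"
Write-Host "Thumbprint   : $($ca.Thumbprint)"

# 2. Confirm the import actually landed in the Trusted Root store.
$present = Get-ChildItem 'Cert:\LocalMachine\Root' |
           Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $present) { throw "CA $($ca.Thumbprint) not found in Cert:\LocalMachine\Root" }

# 3. Build a chain for the exported site certificate using the machine store.
#    With HTTPS scanning on, the issuer is the appliance CA rather than the site's real CA,
#    so the chain only validates once the CA above is trusted.
$leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($LeafPath)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$valid = $chain.Build($leaf)

Write-Host "Site subject : $($leaf.Subject)"
Write-Host "Site issuer  : $($leaf.Issuer)"
Write-Host "Chain valid  : $valid"
foreach ($status in $chain.ChainStatus) { Write-Host "  status: $($status.Status) - $($status.StatusInformation.Trim())" }

# 4. Report whether the chain terminates at the appliance CA. If it does not, the site is
#    probably on the Finance & Investment exemption list or scanning is off for it.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($valid -and $root.Thumbprint -eq $ca.Thumbprint) {
    Write-Host "OK: site certificate was re-signed by the appliance CA and is now trusted."
} else {
    Write-Host "Site certificate does not chain to the appliance CA (exempt site, or scanning off)."
}
```

Revocation checking is disabled in step 3 because the appliance-generated authority publishes no CRL; on a browser-facing machine the point is only whether the chain terminates at the installed CA.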
4.3.6 Configuring Certificate Validation
Often, end users have little knowledge about the reliability of a certificate authority, so they will
often accept certificate authorities without knowing whether they come from trusted sources. To
overcome this problem, the Web Appliance includes most of the reliable certificate authorities, and
it can automatically validate certificate authorities against the Sophos certificate authority list.
You can also add custom certificate authorities. This allows you to deny users the ability to accept
certificate authorities themselves.
The Configuration > Global Policy > Certificate Validation page allows you to control the
HTTPS (SSL) certificate validation process. Sophos provides a list of certificates from recognized
third-party certificate authorities that are automatically accepted. Also, you can add certificates
from other sources that you want to be accepted. If Certificate Validation is enabled, your users
will only be able to access HTTPS sites that use a certificate listed in the Sophos certificate list
or the Custom certificate list. If your users attempt to access HTTPS sites that use certificates
from sources that are not in these lists, the Invalid certificate page is displayed and access to
the requested site is blocked.
■ To enable or disable automatic certificate validation, beside Certificate Validation, either click
On to enable it, or click Off to disable it, and click Apply.
Automatic certificate validation is based on both the Sophos and Custom lists.
Important: When HTTPS scanning is enabled, certificate validation is also automatically
enabled. If you want certificate validation disabled while HTTPS scanning is enabled, you must
disable it on this page, but be aware of the risks of doing so. Having certificate validation
enabled is advised as HTTPS scanning replaces the actual certificate from the site, so it may
108 | Configuration | Sophos Web Appliance