server, although the appliance must still have access to the ports and services indicated in the
preceding tables.
Related concepts
Understanding Mode and Model Differences on page 43
Updates on page 113
Grouping Web Appliances on page 39
Related tasks
Configuring Active Directory Access on page 124
C.5 HTTPS Compatibility
This section describes several areas of compatibility to be aware of prior to enabling HTTPS
scanning. It is instructive to first review how HTTPS web requests work, and how HTTPS scanning
operates.
In normal usage, the following things occur when a user accesses an HTTPS secured website:
1. The browser negotiates a secure connection directly to the remote site. Once connected, the
user can inspect the certificate authority if needed. If the remote site uses an unrecognized
certificate authority, the user will be first prompted by the browser to inspect and accept this
site’s certificate authority.
2. The certificate authority contains a key that verifies the authenticity of the encrypted content
that is received from the secure website, and which the SSL software decrypts.
3. Any information that the user submits to the secure website is also encrypted, and the
authenticity of their submission is similarly verified by the certificate authority.
The Web Appliance provides two security features related to this process: certificate validation
and HTTPS scanning.
Certificate Validation
Often, end users have little knowledge about the reliability of a certificate authority, so they will
often accept certificate authorities without knowing if they are from trusted sources.To overcome
this problem, the Web Appliance includes most reliable certificate authorities, and it can
automatically validate certificate authorities from the Sophos certificate authority list.You can also
add custom certificate authorities.This allows you to prevent users from accepting certificate
authorities.
HTTPS Scanning
To provide secure sessions between commercial or banking sites and users, HTTPS encrypts
web content between the website server and the user’s browser. While the traffic between the
two is encrypted during an HTTPS session, the content that is delivered is no less likely to be
infected with viruses or other malware.
To scan encrypted content, the content must first be decrypted, then scanned, then re-encrypted
for delivery to the requesting end-user’ s browser. Doing this maintains the privacy of the encrypted
content, as the process is done automatically without human eyes viewing the content.
Sophos Web Appliance | Appliance Behavior and Troubleshooting | 213
To Next Page
Loading...
Need help?
General
