Managing HTTPS Scanning Exemptions

The Configuration > Global Policy > HTTPS Scanning page allows appliance administrators to create and manage a list of sites that are exempted from scanning. Certain sites do not function properly if HTTPS scanning is enabled. To ensure that these sites work properly, add them to the list of sites exempt from HTTPS scanning.

  • To exempt sites from HTTPS scanning:
    1. In the text box to the left of the Add button, enter the domain or site (for example, example.com or host.example.com) that you want exempted from scanning.
      The entry must be in one of the following forms:
      • a top-level domain, such as example.com
      • a fully qualified domain name, such as host.example.com
      • a fully qualified domain name including a subdomain, such as host.subdomain.example.com
      The entry must not be in either of the following forms:
      • a domain name including a subdomain, but without the hostname, such as subdomain.example.com
      • a specific URL, such as host.example.com/page.html

      Optionally, you can append a port number (for example, example.com:443). If a port number is not appended, a port number of 443 is assumed.

      Note
      The sites that typically require exemption are software activation and update sites, software that validates the site certificate (such as some instant messaging clients and banking software), and any specific HTTPS sites you do not want scanned.

      The following table lists the applications and domains of sites that you should add to the Sites exempt from HTTPS scanning list so that those applications work properly for your users.

      | Incompatible application | Domain that must be exempted |
      |---|---|
      | Firefox updates | mozilla.org |
      | LogMeIn (used for remote assistance) | logmeinrescue-enterprise.com and logmein.com |
      | Sophos appliance administrative web interface | <SWAorSMA_hostname>.<your_domain>.<toplevel_domain> |
      | Surgient web site | surgient.com |
      | WebEx Communications Inc. | webex.com |
      | Windows Vista activation | sls.microsoft.com |
      | Windows Live Messenger (No exemption is required for Windows Live Messenger 2009.) | loginnet.passport.com and login.live.com and msn.com |
      | Yahoo! Messenger | login.yahoo.com |

      Note
      The appliance automatically exempts two sites from HTTPS scanning: webex.com, which is not compatible with proxies that scan HTTPS content, and the Windows Vista activation site, sls.microsoft.com, whose certificate is required by Windows Vista to complete its activation.
    2. Click Add.

      The domain or site appears in the Sites exempt from HTTPS scanning list.

    3. Click Apply.
  • To remove a site from the exempt sites list, select the check box to the right of that site or domain, click Delete to remove it from the list, and click Apply.
  • To exempt financial and investment sites from HTTPS scanning, select the Exempt Finance & Investment sites from HTTPS scanning option, and click Apply.
    Important
    Many financial sites check that the user's browser has their certificate authority installed, so exempting such sites from HTTPS scanning is required.
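
The entry rules in step 1 can be checked before a list of candidate exemptions is typed into the appliance, which keeps the unscanned set small and free of malformed or duplicate entries. The following is an added example, not Sophos code: the function names and the lowercase normalization are assumptions, and the sample entries are constructed from the page's example names.

```python
import re

DEFAULT_PORT = 443  # per the page: 443 is assumed when no port is appended
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")  # one DNS label


def parse_exemption(entry):
    """Return (host, port) for a well-formed entry, else raise ValueError."""
    # Syntax alone cannot tell host.example.com from subdomain.example.com,
    # so confirming that the first label is a real hostname stays manual.
    text = entry.strip().lower()  # assumption: names compare case-insensitively
    if "://" in text or any(c in text for c in "/?#@"):
        raise ValueError("specific URLs are not accepted, use host[:port]")
    host, sep, port_text = text.partition(":")
    if sep and not (port_text.isascii() and port_text.isdigit()):
        raise ValueError("port must be numeric")
    port = int(port_text) if sep else DEFAULT_PORT
    if not 1 <= port <= 65535:
        raise ValueError("port must be between 1 and 65535")
    labels = host.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(l) for l in labels):
        raise ValueError("not a domain or fully qualified domain name")
    return host, port


def review(entries):
    """Split candidates into accepted (host, port) pairs and rejections."""
    accepted, rejected = [], []
    for entry in entries:
        try:
            pair = parse_exemption(entry)
        except ValueError as err:
            rejected.append((entry, str(err)))
            continue
        if pair in accepted:
            rejected.append((entry, "duplicate of an earlier entry"))
        else:
            accepted.append(pair)
    return accepted, rejected


# Constructed sample input built from the page's example names.
SAMPLE = ["example.com", "host.example.com:8443", "host.example.com/page.html",
          "https://host.example.com", "EXAMPLE.com:443", "example.com:https"]

if __name__ == "__main__":
    ok, bad = review(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```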