Configuring HTTPS Scanning
HTTPS encrypts web content between the website server and the user’s browser; this is what gives your users a secure session with commercial and banking sites. Encryption protects the traffic in transit, but it says nothing about the content: a page delivered over HTTPS is just as likely to be infected with viruses or other malware as one delivered over an unencrypted connection, and the appliance cannot inspect it while it is encrypted. To scan encrypted content, the appliance must first decrypt it, then scan it, then re-encrypt it for delivery to the requesting user’s browser.
Privacy of the encrypted content is maintained because the whole process is automatic: no person views the decrypted content. However, because the appliance terminates the encrypted session, the browser no longer receives the original site certificate and cannot use it to authenticate the connection. The appliance instead presents a certificate that it generates automatically for the site and signs with a Sophos-generated certificate authority. Browsers will not trust that replacement certificate, and will warn users on every HTTPS site, until the Sophos-generated certificate authority is installed as a trusted root, so you must download it from the appliance and install it in your users’ browsers. This can be done as a centralized system administration operation using Active Directory Group Policy Objects. Note that once browsers trust the appliance’s certificate rather than the origin server’s, checking the validity of the original site certificate is the appliance’s responsibility, not the browser’s.
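The certificate substitution described above, as an added example in Go using only the standard library; this is illustrative code, not the Sophos appliance’s own implementation, and the host name and CA names are hypothetical. It issues an origin certificate from a stand-in public root, re-issues the same identity under a stand-in scanning CA the way the proxy does, and then checks the three outcomes a browser would see: the origin certificate verifies against the public root, the re-issued certificate fails against that root alone, and it succeeds once the scanning CA has been added to the root store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical host; not taken from the documentation.
const bankHost = "bank.example"

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustSerial() *big.Int {
	s, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		panic(err)
	}
	return s
}

func mustCreate(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA builds a self-signed root. It stands in both for the public CA the
// bank's real certificate chains to and for the appliance-generated scanning CA.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          mustSerial(),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCreate(tmpl, tmpl, &key.PublicKey, key), key
}

// issue signs a server certificate for the given subject and SANs with ca.
// The signer generates a fresh key: the origin's private key never leaves the origin.
func issue(subject pkix.Name, dnsNames []string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: mustSerial(),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCreate(tmpl, ca, &key.PublicKey, caKey)
}

// Reissue is the per-site step a scanning proxy performs: copy the origin
// certificate's identity (subject and DNS names) into a certificate signed by
// the scanning CA, so the browser sees the same name but a different issuer.
func Reissue(origin, scanCA *x509.Certificate, scanKey *ecdsa.PrivateKey) *x509.Certificate {
	return issue(origin.Subject, origin.DNSNames, scanCA, scanKey)
}

// BrowserTrusts reports whether a browser whose root store holds exactly the
// given roots would accept cert for host without a warning.
func BrowserTrusts(cert *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // explicit, possibly empty; a nil pool would mean "system roots"
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Scenario returns: origin cert vs. public root; re-issued cert vs. public root
// only; re-issued cert once the scanning CA has been pushed to the root store.
func Scenario() (originOK, reissuedWithoutCA, reissuedWithCA bool) {
	publicCA, publicCAKey := NewCA("Example Public Root")
	scanCA, scanKey := NewCA("Example HTTPS Scanning CA")
	origin := issue(pkix.Name{CommonName: bankHost}, []string{bankHost}, publicCA, publicCAKey)
	reissued := Reissue(origin, scanCA, scanKey)
	originOK = BrowserTrusts(origin, bankHost, publicCA)
	reissuedWithoutCA = BrowserTrusts(reissued, bankHost, publicCA)
	reissuedWithCA = BrowserTrusts(reissued, bankHost, publicCA, scanCA)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("origin cert trusted by browser: %v\n", a)
	fmt.Printf("re-issued cert trusted without scanning CA: %v\n", b)
	fmt.Printf("re-issued cert trusted with scanning CA installed: %v\n", c)
}
```

The middle result is the one that matters operationally: until the scanning CA reaches every client’s root store (for example via Group Policy), the re-issued certificate fails validation and users see a certificate warning on every HTTPS site, which trains them to click through warnings and defeats the purpose of certificate checking.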
Any SSL transaction carries a slight performance cost for processing the encrypted traffic, and enabling HTTPS scanning adds the same kind of cost on the appliance, since every HTTPS session is decrypted and re-encrypted. Consider this impact on traffic throughput and on the capacity of your network and the appliance when deciding whether to use this feature.
The page allows you to enable or disable HTTPS (SSL) scanning and set logging options for HTTPS transactions.