Configuring HTTPS Scanning

Note HTTPS scanning is not supported for Endpoint Web Control.

To provide secure sessions between your users and commercial or banking sites, HTTPS encrypts web content between the website server and the user’s browser. While the traffic between the two is encrypted during an HTTPS session, the content that is delivered is just as likely to be infected with viruses or other malware as content from non-encrypted sites. To scan encrypted content, it must first be decrypted, then scanned, then re-encrypted for delivery to the requesting end user’s browser.

Doing this maintains the privacy of the encrypted content, as the process is done automatically without human eyes viewing the content. However, because the traffic has been decrypted, the original site certificate cannot be used by the browser to authenticate the connection, so the original certificate is replaced by one generated automatically on the appliance using a Sophos-generated certificate authority. This replaces the original certificate, which requires that you download and install the Sophos-generated certificate authority into your users’ browsers, which can be done as a centralized system administration operation using Active Directory Group Policy Objects.

Just as there is a slight performance impact on the processing of encrypted traffic with any SSL transaction, so there will be if you enable HTTPS scanning. Consider this impact on the traffic throughput and capacity for your network and the appliance when deciding whether to use this feature.

The Configuration > Global Policy > HTTPS Scanning page allows you to enable or disable HTTPS (SSL) scanning and set logging options for HTTPS transactions.

  • To enable or disable HTTPS scanning, either click On beside HTTPS scanning to enable it, or click Off to disable it, and then click Apply.
    Important When you enable HTTPS scanning, certificate validation is automatically enabled. Certificate validation ensures that sites with invalid certificates (often phishing sites) are not accessed. If you do want certificate validation disabled while HTTPS scanning is enabled, you must disable it on the Configuration > Global Policy > Certificate Validation page after enabling HTTPS scanning.
  • To set the HTTPS logging options, select either Log hostname only for HTTPS transactions or Log complete URLs for HTTPS transactions to enable that logging option for HTTPS transactions, and then click Apply.
  • To create and manage a list of sites exempted from scanning, see the "Managing HTTPS Scanning Exemptions" page.
  • To download a copy of the Sophos certificate authority, see the "Downloading the Certificate Authority" page.
  • When HTTPS scanning is enabled, you need to select the minimum TLS version required for the client and server. Select one of the following versions from the drop-down list: TLSv1.0, TLSv1.1 or TLSv1.2. Connections that do not match the minimum TLS version you have selected are dropped.
    Note For non-HTTPS scanned connections, a minimum TLS version is not enforced.