HTTPS Compatibility

This section describes several areas of compatibility to be aware of prior to enabling HTTPS scanning. It is instructive to first review how HTTPS web requests work, and how HTTPS scanning operates.

In normal usage, the following things occur when a user accesses an HTTPS secured website:
  1. The browser negotiates a secure connection directly to the remote site. Once connected, the user can inspect the certificate authority if needed. If the remote site uses an unrecognized certificate authority, the user will be first prompted by the browser to inspect and accept this site’s certificate authority.
  2. The certificate authority contains a key that verifies the authenticity of the encrypted content that is received from the secure website, and which the SSL software decrypts.
  3. Any information that the user submits to the secure website is also encrypted, and the authenticity of their submission is similarly verified by the certificate authority.

The web appliance provides two security features related to this process: certificate validation and HTTPS scanning.

Certificate Validation

Often, end users have little knowledge about the reliability of a certificate authority, so they will often accept certificate authorities without knowing if they are from trusted sources. To overcome this problem, the web appliance includes most reliable certificate authorities, and it can automatically validate certificate authorities from the Sophos certificate authority list. You can also add custom certificate authorities. This allows you to prevent users from accepting certificate authorities.

HTTPS Scanning

To provide secure sessions between commercial or banking sites and users, HTTPS encrypts web content between the website server and the user’s browser. While the traffic between the two is encrypted during an HTTPS session, the content that is delivered is no less likely to be infected with viruses or other malware.

To scan encrypted content, the content must first be decrypted, then scanned, then re-encrypted for delivery to the requesting end-user’s browser. Doing this maintains the privacy of the encrypted content, as the process is done automatically without human eyes viewing the content.

However, because the traffic has been decrypted, the original site certificate cannot be used by the browser to authenticate the connection, so the original certificate is replaced by one generated automatically on the appliance using a Sophos-generated certificate authority. This replaces the original certificate, which requires that you download and install the Sophos-generated certificate authority into your users’ browsers. This can be done as a centralized system administration operation using Group Policy Objects.

Note For more information, see the knowledgebase article Installing the Sophos-Generated Certificate Authority in Your Users’ Browsers.

In greater detail, here is how the web appliance handles HTTPS scanning:

You, the administrator, download the Sophos certificate authority from the web appliance and install it in your user’s browsers.
The user requests a secure web page through the web appliance.
The secure site and the web appliance negotiate a secure connection.
The web appliance creates a certificate for its secure session with the user.
The returned page goes through the following process:
  • The secure site sends an HTTPS page to the web appliance.
  • The web appliance decrypts the page.
  • The web appliance scans the contents.
  • The web appliance re-encrypts the page.
  • The web appliance sends the re-encrypted page to the user, whose browser decrypts the page using the certificate authority installed in Step 1.
Note For more information about obtaining the certificate to install on your users’ browsers, see Downloading the Certificate Authority.

HTTPS Compatibility with Sites

Many financial sites require that clients use a specific certificate authority to establish an HTTPS session with the financial institution’s site. During HTTPS scanning, the appliance replaces the client certificate with its own certificate. Therefore, financial institutions that require special client certificates do not support HTTPS scanning. It is highly recommended that administrators enable the option to Exempt Financial & Investment sites from HTTPS scanning for maximum compatibility. This option is enabled by default when HTTPS scanning is enabled.

Some web services are incompatible with proxies that scan HTTPS content, and, therefore, it is recommended that you exempt them from HTTPS scanning. Of these, the Webex service is exempted from HTTPS scanning by default.

Some software applications use HTTPS for registration and expect specific certificates from the systems that are registering. When HTTPS scanning is enabled and the appliance generates its own certificate, such applications may not operate correctly. Of these, the Windows Vista activation site,, is exempted from HTTPS scanning by default.

For a complete list of known sites that are incompatible with HTTPS scanning, refer to the section Managing HTTPS Scanning Exemptions, and add sites from the list to be exempt from HTTPS scanning as required.