Managing HTTPS Scanning Exemptions

The Configuration > Global Policy > HTTPS Scanning page allows appliance administrators to create and manage a list of sites that are exempted from scanning. Certain sites do not function properly if HTTPS scanning is enabled. To ensure that these sites work properly, add these problematic sites to this list of sites exempt from HTTPS scanning.

  • To exempt sites from HTTPS scanning:
    1. In the text box to the left of the Add button, enter the domain or site (for example, or that you want exempted from scanning.
      The entry must be in one of the following forms:
      • a top-level domain, such as
      • a fully qualified domain name, such as
      • a fully qualified domain name including a subdomain, such as
      The entry must not be in either of the following forms:
      • a domain name including a sub-domain, but without the hostname, such as
      • a specific URL, such as

      Optionally, you can append a port number (for example, If a port number is not appended, a port number of 443 is assumed.

      Note The sites that typically require exemption are software activation and update sites, software that validates the site certificate (such as some instant messaging clients and banking software), and any specific HTTPS sites you do not want scanned.

      The following table lists the applications and domains of sites that you should add to the Sites exempt from HTTPS scanning list in order to make those applications to work properly for your users.

      Incompatible Application Domain that must be exempted
      Firefox updates
      LogMeIn (used for remote assistance) and
      Sophos appliance administrative web interface <SWAorSMA_hostname>.<your_domain>.<toplevel_domain>
      Surgient web site
      WebEx Communications Inc.
      Windows Vista activation
      Windows Live Messenger (No exemption is required for Windows Live Messenger 2009.) and and
      Yahoo! Messenger
      Note The appliance automatically exempts two sites from HTTPS scanning:, which is not compatible with proxies that scan HTTPS content, and the Windows Vista activation’s site, whose certificate is required by Windows Vista to complete its activation.
    2. Click Add.

      The domain or site appears in the Sites exempt from HTTPS scanning list.

    3. Click Apply.
  • To remove a site from the exempt sites list, select the check box to the right of that site or domain, click Delete to remove it from the list, and click Apply.
  • To exempt financial and investment sites from HTTPS scanning, select the Exempt Finance & Investment sites from HTTPS scanning option, and click Apply.
    Important Many financial sites check that the user’s browser has their certificate authority installed, so exempting such sites from HTTPS scanning is required.