SSL Decryption is an important part of the Umbrella Intelligent Proxy. This article goes through how it works and what the requirements are to implement it.
The feature allows the Intelligent Proxy to go beyond simply inspecting normal URLs and actually proxy and inspect traffic that's sent over HTTPS. The feature has been in testing for several months and is now ready for you to try out.
The SSL Decryption feature does have several important caveats for use, and a bit of configurability to consider when you're implementing it for your users. Please take care in introducing the feature, as a partial or incomplete implementation will cause significant technical problems for your end users.
NOTE: This is the first version of this feature; we intend to introduce additional capabilities (including the ability to decide which categories of websites you'd like to enable SSL decryption for) in a future release.
Requirements and Implementation
The root certificate
Although only SSL sites on our 'grey' list will be proxied, it's very important the root certificate be installed on the computers that are using SSL Decryption for the Intelligent Proxy in their security settings. Sites on our 'grey' list can include very popular sites, such as file sharing services, that can potentially host malware on certain specific URLs while the vast majority of the rest of the site is perfectly harmless.
- Without the root certificate, when your users go to that service, they will receive errors in the browser and the site will not be accessible. The browser, correctly, will believe the traffic is being intercepted (and proxied!) by a 'man in the middle', which is our service in this case. The traffic won't be decrypted and inspected; instead, the entire website won't be available.
- With the root certificate installed, errors won't occur and the site will be accessible when it's been proxied and allowed. For information on installing the root certificate on multiple browsers and platforms, read here: https://docs.umbrella.com/product/umbrella/cisco-certificate-import-information/
Enabling SSL Decryption
This feature is part of the Intelligent Proxy and as such, the Intelligent Proxy must be enabled first. You can find it under Policy Settings > Security Settings, just below the list of security categories.
Testing SSL Decryption
Once you’ve deployed the Cisco Root CA to your client machines and configured the feature, you’ll want to confirm it is working. We’ve created the following URL to allow you to test this:
This will lead to a page advising if your request was successfully proxied or not.
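For checking a rollout from the client side, the following is an added example (not Cisco tooling and not part of the original article). It performs a TLS handshake against a host using the local trust store and reports whether the chain was trusted and whether the issuer looks like the proxy. The issuer marker string, the function names and the sample certificates are assumptions made for illustration.

```python
import socket
import ssl

# Assumption: substring expected in the issuer of certificates minted by the
# proxy. Set it to the name on the root certificate you actually deployed.
PROXY_ISSUER_MARKER = "Cisco"


def issuer_names(cert):
    """Flatten the 'issuer' field of ssl.getpeercert() into a list of values."""
    return [value for rdn in cert.get("issuer", ()) for _key, value in rdn]


def classify(cert, verify_error=None, marker=PROXY_ISSUER_MARKER):
    """Map one handshake outcome to a rollout state."""
    if verify_error is not None:
        # Chain did not validate against the local trust store: the symptom
        # the article describes for a proxied site without the root installed.
        return "untrusted: " + verify_error
    if any(marker.lower() in name.lower() for name in issuer_names(cert)):
        return "proxied-and-trusted"
    return "not-proxied"


def probe(host, port=443, timeout=5.0):
    """Handshake with the system trust store and classify the result."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return classify({}, verify_error=exc.verify_message)


# Constructed samples in the shape ssl.getpeercert() returns (not real data).
SAMPLE_PROXIED = {"issuer": ((("organizationName", "Cisco"),),
                             (("commonName", "Example Proxy Sub CA"),))}
SAMPLE_DIRECT = {"issuer": ((("organizationName", "Example Public CA"),),
                            (("commonName", "Example Public CA R1"),))}

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, "->", probe(host))
```

The result reflects the trust store that Python's TLS library reads, which can differ from a browser that keeps its own certificate store, so an "untrusted" result here should be confirmed in the browsers your users actually run.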
What is being decrypted and proxied?
Some solutions, such as deep packet inspection solutions on the gateway of a network, will inspect all of the traffic sent through it at a granular level to look for information such as strings of malicious code or confidential information. This is *not* what SSL Decryption for the Intelligent Proxy does; instead, this is really just the Intelligent Proxy for SSL websites. The only things being inspected are the requested URLs and domain names that are considered suspicious to begin with and are on our 'grey list', and we will block HTTPS URLs if they're considered malicious in our ruleset. We are not recording (or even looking at) anything beyond the URLs and the domain names themselves.