Web Anonymous Proxy Guard + SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for
both HTTP (Web Filter) and HTTPS (SSL Filter) traffic. It also prohibits HTTP traffic
on any port other than port 80 or a designated proxy port, and SSL traffic on any port other
than port 443 (Anonymous Proxy Guard).
Web SSL Filter
This TFRS performs content filtering, web logging, spyware scanning, and virus scanning for
both HTTP (Web Filter) and HTTPS (SSL Filter) traffic.
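The port rule that the Anonymous Proxy Guard TFRS above enforces can be sketched as a check on the first bytes a client sends. This is an added example, not Optinet's own code; the function names, the sample flows, and the use of port 8080 as the designated proxy port are assumptions.

```python
# Added illustration of the Anonymous Proxy Guard port rule; not Optinet code.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")
HTTP_PORTS = {80, 8080}   # 8080 as the designated proxy port is an assumption
TLS_PORTS = {443}

def sniff_protocol(payload: bytes) -> str:
    """Classify a connection by its first client bytes, ignoring the port."""
    if payload.startswith(HTTP_METHODS):
        request_line = payload.split(b"\r\n", 1)[0]
        if request_line.rsplit(b" ", 1)[-1].startswith(b"HTTP/"):
            return "http"
    # TLS record header: type 0x16 (handshake), version 0x03 0x00-0x04,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    return "unknown"

def check_flow(dst_port: int, payload: bytes) -> tuple:
    """Return (verdict, detected protocol) for one outbound connection."""
    proto = sniff_protocol(payload)
    if proto == "http" and dst_port not in HTTP_PORTS:
        return ("block", proto)
    if proto == "tls" and dst_port not in TLS_PORTS:
        return ("block", proto)
    return ("allow", proto)   # the rule described only covers HTTP and SSL

# Constructed sample flows: (destination port, first bytes sent by the client).
CLIENT_HELLO = bytes.fromhex("160301002f0100002b0303") + bytes(32)
SAMPLES = [
    (80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (8080, b"CONNECT example.com:443 HTTP/1.1\r\n\r\n"),
    (8000, b"GET http://example.com/ HTTP/1.1\r\n\r\n"),
    (443, CLIENT_HELLO),
    (8443, CLIENT_HELLO),
    (80, CLIENT_HELLO),
    (22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

def run_samples():
    """Apply the rule to every constructed flow: (port, verdict, protocol)."""
    return [(port,) + check_flow(port, data) for port, data in SAMPLES]

if __name__ == "__main__":
    for port, verdict, proto in run_samples():
        print(f"port {port:<5} {proto:<8} {verdict}")
```

Classifying by payload rather than by port is what lets the rule catch a web proxy listening on an arbitrary port, and SSL sent to port 80.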
Choose the TFRS that matches how you would like to filter HTTPS traffic. Once you have
selected a TFRS with SSL Filter, you can select options under the HTTPS/SSL Filtering tab.
This section details only the options for SSL Certificate-Based Filtering. Click the
HTTPS/SSL Filtering tab and select the radio button for Enable SSL Certificate-Based
Content Filtering. You can also select the check boxes for Enable “Denied Access” page and
Only Allow for Trusted Certificate Authorities and Non-expired Certificates, and enter any
URLs in the Filter Exemption List. Once you have made your changes, don’t forget to save
them.
Once the IUR has been saved, make sure that the new rules are being applied to the group
under the Policy Manager. You can review how to do this under Chapter 5: Managing
Optinet.
You have now finished creating an Internet Usage Rule that will filter certificates for HTTPS
Web sites and assigned it to the corresponding group. You can follow the previously
mentioned steps to assign additional IURs that will filter certificates for HTTPS Web sites or
groups as well.
The Optinet Digital Certificate
For Optinet to fully scan HTTPS Web sites, the device needs to inspect the data traversing
the SSL connection between the user and the Web site. Consequently, deploying a
third-party certificate to act as the “middle man” between the user and the secure Web site is
the most effective method to allow the secure connection while examining the content.
By deploying a third-party certificate from Optinet to the user, a secure connection between
the two is established. Optinet then opens a separate secure connection between itself and
the secure Web site or server. In this fashion, Optinet acts as an SSL proxy, allowing the
two connections to be fully inspected without dropping the connection (see the following
diagram).
Figure 8.1 Optinet Certificate