Following this setup:
- All traffic is blocked.
- Only certain websites are allowed through access lists.
- It checks both HTTP and HTTPS traffic.
- For all allowed websites, it bypasses ‘MAN IN THE MIDDLE’ and passes the original SSL session through via the SSL rules.
You are facing issues with the SSL implementation:
You have created a self-signed certificate and configured SSL as per the guidelines.
You have also downloaded the generated certificate and installed it on the client computer under ‘Trusted Root Certificate Authorities’. You still get a certificate error when the client PC tries to surf any blocked website.
This is what happens:
- The client tries to visit any blocked SSL site, e.g. https://www.youtube.com
- The client gets the ‘certificate warning’.
- When the client clicks on allow:
  - In IE, it shows the ‘RED Error Page’.
  - In Google Chrome, it stays on the error page, explaining that the certificate is not trusted.
This error is normal: when the request is denied, the proxy forwards the connection to the proxy box's own web server, which serves the deny page over SSL, so the browser validates that server's certificate against the URL it was sent to.
The deny SSL web page must be configured with the following parameters:
- The URL must point to the domain defined in the certificate; if you created a self-signed certificate and imported it into the browsers, you can keep the same URL.
- You have to select, on the Web SSL error page, the same certificate that the proxy uses.
- On the top menu, click on the Your Proxy button.
- Choose the link “Banned page service”.
- You will be redirected to the Banned page service main configuration.
- Scroll down to the end of this section.
- Modify the desired hostname value. It should be an IP address or a fully qualified host name.
- Choose the certificate used by the proxy in the “Certificate” drop-down list.
- Click on the Apply button.
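As an added diagnostic (not part of the original guide or the proxy product), the following Python script checks the two conditions above from a client: that the deny page presents a certificate chained to the proxy CA you installed, and that the hostname entered in the Banned page service (IP address or FQDN) is actually named in that certificate. The hostname, port and CA file path used are assumptions, and the sample certificate dict is constructed.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the format returned by ssl.SSLSocket.getpeercert():
# a proxy certificate that names one FQDN and one IP address.
SAMPLE_PROXY_CERT = {
    "subject": ((("commonName", "proxy.example.lan"),),),
    "subjectAltName": (("DNS", "proxy.example.lan"), ("IP Address", "192.168.1.10")),
}

def name_matches(san_name, hostname):
    """Exact (case-insensitive) match or a single-label wildcard like *.example.lan."""
    san_name, hostname = san_name.lower(), hostname.lower()
    if san_name.startswith("*."):
        return (hostname.count(".") == san_name.count(".")
                and hostname.endswith(san_name[1:]))
    return san_name == hostname

def cert_matches_hostname(peercert, hostname):
    """Return (ok, reason): would a browser accept peercert for hostname? SAN only, CN ignored."""
    sans = peercert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP hostname only matches an "IP Address" SAN, never a DNS name.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip:
                return True, f"IP Address SAN {value} matches {hostname}"
        return False, f"no IP Address SAN for {hostname}; SANs present: {sans}"
    for kind, value in sans:
        if kind == "DNS" and name_matches(value, hostname):
            return True, f"DNS SAN {value} matches {hostname}"
    return False, f"no DNS SAN matches {hostname}; SANs present: {sans}"

def fetch_peercert(host, port=443, cafile="proxy-ca.pem"):
    """Connect to the deny-page server and return its parsed certificate, verified
    against the exported proxy CA only (cafile is an assumed path)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # report the name mismatch instead of aborting
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Assumed values: the hostname entered in "Banned page service" and the CA file.
    cert = fetch_peercert("proxy.example.lan", 443, "proxy-ca.pem")
    print(cert_matches_hostname(cert, "proxy.example.lan"))
```

A chain that does not validate against the proxy CA raises ssl.SSLCertVerificationError in fetch_peercert, and a False result carries the names the certificate actually contains, which is usually the value to copy into the hostname field.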