Sites that require tunneling with Websense Content Gateway
- Article Number: 000001579
- Products: Web Security Gateway, Web Security Gateway Anywhere
- Version: 7.7, 7.6, 7.5, 7.1, 7.0, 1.2, 1.1
- Last Published Date: November 07, 2015
Notes & Warnings
I have SSL decryption enabled in Websense Content Gateway. I cannot receive Firefox updates and activate Microsoft Windows. What can I do to access these sites?
Firefox updates must be tunneled
The Firefox update host aus2.mozilla.org must be tunneled in order to work when SSL decryption is enabled. This is because the Firefox browser will not trust a proxy CA cert for this site, even if that cert is in its trusted root cert store. It requires that connections to the update server be signed and encrypted using the actual aus2.mozilla.org cert chain.
Microsoft Windows activations must be tunneled
The Microsoft Windows Server 2008 activation server activation.sls.microsoft.com must be tunneled in order to work with SSL decryption enabled. This is because Windows will not trust a proxy CA cert for this site, even if that cert is in its trusted root cert store. It requires that connections to the activation server be signed and encrypted using the actual activation.sls.microsoft.com cert chain.
Adding a Website to Tunnel, Allow, or Blacklist a Site
The administrator can define sites to allow, blacklist, or tunnel by using the “Add Website” menu under WCG > Configure > SSL > Incidents > Add Website. This option can be used if you receive reports of trouble with site access even though the HTTPS module is not validating certificates.
At times a site does not generate an incident, or certificate validation is not enabled, yet site access is still impeded by the HTTPS module.
If you have problems accessing an HTTPS site, and the administrator trusts the site and believes tunneling it will have no ill effect, you can add the site to the incident list as a tunneled site.
There are two options available for every action. The site can be added by certificate or URL and set to allow, tunnel, or blacklist. If the site access does not improve by adding the incident by certificate, delete the incident and try adding the incident by URL. Often, adding the site by URL will provide access.
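To confirm that a tunnel entry took effect, the following check (an added example, not part of the original article or of Websense tooling) reads the issuer of the certificate that a client behind the gateway receives: a certificate issued by the proxy CA means the connection is still being decrypted. `PROXY_CA_CN` is a placeholder for your decryption CA's name, and the script assumes a transparent deployment in which the client connects directly rather than through an explicit proxy setting.

```python
import socket
import ssl

# Assumption: common name of the gateway's SSL decryption CA (placeholder).
PROXY_CA_CN = "Example Proxy CA"
# Hosts named in this article that must be tunneled.
TUNNEL_HOSTS = ["aus2.mozilla.org", "activation.sls.microsoft.com"]


def issuer_fields(cert):
    """Flatten the issuer RDNs from ssl getpeercert() into a dict."""
    return {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}


def classify(cert, proxy_ca_cn=PROXY_CA_CN):
    """Return 'decrypted' if the leaf was issued by the proxy CA, else 'tunneled'."""
    if not cert:
        return "unknown"  # no validated certificate was returned
    issuer = issuer_fields(cert)
    names = (issuer.get("commonName", ""), issuer.get("organizationName", ""))
    if any(proxy_ca_cn.lower() == n.lower() for n in names):
        return "decrypted"
    return "tunneled"


def fetch_cert(host, port=443, proxy_ca_file=None, timeout=10):
    """Connect from a client behind the gateway and return the validated leaf cert."""
    ctx = ssl.create_default_context()
    if proxy_ca_file:  # trust the proxy CA so a re-signed cert still validates
        ctx.load_verify_locations(cafile=proxy_ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(hosts=TUNNEL_HOSTS, proxy_ca_file=None):
    """Map each host to 'tunneled', 'decrypted', or an error string."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(fetch_cert(host, proxy_ca_file=proxy_ca_file))
        except (ssl.SSLError, OSError) as exc:
            results[host] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for host, state in audit().items():
        print(f"{host}: {state}")
```

Run it from a workstation whose traffic passes through the gateway; pass the exported proxy CA file as `proxy_ca_file` if that CA is not in the system trust store used by Python.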