3.16. Configure and test selective decryption by URL category

This test will demonstrate that traffic to selected URL categories (Financial and Medical) is no longer decrypted: SSL Orchestrator bypasses those flows, so the client sees the origin server's own certificate instead of one forged by the SSL Orchestrator CA.

3.16.1. Enable SSL bypass

  • Return to SSL Orchestrator Guided Configuration.
  • Click on the sslo_demoL3 topology.
  • In the configuration summary, find the row labeled Security Policy, click on the pencil at the far right.

Here, you will create an additional rule for the "Financial Data and Services" and "Health and Medicine" URL categories.

../../_images/module1-301.png
  • Click Add to create a new rule.

  • Name - provide a unique name for the rule (ex. "urlf_bypass").

  • Conditions - Select Category Lookup (All) from the drop-down list and then add the Financial Data and Services and Health and Medicine URL categories. Start typing the category name to narrow the list.

    Note

    The Category Lookup (All) condition provides categorization for TLS SNI, HTTP Connect and HTTP Host information.

  • Action - select Allow.

  • SSL Forward Proxy Action - select Bypass.

  • Service Chain - select the ssloSC_all_services service chain.

  • Click OK.

    ../../_images/urlf-bypass.png
Rule list after URL-based selective decryption
../../_images/module1-281.png
  • Click Save & Next.
  • Wait a few seconds; the yellow banner shown below appears at the very top of the Interception Rule settings.
../../_images/module1-221.png
  • Click Deploy.

3.16.2. Financial and medical site test

  • Return to your Ubuntu client RDP session.
  • Open Chromium web browser on the outbound client system and navigate to https://bcbs.com.
  • Once the site opens in the browser, check the server certificate of the site.
../../_images/module1-271.png

Notice that the certificate is now issued by a public CA rather than by the SSL Orchestrator forging CA. This means the traffic was not decrypted: the site belongs to the Health and Medicine URL category, the bypass rule matched it, and SSL Orchestrator passed the origin server's certificate through unchanged instead of re-signing it.

  • Try the same test for https://wellsfargo.com. This certificate should also be signed by a public CA, and therefore not decrypted, as it belongs to the Financial Data and Services URL category.
../../_images/module1-261.png

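Clicking through the browser's certificate viewer works for two sites, but it does not scale and it is easy to misread a chain. The following Python script is an added example for this lab (it is not part of SSL Orchestrator or of this guide) that performs the same check from the client: it opens a TLS connection with SNI, reads the issuer of the certificate actually presented, and reports whether the flow was intercepted (issuer is the SSL Orchestrator forging CA) or bypassed (issuer is a public CA). The forging-CA common name `SSLO_CA_CN` and the `cafile` path are assumptions; set them to the CN and the exported PEM of the CA certificate you installed on the client. The two certificate dicts are constructed samples in the format `ssl.SSLSocket.getpeercert()` returns.

```python
"""Client-side check: is a TLS flow decrypted by SSL Orchestrator or bypassed?

Added example for this lab, not SSL Orchestrator code. Assumptions:
  - SSLO_CA_CN is the subject CN of the forging CA installed on the client.
  - cafile (optional) points at that CA's PEM so intercepted flows verify too.
"""
import socket
import ssl

# Assumption: CN of the SSL Orchestrator forging CA (placeholder value).
SSLO_CA_CN = "sslo-forging-ca"


def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert()-style dict, or None.

    getpeercert() represents the issuer as a tuple of RDNs, each RDN being a
    tuple of (attribute, value) pairs, e.g.
    ((('countryName', 'US'),), (('commonName', 'Some CA'),)).
    """
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def decryption_status(cert, sslo_ca_cn=SSLO_CA_CN):
    """Classify the presented certificate.

    'intercepted': issued by the SSL Orchestrator forging CA (flow decrypted)
    'bypassed':    issued by some other CA (flow passed through untouched)
    'unknown':     no issuer available (e.g. an empty dict from an unverified
                   connection, which getpeercert() returns with CERT_NONE)
    """
    cn = issuer_cn(cert)
    if cn is None:
        return "unknown"
    return "intercepted" if cn == sslo_ca_cn else "bypassed"


def fetch_peer_cert(host, port=443, cafile=None, timeout=5):
    """Connect with SNI and return the peer certificate as a dict.

    Verification stays on: getpeercert() only returns a populated dict for a
    validated chain. Intercepted flows therefore need the forging CA added via
    cafile, otherwise the handshake raises SSLCertVerificationError, which is
    itself a sign the flow was decrypted.
    """
    ctx = ssl.create_default_context()
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # trust the SSLO CA as well
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() format (not captured from the lab).
BYPASSED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA R3"),),
    ),
}
INTERCEPTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", SSLO_CA_CN),),),
}


def check_hosts(hosts, cafile=None):
    """Live check of each host; returns {host: status}."""
    results = {}
    for host in hosts:
        try:
            results[host] = decryption_status(fetch_peer_cert(host, cafile=cafile))
        except ssl.SSLCertVerificationError:
            # Chain did not validate against the system store plus cafile:
            # most likely a forged cert whose CA is not trusted by Python.
            results[host] = "intercepted (untrusted issuer)"
    return results


if __name__ == "__main__":
    # The two bypassed sites from this test; both should report 'bypassed'.
    for host, status in check_hosts(["bcbs.com", "wellsfargo.com"]).items():
        print(f"{host}: {status}")
```

Run it from the Ubuntu client after deploying the policy; the two bypassed sites should print `bypassed`. Pass `cafile="/path/to/sslo-ca.pem"` to `check_hosts` (an assumed path) if you also want to confirm that a site outside those categories reports `intercepted` rather than failing verification.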

In the next section, you will review the SSL Orchestrator Dashboard.