Allow Users to Handle Issues with Server Certificates
You can configure HTTPS scanning on Secure Web Gateway to let users decide for themselves how to handle issues with server certificates. When you do, the rules you have set up to deal with these issues are not applied.
For example, your rules might block a user's request for web access when an issue with a server certificate has occurred and send a notification to the user's browser.
When this feature is enabled, the server certificate that caused an issue is revoked on Secure Web Gateway. The trusted Certificate Authority (CA) and the revocation status of the server certificate are shown in the user's browser, giving the user the information needed to decide how to handle the issue.
The user might, for example, choose not to use this certificate and provide the clients with a new certificate instead.
Proceed as follows.
- On the user interface for Secure Web Gateway, select Policy > Web Policy > Policy.
- From the policy tree, select HTTPS Scanning > Certificate Verification.
- Under Native Browser CA, select Enable Native Browser with native certificate handling.
When this feature is enabled, the server and client connections are bound together, so one cannot persist longer than the other. This prevents Secure Web Gateway from reconnecting to the server if the server connection closes while the client connection still persists, in which case the server would send a new certificate.
When web traffic is processed in the embedded objects cycle, several instances of Secure Web Gateway are usually involved, performing load balancing. These instances connect to different servers, which send different certificates. Users cannot handle issues with these certificates.
The feature cannot be enabled for isolated sessions that have been set up in Remote Browser Isolation (RBI) mode.