Background:

SSL inspection is required for WinGate to access HTTPS traffic for AV scanning, caching and web access rules.  Some sites will validate the entire certificate chain and break the connection when it is inspected.  These sites will need to be exempted from SSL inspection via policy.

Task:

Create a policy to exempt sites from SSL Inspection

Steps:

 1. Create a new policy at Control Panel::Policy, for Any HTTP proxy, ConnectRequest event. Name the policy and enter a description if required.

2. Build the policy:

• Drag the WWW Proxy Server:ConnectRequest event onto the workspace
• Drag a Data boolean check onto the workspace. Enter Enable SSL inspection exemption policy into the Check boolean field. Name the element "Enable SSL inspection exemption policy?". Connect to the ConnectRequest event.
• Drag a result to the No output of the boolean check and set the result to allow. Connect to the "Enable SSL inspection exemption policy?" element.
• Drag a data list lookup onto the workspace.  Enter or select {{Request.Server}} into the "Check that the value of" field, enter No SSL Inspection sites into the "Is contained in" field.  Name the element "Is excepted site?". Connect to "Enable SSL inspection exemption policy?".
• Drag an expression evaluator onto the workspace. Enter or select Session.EnableSSLInspection = "false". Uncheck "resolve expression into true/false result". Name the element "Disable SSL Inspection". Connect to the Yes output of "Is excepted site?".
• Drag an expression evaluator onto the workspace. Enter or select Session.SetData("SSL_Inspection", Session.EnableSSLInspection), uncheck "resolve expression into true/false result". Name the element "Store SSL inspection state".  Connect to the Yes output of the Disable SSL Inspection element and the No output of the Is excepted site element

 Further tasks:

This policy will automatically create the boolean "Enable SSL inspection exemption policy" and the data list "No SSL Inspection sites" in Control Panel::Data::Global Data.  The boolean can be used to create a button on a dashboard to quickly bypass the policy.  The list of sites will need to be populated. Note that only the server part of the request will be added to the list, e.g. wingate.com, a URL will not be read. e.g. https://www.wingate.com/purchase/wingate/purchase.php.

This policy allows the SSL inspection state to be logged, this must be added manually to the WWW Proxy Usage log.  For information on adding this field to the log file, see this kb article.