Most applications encrypt outgoing connections with SSL or TLS. SSL Inspection transparently decrypts and re-encrypts HTTPS traffic to allow Application Control features (such as the Virus Scanner, IPS, URL Filter, or Safe Search) to inspect the content of SSL-encrypted connections that would otherwise not be visible to the Firewall service. Before configuring SSL Inspection, you must install the SSL Inspection security certificate (root certificate). The root certificate is used to intercept, proxy, and inspect the HTTP/S session. The Barracuda NextGen Firewall X-Series can then inspect the HTTPS connections by presenting the client with an SSL certificate that is derived from this root CA.
Before You Begin
- Create or upload the SSL Inspection root certificate in the Certificate Manager. You must use a CA certificate (Certificate Authority). For more information, see How to Use and Manage Certificates with the Certificate Manager.
Step 1. Enable SSL Inspection
Enable SSL Inspection and prepare the root certificate for client download.
- Go to FIREWALL > Settings.
- In the SSL Inspection section, select the Enable SSL Inspection checkbox.
- Select the uploaded root certificate from the Select Certificate dropdown list.
- Select Enable Browser Certificate Download.
- Select Allow SSLv3 if you must support clients that use SSLv3 only.
- In the Domain Exemptions section, add domains that should be excluded from SSL Inspection:
  - Enter the domain name and click +.
- In the URL Category Exemptions section, add website categories that should not be SSL-inspected.
- To automatically check for revoked CA certificates:
  - Click Show Advanced Options.
  - Select the Enable CRL checks checkbox.
  - In the CRL validation fail behavior section, select the action to be taken if the CRL check fails.
  - In the Additional Certificates section, add additional trusted CA certificates. These certificates are deemed valid even if the CRL check fails.
- Click Save.
Step 2. Install the SSL Inspection Root Certificate on all Clients
Download and install the security certificate on all clients. To prevent browser warnings and allow transparent SSL Inspection, install the certificate into the operating system's or web browser's certificate store.
On every client computer:
- Go to:
  https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=cer
  OR
  https://IP_OF_YOUR_BARRACUDA_FIREWALL:443/cgi-mod/cert_dl.cgi?get_ssl_insp_cert=pem
- Download the certificate to the client computer.
- Double-click the certificate to import it.
- Click Install Certificate.
- Select Local Machine as the certificate Store Location, and click Next.
- Select the path where the certificate is to be saved (recommended: default), and click Next.
- Check the installation settings and click Finish.
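Before You Begin requires a CA certificate, and Step 2 makes that certificate a trusted root on every client, so it is worth vetting the downloaded file before importing it. The script below is an added example, not Barracuda code: it uses the openssl command line to confirm that the file is a CA certificate and that its SHA-256 fingerprint matches a value recorded out of band. The function names, the recorded fingerprint and the sample certificates are assumptions constructed for illustration.

```bash
# Added example, not vendor code: vet the downloaded SSL Inspection root
# certificate before trusting it. Function names are hypothetical.

# Emit the certificate as PEM, accepting a PEM or a DER-encoded download.
read_cert() {
  openssl x509 -in "$1" -inform PEM 2>/dev/null ||
    openssl x509 -in "$1" -inform DER 2>/dev/null
}

# SHA-256 fingerprint as uppercase hex without separators (empty if unparsable).
cert_sha256() {
  read_cert "$1" | openssl x509 -noout -fingerprint -sha256 2>/dev/null |
    sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# check_inspection_ca FILE EXPECTED_SHA256
# EXPECTED is assumed to be a fingerprint the administrator recorded out of band.
check_inspection_ca() {
  want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
  got=$(cert_sha256 "$1")
  [ -n "$got" ] || { echo "FAIL: not an X.509 certificate"; return 2; }
  read_cert "$1" | openssl x509 -noout -text |
    grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' ||
    { echo "FAIL: basicConstraints is not CA:TRUE"; return 3; }
  [ "$got" = "$want" ] || { echo "FAIL: fingerprint mismatch, got $got"; return 4; }
  echo "OK: CA certificate, SHA-256 $got"
}

# Constructed sample input: self-signed certificate FILE with CA:TRUE or CA:FALSE.
make_sample_cert() {
  cfg=$(mktemp)
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=ext' \
    '[dn]' 'CN=Constructed Inspection Root' \
    '[ext]' "basicConstraints=critical,CA:$2" > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$cfg.key" -out "$1" \
    -days 1 -config "$cfg" 2>/dev/null
  rm -f "$cfg" "$cfg.key"
}

# Demo on constructed certificates: one accepted, two rejected.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/root.pem" TRUE
make_sample_cert "$demo_dir/leaf.pem" FALSE
check_inspection_ca "$demo_dir/root.pem" "$(cert_sha256 "$demo_dir/root.pem")"
check_inspection_ca "$demo_dir/leaf.pem" "$(cert_sha256 "$demo_dir/leaf.pem")" || true
check_inspection_ca "$demo_dir/root.pem" "00" || true
```

In real use, pass the file downloaded in Step 2 and the recorded fingerprint to `check_inspection_ca`, and import the certificate only when it reports OK.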
Step 3. Enable SSL Inspection in Access Rules
SSL Inspection can now be enabled on a per-access-rule basis. To use SSL Inspection, you must also enable Application Control. For more information, see Firewall Rules.