Configure SSL Inspection for Barracuda Web Security Gateway 310
- Log in to the Barracuda Web Security Gateway web interface and go to the BLOCK/ACCEPT > Configuration page.
- Set Enable SSL Inspection to Yes.
- Select whether to use the default Barracuda Networks root certificate or create your own self-signed certificate. Barracuda Networks recommends creating your own self-signed certificate. To create one, click Create Certificate and follow instructions.
Click the Download button next to Root Certificates For Browsers, and save the file to the Trusted Root Certificate path. If the certificate is installed to the personal path, it will not work correctly. The certificate must be installed on all remote devices that will be SSL inspected.
Install the certificate file in all client browsers. If you want to enable users to install the certificate in their browsers, see the note above.
SSL Inspection will then apply to YouTube for Schools access and to any SafeSearch selections you make on the BLOCK/ACCEPT > Content Filters page.
Configure SSL Inspection for Barracuda Web Security Gateway 410 and higher
- Log in to the Barracuda Web Security Gateway web interface, and go to the ADVANCED > SSL Inspection page.
- Select the SSL Inspection Method.
Transparent – Use with inline deployments. This inspection method is more resource intensive than the Proxy inspection method. If you have a Barracuda Web Security Gateway Vx virtual appliance, you must select Proxy since the Vx does not support inline deployment .
Barracuda Web Security Gateway 410 and 610 deployed inline: Note that you cannot select specific domains or categories for SSL Inspection in Transparent mode (see step 3 for details). However, SSL Inspection will automatically be applied to Safe Search, Google searches and applications and features you configure on the BLOCK/ACCEPT > Web App Monitor and Web App Control pages.
Barracuda Web Security Gateway 910 and higher: Note that you cannot select specific content filter categories to inspect with this method.Proxy – Use with Forward Proxy deployments. This mode is less resource intensive than the Transparent inspection method. Configure all client web browsers with the IP address of the Barracuda Web Security Gateway as their forward proxy server. Select this method if you have a Barracuda Web Security Gateway Vx virtual appliance . With the Barracuda Web Security Gateway 410 and 610, you can select specific domains and categories for SSL Inspection (see step 3 for details). If you are using the Chrome browser, also see How to Configure SSL Inspection for Google Chrome Browser.
Off – Disable SSL Inspection of HTTPS traffic. This means that the Barracuda Web Security Gateway will not decrypt HTTPS traffic at the URL level. You will be able to block/allow HTTPS domains, but you will not be able to archive actions users take on social media sites such as Facebook chat content, logins on Twitter or Yahoo!, etc. as defined on the BLOCK/ACCEPT > Web App Monitor page.
Optionally enter specific domains or content filter categories to SSL inspect. In most use cases, no further configuration is necessary for the Barracuda Web Security Gateway to SSL inspect sites and applications you specify on the BLOCK/ACCEPT > Web App Control page and the BLOCK/ACCEPT > Web App Monitor page.
Because enabling SSL Inspection increases the load on system resources, you should only specify inspection domains and/or content filter categories that meet the needs of your organization. With the Barracuda Web Security Gateway 410 and 610 using Transparent Mode, you cannot select domains and categories to inspect.
If you do need to specify domains or categories on the ADVANCED > SSL Inspection page:Inspected Domains – Enter up to 5 domain names that you want inspected and filtered at the URL level. You will see the entire HTTPS URL in reports for these domains.
Content Filter Categories – Using the Add and Remove buttons, from the Categories List, you can add or remove content filter categories to/from the list of categories that you want to be inspected. You must use the Proxy inspection method to inspect categories.
- Required: Create a self-signed SSL certificate and install it in client browsers. Click Create Certificate and follow instructions.
- Click the Download button next to Root Certificates For Browsers, and save the file to the Trusted Root Certificate path. If the certificate is installed to the personal path, it will not work correctly. The certificate must be installed on all remote devices that will be SSL inspected. For details, see How to Create and Install a Self-Signed Certificate for SSL Inspection.
SSL Inspection Modes by Model With Version 10 and Above
Table 1.
Model Comparison | 310 | 410 | 410 Vx | 610 | 610 Vx | 810 | 910 | 1010 / 1011 |
Proxy Mode | X | X | X | X | X | X | X | |
Add up to 5 domains | X | - | X | X | X(3) | X | X | |
Add categories | X | - | X | X | X | X | X | |
Transparent Mode | X(1) | X(1) | X(1) | X(1) | X(2) | X (2) | X(2) | |
Add up to 5 domains | - | - | - | - | X | X | X | |
Add categories | - | - | - | - | - | - | - | |
Remote Filtering Tab (WSA) | X | X | X | X | X | X | X | |
SafeSearch | X(3) | X | X | X | X | X | X | X |
Web Application Control | X(3) | - | X | X | X | X | X | |
Web Application Monitoring | X(3) | - | X | X | X | X | X | |
Notes: (1) In Transparent mode, you cannot configure domains or categories. If you currently use Proxy inspection and are switching to Transparent inspection, any domains or categories you have specified for SSL Inspection are disabled. If you switch back to Proxy inspection, domains and categories are restored. (2) In Transparent mode, you can configure domains, not categories. Test SSL Inspection with a few domains to ensure system performance is satisfactory. If you currently use Proxy inspection and are switching to Transparent inspection, any categories you have specified for SSL Inspection are disabled. If you switch back to Proxy inspection, categories are restored. To prevent system overload, after switching to Transparent inspection, you cannot add more domains. (3) Available with version 10.0 The Barracuda Web Security Gateway 310 Vx does NOT support SSL Inspection, and the 610 Vx supports only Proxy Mode inspection, including adding domains and categories. |
Using SSL Inspection With the Barracuda Web Security Agent
If you have remote users with Macs or Windows laptops outside the network running the Barracuda Web Security Agent (WSA) with the Barracuda Web Security Gateway, you can configure the Barracuda Web Security Gateway to SSL Inspect HTTPS traffic. See SSL Inspection With the Barracuda Web Security Agent.