SSL Inspection is a resource intensive feature which is supported by the Barracuda Web Security Gateway as follows:
- 410 and above, running version 7.1 and above. After enabling SSL Inspection, all applications you select on the BLOCK/ACCEPT > Web App Control and Web App Monitor pages are automatically subject to SSL Inspection.
- 310 and above, running version 10.0 and above.
For background information about this feature, see Using SSL Inspection With the Barracuda Web Security Gateway. If you are using the Google Chrome browser, after reading this article, see How to Configure SSL Inspection for Google Chrome Browser to prevent certificate errors that users might encounter.
Work Flow to Enable and Configure SSL Inspection
If you have a Barracuda Web Security Gateway 410, simply enable SSL Inspection on the BLOCK/ACCEPT > Configuration page, then download the Barracuda root certificate from the page as shown in Figure 1. The certificate needs to be installed on all remote devices that will be inspected. As an administrator you may have methods of pushing the certificate to managed remote devices. For unmanaged devices, you may want to enable users to install the certificate in their browsers themselves. In this case you will need to provide them access to the certificate file. You can do so by emailing the certificate, or posting it on an internal network share, or posting it on a public or private web server. SSL Inspection will then be applied to any Safe Search selections you make on the BLOCK/ACCEPT > Content Filter page. To further restrict YouTube content, see How to Restrict YouTube Content On Your Network.
Figure 1: Download a secure certificate for browsers from the BLOCK/ACCEPT > Configuration page
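Whichever channel carries the root certificate to users (email, network share or web server), the file a user installs can be checked against a SHA-256 fingerprint that the administrator publishes separately. The Python check below is an added example, not Barracuda tooling or code from this article; the function names and the sample PEM are constructed for illustration, and the published fingerprint is assumed to reach users over a different channel than the file itself.

```python
import base64
import hashlib
import hmac
import re

# Matches each certificate in a PEM file; a download may hold more than one.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def cert_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (lowercase hex) of every certificate found."""
    prints = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def normalize(fp):
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex and return lowercase hex."""
    cleaned = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", cleaned):
        raise ValueError("not a SHA-256 fingerprint")
    return cleaned


def matches_published(pem_text, published_fp):
    """True only if the file holds exactly one certificate and it matches."""
    prints = cert_fingerprints(pem_text)
    if len(prints) != 1:
        return False  # empty file, or extra certificates bundled in
    return hmac.compare_digest(prints[0], normalize(published_fp))


# Constructed sample: the payload is placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    published = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
    print(matches_published(SAMPLE_PEM, published))
```

A file that contains more than one certificate is rejected rather than partially matched, so an extra root appended to the download does not pass the check.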
If you have a Barracuda Web Security Gateway 610 or higher, follow these steps:
- Go to the ADVANCED > SSL Inspection page and set SSL Inspection Method to one of the following:
Transparent – This inspection method is more resource intensive than the Proxy inspection method. This method works with inline deployments, where the Proxy method does not. If you have a Barracuda Web Security Gateway Vx virtual appliance, you must select Proxy since the Vx does not support inline deployment.
Barracuda Web Security Gateway 610 and 810 deployed inline: Note that you cannot specify domains or categories for SSL Inspection in Transparent mode. However, SSL Inspection will automatically be applied to Safe Search, Google searches and applications and features you configure on the BLOCK/ACCEPT > Web App Monitor and Web App Control pages.
Barracuda Web Security Gateway 910 and higher: Note that you cannot inspect content filter categories with this method - just domains that you specify.
Proxy – This method works with Forward Proxy deployments only and is less resource intensive than the Transparent inspection method. Configure all client web browsers with the IP address of the Barracuda Web Security Gateway as their forward proxy server. Select this method if you have a Barracuda Web Security Gateway Vx virtual appliance. With the Barracuda Web Security Gateway 610 and 810, you can select domains and categories for SSL Inspection. If you are using the Chrome browser, also see How to Configure SSL Inspection for Google Chrome Browser.
Off – Disable SSL Inspection of HTTPS traffic. This means that the Barracuda Web Security Gateway will not decrypt HTTPS traffic at the URL level. You will be able to block/allow HTTPS domains, but you will not be able to archive actions users take on social media sites such as Facebook chat content, logins on Twitter or Yahoo!, etc. as defined on the BLOCK/ACCEPT > Web App Monitor page.
- Specify domains and content filter categories where you want to apply SSL inspection. Because enabling SSL Inspection increases the load on system resources, you should only specify domains and/or content filter categories to inspect that meet the needs of your organization. With the Barracuda Web Security Gateway 610 and 810 using Transparent inspection, you cannot select domains and categories to inspect, as described above. Configure one or both of the following settings for applying SSL Inspection:
Domains to Be Inspected – Enter up to 5 domain names that you want inspected and filtered at the URL level.
Content Filter Categories – Using the Add and Remove buttons, from the Categories List, you can add or remove content filter categories to/from the list of categories that you want inspected. You must use the Proxy inspection method to inspect categories.
Any domains or URL categories not specified on this page will not be subject to SSL Inspection, except for those configured on the BLOCK/ACCEPT > Web App Monitor and Web App Control pages and the Safe Browsing selections you make on the BLOCK/ACCEPT > Content Filter page.
- Select and install an SSL certificate to use with client browsers. Barracuda recommends using the which you can download from the Barracuda Web Security Gateway and install on client browsers. See How to Use the Barracuda Default Certificate for SSL Inspection.
Alternatively, you can create and download your own self-signed certificate from the Barracuda Web Security Gateway and install it in client browsers. This method is simple and you can do everything from the ADVANCED > SSL Inspection page, except for installing the certificate in client browsers. See How to Create and Install a Self-Signed Certificate for SSL Inspection.
SSL Inspection With the Barracuda Web Security Agent (WSA)
If you have remote users outside the network running the Barracuda WSA on their laptops or Macs, you can configure SSL Inspection as follows:
- Enable SSL Inspection on the Barracuda Web Security Gateway as described above.
- Go to the ADVANCED > Remote Filtering page and set Policy Lookup Only Mode to No. This is required when using SSL Inspection because, in Policy Lookup Only mode, web traffic is not routed through the Barracuda Web Security Gateway.
- On the WSA client, sync the settings. To do so manually from the WSA client, click on the agent in the toolbar tray and click Sync.
See Using the Barracuda WSA With the Barracuda Web Security Gateway Version 7.1 and Above for additional information.