We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Security Gateway

How to Configure SSL Inspection Version 8.1 to 9.1

  • Last updated on

SSL Inspection is a resource intensive feature and is configured differently by model as shown in this article. It is extremely important that you run firmware version 8.1.0.005 or above on your Barracuda Web Security Gateway in order to use SSL Inspection safely, if you decide to turn on the feature. For background information, see Using SSL Inspection With the Barracuda Web Security Gateway. If you are using Google Chrome browser, see How to Configure SSL Inspection for Google Chrome Browser to prevent certificate errors users might encounter.

IMPORTANT: If you want to use SSL Inspection with Google consumer apps, see G Suite Control Over HTTPS.

Use the Barracuda Web Security Gateway as a secure intermediary between HTTPS requests and destination web servers to apply granular control to applications and sub applications you want to block or allow. If you only need to block domains and content categories, then you can use the HTTPS Filtering feature instead. See HTTPS Filtering With the Barracuda Web Security Gateway.

Configure SSL Inspection for Barracuda Web Security Gateway 410

  1. Log in to the Barracuda Web Security Gateway web interface and go to the BLOCK/ACCEPT > Configuration page.
  2. Set Enable SSL Inspection to Yes.
  3. Select whether to use the default Barracuda root certificate or create your own self-signed certificate. Barracuda recommends creating your own self-signed certificate. To create one,  click Create Certificate and follow instructions.

    410SSlGenerateCert.jpg
  4. Click the Download button next to Root Certificates For Browsers, and save the file to the Trusted Root Certificate path. If the certificate is installed to the personal path, it will not work correctly. The certificate must be installed on all remote devices that will be SSL inspected.

    As an administrator you may have methods of pushing the certificate to managed remote devices. For unmanaged devices, you may want to enable users to install the certificate in their browsers themselves. In this case you will need to provide them access to the certificate file. You can do so by emailing the certificate, or posting it on an internal network share, or posting it on a public or private web server.

  5. Install the certificate file in all client browsers. If you want to enable users to install the certificate in their browsers, see the note above.

SSL Inspection will then apply to YouTube for Schools access and to any Safe Search selections you make on the BLOCK/ACCEPT > Content Filters page.

Configure SSL Inspection for Barracuda Web Security Gateway 610 and higher

  1. Log in to the Barracuda Web Security Gateway web interface, and go to the ADVANCED > SSL Inspection page.
  2. Select the SSL Inspection Method.
    • Transparent – Use with inline deployments. This inspection method is more resource intensive than the Proxy inspection method. If you have a Barracuda Web Security Gateway Vx virtual appliance, you must select Proxy since the Vx does not support inline deployment .

      CAUTION: This is a resource intensive feature, and Transparent inspection can, under certain configurations, result in a large impact on performance. 

      Barracuda Web Security Gateway 610 and 810 deployed inline: Note that you cannot select specific domains or categories for SSL Inspection in Transparent mode (see step 3 for details). However, SSL Inspection will automatically be applied to Safe Search, Google searches and applications and features you configure on the BLOCK/ACCEPT > Web App Monitor and Web App Control pages.
      Barracuda Web Security Gateway 910 and higher: Note that you cannot select specific content filter categories to inspect with this method.

    • Proxy Use with Forward Proxy deployments. This mode is less resource intensive than the Transparent inspection method. Configure all client web browsers with the IP address of the Barracuda Web Security Gateway as their forward proxy server. Select this method if you have a  Barracuda Web Security Gateway Vx virtual appliance . With the Barracuda Web Security Gateway 610 and 810, you can select specific domains and categories for SSL Inspection (see step 3 for details). If you are using the Chrome browser, also see How to Configure SSL Inspection for Google Chrome Browser.

    • Off Disable SSL Inspection of HTTPS traffic. This means that the Barracuda Web Security Gateway will not decrypt HTTPS traffic at the URL level. You will be able to block/allow HTTPS domains, but you will not be able to archive actions users take on social media sites such as Facebook chat content, logins on Twitter or Yahoo!, etc. as defined on the BLOCK/ACCEPT > Web App Monitor page.

  3. Optionally enter specific domains or content filter categories to SSL inspect. In most use cases, no further configuration is necessary for the Barracuda Web Security Gateway to SSL inspect sites and applications you specify on the BLOCK/ACCEPT > Web App Control page and the BLOCK/ACCEPT > Web App Monitor page.

    You only need to specify specific domains or categories in the Domains or Content Filter Categories sections of the ADVANCED > SSL Inspection page if

    you need to SSL inspect web traffic for a domain that is not associated with any applications on the BLOCK/ACCEPT > Web App Control page.

    Because enabling SSL Inspection increases the load on system resources, you should only specify inspection domains and/or content filter categories that meet the needs of your organization. With the Barracuda Web Security Gateway 610 and 810 using Transparent Mode, you cannot select domains and categories to inspect.

    If you do need to specify domains or categories on the ADVANCED > SSL Inspection page:

    • Inspected Domains – Enter up to 5 domain names that you want inspected and filtered at the URL level. You will see the entire HTTPS URL in reports for these domains.

    • Content Filter Categories – Using the Add and Remove buttons, from the Categories List, you can add or remove content filter categories to/from the list of categories that you want to be inspected. You must use the Proxy inspection method to inspect categories.

  4. Required: Create a self-signed SSL certificate and install it in client browsers. Click Create Certificate and follow instructions.
  5. Click the Download button next to Root Certificates For Browsers, and save the file to the Trusted Root Certificate path. If the certificate is installed to the personal path, it will not work correctly. The certificate must be installed on all remote devices that will be SSL inspected.    For details, see How to Create and Install a Self-Signed Certificate for SSL Inspection.

SSL Inspection Modes by Model

Table 1.

 MODEL COMPARISON

410

410 Vx

610

610 Vx

810

910

1010 / 1011

Proxy Mode

Auto

Auto

X

X

X

X

X

  Add up to 5 domains

-

-

X

X

X

X

X

  Add categories

-

-

X

X

X

X

X

Transparent Mode

Auto

Auto

X(1)

X(1)

X(1)

X (2)

X(2)

  Add up to 5 domains

-

-

-

-

-

X

X

  Add categories

-

-

-

-

-

-

-

Remote Filtering Tab (WSA)XXXXXXX
Safe SearchXXXXXXX
Web Application Control--XXXXX
Web Application Monitoring--XXXXX

Notes:

(1) In Transparent mode, you cannot configure domains or categories. If you currently use Proxy inspection and are switching to Transparent inspection, any domains or categories you have specified for SSL Inspection are DISABLED. If you switch back to Proxy inspection, domains and categories are restored.

(2) In Transparent mode, you can configure domains, not categories. Test SSL Inspection with a few domains to ensure system performance is satisfactory. If you currently use Proxy inspection and are switching to Transparent inspection, any categories you have specified for SSL Inspection are DISABLED. If you switch back to Proxy inspection, categories are restored. To prevent system overload, after switching to Transparent inspection, you cannot add more domains.

Using SSL Inspection With the Barracuda Web Security Agent

If you have remote users with Macs or Windows laptops outside the network running the Barracuda Web Security Agent (WSA) with the Barracuda Web Security Gateway, you can configure the Barracuda Web Security Gateway to SSL Inspect HTTPS traffic. See SSL Inspection With the Barracuda Web Security Agent.

Last updated on