Skyhigh Private Access Gateway uses certificates to set up a trust relationship with your endpoints, allowing the cloud service to scan HTTPS traffic between your endpoints and the cloud.
Skyhigh Security provides these certificate authorities:
- Default certificate authority — We recommend that you download the default CA from the WSGS Setup page and deploy it to the endpoints in your organization. You need this CA to use SAML authentication, and to see error messages that occur before you are authenticated.
- Customer certificate authority — When you log on for the first time, Private Access Gateway generates a customer CA for your organization. You can download and deploy this CA to your endpoints, but for the best protection, we recommend that you replace the generated customer CA with your own CA in the UI.
Managing your customer CA
You can manage your customer CA on the HTTPS Connection feature configuration page, which provides the options below. Whichever option you choose, the CA configured in the UI must also be deployed on your endpoints; otherwise the endpoints will not trust the certificates that the gateway issues when it scans HTTPS traffic.
- Generate — Replaces the customer CA provided by Skyhigh Security with the self-signed CA that you generate.
- Import — Replaces the customer CA provided by Skyhigh Security with the CA that you import.
- Export — Exports the customer CA.
HTTPS Scanning rule sets
The HTTPS Scanning rule sets are processed in order, and the first rule set that matches a request decides how far that request goes. The first rule set allows configured web requests to bypass HTTPS scanning altogether and go directly to the internet. The second rule set specifies the rules used to verify certificates and allows some traffic to skip certificate verification. The third rule set allows configured web requests to skip decryption and content inspection and continue to the next rule set.
- HTTPS Connection Options — This rule set allows web requests sent to the configured domains, hosts, WebEx servers, or Citrix servers to bypass HTTPS scanning and go directly to the internet.
- Certificate Verification — This rule set allows you to configure which rules are applied during the certificate verification process and which web requests can skip the rules and continue to HTTPS decryption.
- HTTPS Decryption — This rule set allows web requests sent to the configured domains, hosts, or URL categories to skip HTTPS decryption and content inspection and continue to the next rule set.
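The following is an added example, not Skyhigh code, that models the ordered evaluation of the three rule sets so you can reason about what a given request will actually receive. The hostnames, domains, and URL categories in the sample policy are constructed, and the assumption that a request failing certificate verification is blocked is ours; the page does not state the failure action. The point the model makes visible is that a host listed in HTTPS Connection Options never reaches certificate verification or decryption, and a host that skips verification still continues to the decryption decision.

```python
"""Model of the ordered HTTPS Scanning rule sets.

Added example (not Skyhigh code). Policy values are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass
class HttpsPolicy:
    # Rule set 1: HTTPS Connection Options (bypass scanning entirely)
    bypass_hosts: set = field(default_factory=set)
    bypass_domains: set = field(default_factory=set)
    # Rule set 2: Certificate Verification (skip verification, continue)
    skip_verify_hosts: set = field(default_factory=set)
    # Rule set 3: HTTPS Decryption (skip decryption and content inspection)
    skip_decrypt_hosts: set = field(default_factory=set)
    skip_decrypt_domains: set = field(default_factory=set)
    skip_decrypt_categories: set = field(default_factory=set)


def _in_domain(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def evaluate(policy, host, category, cert_valid):
    """Return (decision, trace) for one HTTPS request.

    decision is one of 'bypass', 'blocked', 'tunnel', 'inspect'.
    cert_valid is the outcome certificate verification would produce
    if it is applied to this request.
    """
    trace = []

    # Rule set 1: HTTPS Connection Options. A match ends processing here.
    if host in policy.bypass_hosts or _in_domain(host, policy.bypass_domains):
        trace.append("HTTPS Connection Options: match -> direct to internet")
        return "bypass", trace
    trace.append("HTTPS Connection Options: no match")

    # Rule set 2: Certificate Verification.
    if host in policy.skip_verify_hosts:
        trace.append("Certificate Verification: skipped")
    elif not cert_valid:
        # Assumption: a failed verification blocks the request.
        trace.append("Certificate Verification: failed -> blocked")
        return "blocked", trace
    else:
        trace.append("Certificate Verification: passed")

    # Rule set 3: HTTPS Decryption.
    if (host in policy.skip_decrypt_hosts
            or _in_domain(host, policy.skip_decrypt_domains)
            or category in policy.skip_decrypt_categories):
        trace.append("HTTPS Decryption: skipped -> tunnel without inspection")
        return "tunnel", trace
    trace.append("HTTPS Decryption: decrypt -> content inspection")
    return "inspect", trace


def unverified_hosts(policy):
    """Hosts whose server certificate is never checked by the gateway:
    bypassed hosts and hosts that skip verification. Useful as an audit
    list when reviewing the three rule sets together."""
    return sorted(policy.bypass_hosts | policy.skip_verify_hosts)


# Constructed sample policy (hypothetical names).
SAMPLE_POLICY = HttpsPolicy(
    bypass_hosts={"meetings.webex.example"},
    bypass_domains={"citrix.example"},
    skip_verify_hosts={"legacy-intranet.example"},
    skip_decrypt_domains={"bank.example"},
    skip_decrypt_categories={"Health"},
)


if __name__ == "__main__":
    for host, cat, ok in [
        ("app.citrix.example", "Business", False),
        ("legacy-intranet.example", "Business", False),
        ("www.bank.example", "Finance", True),
        ("www.example", "Business", True),
    ]:
        decision, trace = evaluate(SAMPLE_POLICY, host, cat, ok)
        print(host, "->", decision)
        for step in trace:
            print("   ", step)
```

Run it as a script to see the per-request trace; the trace for app.citrix.example shows that an invalid certificate is never examined because rule set 1 matched first, which is exactly why bypass lists deserve the tightest review.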