You can configure HTTPS scanning on Secure Web Gateway so that issues with server certificates are not handled according to the rules you have set up for them, but are instead passed on to the user, who decides how to continue.
For example, your rules might block a user's request for web access when an issue with a server certificate occurs and send an error message to the user's browser.
When this feature is enabled, the server certificate that caused an issue is re-signed on Secure Web Gateway. Information about the trusted certificate authority (CA) and the revocation status of the server certificate is passed on to the user's browser.
The feature cannot be enabled for isolated sessions that have been set up in Remote Browser Isolation (RBI) mode.
For this configuration, you can select an option or import a rule set, depending on the view of the user interface you are working with. If you are not working with the new standard view, complete these steps:
- On the user interface, select Policy > Web Policy > Policy.
- From the policy tree, select HTTPS Scanning > Certificate Verification.
- Under Native Browser CA, select Enable Native Browser with native certificate handling.
To handle an issue with a server certificate, the user might, for example, choose not to use this certificate and provide the clients with a new certificate instead.
When this feature is enabled, the server and client connections are bound together, so one cannot persist longer than the other. This prevents Secure Web Gateway from reconnecting to the server when the server connection closes while the client connection still persists, because on reconnection the server would send a new certificate.
When web traffic is processed in the embedded objects cycle, several instances of Secure Web Gateway are usually involved in load balancing. These instances connect to different servers, which send different certificates, so users cannot handle issues with these certificates.