To secure the connection that a Secure Web Gateway appliance uses to communicate with its clients, certificates are exchanged when a connection is set up: the clients send certificates to the appliance, and the appliance sends certificates to the clients.
Information about whether a certificate has been revoked, which means it is no longer valid, can be retrieved from a server under the Online Certificate Status Protocol (OCSP) or from a server that stores a Certificate Revocation List (CRL).
You can configure the requests that an appliance sends to these servers to retrieve revocation information by specifying domains and other settings.
1. Select Configuration | Appliances.
2. On the appliance tree, select the appliance where you want to configure OCSP and CRL domains, then click Proxies.
3. Under Advanced Settings, configure these options.
- Default ocsp.mwginternal.com/crl.mwginternal.com – When selected, information about revoked certificates is retrieved from the internal default domains ocsp.mwginternal.com for OCSP and crl.mwginternal.com for CRL.
The domain name is then included in the URL that the appliance uses to connect to the OCSP or CRL server.
- Add UUID as prefix to ocsp.mwginternal.com and crl.mwginternal.com – When selected, information about revoked certificates is retrieved from domains with names that have the UUID added as prefix to the default names. Using this option requires that domains with these names exist.
The UUID is an identifier for an individual Secure Web Gateway appliance. Here it is the identifier for the appliance that you configure advanced proxy settings for.
- Custom OCSP and CRL domain – When selected, you can add a prefix of your own to the domain name. Use the textbox below to type this prefix.
- Pass OCSP/CRL request to rule engine – When selected, a request that the appliance sends to an OCSP or CRL server is processed by the rule engine on Secure Web Gateway. Depending on the rules of your web policy, the request is blocked or allowed.
4. Click Save Changes.
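When the Pass OCSP/CRL request to rule engine option is selected, a web policy rule can block the appliance's own revocation lookups, which then surfaces as failed certificate validation for clients. The following Python script is an added example, not Secure Web Gateway code; it scans constructed access-log lines for blocked requests to the default domains (bare, UUID-prefixed or custom-prefixed) and reports which domain option each one used. The space-separated log format, the names SAMPLE_LOG, classify_host, prefix_kind and blocked_revocation_requests, and the assumption that a prefixed name always ends in one of the default domain names are all assumptions of this example.

```python
import re
import uuid
from urllib.parse import urlparse

DEFAULT_DOMAINS = {"ocsp": "ocsp.mwginternal.com", "crl": "crl.mwginternal.com"}

# Constructed sample log lines; the format is an assumption for this example:
# <time> <client-ip> <ALLOWED|BLOCKED> <method> <url> <http-status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.2.3 ALLOWED GET http://ocsp.mwginternal.com/MEIwQDA 200
2024-05-01T10:00:02Z 10.1.2.3 BLOCKED GET http://crl.mwginternal.com/ca.crl 403
2024-05-01T10:00:03Z 10.1.2.4 ALLOWED GET http://www.example.com/ 200
2024-05-01T10:00:04Z 10.1.2.5 BLOCKED POST http://123e4567-e89b-12d3-a456-426614174000.ocsp.mwginternal.com/ 403
2024-05-01T10:00:05Z 10.1.2.6 BLOCKED GET http://custom-ocsp.mwginternal.com/ 403
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOWED|BLOCKED) (\S+) (\S+) (\d{3})$")

def classify_host(host):
    """Return ('ocsp'|'crl', prefix) for a default revocation domain, else None."""
    host = host.lower()
    for kind, base in DEFAULT_DOMAINS.items():
        if host.endswith(base):  # bare, UUID-prefixed or custom-prefixed name
            return kind, host[: -len(base)].rstrip(".")
    return None

def prefix_kind(prefix):
    """Guess which domain option produced the prefix: default, uuid or custom."""
    if not prefix:
        return "default"
    try:
        uuid.UUID(prefix)
        return "uuid"
    except ValueError:
        return "custom"

def blocked_revocation_requests(log_text):
    """One record per OCSP/CRL request that the rule engine blocked."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, action, _method, url, _status = m.groups()
        cls = classify_host(urlparse(url).hostname or "")
        if cls is None or action != "BLOCKED":
            continue
        kind, prefix = cls
        findings.append({"time": ts, "client": client, "type": kind,
                         "option": prefix_kind(prefix), "url": url})
    return findings
```

Run it over a real export of the proxy access log after adapting LINE_RE to that log's field order; any hit means a web policy rule is blocking the appliance's revocation checks.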