This section defines the XML tags used to control NBA SSL Decode.
Contains the tags that control NBA SSL Decode.
Specifies a list of URL domains that are not subject to SSL Decoding. Domains are checked in two ways:
If you have an RFC 2817 HTTP CONNECT proxy that browsers use to connect to secure web sites, and the NBA sits between the clients and the proxy, the NBA checks the destination domain of each CONNECT request. If the domain matches a listed domain, the SSL connection is allowed to proceed without decode.
Connections that do not go through a proxy have their domains checked against the "Subject" (or "Issued to") property of the server's SSL certificate. Because the certificate is only seen once the handshake is under way, the first connection to the domain is closed; subsequent connections to that domain are allowed to proceed without decoding.
Sub-domains are also excluded from decoding. If the excluded domain is "company.com" but the site is "special.company.com", the site is still excluded.
Always set to type="stringListType".
Identifies a single domain name. Use multiple <element> tags to identify multiple domains.
Each <element> supports a single attribute.
Specifies a domain.
Example:
<element value="update.microsoft.com"/>
<element value="activation.sls.microsoft.com"/>
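The following is an added example, not part of the CA documentation or product code: it loads a stringListType domain list and applies the two checks described above (CONNECT target domain, or the certificate Subject CN) with sub-domain matching done on label boundaries. The enclosing tag name "ExcludedDomains" and the Subject string format are assumptions, since the page does not give the real tag name.

```python
import xml.etree.ElementTree as ET

# Constructed configuration fragment. <element value=.../> and
# type="stringListType" are from the documentation; the wrapper tag
# name "ExcludedDomains" is an assumed placeholder.
SAMPLE_CONFIG = """
<ExcludedDomains type="stringListType">
  <element value="update.microsoft.com"/>
  <element value="activation.sls.microsoft.com"/>
  <element value="company.com"/>
</ExcludedDomains>
"""


def load_excluded_domains(xml_text):
    """Return the normalised (lower-case, no trailing dot) domain list."""
    root = ET.fromstring(xml_text)
    if root.get("type") != "stringListType":
        raise ValueError('expected type="stringListType"')
    domains = []
    for el in root.iter("element"):
        value = el.get("value", "").strip().lower().rstrip(".")
        if value:
            domains.append(value)
    return domains


def is_excluded(host, excluded):
    """True if host equals an excluded domain or is a sub-domain of one.

    Matching is done on label boundaries, so "notcompany.com" is NOT
    treated as a sub-domain of the excluded domain "company.com".
    """
    host = host.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in excluded)


def subject_cn(subject):
    """Pull the CN out of a Subject string such as
    'CN=special.company.com, O=Company' (assumed textual format)."""
    for part in subject.split(","):
        name, _, val = part.strip().partition("=")
        if name.strip().upper() == "CN":
            return val.strip()
    return ""


def decision_for_connect(host, excluded):
    """Proxy path: decide from the HTTP CONNECT target domain."""
    return "pass-through" if is_excluded(host, excluded) else "decode"


def decision_for_certificate(subject, excluded):
    """Direct path: decide from the server certificate's Subject CN."""
    cn = subject_cn(subject)
    return "pass-through" if cn and is_excluded(cn, excluded) else "decode"
```

On the direct path the decision can only be made once the certificate has been seen, which is why the documentation says the first connection to an excluded domain is closed.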
(Optional) The server exclusion cache allows unmonitored sessions to SSL servers that will not accept connections from the decoder, for example because the decoder's SSL protocols are unacceptable to the server. The decoder can only determine this after an attempt to connect to the server has been made, so only subsequent connections are permitted. The IP address and port number of the server are cached so that future connections to that server and port are not subject to SSL decode.
If there is a web proxy or some other device between the decoder and the internet that hides the real server's IP address from the internal network, the server exclusion cache cannot be used and must be disabled, because all servers will appear to have the same IP address and a single exclusion would affect all connections.
Always set to type="booleanType".
Defaults to false, disabling this cache.
(Optional) The client exclusion cache allows unmonitored sessions from clients that fail to connect to the decoder. This could be because the client does not have the decoder's master root certificate installed (though some applications do not produce the SSL negotiation error needed to trigger the cache; they simply close the connection after it has been negotiated). The IP addresses of both server and client, as well as the port number of the server, are cached so that future connections from this client to this server are not subjected to SSL decode.
If there is a web proxy or other device between the decoder and the clients that hides the real client IP addresses from the NBA, this cache must be disabled, because all clients will appear to have the same IP address and a single exclusion would affect all clients.
Always set to type="booleanType".
Defaults to false, disabling this cache.
Copyright © 2014 CA.
All rights reserved.