

Activate the Decoder

The SSL decoder is a module within the NBA that decrypts intercepted SSL traffic and then re-encrypts the communication when policy processing is complete. For the SSL decoder to operate, the NBA must be online and in active mode, and network filters in the NBA policy must be set up for packet decryption.

Before you enable SSL decoding

  1. Verify that master certificates from the NBA SSL decoder are distributed to all clients where you want to decode network traffic.

    Use Group Policy or your preferred client administration tool to install the master certificates.

  2. Review the SSL network traffic that you expect to see on the network segment of the NBA.

    The NBA must be configured with details of sessions to include or exclude from decoding. For example, some instant messaging clients cannot be configured to accept the NBA master certificate, so they cannot be decoded and must be excluded.

Activating the SSL decoder

For the SSL decoder to operate, bring the NBA online and verify that it is in active mode, then enable the "Default SSL decryption" network filter using either of the following methods.

Enable SSL decode using the web UI

  1. Select the 'Filters' tab and browse to the 'Network (packet) filters' section.
  2. Select the Enable checkbox for the "Default SSL decryption" filter.
  3. Click 'Apply'.

    The NBA reloads the policy and activates the network filter.

Enable SSL decode using FTP

  1. Edit the file /config/nbapolicy.xml.
  2. Change enabled="false" to enabled="true" on the networkfilter element whose filtername is "Default SSL decryption":
    <networkfilter enabled="true">
        <filtername type="stringType" value="Default SSL decryption"/>
        <ipaddrlist type="stringListType">
            <element value=":80"/>
            <element value=":443"/>
        </ipaddrlist>
        <protocols type="stringListType">
            <element value="tcp"/>
        </protocols>
        <action type="simpleEnumStreamBlock" value="decrypt"/>
        <loglevel type="simpleEnumLogLevel" value="error"/>
    </networkfilter>
    
  3. Save the file.

    The NBA reloads the policy and activates the network filter.
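As an added example (not the product's own tooling), the following Python helper reads an nbapolicy.xml export, reports the state of the "Default SSL decryption" filter, and sets its enabled attribute the same way step 2 above does by hand, so the change can be verified before and after upload. The enclosing nbapolicy root element and the sample file contents are assumptions; only the networkfilter element is taken from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample from the networkfilter element on this page; the <nbapolicy> root is an assumption.
SAMPLE_POLICY = """<nbapolicy>
  <networkfilter enabled="false">
    <filtername type="stringType" value="Default SSL decryption"/>
    <ipaddrlist type="stringListType">
      <element value=":80"/>
      <element value=":443"/>
    </ipaddrlist>
    <protocols type="stringListType">
      <element value="tcp"/>
    </protocols>
    <action type="simpleEnumStreamBlock" value="decrypt"/>
    <loglevel type="simpleEnumLogLevel" value="error"/>
  </networkfilter>
</nbapolicy>"""

FILTER_NAME = "Default SSL decryption"

def find_filter(root, name=FILTER_NAME):
    """Return the <networkfilter> whose <filtername value="..."/> matches name, or None."""
    for nf in root.iter("networkfilter"):
        fn = nf.find("filtername")
        if fn is not None and fn.get("value") == name:
            return nf
    return None

def filter_state(xml_text, name=FILTER_NAME):
    """Report the named filter's enabled flag, address list, protocols and action."""
    nf = find_filter(ET.fromstring(xml_text), name)
    if nf is None:
        return None
    action = nf.find("action")
    return {
        "enabled": nf.get("enabled", "false").strip().lower() == "true",
        "ipaddrlist": [e.get("value") for e in nf.findall("ipaddrlist/element")],
        "protocols": [e.get("value") for e in nf.findall("protocols/element")],
        "action": action.get("value") if action is not None else None,
    }

def set_filter_enabled(xml_text, enabled, name=FILTER_NAME):
    """Set the named filter's enabled attribute and return the policy text; fail if absent."""
    root = ET.fromstring(xml_text)
    nf = find_filter(root, name)
    if nf is None:
        raise ValueError(f"no networkfilter named {name!r} in policy")
    nf.set("enabled", "true" if enabled else "false")
    # ElementTree drops XML comments and the declaration: diff the result before uploading it.
    return ET.tostring(root, encoding="unicode")
```

Run filter_state on the file fetched over FTP to confirm the filter exists, covers :443 and acts as decrypt before flipping it; failing loudly on a missing filter avoids silently uploading an unchanged policy.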

More information:

Active (Inline) Mode