You can also specify exclusions based on DNS names. If an SSL connection is made to a server with a matching domain name, the connection is not decoded.
Default List of Excluded Domains
The NBA is prepopulated with a default list of excluded domains. These domains are the addresses of Windows Update and Activation servers. We recommend that you add antivirus and other infrastructure management connections to this list. Alternatively, add an IP address filter or a port number filter (or both) to exclude these sessions from SSL decoding.
How Are Domains Verified?
If you have an RFC2817 HTTP CONNECT proxy that browsers use to connect to secure web sites, and your NBA appliance is between the clients and the proxy, the NBA appliance identifies the destination domain for each connection. If the domain is excluded, SSL connections to the domain are allowed to proceed without decoding.
For connections that do not go through a proxy, the NBA compares domains against the "Subject" or "Issued to" property of the SSL certificate. The first connection to the domain is closed and subsequent connections are allowed to proceed without decoding.
Subdomains
Subdomains of excluded domains are also excluded. For example, if the excluded domain is "company.com" but the website is "special.company.com", then the subdomain is still excluded.
To exclude domains using the NBA console
To exclude domains by editing nbapolicy.xml
<domainexcludelist type="stringListType">
    <element value="update.microsoft.com"/>
    <element value="download.microsoftupdates.com"/>
    <element value="activation.sls.microsoft.com"/>
    <element value="windowsupdate.microsoft.com"/>
</domainexcludelist>
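The following is an added example, not code from the NBA product, showing how the exclusion rules described above can be modelled: it parses a domainexcludelist fragment like the one from nbapolicy.xml (wrapped in a hypothetical root element and extended with a constructed "company.com" entry), extracts the "Subject" common name from a certificate, and applies subdomain matching on label boundaries. The label-boundary rule, case-insensitive comparison and the simplified subject parsing are assumptions about the appliance's behaviour, not documented facts.

```python
from typing import List, Optional
import xml.etree.ElementTree as ET

# Constructed sample: the domainexcludelist fragment shown above, wrapped in a
# hypothetical <policy> root so it parses stand-alone, plus a constructed entry.
SAMPLE_POLICY = """<policy>
  <domainexcludelist type="stringListType">
    <element value="update.microsoft.com"/>
    <element value="download.microsoftupdates.com"/>
    <element value="activation.sls.microsoft.com"/>
    <element value="windowsupdate.microsoft.com"/>
    <element value="company.com"/>
  </domainexcludelist>
</policy>"""


def load_excluded_domains(policy_xml: str) -> List[str]:
    """Return every element/@value under domainexcludelist, normalised to lower case."""
    root = ET.fromstring(policy_xml)
    domains = []
    for lst in root.iter("domainexcludelist"):
        for el in lst.findall("element"):
            domains.append(el.attrib["value"].strip().lower().rstrip("."))
    return domains


def is_excluded(hostname: str, excluded: List[str]) -> bool:
    """True if hostname equals an excluded domain or is a subdomain of one.
    Matching is on label boundaries (assumption): "special.company.com" matches
    "company.com", but "notcompany.com" and "company.com.evil.test" do not."""
    host = hostname.strip().lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in excluded)


def subject_common_name(subject: str) -> Optional[str]:
    """Pull the CN out of a subject string such as "CN=host, O=Org, C=US".
    Simplified parsing (assumption): escaped commas inside values are not handled."""
    for part in subject.split(","):
        key, _, val = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return val.strip()
    return None


def decision_for_certificate(subject: str, excluded: List[str]) -> str:
    """Non-proxied case from the text: decide from the certificate "Subject"."""
    cn = subject_common_name(subject)
    return "pass-through" if cn and is_excluded(cn, excluded) else "decode"
```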
Copyright © 2014 CA.
All rights reserved.