|
|
|
|
|
|
|
|
Filtering of secure web sites did not exist in iPrism v3.x Transparent-Mode. This ability was added in iPrism v4.x Transparent-Mode. Users upgrading from v3.x to v4.x or users implementing new v4.x appliances should be aware that due to SSL encryption of packets for secure communications, a variety of https issues exist (listed below).
Transparent-Mode installations frequently accessing secured sites are the most affected by the issues listed below. As the iPrism administrator, you do have some choices on HTTPS filtering. You may:
Turn off https (SSL) filtering altogether using a Filter Exception
Implement Proxy-Mode for https traffic only, mitigating the Transparent-Mode issues below
Continue using Transparent-Mode
for https traffic, understanding current behaviors (see below) 
In brief, HTTPS affects iPrism in the following areas:
Reporting: SSL encryption affects the data Transparent-Mode can capture and display via reporting, see:
Why do Reports show IP instead of Username for HTTPS Requests?
Why do Reports NOT show the URL for HTTPS Requests?
You may encounter users having difficulty with https site access in Transparent-Mode. This could be due to session management or an improperly configured custom-filter (see below). In any case, you may use RTM to see https vs. http access attempts. Note that since https URLs are not visible in the reporting system due to encryption, you may want to perform # 2 below on a narrow basis (one machine) for testing purposes.
Using RTM as a Diagnostic Tool
Messaging: it varies between http (non-encrypted traffic) and https (encrypted traffic) for page blocks. Http blocks are identified with 'Access Denied' and https blocks are identified with the messages below. If users accessing https sites are blocked they will get the following:
For Proxy-Mode, see The requested URL could not be retrieved (See HTTPS)
For Transparent-Mode, see Page cannot be Displayed
Sessions: A users first web access should NOT be to a secured web site. This ensures a session where profiling and reporting of HTTPS sites is by username, instead of IP-address, see:
How do I Establish an Authenticated Web Session for HTTPS?
Custom-Filters: Creating an https Custom-Filter for Transparent-Mode networks requires an IP-address instead of hostname for the web site, see:
