NETGEAR STM150EW3-100NAS Switch User Manual


 
ProSecure Web/Email Security Threat Management Appliance STM150 Reference Manual
Customizing Scans 4-21
v1.1, March 2009
Due to the nature of HTTPS scanning and how the certificates are handled, the end user will see
Security Alerts in their web browser as shown in the following figure. This is because the client
(browser) will get a certificate from the STM150 instead of directly from the server.
During SSL authentication, the client authenticates three items:
• Is the certificate trusted?
• Has the certificate expired?
• Does the name on the certificate match that of the Web site?
If one of these is NOT satisfied, a security alert appears in the browser window.
If HTTPS scan is enabled, an alert message appears when a user connected to the STM150 visits
an HTTPS site. Note that this is not a bug in the STM150 – it is a result of HTTPS scanning and
the way SSL works. The STM150-generated certificate has the same name and expiration date as
the original certificate sent by the server. However, since the certificate was generated by the
STM150 and not by a trusted certificate authority, the browser notifies the user that the certificate
is not valid. To prevent these popups, you must add NETGEAR as a trusted root CA in your
browser.
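The three client checks described above can be reproduced with the openssl command line on a constructed lab certificate. This is an added example, not part of the NETGEAR manual: the CA name "Example Inspection CA" and the host www.example.test are made up, and the lab CA only stands in for the appliance's root.

```shell
#!/bin/sh
# Added example: every key, certificate and name here is constructed for a local lab.
set -eu

# Create a stand-in inspection CA and the leaf it would present for host $2,
# writing all files into directory $1.
make_lab() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Inspection CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -days 30 \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/leaf.pem" 2>/dev/null
}

# Run the three client checks on leaf $1 for host $2.
# $3 (optional) is an extra root CA file the client has been told to trust.
client_checks() {
    # Check 1: does the chain end at a trusted root?
    if openssl verify ${3:+-CAfile "$3"} "$1" >/dev/null 2>&1
    then trusted=yes; else trusted=no; fi
    # Check 2: is the certificate still inside its validity period?
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null
    then expired=no; else expired=yes; fi
    # Check 3: does the name match? (the lab leaf has only a CN, which openssl falls back to)
    if openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
    then name=match; else name=mismatch; fi
    echo "trusted=$trusted expired=$expired name=$name"
}

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
make_lab "$LAB" www.example.test
echo "before root import: $(client_checks "$LAB/leaf.pem" www.example.test)"
echo "after root import:  $(client_checks "$LAB/leaf.pem" www.example.test "$LAB/ca.pem")"
```

Before the root is supplied, only the trust check fails while the name and expiry checks pass, which is the alert case described above; once the signing root is trusted, all three checks pass.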
If client authentication is required, the STM150 may not be able to scan the HTTPS traffic in some
cases due to the nature of SSL. SSL has two parts – client and server authentication. Server
authentication occurs with every HTTPS request, but client authentication is NOT mandatory, and
rarely occurs. As a result, whether the request is from the STM150 or the real client is of less
importance.
Figure 4-13