Video Screencast Help

Webgateway Inline mode + HTTPS

Created: 13 Jun 2013 • Updated: 13 Jun 2013 | 9 comments
This issue has been solved. See solution.


We are testing the webgateway in our environment.

We are using it phisically between our main core switch and our firewall in an Inline mode

is there any problem with HTTPS in such installation?

Our Symantec partner mentioned to us that Webgateway without Proxy mode does not work properly with HTTPS sites.

Is that true?


Operating Systems:
Discussion Filed Under:

Comments 9 CommentsJump to latest comment

SMLatCST's picture

When working in Inline mode, the SWG can only block HTTPS at the domain level, but only when the endpoint browser is configured to use an external proxy.  Please read through the below:

webgateway's picture

Thank you for yoru reply,

let me get it better... I am using Inline mode because i DONT want to configure any proxy inside any machine.

40% of our devices are MACbook, Ipads, LAptops and they go inside and outside the company very freequently.

The idea is not to use any proxy configuration and do it all Transparent.

So u want to tell me if using it in Inline mode without any proxy configuration inside any browser, it will not work with HTTPS?

Or in other word, it can open any HTTPS without a problem but it cannot detect& block a bad HTTPS site?

Does blocking the HTTPS at domain level as u mentioned is enough for my security? 

What does mean blockign HTTPS at domain level?

Thank you.

SMLatCST's picture

Yes, when working transparently (Inline or Span/Tap), the SWG is very limited in what it can do with HTTPS traffic.

The obvious reason for this is that HTTPS is encrypted, which means the SWG cannot tell what is being transferred.  Without being able to see what is being transferred, the SWG cannot make any meaningful decision on if something should be blocked or not.

This article may also be of use in explaining it:

Domain level SSL Inspection is the one that requires some form of external proxy (so it may not be applicable to you anyway).  It means the SWG will block an entire domain (rather than any specific part within it).  Any form of filtering is going to be better than none, but if you have to go through the trouble of configuring a proxy anyway, it might be better to use the SWG's proxy and implement the "SSL Deep Inspection" feature instead.

webgateway's picture

I am sorry for my silly questions... but i have zero experience with the SWG so far.

I can understand from your reply that i can use INline mode but i should configure  and implement the "SSL Deep Inspection" feature .. which is a feature inside the SWG in charge of decrypting HTTPS request from the client and try to block it if it is suspicious?

If enabeling SSL Deep inspection at the SWG level resolve the problem and give me an HTTPS security with an Inline mode i guess it is enough right?

the main problem is that using a proxy inside our browser is impossible.. our solution SHOULD be transparent.

Thank you.

SMLatCST's picture

I'm afraid not.  In a nutshell:

  • SWG's Inline mode alone, means you cannot filter HTTPS traffic
  • SWG Inline plus an External Proxy (e.g. ISA, Squid, whatever) means you can filter/block at the domain level
  • SWG Proxy mode, or Inline+Proxy means the SWG can fully inspect and block HTTPS traffic

Only the first option (which cannot filter HTTPS) requires no endpoint browser configuration.  Essentially, if you want any filtering of HTTPS, then you must configure a proxy in your user endpoint browsers.

The SSL Deep Inspection feature requires the SWG be in Proxy or Inline+Proxy mode

webgateway's picture

I got it now.

My only blury thing is this Inline+Proxy setup.

Inline means Transparent and des not need Proxy configuration at user level

Proxy means it needs configuration at user level.

BUt what does the INline+proxy do exactly?

I am not understanding this type of setup.

using INline+Proxy setup do u need to pu proxy at user level or no?


SMLatCST's picture

The Inline+Proxy mode just means the SWG is doing both at the same time.

It will be transparently scanning anything that is routed through it by your network configuration, and it will also be listening for, and proceeing client machine requests trying to use it as a proxy server (on a separate IP address and port).

While it may be doing both actions, the rules I identified earlier still apply with regards to HTTPS.  So if you want SSL Deep Inspection, you still need to configure the endpoints to use the SWG as a proxy server (the Inline part of it still won't be able to scan/filter encrypted traffic).

As always, it'd be appreciated if you could mark any posts you find useful with a "Thumbs Up" or as the Solution wink

webgateway's picture

Does this configuration method resolve the HTTPS detection problem?

Or any user without Proxy configured within his machine will not get HTTPS Scan/detection?

I can use Inline + Proxy to reduce the number of machines withour proxy? this is the isea?

for example:

I have 40% of machines that i cannot use a proxy = These machines will use inline and not get HTTPS scan

I have 60% of machines that i can use proxy through group policy = These machines will get HTTPS inspection and detection.

Correct me if i am wrong please.


SMLatCST's picture

Yup, your example is correct smiley