SSL Tips and Best Practices

  • We recommend testing SSL inspection on a single policy with a limited number of users in a small test location prior to enabling it across your organization. This will help familiarize you and your users with this feature.

  • Upgrade or configure any software or devices to use TLS v1.1 or later. SSL v2, SSL v3, and TLS v1.0 are considered insecure and are not supported by the SecureSurf platform.

  • Inform users of your organization's acceptable use and SSL inspection policies so they understand the feature.

  • Prior to enabling SSL Inspection on a policy, make sure that the root certificate is installed in all users' browsers. The AppRiver root certificate installer and instructions can be found on the Downloads tab within the Web Protection area of the Customer Portal.

  • You can create a list of domains and categories that will not be SSL Inspected. This list is applied globally throughout an organization for all policies with SSL Inspection enabled, and includes several sensitive categories by default.

  • Certain apps and websites implement certificate pinning or HSTS, which require specific certificates, so they might not work with SSL Inspection. If you encounter an encryption issue with specific software or websites, review your logs to find the offending domains, then add them to the SSL Inspection exempt domains list.