Hi Paul;
Actually I took a packet capture on the Proxy SG and I could see that the subscription service demands a client certificate. This is despite bypassing SSL interception (decryption) on the Proxy SG for domain "subscription.es.bluecoat.com".
I exported the keypair "bluecoat-appliance" out of the reporter appliance and imported its certificate and private key into the Proxy SG, then using an "SSL access layer" I presented them to the subscription service when demanded. I did this based on the article below. It worked.
Article Id: 166106
Status: Published
Updated On: 13-05-2017 09:24
Legacy Id: TECH241731
Kindly
Wasfi
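
The check described in the message above (seeing in a packet capture that the server demands a client certificate) can be reproduced offline. This is an added example, not part of the original thread or of any Blue Coat tooling. It assumes a reassembled server-to-client byte stream from a TLS 1.2 or earlier handshake, where CertificateRequest is sent in cleartext; the function names and sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20           # TLS record content types
NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
         13: "CertificateRequest", 14: "ServerHelloDone"}

def handshake_types(stream: bytes) -> list:
    """Names of cleartext handshake messages in a server-to-client TLS stream."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):                # record header: type, version, length
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        payload = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if len(payload) < length or ctype == CHANGE_CIPHER_SPEC:
            break                                # truncated capture, or encryption starts
        if ctype == HANDSHAKE:
            buf += payload                       # messages may span several records
    types, off = [], 0
    while off + 4 <= len(buf):                   # message header: type, 24-bit length
        mlen = int.from_bytes(buf[off + 1:off + 4], "big")
        if off + 4 + mlen > len(buf):
            break                                # incomplete message
        types.append(NAMES.get(buf[off], f"type_{buf[off]}"))
        off += 4 + mlen
    return types

def demands_client_cert(stream: bytes) -> bool:
    """True when the server flight contains a CertificateRequest (mutual TLS)."""
    return "CertificateRequest" in handshake_types(stream)

# Constructed sample data: message bodies are dummy filler, not real TLS structures.
def _msg(mtype: int, body: bytes) -> bytes:
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _rec(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

_flight = _msg(2, b"\0" * 40) + _msg(11, b"\0" * 300) + _msg(13, b"\0" * 12) + _msg(14, b"")
# Split the flight across two records, mid-Certificate, to exercise reassembly.
SAMPLE_MUTUAL = _rec(HANDSHAKE, _flight[:100]) + _rec(HANDSHAKE, _flight[100:])
SAMPLE_SERVER_ONLY = _rec(HANDSHAKE, _msg(2, b"\0" * 40) + _msg(11, b"\0" * 300) + _msg(14, b""))

if __name__ == "__main__":
    for name, data in (("mutual", SAMPLE_MUTUAL), ("server-only", SAMPLE_SERVER_ONLY)):
        print(name, handshake_types(data), demands_client_cert(data))
```

With TLS 1.3 the CertificateRequest is encrypted, so this check only applies to captures of TLS 1.2 or earlier handshakes.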
Original Message:
Sent: 06-03-2020 03:29 AM
From: Paul Vilarino
Subject: What certificate does the Reporter appliance use for authentication to subscription.es.bluecoat.com
Hi Wasfi
Reporter doesn't use mutual authentication to access the subscription servers.
The recommendation is that you bypass SSL interception (as well as other services) for all subscription/license services.
Original Message:
Sent: 06-02-2020 01:14 AM
From: Wasfi Bounni
Subject: What certificate does the Reporter appliance use for authentication to subscription.es.bluecoat.com
Hi;
Since the Reporter needs to present its certificate to the subscription.es.bluecoat.com service "for mutual TLS authentication", I wanted to ask what certificate "key-ring" does it use for this purpose.
The reason I am asking is that the connection from the Reporter to the subscription service goes via a Proxy SG device. This means that I need to load the Reporter's client certificate to the Proxy SG. For this sake, I will create a keylist and add the Reporter's correct client certificate there.
Kindly
Wasfi