
TMWS Best Practices - 1-2

The document provides best practices for setting up authentication and other features in TMWS. It describes available authentication methods like direct, AD FS, agent, Okta and Azure AD. It also lists add-on methods like Kerberos and hosted users. The document recommends allowing access to external services TMWS depends on and provides step-by-step instructions for customizing authentication for a company by logging into the admin console and selecting the appropriate authentication method.

Uploaded by

chinduk
TMWS Best Practices

Version 1.2
Contents
TMWS Best Practices
1. How to set up the Authentication for your company?
2. How to set up Authentication on the TMWS on-premises?
3. How to set up Authentication on the TMWS virtual gateways?
4. How to get threat protection on your Cloud Access Rules?
5. What is the scanning order of the scanning policies?
6. How to customize the Cloud Applications in the Cloud Access Rules?
7. How to allow specific traffic in TMWS?
8. How to use the Customized URL Categories in the Cloud Access Rules?
9. How to chain the TMWS decryption CA into your company’s trusted CAs?
10. How to manage HTTPS Tunnels?

Tables

Table 1 - Authentication Methods
Table 2 - Add-on authentications
Table 3 - Scanning Policy Types
Table 4 - Scanning Steps and Actions for HTTP Traffic
Table 5 - Scanning Actions for Cloud Access Rules
Table 6 - Scanning Steps, Conditions and Actions for HTTPS Traffic
Table 7 - Methods to allow specific traffic in TMWS

1. How to set up the Authentication for your company?

1.1 General Description

TMWS provides many authentication methods to adapt to your company’s authentication system.
TMWS also provides some add-on methods that work alongside these authentication methods.
Choose the methods that fit your company’s present situation.

The following table shows the available authentication methods. The “Requirements & Guides”
column gives the basic requirements and the available guides for setting the corresponding
authentication method.

Table 1 Authentication Methods

Auth Method: Direct
Description: Communicate with the AD server directly for User Authentication & Synchronization.
Requirements & Guides:
• A public IP of your AD Service is required. Your AD services need to expose the LDAP/LDAPS ports to the Internet.
• Allow Trend Micro public IPs to access your AD services.
Network Diagram: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services/active-directory-dir/direct-authenticatio.aspx
Setup Guide: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services/active-directory-dir.aspx

Auth Method: AD FS
Description: Communicate with the AD FS Service for User Authentication. Install the Sync Agent to synchronize the AD users to TMWS.
Requirements & Guides:
• AD FS should be set up for the AD.
• The public IP of your AD FS is required if you want to use the TMWS Cloud proxy outside your company’s office.
• The Sync Agent is required to synchronize the user information.
Network Diagram: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services/active-directory-fed/port-configuration-f.aspx
Setup Guide: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services/active-directory-fed.aspx

Auth Method: Agent
Description: Communicate with the Auth Agent for User Authentication. Install the Sync Agent to synchronize the AD users to TMWS.
Requirements & Guides:
• The Auth Agent is required to authenticate users.
• The public IP of your Auth Agent is required if you want to use the TMWS Cloud proxy outside your company’s office.
• The Sync Agent is required to synchronize the user information.
Network Diagram: http://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services/active-directory-age/port-configuration-f_001.aspx
Setup Guide: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services/active-directory-age.aspx

Auth Method: Okta
Description: Communicate with Okta for User Authentication & Synchronization.
Requirements & Guides:
• An Okta account is required for the setup.
• Okta’s SAML and SCIM Apps are required for the setup.
Setup Guide: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services/okta-authentication.aspx

Auth Method: Azure AD
Description: Communicate with Azure AD for User Authentication & Synchronization.
Requirements & Guides:
• An Azure AD account is required for the setup.
Setup Guide: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services/azure-active-directo.aspx

The following table shows the available add-on methods to co-work with the authentication methods.

Table 2 Add-on authentications

Add-on Method: Kerberos
Description: Communicate with AD with Kerberos for User Authentication. Kerberos should co-work with one of the following company authentication methods:
• Direct
• AD FS
• Agent
• Okta
• Azure AD
Requirements & Guides:
• Kerberos authentication is only available for on-premise gateways.
• Users should be synchronized by the company’s chosen authentication method.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/gateways_001/editing-an-on-premis/configuring-user-aut_001/configuring-kerberos.aspx

Add-on Method: Hosted Users
Description: Administrators can create TMWS local users for user authentications.
Requirements & Guides:
• Hosted users only work under the following authentication ways:
  o Direct
  o AD FS
  o Agent
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/hosted-users.aspx

1.2 Allow access to the external dependent services

TMWS has dependencies on some external services. Make sure your company’s network allows the
users to access these external services.

Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/introduction-and-get_001/task-overview-for-ne.aspx
for the external services used by the system.

1.3 Setup Authentications for your company

1.3.1 Log into your admin console

1.3.2 Customize your company’s authentication methods


1.3.2.1 Go to Administration -> Directory Services.
1.3.2.2 Click “here” to choose your company’s authentication method.

1.3.3 Manage your AD domain


1.3.3.1 Go to Administration -> Directory Services.
1.3.3.2 Add/Delete your AD domains.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/directory-services.aspx

1.3.4 Setup your Authentication settings according to your chosen authentication method.
1.3.4.1 For Direct/AD FS/Agent authentication method, please go to each domain’s setting page
to customize the detailed settings.
How to visit the domain setting page:
o Go to Administration -> Directory Services.
o Find your AD domain.
o Click the edit button in the column “AD Integration” of your AD domain
1.3.4.2 For the Okta/Azure AD authentication method, please go to the authentication method
page to customize the detailed settings.
How to visit the authentication method setting page:
o Go to Administration -> Directory Services.
o Click “here” to go to your authentication method page.
2 How to set up Authentication on the TMWS on-premises?

2.1 General Description


The TMWS on-premises authentication is decided by the authentication method settings plus the on-
premises self-settings.

2.2 Setup your company-level authentication method


Refer to the best practice How to set up the Authentication for your company?

2.3 Setup Authentication on your On-premises Gateway


2.3.1 Go to the Gateways page.
2.3.2 Find your on-premises gateway.
2.3.3 Click the gateway name. It will show your on-premises gateway page.
2.3.4 Click the Authentication menu of your on-premises authentication setting page.
2.3.5 Setup Kerberos if you need it.

2.4 Setup Hosted Users


Go to Administration -> USERS & AUTHENTICATIONS -> Hosted Users
Manage your hosted users on this page. Hosted users work in some authentication methods only.
Refer to How to set up the Authentication for your company? for the detailed introduction of
Hosted Users.

2.5 Setup Guest Users


TMWS provides 2 ways for Guest Users: Use Guest Port or Enable Guest User account.
2.5.1 Go to the Gateways page.
2.5.2 Find your on-premises gateway.
2.5.3 Click the gateway name. It will show your on-premises gateway page.
2.5.4 Click the Authentication menu of your on-premises authentication setting page.
2.5.5 Customize the Guest User settings under the section “Guest User Logon Settings”
2.5.5.1 Go to Administration -> USERS & AUTHENTICATIONS -> Hosted Users
2.5.6 Click “Guest User Account” to configure the Guest User Account information.

Available Helps:

Deployment: On-premises Gateway Management Guide
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/gateways_001/editing-an-on-premis.aspx

Deployment: On-premises Gateway Authentication Setup
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/gateways_001/editing-an-on-premis/configuring-user-aut_001.aspx

Deployment: Transparent Authentication
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/gateways_001/managing-internet-ga/transparent-authenti.aspx

Deployment: Kerberos Setup
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/gateways_001/editing-an-on-premis/configuring-user-aut_001/configuring-kerberos.aspx

Deployment: Hosted User Setup
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/hosted-users.aspx

Deployment: Guest User Setup
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/hosted-users/guest-user-account.aspx

3 How to set up Authentication on the TMWS virtual gateways?

3.1 General Description


TMWS virtual gateways authentication is decided by the authentication method settings plus the
virtual gateway self-settings.

3.2 Setup your company-level authentication method


Refer to the best practice How to set up the Authentication for your company?

3.3 Setup Authentication on your Virtual Gateway


3.3.1 Go to the Gateways page.
3.3.2 Find your virtual gateway.
3.3.3 Click the gateway name. It will go to the virtual gateway page.
3.3.4 Click the Authentication menu of your virtual gateway authentication setting page.

3.4 Setup Hosted Users


Go to Administration -> USERS & AUTHENTICATIONS -> Hosted Users
Manage your hosted users on this page. Hosted users work in some authentication methods only.
Refer to How to set up the Authentication for your company? for the detailed introduction of
Hosted Users.

3.5 Setup Guest Users


TMWS provides 2 ways for Guest Users: Use Guest Port or Enable Guest User account.
3.5.1 Go to the Gateways page.
3.5.2 Find your virtual gateway.
3.5.3 Click the gateway name. It will show your virtual gateway page.
3.5.4 Click the Authentication menu of your gateway authentication setting page.
3.5.5 Customize the Guest User settings under the section “Guest User Logon Settings”
3.5.5.1 Go to Administration -> USERS & AUTHENTICATIONS -> Hosted Users
3.5.6 Click “Guest User Account” to configure the Guest User Account information.

Available Helps:

Deployment: Virtual Gateway Management Guide
Setup Helps: http://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/gateways_001/editing-a-virtual-ga.aspx

Deployment: Virtual Gateway Authentication Setup
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/gateways_001/managing-internet-ga/user-authentications.aspx

Deployment: Transparent Authentication
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/gateways_001/managing-internet-ga/transparent-authenti.aspx

Deployment: Hosted User Setup
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/hosted-users.aspx

Deployment: Guest User Setup
Setup Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/hosted-users/guest-user-account.aspx

4 How to get threat protection on your Cloud Access Rules?

4.1 General Description


By default, TMWS provides a default cloud access rule with a default threat template. The default
threat template has default threat protection settings. Different cloud access rules can share the same
threat template. The default cloud access rule has no DLP template.

A cloud access rule without a threat/DLP template has no threat protection. Choose a
threat/DLP template for your cloud access rule to give it threat protection.

4.2 Manage your threat templates


4.2.1 Log into your admin console.
4.2.2 Go to Policies -> SECURITY TEMPLATES -> Threat Protection
You can add/edit/delete your threat/DLP templates here.

4.3 Customize your threat template in your Cloud Access Rule


4.3.1 Go to Policies -> Cloud Access Rules
4.3.2 Find your rule name.
4.3.3 Click your rule name and go to the rule setting page.
4.3.4 Find the Action section
If you choose the “Block” action with the option “Block with no more actions”, you cannot choose
the threat template for your rule.
“Block with no more actions” means to directly block the traffic and it does not need to perform
further threat scanning.
4.3.5 Find the Security Templates section.
4.3.6 Change the threat protection to your preferred threat template.
4.3.7 Change the data loss prevention to your preferred DLP template.

Available Helps:

Topic: Threat Protection Management Guide
Available Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/security-templates/threat-protection.aspx

Topic: Data Loss Prevention Management Guide
Available Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/security-templates/data-loss-prevention.aspx

Topic: Cloud Access Rule Configuration Guide
Available Helps: https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/cloud-access-rules/configuring-a-cloud-.aspx

5 What is the scanning order of the scanning policies?

5.1 General Description


TMWS provides a variety of policy types to scan the web traffic step by step. HTTP traffic and HTTPS
traffic have different scanning steps.

5.2 Policy Types


The available policy types are listed in the following table. The corresponding online help documents
are provided in the Description column.

Table 3 Scanning Policy Types

Policy Type: Approved URLs
Description: Approved URLs are used to allow trustworthy web traffic. Traffic matching the Approved URLs will be allowed immediately without further scanning. Trusted web sites can be added into the Approved URLs.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/approved_blocked-url.aspx

Policy Type: Blocked URLs
Description: Blocked URLs are used to block unwanted web traffic. Traffic matching the Blocked URLs will be blocked immediately. Forbidden web sites can be added into the Blocked URLs.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/approved_blocked-url.aspx

Policy Type: Decryption Rules
Description: Decryption Rules are used to decide what kind of HTTPS traffic should be decrypted for content scanning. Traffic matching the Decryption Rules will be decrypted.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/https-inspection/decryption-rules.aspx

Policy Type: HTTPS Tunnels
Description: HTTPS Tunnels are used to decide what kind of HTTPS traffic should be bypassed directly. Traffic matching the HTTPS Tunnels will be allowed immediately without further scanning. The manually added tunneled list will never expire. The system auto-added tunneled list will expire in 24 hours.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/https-inspection/https-tunnels.aspx

Policy Type: CA Certificates
Description: CA Certificates are used to manage the trusted status of the CAs. Traffic matching the distrusted CAs will be blocked directly. Traffic matching the inactive CAs will be warned immediately except if the user decides to continue to access the traffic. Traffic matching the trusted CAs will continue to be scanned by other policy types.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/https-inspection/digital-certificates.aspx

Policy Type: Server Certificate Exceptions
Description: Server Certificate Exceptions are used to manage the trusted status of Server certificates. Traffic matching the blocked common names will be blocked directly. Traffic matching the warning common names will be warned immediately except if the user decides to continue to access the traffic. Traffic matching the allowed common names will bypass scanning the CA Certificates and will continue to be scanned by other policy types.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/https-inspection/digital-certificates.aspx

Policy Type: Cloud Access Rules
Description: TMWS provides a uniform cloud access rule to manage and control the company’s web traffic. The cloud access rule can match the web traffic with one or more conditions to adapt to the company’s requirements.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/cloud-access-rules/configuring-a-cloud-.aspx

5.3 Scanning HTTP Traffic
Scanning HTTP Traffic is straightforward, as the following table shows. The HTTP traffic will be
scanned by the scan steps in order. If the scan step matches the traffic, it will take the action or go to
the next scan step in the “Match” column; if it does not match the traffic, it will take the action or go
to the next scan step in the “Not Match” column.

Table 4 Scanning Steps and Actions for HTTP Traffic

Scan Phase: Scan HTTP Content

Scan Step 1. URL Matches the Approved URLs
Match: Allow
Not Match: Go to Scan Step 2. URL Matches the Blocked URLs

Scan Step 2. URL Matches the Blocked URLs
Match: Block
Not Match: Go to Scan Step 3. Match the Cloud Access Rules (Full)

Scan Step 3. Match the Cloud Access Rules (Full)
Match / Not Match: Refer to Table 5 Scanning Actions for Cloud Access Rules

The following table shows how the scan action of the Cloud Access Rule is decided according to the
Rule-action and the threat detection result. If a threat is detected, the system will take the action in
the “Threat detected” column for the matched rules with the action in the “Cloud Access Rule Actions”
column. If a threat is not detected, the system will take the action in the “No threat detected” column
for the matched rules with the action in the “Cloud Access Rule Actions” column.

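Table 5 Scanning Actions for Cloud Access Rules

Policy Match Status: Matched

Cloud Access Rule Action: Allow
Threat detected: Block
No threat detected: Allow

Cloud Access Rule Action: Block, with “Block with no more actions”
Threat detected: N/A
No threat detected: Block

Cloud Access Rule Action: Block, with “Enable warning”
Threat detected: Block
No threat detected: Show warning page with the “Continue” button. Allow after clicking the “Continue” button.

Cloud Access Rule Action: Block, with “Enable password override”
Threat detected: Block
No threat detected: Show the password-required page. Allow after entering the correct password.

Policy Match Status: Not Matched

Cloud Access Rule Action: N/A
Action taken: Allow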

Threat detection is not mandatory for the cloud access rules. Refer to How to get threat protection
on your Cloud Access Rules? on how to enable the threat detections for your Cloud Access Rules.

5.4 Scanning HTTPS Traffic


Scanning HTTPS traffic is more complicated than scanning HTTP traffic. It includes 5 Scanning Phases
as shown in the following table. The HTTPS traffic will be scanned by the indicated scan steps, in
order. If the scan step matches the traffic, it will take the action or go to the next scan step in the
“Match” column; if it does not match the traffic, it will take the action or go to the next scan step in
the “Not Match” column.

Table 6 Scanning Steps, Conditions and Actions for HTTPS Traffic

Scan Phase: Scan SNI (Server Name Indication)

Scan Step 1. SNI Matches Approved URLs
Match: Allow
Not Match: Go to Scan Step 2. SNI Matches Blocked URLs

Scan Step 2. SNI Matches Blocked URLs
Match: Block
Not Match: Go to Scan Step 3. SNI Matches HTTPS Tunnels

Scan Step 3. SNI Matches HTTPS Tunnels
Match: Allow
Not Match: Go to Scan Step 4. CA Matches CA Certificates

Scan Phase: Scan Certificates

Scan Step 4. CA Matches CA Certificates
Match: Go to Scan Step 6. Match Decryption Rules if it matches the Trusted CAs. Block if it matches the Untrusted CAs.
Not Match: Show a warning page with a “Continue” button. Go to Scan Step 6. Match Decryption Rules after clicking Continue.

Scan Step 5. Match Server Certificate Exceptions
Match: Block for matching Blocked Exceptions. Show a warning message for matching the Warn-Exceptions with a “Continue” button. Go to Scan Step 6. Match Decryption Rules for matching Allow-Exceptions. Go to Scan Step 6. Match Decryption Rules after clicking the “Continue” button.
Not Match: Go to Scan Step 6. Match Decryption Rules

Scan Phase: Decryption Rules

Scan Step 6. Match Decryption Rules
Match: Go to Scan Step 7. URL Matches Approved URLs
Not Match: Go to Scan Step 10. Match Cloud Access Rules (Conditional)

Scan Phase: Scan Decrypted Content (Scan HTTP Content)

Scan Step 7. URL Matches Approved URLs
Match: Allow
Not Match: Go to Scan Step 8. URL Matches Blocked URLs

Scan Step 8. URL Matches Blocked URLs
Match: Block
Not Match: Go to Scan Step 9. Match Cloud Access Rules (Full)

Scan Step 9. Match Cloud Access Rules (Full)
Match / Not Match: Take actions according to the rule settings. Refer to Table 5 Scanning Actions for Cloud Access Rules.

Scan Phase: Scan Un-decrypted Content

Scan Step 10. Match Cloud Access Rules (Conditional)
Match / Not Match: Take actions according to rule settings. Refer to Table 5 Scanning Actions for Cloud Access Rules.

Match Cloud Access Rules (Conditional) means matching WRS Score, URL Categories, Application
Categories and Cloud Applications. For Application Categories, the system may not identify the
Application Categories correctly if it does not decrypt the https traffic.
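
The scanning order in Tables 4 to 6, modelled as an added Python example for auditing which traffic is allowed without a threat verdict; it is not Trend Micro code and not part of the original document. Host-only matching, first-matching-rule evaluation, the Rule/Policy names and the sample hosts are assumptions; certificate steps 4 and 5 are treated as passed, and un-decrypted traffic is assumed to carry no threat-detection result.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    hosts: set                     # stand-in for the rule's real match conditions
    action: str                    # "allow" or "block"
    block_option: str = ""         # "no_more_actions", "warning", "password_override"
    threat_template: bool = False  # section 4: no template means no threat protection


@dataclass
class Policy:
    approved: set   # Approved URLs
    blocked: set    # Blocked URLs
    tunnels: set    # HTTPS Tunnels
    decrypt: set    # hosts selected by the Decryption Rules
    rules: list     # Cloud Access Rules; first match wins (assumption)


def table5(rule, threat):
    """Table 5: action for traffic evaluated against the Cloud Access Rules."""
    if rule is None:
        return "allow"                      # Not Matched
    if rule.action == "block" and rule.block_option == "no_more_actions":
        return "block"                      # threat column is N/A
    if threat and rule.threat_template:
        return "block"                      # "Threat detected" column
    if rule.action == "allow":
        return "allow"
    return {"warning": "warn-then-allow",
            "password_override": "password-then-allow"}[rule.block_option]


def first_match(rules, host):
    return next((r for r in rules if host in r.hosts), None)


def scan_http(policy, host, threat):
    """Table 4: returns (deciding scan step, action)."""
    if host in policy.approved:
        return (1, "allow")                 # allowed without further scanning
    if host in policy.blocked:
        return (2, "block")
    return (3, table5(first_match(policy.rules, host), threat))


def scan_https(policy, sni, threat):
    """Table 6, steps 1-3 and 6-10 (steps 4-5 assumed passed)."""
    if sni in policy.approved:
        return (1, "allow")
    if sni in policy.blocked:
        return (2, "block")
    if sni in policy.tunnels:
        return (3, "allow")                 # tunnelled: never decrypted or scanned
    if sni in policy.decrypt:               # step 6 matched: steps 7-9 mirror Table 4
        step, action = scan_http(policy, sni, threat)
        return (step + 6, action)
    # Step 10: content stays encrypted, so no threat result is available (assumption).
    return (10, table5(first_match(policy.rules, sni), False))


def allowed_despite_threat(policy, hosts):
    """Hosts that would still be allowed if the response carried a threat."""
    found = []
    for host in hosts:
        step, action = scan_https(policy, host, threat=True)
        if action == "allow":
            found.append((host, step))
    return found


# Constructed sample policy and hosts, for illustration only.
POLICY = Policy(
    approved={"intranet.example.com"},
    blocked={"bad.example.net"},
    tunnels={"bank.example.org"},
    decrypt={"files.example.com", "mail.example.com", "social.example.com"},
    rules=[
        Rule({"files.example.com"}, "allow", threat_template=True),
        Rule({"mail.example.com"}, "allow"),  # no threat template attached
        Rule({"social.example.com"}, "block", "warning", threat_template=True),
    ],
)
HOSTS = ["intranet.example.com", "bad.example.net", "bank.example.org",
         "files.example.com", "mail.example.com", "social.example.com",
         "unknown.example.io"]

if __name__ == "__main__":
    for host, step in allowed_despite_threat(POLICY, HOSTS):
        print(f"{host}: allowed at scan step {step} with no threat verdict applied")
```

Each host the audit returns is a place to review: an Approved URL or HTTPS Tunnel entry, a rule with no threat template, or traffic that matches no rule at all.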
6 How to customize the Cloud Applications in the Cloud Access Rules?

6.1 General Description


Users can customize the Cloud Applications for the company. The customized Cloud Applications will
work together as the part of Cloud Access Rules to match the web traffic.

6.2 Manage your Cloud App Access Sets


Manage your Cloud App Access Sets via Policies -> OBJECTS -> Cloud App Access Sets.

Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/objects/cloud-application-ac.aspx

6.3 Apply the Cloud Applications to the Cloud Access Rules


Choose your Cloud App Access Sets in the Traffic Types section of your Cloud Access Rules to apply
them.

Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/cloud-access-rules/configuring-a-cloud-.aspx

7 How to allow specific traffic in TMWS?

There are different ways to allow specific traffic in TMWS. Read the description column in the following
table to know how to use them.

Table 7 Methods to allow specific traffic in TMWS

Method: Use the PAC file
Description: You can add websites into the skip-host list of the PAC file in order not to forward their related web traffic to TMWS. In this way, your traffic will not be blocked by TMWS.
TMWS provides the function to manage your PAC files on TMWS. Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/administration_001/pac-files.aspx on how to manage your PAC files on TMWS.

Method: Use the Approved URLs
Description: You can add websites into the Approved URLs of the TMWS policies to directly allow the web traffic.
TMWS provides a guide for managing your Approved URLs. Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/approved_blocked-url.aspx

Method: Use the HTTPS Tunnels
Description: You can add https websites into the HTTPS tunnels of TMWS policies to directly allow the web traffic.
TMWS provides a guide for managing your HTTPS Tunnels. Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/https-inspection/https-tunnels.aspx

Method: Use the Cloud Access Rules
Description: You can customize the Cloud Access Rules to directly allow the web traffic.
TMWS provides a guide for managing your Cloud Access Rules. Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/cloud-access-rules/configuring-a-cloud-.aspx

Method: Not match any policy
Description: If your traffic does not match any policy, it will be allowed. You can focus on the policies to block the traffic and allow the rest of the traffic.
Refer to What is the scanning order of the scanning policies? for all the available scanning policies and their scanning orders.

8 How to use the Customized URL Categories in the Cloud Access Rules?

8.1 General Description


Users can customize the Categories for the company. The customized URL Categories will work
together with the URL Categories as the part of the Decryption Rules or the Cloud Access Rules to
match the web traffic.

8.2 Customized URL Categories


Refer to http://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/objects/customized-url-categ.aspx

8.3 Apply the customized URL Categories to your Decryption Rules


Choose your Customized URL Categories in the Certificate section of your Decryption Rules to apply
them.

Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/https-inspection/decryption-rules/configuring-a-decryp.aspx

8.4 Apply the customized URL Categories to your Cloud Access Rules
Choose your Customized URL Categories in the Traffic Types section of your Cloud Access Rules to
apply them.

Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/cloud-access-rules/configuring-a-cloud-.aspx

9 How to chain the TMWS decryption CA into your company’s trusted CAs?

9.1 General Description


TMWS provides the default CA for HTTPS decryption. By default, the decrypted traffic’s server
certificate will be signed by the TMWS’ default CA.

You can cross-sign your TMWS CA to chain our CA as the subordinate CA of your company trusted
CAs. In this way your clients, which install your company’s trusted CAs, can trust the TMWS CA
without deploying the TMWS CA in your environment.

9.2 Cross-sign the TMWS default CA


TMWS provides help to guide you on how to cross-sign the TMWS’ default CA with your company’s
CA.
Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/https-inspection/decryption-rules/configuring-a-decryp/cross-signing-the-ca.aspx

9.3 Customize the CA in your Decryption Rules


Configure your decryption policy and replace the CA. Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/https-inspection/decryption-rules/configuring-a-decryp.aspx

10 How to manage HTTPS Tunnels?

10.1 General Description


TMWS provides several ways to allow specific web traffic. HTTPS Tunnels is one way to allow the
HTTPS traffic. Refer to How to allow specific traffic in TMWS? for a complete list and the
corresponding description on how to allow your web traffic.

TMWS provides a guide to manage your HTTPS Tunnels.


Refer to https://docs.trendmicro.com/en-us/enterprise/trend-micro-web-security-online-help/policies_001/https-inspection/https-tunnels.aspx

Refer to What is the scanning order of the scanning policies? for all the available scanning policies
and their scanning orders.

10.2 How to turn on Auto Tunnel


If you turn on Auto Tunnel, the system can automatically add websites into the HTTPS Tunnels for
better business continuity.

10.2.1 Go to Policies -> Global Settings -> HTTPS Inspection


Enable HTTPS Inspection
Enable HTTPS Tunneling

10.2.2 Policies -> HTTPS INSPECTION -> HTTPS Tunnels -> Failed HTTPS Access
Enable auto tunneling for fatal failures
