This article is intended for users of SymDiag. Though general readers may benefit from the article’s contents, any solutions, insights, or guidance are geared toward those using SymDiag.

Problem

The end user cannot browse through the Web Isolation platform due to certificate trust errors.

Web Isolation Proxy intercepts SSL traffic by posing as a “man in the middle.” In order to play that role, the Web Isolation Server signs with the zone’s CA certificate on the fly. This CA must be trusted by the end user’s browser.

NOTE: In a downstream proxy scenario that also intercepts SSL traffic, the end user’s browsers will trust the Certificate Authority (CA) of the downstream proxy.

Using the management console UI, the Web Isolation administrator should verify that the zone’s Certificate Authority (CA) is trusted by the end user’s browser.

NOTE: IE and Chrome share the same system certificate store, whereas Firefox maintains its own.

For further information, see the Symantec Threat Isolation Platform (STIP) Guide for Administrators section on Configuring Security Policy Settings > Configuring System Certificates.