VMware Cloud Community
kennega
Contributor

VUM with SSL Interception / BlueCoat ??

We just moved our ESX and vCenter hosts behind a secured network, and we have a BlueCoat web proxy sitting between the secured network and our Internet router. We have enabled SSL interception and decryption on the BlueCoat, and we cannot get Update Manager to properly download its updates from VMware's secure sites. The metadata XML file downloads fine, but when it attempts to grab any other files, it just pukes. We imported the self-signed CA cert for our web proxy into the Windows Cert Manager on the host running vCenter, and that made no difference.

We ran across an option in vci-integrity.xml which may or may not have anything to do with the problem at hand. Has anyone encountered the issue we have above, and does anyone know what the following stanza in vci-integrity.xml under the <Config> ... <HostConfig> section will allow us to do, and if it will help?

<SSLCertLocation>RootCert.pem</SSLCertLocation>

Thanks to anyone who can help.

-Kenny

0 Kudos
3 Replies
petkom
Community Manager

Hi Kenny,

Why don't you comment out this <SSLCertLocation> tag and give it another try to see if there is any difference?

And does VUM download its updates if you stop BlueCoat? Take a look at vCenter Server Settings - Advanced. There is a setting there: VerifySSLCertificates.

Thanks,

Petko

kennega
Contributor

Thanks Petko.

What we actually did was direct proxy it. I defined my proxy host under the Update Manager - Configuration - Internet Access tab, and turned off SSL Intercept for that specific host going to VMware's servers. Everything works like a charm now. I suspect in the future that our Security Team will want us to re-visit this, so I will keep your post earmarked. Thanks for the suggestion... if we ever try it, I'll respond and let you know how we make out. For now it's on to the next project. Thanks!

0 Kudos
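Added example, not part of the original posts and not VMware or BlueCoat code: one way to confirm that an SSL-intercept bypass like the one described above actually applies to every update host is to fetch each host's certificate through the proxy and check whether the issuer is the proxy's own CA. The host names, the proxy CA name and the sample certificates are constructed placeholders, and matching on the issuer common name is an assumption about how the proxy labels its re-signed certificates.

```python
import socket
import ssl

def issuer_fields(cert):
    """Flatten the issuer RDNs of an ssl.getpeercert() dict into {field: value}."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def is_intercepted(cert, proxy_ca_cn):
    """True when the leaf was issued by the proxy CA (matched on issuer CN, a heuristic)."""
    return issuer_fields(cert).get("commonName") == proxy_ca_cn

def still_intercepted(certs_by_host, proxy_ca_cn):
    """Sorted hosts whose traffic the proxy is still decrypting despite the bypass rule."""
    return sorted(h for h, c in certs_by_host.items() if is_intercepted(c, proxy_ca_cn))

def fetch_cert_via_proxy(host, proxy_host, proxy_port, proxy_ca_pem, timeout=10):
    """Open a CONNECT tunnel through the proxy and return the verified leaf cert dict."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=proxy_ca_pem)  # so a re-signed chain still verifies
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
        raw.sendall(f"CONNECT {host}:443 HTTP/1.1\r\nHost: {host}:443\r\n\r\n".encode())
        reply = b""
        while b"\r\n\r\n" not in reply:  # read the proxy's full response header
            chunk = raw.recv(4096)
            if not chunk:
                break
            reply += chunk
        if b" 200" not in reply.split(b"\r\n", 1)[0]:
            raise ConnectionError(f"proxy refused CONNECT: {reply[:60]!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the shape ssl.getpeercert() returns; all names are placeholders.
PROXY_CA_CN = "Example Proxy Inspection CA"
SAMPLE_CERTS = {
    "updates.example.com": {  # bypassed: issued by a public CA
        "subject": ((("commonName", "updates.example.com"),),),
        "issuer": ((("organizationName", "Example Public CA"),),
                   (("commonName", "Example Public CA G2"),)),
    },
    "depot.example.com": {  # still intercepted: re-signed by the proxy CA
        "subject": ((("commonName", "depot.example.com"),),),
        "issuer": ((("commonName", PROXY_CA_CN),),),
    },
}

if __name__ == "__main__":
    print(still_intercepted(SAMPLE_CERTS, PROXY_CA_CN))
```

Against a live proxy, build the dictionary with `fetch_cert_via_proxy` for each update host before calling `still_intercepted`.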
AndreTheGiant
Immortal

I've got the same problem with other proxy appliances that do content filtering.

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
0 Kudos