nerdexam
CompTIA

CAS-002 · Question #246

CAS-002 Question #246: Real Exam Question with Answer & Explanation

The correct answers are A, E and F: install a self-signed Root CA certificate on the proxy server, implement policy-based routing on a router between the hosts and the Internet, and install the proxy certificate on all users' browsers. Together these let a transparent proxy terminate and re-sign HTTPS sessions without the browser showing a certificate warning.

Question

The security administrator of a large enterprise is tasked with installing and configuring a solution that will allow the company to inspect HTTPS traffic for signs of hidden malware and to detect data exfiltration over encrypted channels. After installing a transparent proxy server, the administrator is ready to configure the HTTPS traffic inspection engine and related network equipment. Which of the following should the security administrator implement as part of the network and proxy design to ensure the browser will not display any certificate errors when browsing HTTPS sites? (Select THREE).

Options

  • A. Install a self-signed Root CA certificate on the proxy server.
  • B. The proxy configuration of all users' browsers must point to the proxy IP.
  • C. TCP port 443 requests must be redirected to TCP port 80 on the web server.
  • D. All users' personal certificates' public key must be installed on the proxy.
  • E. Implement policy-based routing on a router between the hosts and the Internet.
  • F. The proxy certificate must be installed on all users' browsers.

Explanation

A transparent proxy inspects HTTPS by terminating the client's TLS session, opening its own session to the real site, and re-encrypting the plaintext toward the client with a certificate it generates on the fly for that site's name. Three things have to be true for the browser not to complain. First (A), the proxy needs its own Root CA key and certificate so it can sign those on-the-fly certificates. Second (E), because the proxy is transparent, clients are not configured to use it; a router between the hosts and the Internet uses policy-based routing to steer TCP 443 traffic to the proxy at the network layer, with no browser changes. Third (F), the browser only accepts a certificate chain that ends in a root it trusts, so the proxy's CA certificate must be installed in every user's browser or OS trust store, typically by group policy or another endpoint-management channel. Leave out any one of the three and users either bypass the proxy or see a certificate error on every HTTPS site.
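The certificate side of this (answers A and F) can be reproduced on a workstation with openssl. The script below is an added example, not part of the exam page or any vendor's product: it creates a proxy Root CA, mints a re-signed leaf certificate for an intercepted hostname, and then runs the chain validation a browser would perform against two trust stores, one without the proxy CA and one with it. The CA names, the hostname www.example.com and the working directory are made up; the policy-based routing step (answer E) is router configuration and is not modelled here.

```shell
#!/bin/sh
# Added example, not from the exam page: model a transparent proxy's
# HTTPS-inspection CA with openssl and show why the proxy CA must be in
# the browser trust store. CA names, hostnames and paths are made up.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Answer A: the proxy gets its own self-signed Root CA (key + cert).
make_proxy_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Corp TLS Inspection Root CA" \
    -keyout "$WORK/proxy-ca.key" -out "$WORK/proxy-ca.crt" 2>/dev/null
}

# What a browser trusts out of the box: public roots only. Modelled by an
# unrelated self-signed root that never signed the proxy's leaf.
make_stock_browser_store() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Unrelated Public Root CA" \
    -keyout "$WORK/public.key" -out "$WORK/public.crt" 2>/dev/null
}

# For each intercepted site the proxy mints a leaf carrying the real
# site's name but signed by the proxy CA (the re-signing that gives the
# proxy the plaintext).
resign_for_host() {
  host="$1"
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/$host.csr" \
    -CA "$WORK/proxy-ca.crt" -CAkey "$WORK/proxy-ca.key" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Browser-side chain validation of the re-signed leaf against a store.
# Exit 0 = chain verifies (no warning); non-zero = certificate error.
browser_trusts() {
  openssl verify -CAfile "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# Prints "ok" or "error", the outcome the user would see for that store.
verdict() {
  if browser_trusts "$1" "$2"; then echo ok; else echo error; fi
}

make_proxy_ca
make_stock_browser_store
resign_for_host www.example.com
echo "stock browser store (no proxy CA): $(verdict www.example.com "$WORK/public.crt")"
echo "store with proxy CA installed (F): $(verdict www.example.com "$WORK/proxy-ca.crt")"
```

The first verdict is the certificate error an unprepared client gets behind an inspecting proxy; the second is what every browser in the enterprise must see, which is only possible after the proxy CA has been pushed to the endpoints. In production the CA private key is the crown jewel of the whole design: anyone holding it can impersonate every HTTPS site to every managed browser, so it belongs on the proxy only, with hostnames pinned by the client (certificate pinning) or excluded by policy (banking, health) bypassing inspection.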

Common mistakes.

  • B. Pointing every browser's proxy setting at the proxy IP is an explicit (forward) proxy deployment, not a transparent one. The question specifies a transparent proxy, where interception happens at the network layer with no browser changes; the browser-side work is limited to trusting the proxy CA.
  • C. Redirecting TCP 443 to TCP 80 on the web server sends TLS ClientHello messages to a plaintext HTTP port, so the handshake simply fails; nothing is decrypted or inspected, and the traffic would not even reach the proxy.
  • D. Users' personal certificates play no part in server authentication. The browser complains about the server certificate the proxy presents, so what must be trusted is the proxy's CA certificate (on the clients), not the clients' public keys (on the proxy).

Concept tested. Transparent proxy HTTPS/SSL inspection configuration

Reference. https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117808-technote-wsa-00.html
