
Thread: HTTPS Inspector

#1 Untangler (Join Date: May 2009, Posts: 67)

HTTPS Inspector

This is a two-part post. Mods, please feel free to move this post to the proper section, as no HTTPS Inspector subsection exists right now.

It should explain how to add the root cert in a Group Policy if it's in a domain,
like how the AD login script page works.


How to install the cert into Group Policy:
1.) Open Group Policy Management Editor.
2.) Open the Default Domain Policy.
3.) Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key.
4.) Right-click on Trusted Root and click Import.
5.) Select Untangle's cert and hit Next and Finish.
6.) Reboot every workstation or run gpupdate /force for the new setting to take effect.
    Last edited by dw5304; 09-19-2013 at 11:48 AM.
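The steps above publish the CA through the GPO but give you no way to confirm that a given workstation actually received it. The script below is an added example, not part of the original post and not Untangle's own tooling: run it on a workstation to check whether the HTTPS Inspector root CA is present in the machine Trusted Root store, refresh Group Policy if it is missing on a domain-joined box, and import it directly on a stand-alone machine. The certificate path and the thumbprint parameter are assumptions; substitute your own exported CA file.

```powershell
# Added example (not from the original post or from Untangle): verify that the
# HTTPS Inspector root CA pushed via the Default Domain Policy actually landed in
# the machine Trusted Root store, and import it directly on a non-domain machine.
# $CertPath and $ExpectedThumbprint are assumptions; substitute your own values.
param(
    [string]$CertPath = 'C:\certs\untangle-root.cer',   # assumed path to the exported CA cert
    [string]$ExpectedThumbprint = ''                    # optional: pin the thumbprint you expect
)

# Load the certificate from disk so we compare thumbprints, not just subject names.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
if ($ExpectedThumbprint -and $ca.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint mismatch: file has $($ca.Thumbprint), expected $ExpectedThumbprint"
}

function Test-RootTrusted([string]$Thumbprint) {
    # LocalMachine\Root is where Group Policy publishes Trusted Root Certification Authorities.
    return [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint })
}

if (Test-RootTrusted $ca.Thumbprint) {
    Write-Output "OK: $($ca.Subject) ($($ca.Thumbprint)) is in LocalMachine\Root"
} else {
    $domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain
    if ($domainJoined) {
        # Domain-joined: let the GPO deliver it. Refresh policy and re-check rather than
        # importing by hand, so the machine does not silently diverge from the GPO.
        Write-Output "Missing; running gpupdate /force"
        gpupdate /force | Out-Null
        if (Test-RootTrusted $ca.Thumbprint) {
            Write-Output "OK after gpupdate"
        } else {
            Write-Warning "Still missing: check GPO scope and filtering with gpresult /r"
        }
    } else {
        # Stand-alone machine: import directly (requires an elevated prompt).
        Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        Write-Output "Imported $($ca.Thumbprint) into LocalMachine\Root"
    }
}

# Note: Firefox keeps its own trust store and will not see this certificate unless its
# security.enterprise_roots.enabled preference (or an equivalent enterprise policy) is set.
```

Pinning the thumbprint matters more than it looks: anyone who can get a workstation to trust a root CA can intercept all of that workstation's TLS traffic, so a script that blindly imports whatever file sits at a path is a convenient target. Keep the exported CA file where only administrators can write to it, and treat the thumbprint as the thing you verify.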

#2 dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

I just created an HTTPS Inspector subforum.
Thanks for the reminder.

Great tip!
Does this add it to the Windows trusted root CA list?

That should work fine for IE (and maybe Chrome).
Firefox maintains its own root CA list.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

#3 jcoffin, Untangler (Join Date: Aug 2008, Location: Lake Tahoe, Posts: 9,682)

    We have posted steps for different certificate installation scenarios on the wiki.

    http://wiki10.untangle.com/index.php/HTTPS_Inspector

#4 Untangler (Join Date: May 2009, Posts: 67)

Yes, it does. I have tried with Chrome and IE with no issues; Firefox will complain.
I did not see it in the wiki when I was originally looking at it. I was just pointing out that the AD login script documentation was added directly in Untangle; I thought it might be a wise idea to also add the Group Policy steps to the HTTPS Inspector module.
    Last edited by dw5304; 09-19-2013 at 06:18 PM.

#5 jcoehoorn, Untangle Ninja (Join Date: Mar 2010, Location: York, NE, Posts: 1,943)

Sadly, I don't see this app being very useful to me. I greatly desire the ability to gain more insight into my HTTPS traffic, but the majority of my clients are student-owned machines over which I have little control, and it's these machines for which I most need to see HTTPS traffic. For faculty/staff and lab machines I don't really care about HTTPS much at all.

Now if I could get a captive portal rule or policy manager rule that only triggered if the required certificate was missing, and a captive page where the client could download and accept the certificate, that would be a start. Add a way to bypass this for game consoles, smartphones, and smart TVs/DVD players, and we'd be in business.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.5 to protect a 1Gbps fiber link for ~450 residential college students and associated staff and faculty

#6 dmorris, Untangle Junkie (Join Date: Nov 2006, Location: San Carlos, CA, Posts: 17,486)

Quote, originally posted by jcoehoorn:
    Sadly, I don't see this app being very useful to me. I greatly desire the ability to gain more insight into my HTTPS traffic, but the majority of my clients are student-owned machines over which I have little control, and it's these machines for which I most need to see HTTPS traffic. For faculty/staff and lab machines I don't really care about HTTPS much at all.

    Now if I could get a captive portal rule or policy manager rule that only triggered if the required certificate was missing, and a captive page where the client could download and accept the certificate, that would be a start. Add a way to bypass this for game consoles, smartphones, and smart TVs/DVD players, and we'd be in business.

We have spoken with another vendor serving schools about their HTTPS man-in-the-middle functionality.
They say between 10%-20% of schools use it. That is not surprising to me.

If anyone thinks "Wow, SSL man-in-the-middle, this will be easy to deploy and manage," they will be sorely mistaken. It is not easy; it requires management and work. So much that in *most* environments it doesn't make sense.

That being said, we are exploring options to make it way, way easier, such as captive portal integration, built-in bypasses, easier cert distribution and management, etc., but these will not be part of 10.0. Nor will they necessarily make it brainless like some other apps.

#7 jcoehoorn, Untangle Ninja (Join Date: Mar 2010, Location: York, NE, Posts: 1,943)

I have to take it back: I do have a scenario where this will be very useful. I can use it when dealing with (potential/suspected) policy offenders.

There's no way I could get certificates going for all my students and all those different devices, especially the embedded devices. But if I put this on a specific rack that is paired with a captive portal page for onboarding, and write policy manager rules so that students only end up in the rack if I manually enter their IP address to send them there (because I see something in the logs that is suspicious, but not convicting), I should be able to keep the certificate issues manageable and avoid problems with weird devices, and it will take some of the guesswork out of policy enforcement.
