HTTPS Inspector

[dw5304]

this is a two part post. Mods please feal free to move this post to proper section as no https inspector subsection exists right now.

should explain how to add the root cert in a group policy if its in a domain.
like how the ad login script page works


how to install the cert into group policy:
1.) open group policy management editor
2.) open default domain policy
3.) go to computer configuration>Policies>Windows Settings>Security Settings> Public Key
4.) right click on trusted root and click import
5.) select untangles cert and hit next and Finnish
6.) reboot every workstation or run a gpupdate /force for new setting to take effect.

[dmorris]

I just created a HTTPS Inspector subforum.
Thanks for reminder.

Great tip!
Does this add it to the windows trusted root CA list?

That should work fine for IE (and maybe chrome).
Firefox maintains its own root CA list.

[jcoffin]

We have posted steps for different certificate installation scenarios on the wiki.

http://wiki10.untangle.com/index.php/HTTPS_Inspector

[dw5304]

yes it does, i have tried with chrome and ie with no issues firefox will complain.
I did not see it in the wiki when i was originally looking at it, was just pointing out that the adlogin script documentation was added directly in the untangle thought might be a wise idea to also add in group policy on the https inspector module.

[jcoehoorn]

Sadly, I don't see this app being very useful to me. I greatly desire the ability to gain more insight into my https traffic, but the majority of my clients are student-owned machines over which I have little control, and it's these machines for which I most need to see https traffic. For faculty/staff and lab machines I don't really care about https much at all.

Now if I could get a captive portal rule or policy manager rule that only triggered if the required certificate was missing, and a captive page where the client could download and accept the certificate, that would be a start. Add a way to bypass this for game consoles, smart phones, and smartTVs/DVD players, and we'd be in business.

[dmorris]

Sadly, I don't see this app being very useful to me. I greatly desire the ability to gain more insight into my https traffic, but the majority of my clients are student-owned machines over which I have little control, and it's these machines for which I most need to see https traffic. For faculty/staff and lab machines I don't really care about https much at all.

Now if I could get a captive portal rule or policy manager rule that only triggered if the required certificate was missing, and a captive page where the client could download and accept the certificate, that would be a start. Add a way to bypass this for game consoles, smart phones, and smartTVs/DVD players, and we'd be in business.

We have spoken with another vendor serving schools about their HTTPS man-in-the-middle functionality.
The say between 10%-20% of schools use it. That is not surprising to me.

If anyone thinks "Wow, SSL man-in-the-middle, this will be easy to deploy and manage" then they will be sorely mistaken. It is not easy, it requires management and work. So much that in *most* environments it doesn't make sense.

That being said, we are exploring options to make it way way easier, such as captive portal integration, built-in bypasses, easier cert distribution and management etc, but these will not be part of 10.0. Nor will the necessarily make it brainless like some other apps.

[jcoehoorn]

I have to take it back: I do have a scenario where this will be very useful; I can use it when dealing with (potential/suspected) policy offenders.

There's no way I could get certificates going for all my students and all those different devices, especially the embedded devices, but if I put this on a specific rack that is paired with a captive portal page for onboarding, and write policy manager rules so that students only end up in the rack if I manually enter their IP address to send them there because I see something in the logs that is suspicious, but not convicting, I should be able to keep the certificate issues manageable and avoid problems with weird devices, and it will take some of the guesswork out of policy enforcement.