Page 1 of 2 12 LastLast
Results 1 to 10 of 16
  1. #1
    Untangle Ninja YeOldeStonecat's Avatar
    Join Date
    Aug 2007
    Posts
    1,549

    Default Future of the SSL Inspector module

    With the removal of the "Certificate Installer" button on a recent Untangle version upgrade, it will become difficult to distribute the certificates across clients networks, especially those networks which have a lot of revolving BYODs. While Apple devices were a pain, Windows devices were easy to get done by clients staff...with the .EXE installer for the certificate. We have a few schools we have Untangle it, and it was easy for staff to get it installed quickly and easily thanks to the .EXE installer.

    For our clients that are on active directory sure it's no prob with GPOs. And we can manually import the certs on the servers we manage.

    To me it seems like removing the cert installer function from Untangle is step 1 in a long steady death of this app. Is it to be phased out and replaced with something else?
    JoergChm likes this.
    Resident "Geek on a Harley" in Southeast Connecticut, USA.

  2. #2
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,348

    Thumbs down

    Same to OpenVPN client, no more installer inside Untangle :-(
    The world is divided into 10 kinds of people, who know binary and those not

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,250

    Default

    Yeah, but OpenVPN has two clients available now and still provides configuration files. That one is a totally different situation, where the load of getting a standardized installer from a known trusted location actually improves matters. If you have AV software on a platform that's worth anything, you've had to do this for years anyway because that untrusted, unsigned custom installer for OpenVPN would get caught every time.

    The SSL certificate installer going away is almost inexplicable... And reeks of Untangle losing critical talent more than an actual future forward decision.

    As for Untangle's installer, I've replaced it with a Powershell script using this: https://docs.microsoft.com/en-us/pow...?view=win10-ps
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,348

    Default

    Quote Originally Posted by sky-knight View Post
    Yeah, but OpenVPN has two clients available now and still provides configuration files. That one is a totally different situation, where the load of getting a standardized installer from a known trusted location actually improves matters. If you have AV software on a platform that's worth anything, you've had to do this for years anyway because that untrusted, unsigned custom installer for OpenVPN would get caught every time.

    The SSL certificate installer going away is almost inexplicable... And reeks of Untangle losing critical talent more than an actual future forward decision.

    As for Untangle's installer, I've replaced it with a Powershell script using this: https://docs.microsoft.com/en-us/pow...?view=win10-ps
    Yes, you can, I can, but the end user client in your home with 0 knowledge of IT?
    The world is divided into 10 kinds of people, who know binary and those not

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,250

    Default

    Quote Originally Posted by dwasserman View Post
    Yes, you can, I can, but the end user client in your home with 0 knowledge of IT?
    The end user client with zero knowledge isn't downloading a random EXE off the internet and running it on their own at all. If you're doing that, you're enforcing bad habits that end in crypto propagation.

    Installation of a 3rd party VPN client is a remote support call, that's the only way to do it sanely.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,348

    Default

    Or sent by email, your network your rules
    The world is divided into 10 kinds of people, who know binary and those not

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,250

    Default

    Quote Originally Posted by dwasserman View Post
    Or sent by email, your network your rules
    EXE via email? People still do that?

    Every single email server I touch gets a rule that obliterates every single executable format, and .zip files. Heck, Google and M365 both practically do that to you by default.
    skearton likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Untangle Ninja dwasserman's Avatar
    Join Date
    Jun 2008
    Location
    Argentina
    Posts
    4,348

    Default

    Its a neverend talk :-) zipped with pass of course.
    Pay attention to the concept, not the details. Are we talking to exchange ideas or to see who is right?
    What was the benefit for us or for Untangle having removed the auto-installers within the new distributions? It was not explained, or at least I did not find why
    ncksh likes this.
    The world is divided into 10 kinds of people, who know binary and those not

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,250

    Default

    Quote Originally Posted by dwasserman View Post
    Its a neverend talk :-) zipped with pass of course.
    Pay attention to the concept, not the details. Are we talking to exchange ideas or to see who is right?
    What was the benefit for us or for Untangle having removed the auto-installers within the new distributions? It was not explained, or at least I did not find why
    If you have users that can handle password protected archives, they can handle decompressing a zip into a specified folder. Mine... can't do either... so you're making even less sense to me.

    And I've already told you WHY. OpenVPN has TWO different clients to choose from, and development on them both is faster than Untangle releases. There are security issues associated with out of date clients to manage. So if you were properly deploying OpenVPN you were having to manually install the things ANYWAY.

    Win10's built in Quick Assist feature makes all this so easy for me to do. I hit OpenVPN's website, get the client, slap the .zip with their certificates into my Onedrive in a public share and copy/paste a link. BOOM, installed, setup, and tested all in 10min without me explaining squat to a user that's not going to care enough to do it correctly anyway.

    So yeah, I was annoyed to because now I have to do two things instead of one. But, in the same breath again I was having to do that anyway. In the end, I'm working to move off OpenVPN entirely to Wireguard anyway because it's just better.

    But this doesn't solve the SSL certificate issue from the OP and we're derailing this thread.
    Last edited by sky-knight; 10-20-2020 at 02:41 PM.
    JoergChm likes this.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Untangler
    Join Date
    Aug 2016
    Posts
    73

    Default

    If I had an easier way to differentiate personal accounts from GSuite accounts on Windows devices I don't think I'd even need SSL inspector anymore, luckily its only a concern on my domain joined devices at this time. BYOD and the ssl cert kept me too busy.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

SEO by vBSEO 3.6.0 PL2