Live Chat Software by Kayako |
SSL Inspection
Posted by Matt Parker on 04 July 2018 12:05 PM
|
|
Background: SSL inspection is required for WinGate to get access to the full URL of a requested HTTPS resource for AV scanning, caching and web access rules. It is also required to return a block page to an HTTPS request. Without SSL inspection, WinGate is able to see the requested site, but not the full URL of a request, and if the page is blocked by web access rules, a connection error is presented instead of the WinGate block page.
Task:
Steps: 1. Create or import a certificate into WinGate to use for SSL inspection From Control Panel::Certificates, choose New Certificate from the tasks panel. Alternatively, choose Import to import an existing certificate. Fill in the required fields to create the certificate. The certificate will appear in the Certificates panel when it has been generated. Double click the certificate, choose the Details tab and click the Copy to file button to export the certificate. 2. Configure clients to use the WinGate WWW proxy for HTTPS For Internet Explorer/Chrome go to Internet Options::Connections and click the LAN settings button. Enable the Proxy Server check box and enter the IP address and port of the WinGate WWW proxy. Click the Advanced button and select the option to "Use the same proxy server for all protocols". Note: This option can be configured in a Group Policy Object in an Active Directory environment For Firefox go to Options::Network Proxy::Settings and choose the option for Manual proxy configuration. Enter the IP address and port of the WinGate WWW proxy and select the option to "Use this proxy server for all protocols" For Edge go to More::Settings::View Advanced Settings and click the switch beneath Use a proxy server. Enter the IP address and port of the WinGate WWW proxy. Click Save.
3. Configure client to trust the signing certificate
The certificate that will be used by WinGate for SSL inspection must be placed in the Trusted Root folder for the local machine on the LAN clients. Launch the Microsoft Management Console (type mmc.exe from the run command) and add the Certificates snap-in for the computer account. Navigate to the Trusted Root Certification Authorities::Certificates folder, right click and choose All Tasks::Import and import the certificate. Note: This option can be configured in a Group Policy Object in an Active Directory environment 4. Enable SSL inspection in the WWW proxy
In the WinGate console go to Control Panel::Services::WWW Proxy service, select the SSL inspection tab. Check the box to "enable inspection of encrypted content" and select the certificate from the drop-down box. Inspected connections appear on the activity panel as having a gold padlock beside them, and are presented as https connections instead of CONNECT requests.
Further Tasks: Some sites validate the entire certificate chain and will break with SSL inspection. These sites should be added to a policy to exempt them from SSL inspection. See this kb article for more information.
| |
|