Secure HTTPS sites present a security warning in the client browser

Product Version: Astaro Security Gateway Version 7.400+
Astaro Web Gateway Version 7.400+
 
Symptom:

Beginning with the 7.400 release, the web proxy can transparently filter HTTPS traffic. When this is activated, client browsers display a security warning when accessing secure sites.

Cause:

New functionality has been added which allows for the filtering of HTTPS (port 443) sites via new additions to the Web Proxy. This is achieved by preserving the chain of trust between the client and the server via a system of certificate exchanges between the client, the AxG, and the Server being accessed.

Previously, there would be a single channel of encrypted traffic between the client and server, making it difficult to transparently filter traffic between client and server. Starting with the 7.400 release, the proxy initiates one connection with the server, and another with the client. As the proxy does the key exchange, it is able to read the traffic as plaintext, which in turn allows the same content filtering capabilities as with HTTP traffic. As a result, it is necessary to import the web proxy's Signing Certificate Authority (CA) into the client browser(s).

Resolution:

Deploying the Proxy CA


As the Client browser will need to import or “Trust” the Proxy CA that exists on the Astaro Device, there are three ways that administrators can deploy this to their users:

 

1)    Have the users sign in to the UserPortal, select the “HTTPS Proxy” tab, and import the proxy CA certificate. Select all option-boxes and select “OK”, and the import will finish. Note that you should do this for all browsers you use.

2)    Publish the CA using an Active Directory Group Policy. As the administrator, navigate to Web Security → HTTP/S and select the “HTTPS CAs” tab. From there, click the “Download” button at the top in the “Signing CA” section, and use Active Directory to distribute it to your network users. Please refer to KB Article 302524, "https CA trusted in AD", at www.astaro.com/kb for more information.

3)    Have the users directly download it via a special URL directly from the Astaro Device, by navigating in their web browser to:

 
https://passthrough.fw-notify.net/cacert.pem

Select all the checkboxes on the import dialog box, and select “Ok” to complete the process.

Testing the HTTPS Filter


Once deployed, you can verify the HTTPS scanning by using a harmless file which has been agreed upon by vendors to be reported as a malware/virus file. The site is www.eicar.org, and a direct link to one of the files via HTTPS is https://secure.eicar.org/eicar_com.zip.
 

*Note that while this file will be reported as a virus, it is harmless and used only for testing these systems.
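
To confirm from a client that a site is actually being re-signed by the proxy's Signing CA, the following added example (not part of the original article and not Astaro tooling) connects while trusting only the downloaded CA file and checks who issued the certificate the client received. The function names, the script name `check_proxy_ca.py` and the sample certificates are constructed for illustration; it assumes the Signing CA was saved locally as `cacert.pem`.

```python
import socket
import ssl
import sys

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_PROXY_CA = {"subject": ((("countryName", "US"),),
                               (("organizationName", "Example Corp"),),
                               (("commonName", "Example Proxy Signing CA"),))}
SAMPLE_RESIGNED = {"subject": ((("commonName", "secure.eicar.org"),),),
                   "issuer": SAMPLE_PROXY_CA["subject"]}
SAMPLE_DIRECT = {"subject": ((("commonName", "secure.eicar.org"),),),
                 "issuer": ((("organizationName", "Example Public CA"),),
                            (("commonName", "Example Issuing CA"),))}

def name_tuple(rdns):
    """Flatten the nested RDN tuples into an ordered tuple of (field, value)."""
    return tuple(pair for rdn in rdns for pair in rdn)

def issued_by(peer_cert, ca_cert):
    """True when the certificate's issuer name equals the CA's subject name."""
    return name_tuple(peer_cert["issuer"]) == name_tuple(ca_cert["subject"])

def classify(peer_cert, proxy_cas):
    """'filtered' if the proxy CA issued the certificate the client received."""
    if any(issued_by(peer_cert, ca) for ca in proxy_cas):
        return "filtered"
    return "not-reissued"

def check_site(host, ca_file, port=443, timeout=10):
    """Connect while trusting only the proxy CA and report what the client sees."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies chain and hostname
    ctx.load_verify_locations(cafile=ca_file)      # no system CAs are loaded
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                peer = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain does not end at the proxy CA: traffic bypasses the HTTPS filter,
        # or ca_file is not the Signing CA of this device.
        return "untrusted (" + exc.verify_message + ")"
    # Signatures were already verified by the handshake; the name comparison
    # only confirms the proxy CA is the direct issuer.
    return classify(peer, ctx.get_ca_certs())

if __name__ == "__main__":
    # Usage: python check_proxy_ca.py cacert.pem secure.eicar.org
    print(sys.argv[2], "->", check_site(sys.argv[2], sys.argv[1]))
```

A result of `filtered` means the HTTPS filter is intercepting the connection and the deployed CA validates it; `untrusted` means a browser with only this CA would still show the warning for that site.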