
Where is V18 at?

Hi,

This request for an update on progress is for those of us that do not have access to partners/resellers.

Would someone in the know who is allowed to provide progress on v18 please add to this thread.

I am not after guesses or conjecture, but real timelines (give or take a month).

Ian



This thread was automatically locked due to age.
  • What exactly would you like to see in the upcoming SFOS? Deploying certificates to domain machines can be done via a group policy. BYOD is a huge problem for us. Getting the certificate installed on over 1000 devices is an administrative nightmare.

  • Do you not manage the BYOD devices with any form of MDM/EDM?

  • cryptochrome said:

      Single points of failure are usually avoided at all cost.

    Hence why you would configure the devices as a pair in HA mode - as stated before, there is no wrong or right answer DNS on a firewall appliance or not...20 years ago then yes I would agree with you, but today with the way technology and system level protection has gone, then it's not so much of an issue.

    Same as running a virtual firewall, a DNS and a DHCP server on ESXi - a well-known manufacturer does the same thing but under their control, they have the OS, which then sandboxes the relevant components so as not to interfere with each other, and not to cause any issues - and when in HA mode these components can run active-active and fail between each of them.

  • envercpt said:

    What exactly would you like to see in the upcoming SFOS? Deploying certificates to domain machines can be done via a group policy. BYOD is a huge problem for us. Getting the certificate installed on over 1000 devices is an administrative nightmare.

    Some useful information and an explanation in this thread.

    HTTPS bypasses Suspicious web filter

    I too have had some BYOD devices - and not helped with a client who expects devices to just work and cannot understand why users need or should have to install anything on their devices to get it to work - they just want it to be trouble free, connect and away they go...

  • We did deploy certificates to domain machines, but that was not sufficient. Some machines use Java and then it required additional steps. Visual Studio requires additional steps and kept breaking it with updates.

    So maybe a small Windows client that handles the certificate would be good. It can point to a well-known CA.

    We don't need SSL scanning for IoT devices and mobile, just for Windows.

  • Hi,

    Please start a new thread on this subject; it is way off the aim of this thread.

    Thank you

    Ian

  • Deploying CA via GPO and then you can exclude the few sites that can't deal with a MITM for trusted apps. A custom Endpoint client would be good, however, to give both heartbeat and cert so you are ensuring the endpoint is at least clean.

  • Hi LuCar Toni,

    I shared the request here...

  • BLS said:

    Hence why you would configure the devices as a pair in HA mode - as stated before, there is no wrong or right answer DNS on a firewall appliance or not...20 years ago then yes I would agree with you, but today with the way technology and system level protection has gone, then it's not so much of an issue.

    I am not stating whether it is right or wrong, I am simply stating how it is done. You may not have seen large enterprise networks. Not a single customer of mine, be that Accenture, Verizon, T-Mobile, Ernst & Young, Lufthansa and many others that I have actually worked for have ever put a DNS or DHCP server on a firewall. That is simply the reality. You may see that a lot in small businesses, but you won't see it in large networks. Period. And there are reasons for that.

    The rules enterprises comply with such as ISO 27001, SOC 2 and PCI DSS actually even demand that services are separated, not just by machine, but also by zones and network segmentation.

    You really have to look at the bigger picture and must not apply your small business experience. The reality in large networks looks A LOT different than in SMEs. By a pretty big margin. And I am arguing that best practices used by large enterprises should also be considered by SMEs, if they have the resources.

  • Please stop discussing other things not related to this thread, otherwise I am forced to close the thread. Thanks