This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTPS Scanning Best Practices for public networks and BYOD

I would like to know what best practices are for providing HTTPS scanning, filtering, and inspection for public networks to protect users from virus infections, or if that is even done. I think it would be nice to provide this service, but I don't see it as possible to do so without somehow installing the cert on those devices, and how do you install a cert on a cell phone? Has anyone else done this, or do you just provide the HTTPS scanning for company machines on one specific VLAN/Subnet/etc?

This thread was automatically locked due to age.

Parents

0 Greg CT over 8 years ago

There are certainly ways to install certificates on cell phones. That said, you will find doing HTTPS scanning for your company challenging enough given that you need to get certificates on each machine and cell phone and then need to determine which sites break with HTTPS scanning and then create exceptions for each. Getting people to install certificates on public networks would be next to impossible - not to mention that you would not know what would break for them with the HTTPS scanning enabled.
Cancel
Vote Up 0 Vote Down

Cancel
0 lferrara over 8 years ago in reply to Greg CT

Paul,

as Greg wrote it will almost impossible to manage and distribute Certificate to every users in order to avoid the Certificate error page.

Can you give us more details about what you are thinking and what you would like to achieve?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 lferrara over 8 years ago in reply to Greg CT

Paul,

as Greg wrote it will almost impossible to manage and distribute Certificate to every users in order to avoid the Certificate error page.

Can you give us more details about what you are thinking and what you would like to achieve?

Thanks
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Paul Schwegler over 8 years ago in reply to lferrara

It sounds like enabling HTTPS scanning is only reasonable for the core workstations, would everyone agree?
Cancel
Vote Up 0 Vote Down

Cancel
0 Paul Schwegler over 8 years ago in reply to Paul Schwegler

Another quick, related question. Is it possible to give the XG a certificate from a trusted certificate authority so that we don't have to install the self-signed cert on all of the machines? Something that is from an authority already trusted by all machines? I think I know the answer is no as there is no way to get a cert capable of signing other certs, but I thought I would ask.
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Dunn over 8 years ago in reply to Paul Schwegler

You can - for anything that appears to be coming from the XG - for example User Portal.

But for HTTPS scanning of websites through the proxy, there is no choice.

As for best practice, one thing that I have seen is customization of the block pages, user portal, etc. Then you can add a hyperlink to the CA for installation.
Cancel
Vote Up 0 Vote Down

Cancel