Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 28 subscribers
  • Views 5179 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTPS Scanning Best Practices for public networks and BYOD

Paul Schwegler

I would like to know what best practices are for providing HTTPS scanning, filtering, and inspection for public networks to protect users from virus infections, or if that is even done. I think it would be nice to provide this service, but I don't see it as possible to do so without somehow installing the cert on those devices, and how do you install a cert on a cell phone? Has anyone else done this, or do you just provide the HTTPS scanning for company machines on one specific VLAN/Subnet/etc?



This thread was automatically locked due to age.
Parents
  • 0

    There are certainly ways to install certificates on cell phones.  That said, you will find doing HTTPS scanning for your company challenging enough given that you need to get certificates on each machine and cell phone and then need to determine which sites break with HTTPS scanning and then create exceptions for each.  Getting people to install certificates on public networks would be next to impossible - not to mention that you would not know what would break for them with the HTTPS scanning enabled.

  • 0 in reply to Greg CT

    Paul,

    as Greg wrote it will almost impossible to manage and distribute Certificate to every users in order to avoid the Certificate error page.

    Can you give us more details about what you are thinking and what you would like to achieve?

    Thanks

  • 0 in reply to lferrara

    It sounds like enabling HTTPS scanning is only reasonable for the core workstations, would everyone agree?

Reply Children
  • 0 in reply to Paul Schwegler

    Another quick, related question. Is it possible to give the XG a certificate from a trusted certificate authority so that we don't have to install the self-signed cert on all of the machines? Something that is from an authority already trusted by all machines? I think I know the answer is no as there is no way to get a cert capable of signing other certs, but I thought I would ask.

  • 0 in reply to Paul Schwegler

    You can - for anything that appears to be coming from the XG - for example User Portal.

    But for HTTPS scanning of websites through the proxy, there is no choice.

     

    As for best practice, one thing that I have seen is customization of the block pages, user portal, etc.  Then you can add a hyperlink to the CA for installation.