This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Scanning HTTPS (SSL) Traffic causes Cert Warning

7.400 and 7.401, when I enable "Scan HTTPS (SSL) Traffic" and then browse to an HTTPS site, like https://www.paypal.com, I get a cert error, and viewing the details shows this:

Common Name (CN) = www.paypal.com
Organization (O) = PayPal, Inc.
Organizational Unit (OU) = Information Systems

The strange part is this, under the Issued By

Common Name (CN) = OurComany Proxy CA
Organization (O) = OurCompany Name
Organizational Unit (OU) = Not part of certificate.

Now obviously this info is causing the error, when not using the Scan HTTPS option the cert issued by section is normal like this:

Common Name (CN) = VeriSign Class 3 Extended Validation SSL SGC CA
Organization (O) = VeriSign, Inc.
Organizational Unit (OU) = VeriSign Trust Network.

Any ideas?

This thread was automatically locked due to age.

Parents

0 BigBen over 17 years ago

When you are in the HTTP/S item select the "HTTPS CAs" tab. Since the firewall handles all https you need to install a Signing CA on each machine to prevent them from getting the error. It can be a pain, but is well worth it in the long run.

Oh course if someone has an easier way of doing this than touching each machine or telling the users to do it through the user panel I would be VERY interested.

Take care,
Ben
Cancel
Vote Up 0 Vote Down

Cancel
0 scmiles over 17 years ago in reply to BigBen

That is what was thinking, but not 100%. I can push that out via GPO in Active Directory.

When you are in the HTTP/S item select the "HTTPS CAs" tab. Since the firewall handles all https you need to install a Signing CA on each machine to prevent them from getting the error. It can be a pain, but is well worth it in the long run.

Oh course if someone has an easier way of doing this than touching each machine or telling the users to do it through the user panel I would be VERY interested.

Take care,
Ben
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 scmiles over 17 years ago in reply to BigBen

That is what was thinking, but not 100%. I can push that out via GPO in Active Directory.

When you are in the HTTP/S item select the "HTTPS CAs" tab. Since the firewall handles all https you need to install a Signing CA on each machine to prevent them from getting the error. It can be a pain, but is well worth it in the long run.

Oh course if someone has an easier way of doing this than touching each machine or telling the users to do it through the user panel I would be VERY interested.

Take care,
Ben
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Scott_Klassen over 17 years ago in reply to scmiles

Yep, GPO is definately the way to go. Either 1) create and link the GPO, then wait a minimum of 90 minutes (GPO refresh time) to turn on HTTPS scanning on your Astaro box, or you can make the process run much quicker if you have some remote mechanism to kick off a gpupdate on all the client systems.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel