Hello all,
I have been experimented with enable HTTPS proxying in web security.
Does anyone have a best practices guide (gotchas!) to setting this up? From what I'm seeing, whilst it does work:
1. We exported our internal CA in MS Certificate Services and imported successfully (after a bit of mucking about to get a PKCS12). The CA installed in the ASG is obviously self signed so each site you go to prompts for exceptions - or effectively comes up untrusted depending on the browser you use. I've loaded the CA into Firefox and it does appear to alleviate the issue slightly.
Is there a more transparent way of configuring this?
2. When the HTTPS certificate of the remote site is not signed by a recognised CA in the ASG - the pages returned to the end user are a visual mess and can send the browser depending on the version into fits of apoplexy.
What is the best method in order to capture all HTTPS sites in advance, to avoid/minimise any administrative overhead? And also where can I go and get all these CA's to load into the ASG?
3. With mobile devices (eg. laptop) - once the user accepts exceptions and then takes the device offsite and then attempts to access the same HTTPS server - even more warnings are thrown up since the certificate exception is now invalid.
Is there a way to get the browsers to quietly forget their exceptions when they change physical location?
Ultimately, the proxying of HTTPS does work but the end user experience is convoluted.
Any tips, advice appreciated.
j.
This thread was automatically locked due to age.
