Can someone please help me here. I have a rule ( test rule ) as detailed below:
Summary of this rule:
This is a simple rule - If the URL.Host is www.test.com, then display the MWG Block Message. ( Please note this is no disrespect to test.com ).
If I select http://www.test.com then I am presented with the MWG Block message ( as expected ):
But when I select https://www.test.com I am presented with:
With the increasing proportion of https: requests, we are experiencing an increased rate of incidents where, if an https:// request is sent via the browser and the MWG presents a Message ( Block, Authenticate, Welcome, Coach ) etc., then we receive a message from the browser like the one immediately above. The browser message varies depending on browser type.
Hello. Have you turned on SSL Scanner inside MWG? If so, have you configured an SSL Client Context Certificate Authority within MWG?
Have you turned on SSL Scanner inside MWG? - Yes
If so, have you configured an SSL Client Context Certificate Authority within MWG? - Yes
When SSL Scanning is not applied: -
When SSL Scanning is applied ( as per Rule Set below): -
In this situation, I could have pressed the Advanced option and Trusted the site, but if I used Chrome, then the Trust option is not available (HSTS).
Additionally, the environment I am using uses Bring Your Own Devices (BYOD) that do not have the CA installed locally.
Are you using an internal enterprise root CA or an external root CA?
I imagine the machine you're testing on sees MWG as a Trusted Root CA.
I am using an internal enterprise root CA and the test machine does not have this CA installed locally. The environment that I am managing is a Guest / Public WiFi setup with users having a variety of different O/S's and Browsers.
If the client makes an HTTPS request for a site the Web Gateway’s policy determines should be blocked, the Web Gateway will issue a block page. In order for that block page to be presented to the client (remember that the client expects a proper SSL handshake when it makes an HTTPS request), the Web Gateway must interact with that SSL Connection to be able to present the block page inside an SSL tunnel.
To do so, the Web Gateway issues a web server certificate (with common name matching the request from the browser, and signed by a certificate authority loaded on the box). It uses this web server certificate to establish the SSL connection with the client, in order to present the block page.
Have a look at the following articles:
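A small reproduction of the trust problem fdurur describes, added here as an example and not taken from any post in the thread or from MWG itself: it assumes the openssl command-line tool is available, constructs a throwaway "gateway" CA that signs a certificate for www.test.com (the host in the rule), and a second unrelated CA standing in for the roots a BYOD device ships with.

```shell
#!/bin/sh
# Added example: a gateway CA issues a certificate whose CN matches the
# requested host, as MWG does when it serves a block page over HTTPS.
# A client that has that CA installed validates the chain; a client that
# only trusts other roots rejects it, which is the browser error seen above.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Constructed internal enterprise root CA (stands in for the MWG CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Gateway Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# 2. Constructed unrelated root, standing in for the public roots a BYOD
#    device trusts out of the box (it has never seen the gateway CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Some Public Root CA" \
  -keyout "$WORK/public.key" -out "$WORK/public.crt" >/dev/null 2>&1

# 3. Server certificate for the blocked host, signed by the gateway CA.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=www.test.com" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/site.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/site.crt" >/dev/null 2>&1

# The managed client: gateway CA installed, hostname must match the CN.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname www.test.com \
    "$WORK/site.crt" >/dev/null 2>&1
}

# The BYOD client: trusts only the unrelated public root, so the chain
# built by the gateway cannot be validated and the block page never renders.
verify_without_ca() {
  openssl verify -CAfile "$WORK/public.crt" -verify_hostname www.test.com \
    "$WORK/site.crt" >/dev/null 2>&1
}

# Who really issued the certificate the browser is shown.
issuer_of_site_cert() {
  openssl x509 -in "$WORK/site.crt" -noout -issuer
}

if verify_with_ca; then echo "managed client: chain OK"; fi
if ! verify_without_ca; then echo "BYOD client: chain rejected"; fi
issuer_of_site_cert
```

Installing the gateway CA on the device (or serving block pages only for plaintext HTTP) is what turns the second result into the first; HSTS additionally removes the browser's "proceed anyway" option, as noted above for Chrome.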
That would be an issue, I believe. As fdurur explained above, the MWG appliance needs to be able to create a secure SSL tunnel with the client in order for the block page to be created.
You may want to try to export the CA cert from your MWG instance and then import that into your test machine as a Trusted Root CA. After that try your tests again.