NetTas
Level 7
Message 1 of 7

Can not display Block Message for HTTPS sites via MWG

Can someone please help me here. I have a rule ( test rule ) as detailed below:

Rule2.png

Summary of this rule:

rule1.png

This is a simple rule - If the URL.Host is www.test.com, then display MWG Block Message. ( Please note this is no disrespect to test.com ).

If I select http://www.test.com then I am presented with the MWG Block message ( as expected ):

rule3.png

But when I select https://www.test.com I am presented with:

Rule4.png

With the increasing proportion of https: requests, we are experiencing an increased rate of incidents where, if an https:// request is sent via Browser and the MWG presents a Message ( Block, Authenticate, Welcome, Coach ) etc., then we are receiving a message from the browser like the one immediately above. The browser message varies depending on browser type.

Annoying....

6 Replies
kbolt
Level 10
Message 2 of 7

Re: Can not display Block Message for HTTPS sites via MWG

Hello. Have you turned on SSL Scanner inside MWG? If so, have you configured an SSL Client Context Certificate Authority within MWG?

NetTas
Level 7
Message 3 of 7

Re: Can not display Block Message for HTTPS sites via MWG

Have you turned on SSL Scanner inside MWG? - Yes

If so, have you configured an SSL Client Context Certificate Authority within MWG? - Yes

When SSL Scanning is not applied: -

https_test.com_noSSL.png

When SSL Scanning is applied ( as per Rule Set below): -

RuleSet1.png

https_with_SSL_Scan.png

In this situation, I could have pressed the Advanced option and Trusted the site, but if I used Chrome, then the Trust option is not available (HSTS).

Additionally, the environment I am using uses Bring Your Own Device (BYOD) clients that do not have the CA installed locally.

kbolt
Level 10
Message 4 of 7

Re: Can not display Block Message for HTTPS sites via MWG

Are you using an internal enterprise root CA or an external root CA?
I imagine the machine you're testing on sees MWG as a Trusted Root CA.

NetTas
Level 7
Message 5 of 7

Re: Can not display Block Message for HTTPS sites via MWG

I am using an internal enterprise root CA and the test machine does not have this CA installed locally. The environment that I am managing is a Guest / Public WiFi setup with users having a variety of different OSes and Browsers.

fdurur
Level 8
Message 6 of 7

Re: Can not display Block Message for HTTPS sites via MWG

Hi,

If the client makes an HTTPS request for a site the Web Gateway’s policy determines should be blocked, the Web Gateway will issue a block page. In order for that block page to be presented to the client (remember that the client expects a proper SSL handshake when it makes an HTTPS request), the Web Gateway must interact with that SSL connection to be able to present the block page inside an SSL tunnel.

To do so, the Web Gateway issues a web server certificate (with common name matching the request from the browser, and signed by a certificate authority loaded on the box). It uses this web server certificate to establish the SSL connection with the client, in order to present the block page.

Have a look at the following articles:

Main Article:

regards

fd

kbolt
Level 10
Message 7 of 7

Re: Can not display Block Message for HTTPS sites via MWG

That would be an issue, I believe. As fdurur explained above, the MWG appliance needs to be able to create a secure SSL tunnel with the client in order for the block page to be created.

You may want to try to export the CA cert from your MWG instance and then import that into your test machine as a Trusted Root CA. After that try your tests again.
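The trust problem fdurur describes and the fix kbolt suggests, as an added example that is not from this thread or from McAfee: a constructed Go program builds a stand-in internal root CA and the www.test.com server certificate a gateway would issue under it, then checks that chain against a trust store containing the CA (the imported-root fix) and against one that does not (the guest/BYOD case). The CA name, host and key material are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues a certificate from tmpl, signed with signer (constructed demo PKI, not MWG code).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so Verify sees the final extensions
	return cert
}

// GatewayChain builds a stand-in internal root CA and the server certificate the gateway presents for host.
func GatewayChain(host string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed MWG Root CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true}
	ca = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root, as loaded on the appliance
	leaf = sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, &leafKey.PublicKey, caKey)
	return ca, leaf
}

// ClientAccepts reports whether a browser trusting exactly roots would accept leaf for host,
// which is the precondition for the block page ever being rendered.
func ClientAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, leaf := GatewayChain("www.test.com")
	withCA := x509.NewCertPool() // managed device: gateway CA imported as a Trusted Root CA
	withCA.AddCert(ca)
	fmt.Println("CA installed:", ClientAccepts(leaf, withCA, "www.test.com"), "| BYOD, no CA:", ClientAccepts(leaf, x509.NewCertPool(), "www.test.com"))
}
```

The second result is the browser-side failure shown in the thread: without the enterprise root in the device's trust store, the handshake for the block page is rejected before any HTML is delivered.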