layer0
Level 7

Configuration SSL Scanner in Proxy HA

Hello

I would like to know how you configure the SSL scanner for Proxy HA. Specifically, how do you manage the certificates for multiple web gateways?

Thanks

0 Kudos
7 Replies
eelsasser
Level 15

Re: Configuration SSL Scanner in Proxy HA

All proxies in a centrally managed group share the same policy, including the CA certificate used for SSL scanning. You do not need one for each proxy.

0 Kudos
layer0
Level 7

Re: Configuration SSL Scanner in Proxy HA

Thanks

And how do I make the certificate? My customer has a Microsoft CA.

Thanks

0 Kudos
McAfee Employee

Re: Configuration SSL Scanner in Proxy HA

Hi L0,

You only need one certificate for all MWGs. For the common name you can put whatever, like: "INSERT COMPANY NAME HERE Filtering CA"

This certificate needs to be a Subordinate Certificate authority. This is very different from what a CA admin will be asked to do, so be explicit that you need a Sub CA, NOT a web server certificate.

Best Regards,

Jon

0 Kudos
layer0
Level 7

Re: Configuration SSL Scanner in Proxy HA

Hello

Just to clarify, do we have to use the following procedure?

McAfee KnowledgeBase - How to create and import a Microsoft subordinate certificate authority (Sub C...

Thanks

0 Kudos
bwallace1
Level 9

Re: Configuration SSL Scanner in Proxy HA

No, you don't have to use that method, as there are multiple ways to create a CA. One of them is simply generating one via the MWG UI, as outlined here:

https://community.mcafee.com/docs/DOC-5222#jive_content_id_How_do_I_replace_my_default_Certificate_A...

0 Kudos
layer0
Level 7

Re: Configuration SSL Scanner in Proxy HA

Hello

But with that method I am creating a certificate, and then the customer will have to generate a GPO and deploy the certificate.

What we want is to use the Microsoft CA of my client to generate the certificate, so that he doesn't have to deploy the certificate with a GPO, because the users already trust the Microsoft CA of the organization.

Thanks

0 Kudos
McAfee Employee

Re: Configuration SSL Scanner in Proxy HA

Hi L0,

You do indeed want to follow that guide if you have a Microsoft CA. If and when you get stuck, don't hesitate to give me or Brent a call and we can help out.

The tricky part is converting the pfx to crt and a key along with the chain.

Best Regards,

Jon

0 Kudos
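The PFX conversion mentioned in the last reply, together with the "Sub CA, not a web server certificate" check from the earlier one, as an added example that is not part of the thread or of the McAfee KB article. It assumes OpenSSL on an admin workstation; the output file names, the `PFX_PASS` environment variable and the throwaway demo CA are constructed for illustration.

```shell
#!/bin/sh
# Added example. File names, PFX_PASS and the demo CA are assumptions.
# Usage: PFX_PASS=... split_pfx subca.pfx outdir && check_subca outdir

# Split a PKCS#12 export into certificate, private key and issuer chain.
split_pfx() (
    pfx=$1; out=$2
    umask 077                      # key file is created 0600
    mkdir -p "$out" || exit 1
    # Sub CA certificate only (the cert that matches the private key)
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -clcerts -nokeys |
        openssl x509 -out "$out/subca.crt" || exit 1
    # Private key as unencrypted PEM; store and transfer it accordingly
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes |
        openssl pkey -out "$out/subca.key" || exit 1
    # Issuing CA certificates, with the PKCS#12 bag attributes stripped
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -cacerts -nokeys |
        sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$out/chain.crt"
)

# 0 = ok, 1 = key/cert mismatch, 2 = not a CA cert, 3 = chain does not verify
check_subca() (
    out=$1
    c=$(openssl x509 -in "$out/subca.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$out/subca.key" -pubout | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ] || exit 1
    # A web server certificate fails here: it lacks basicConstraints CA:TRUE
    openssl x509 -in "$out/subca.crt" -noout -text | grep -q 'CA:TRUE' || exit 2
    # Assumes the PFX was exported with the full chain up to the root
    openssl verify -CAfile "$out/chain.crt" "$out/subca.crt" >/dev/null 2>&1 || exit 3
)

# Constructed sample input: throwaway root + Sub CA packed into demo.pfx.
make_demo_pfx() (
    d=$1; mkdir -p "$d" && cd "$d" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
        -subj "/CN=Demo Root CA" -days 2 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
        -subj "/CN=Demo Filtering CA" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ext.cnf
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ext.cnf -days 1 -out sub.crt 2>/dev/null
    openssl pkcs12 -export -inkey sub.key -in sub.crt -certfile root.crt \
        -passout env:PFX_PASS -out demo.pfx
)
```

Because the extracted key is the signing key of a CA that every client already trusts, keep `subca.key` off shared storage and delete the working directory once the import is done.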