cancel
Showing results for 
Search instead for 
Did you mean: 
wcoetsee
Level 7

SSL Inspection Requirements

Hi All,

Need to discuss and clarify SSL Inspection requriements. Currently deploying two 4500 MWG running v7.1 in Proxy HA configuration. One of the requirement are to perform SSL Inspection. They way I understand it is client will request HTTPS session, MWG initiate the HTTPS request to the destinationon behalf of the client and inturn open a HTTPS request to the Client using it's own certificate.

Now seeing that the MEG uses its own CA Cert it displays as untrusted on client machines/browsers. One way to solve this would be to distribute this MEG CA Cert as trusted to clients computers using GPO. However the client does not want to go down this path. What other options do we have as the customer does have their own internal MS CA.

1. Should I add the customers internal CA as CRL under settings\Engines\CertificateChain? And what would be the benfit? Only the fact that it would then trust other internal certs?

2. How do I solve our problem, can we import cert from internal CA? This is probably the answer but how does one generate a CSR from MWG which the internal CA need in order to create cert?

Any help would be much appreciated.

Thanks,

Werner

0 Kudos
3 Replies
eelsasser
Level 15

Re: SSL Inspection Requirements

If your internal CA's root certificate is already distributed to client, then you would create a Subordinate CA on your root CA server and export the certificate and private key it generates and import that into MWG.

This is not the same process as a Web Server certificate, so don't get confused.

The MWG does not need to generate the the CSR, Microsoft Certificate Services does that by itself and exports the keypair for import into MWG.

If you are not using Microsoft CA, consult documentation for you PKI servers. Any openSSL commandline can generate the CSR.

0 Kudos
McAfee Employee

Re: SSL Inspection Requirements

Hi Werner,

See PD22642 on page 41 (https://kc.mcafee.com/corporate/index?page=content&id=PD22642) for creating/importing a sub-ordinate CA from a microsoft authority. It contains the necessary commands to do so. The guide is for Web Gateway 6, but is relevent in any situation (6 or 7).

~Jon

0 Kudos
wcoetsee
Level 7

Re: SSL Inspection Requirements

Thank you both for your replies. I will do some reading up regarding the subordinate CA and will also have look at the PD. Will update this threat in the week.

Cheers,

Werner

0 Kudos