abigail

users without certificate


Hi,

I enabled the SSL scanner.

Some users have a certificate on their devices, and everything works fine for them.

But others are blocked by browsers.

I want to block them with MWG and not with the browser. I want them to receive a message from MWG.

Can I do this?

Can I change the message from MWG to installation instructions?

Thank you in advance.

9 Replies
fdurur

Re: users without certificate


Hi,

I'm not sure if I'm getting you right, but you may check this link.

It may be similar:

abigail

Re: users without certificate


Hi,

Thank you for the answer.

I read the links. As I understand them,

in order to receive messages from MWG, the user should install the certificate.

My question is -

Is there a way to block the user with a message such as -

[attached image: block.png]

And not like -

[attached image: system.png]

I want to block users without a certificate.

I tried to build the rule that blocks all users without the certificate -

[attached image: rule.png]

But I did not succeed.

Thanks in advance.

abigail

Re: users without certificate


Perhaps I did not explain myself well.

I want to block all users who do not have the certificate

(HTTP and HTTPS).

In addition, I want MWG to block them.

I want a message telling users that they are blocked because of the certificate.

eelsasser

Re: users without certificate


The browser displays the error and doesn't communicate that fact to the proxy.

The proxy has no way of knowing what is being displayed on the client's screen and cannot arbitrarily send out a block page.

abigail

Re: users without certificate


Thank you for the answer.

I tried to add rule to redirect users to specific http page.

[attached image: rule.png]

In Internet Explorer it works well, but not in Chrome and Firefox.

What can i do?

pcoates

Re: users without certificate


That won't be possible. Since the browser is expecting an SSL response, and you are redirecting them to a non-SSL site (HTTP), Firefox and Chrome are blocking the connection. This ensures that the client is not the victim of a malicious attack such as a man-in-the-middle attack.

The version of Internet Explorer may be allowing it because they are not enforcing this particular check. If you increased the security level for the particular zone in IE it may end up behaving the same as the other browsers.

The following link is a good read about setting SSL Client context:

EDIT:

Also in your rule above, you're redirecting all SSL traffic no matter what to your redirect page?

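The point eelsasser and pcoates make above (the browser itself fails the TLS handshake, so the proxy never receives a request it could answer with a block page or an HTTP redirect) can be reproduced end to end with the following Go program. It is an added example, not code from this thread or from McAfee Web Gateway. It generates a throwaway "proxy CA" and a certificate for a made-up site name in-process, serves a constructed block page behind that certificate the way an SSL scanner would, and then connects once as a client that installed the CA and once as a client that did not. The CA name, the site name `intercepted.example` and the page text are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"time"
)

// BlockPageBody is the constructed page the stand-in proxy serves once a TLS session exists.
const BlockPageBody = "Blocked by proxy: install the proxy CA certificate"

// Result records what the two clients observed.
type Result struct {
	TrustedStatus int    // status seen by the client that installed the CA
	TrustedBody   string // body seen by that client
	UntrustedErr  error  // error seen by the client without the CA
	UnknownCA     bool   // UntrustedErr is specifically an unknown-authority failure
	HandlerHits   int64  // requests that actually reached the proxy handler
}

// mint generates a P-256 key and a certificate for tmpl signed by parentKey (self-signed when nil).
func mint(tmpl, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// fetch performs one GET trusting only roots; a non-nil empty pool means "CA never installed".
func fetch(url string, roots *x509.CertPool) (int, string, error) {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: roots, ServerName: "intercepted.example"}}} // the site the user believes they reach
	resp, err := c.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// RunScenario builds a throwaway proxy CA, forges a certificate for the requested site
// with it, serves the block page behind that certificate, and connects once with the
// CA installed and once without.
func RunScenario() (Result, error) {
	from, to := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caPair, err := mint(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Constructed Proxy CA"}, NotBefore: from, NotAfter: to,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return Result{}, err
	}
	_, leafPair, err := mint(&x509.Certificate{SerialNumber: big.NewInt(2),
		DNSNames: []string{"intercepted.example"}, NotBefore: from, NotAfter: to,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caPair.PrivateKey)
	if err != nil {
		return Result{}, err
	}
	var hits int64
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt64(&hits, 1) // only reachable after a completed TLS handshake
		w.WriteHeader(http.StatusForbidden)
		io.WriteString(w, BlockPageBody)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leafPair}} // proxy presents the forged leaf
	srv.StartTLS()
	defer srv.Close()

	var res Result
	trusted := x509.NewCertPool() // the client that installed the proxy CA
	trusted.AddCert(ca)
	if res.TrustedStatus, res.TrustedBody, err = fetch(srv.URL, trusted); err != nil {
		return res, err
	}
	_, _, res.UntrustedErr = fetch(srv.URL, x509.NewCertPool()) // the client without it
	var unknown x509.UnknownAuthorityError
	res.UnknownCA = errors.As(res.UntrustedErr, &unknown)
	res.HandlerHits = atomic.LoadInt64(&hits)
	return res, nil
}

func main() {
	res, err := RunScenario()
	fmt.Printf("%+v (setup error: %v)\n", res, err)
}
```

Run it with `go run`. The client with the CA installed receives the 403 block page; the client without it gets an x509 unknown-authority error from its own TLS stack, and the handler count stays at 1: no HTTP request ever left that client, so there is nothing for a proxy rule to redirect. That is why the redirect-to-HTTP rule in the thread can only appear to work in a browser that skips the check, as pcoates notes for Internet Explorer.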
abigail

Re: users without certificate


Thank you very much for your answer.

As I understand it, there is no way to redirect users who do not have the certificate to an HTML page, or to block them with a message from MWG (instead of the browser's notifications).

I read that the recommended solution is a "captive portal".

Is there a way to identify users with the certificate?

Many thanks in advance.

pcoates

Re: users without certificate (accepted solution)

You can check once you display a block page (Erik demonstrates this as part of his preconfig file, his modified template shows whether the certificate is installed or not in the footer)

You would have to do a coaching (splash) page for everyone on their first connection in X time, so say it expires every 12 hours so they'll only get the message once a day. And then you would need to configure that page to tell them whether they are good to proceed or need to install the certificate. This means everyone will get a splash message once in the amount of time you set for the coaching page. Also, if users who don't have the certificate go to HTTPS sites first, they will still get a browser error until they get to an HTTP site and you can send the HTTP block page.

Preconfig link:

Snip from the block page:

```html
<!-- CA Cert Check
     Please define a URL for User-Defined.Certificate.Authority.URL
     (assumed to be the property referenced as propertyId 1404 below). -->
<script>
  // Runs from the probe image's onerror handler: the HTTPS image could not be
  // loaded, so the browser does not trust the MWG CA. Replace the footer with a
  // "not installed" notice (this icon is fetched by a relative path, so it loads
  // without the CA) and a download link for the certificate.
  function caCert() {
    document.getElementById("caFooter").innerHTML = '<img style="vertical-align: middle;" src="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif"/> CA Certificate not installed. ';
    document.getElementById("caFooter").innerHTML += '<a href="$<propertyInstance useMostRecentConfiguration="false" propertyId="1404"/>$">Click here to download</a>';
  }
</script>
<!-- Probe: the same icon requested over HTTPS through MWG, which answers with a
     certificate from its own CA. The load only succeeds when that CA is trusted;
     otherwise onerror fires and caCert() swaps the footer text. -->
<div id="caFooter" style="text-align:left;">
  <img style="vertical-align: middle;" src="https://mcp.webwasher.com$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif" onerror="caCert()"/> CA Certificate installed.
</div>
<!-- /CA Cert Check -->
```

Erik can explain this in much more detail. Support can also help run you through creating a coaching page and integrating parts of this.

gunnars

Re: users without certificate


Had a discussion on the very same topic recently:

https://community.mcafee.com/thread/92337

Bottom line: apart from mobile OSes (which do captive portal detection and bring up a browser forced to an HTTP page), most browsers now will detect the fact that the HTTPS connection is being modified and will not give you the opportunity to display anything other than the browser's default error, "your TLS connection is broken".
