0 Replies Latest reply on Jun 7, 2017 9:16 AM by jebeling

    MWG Client Side Detection of CA Certificate Installation

    jebeling

      If you are enabling SSL scanning, you have likely already learned about the need to create and distribute a Certificate Authority for MWG to use for the client-side rewrite of the server cert. You probably also know that the best option is a sub CA that inherits the trust of your corporate root CA, which should already be on most clients. But what about clients that do not have that trust, or clients that do not have the certificate installed in the browser they are using? You would like to reduce help desk calls from users who get certificate warnings in their browsers, and you don't want to reinforce the habit of clicking through those warnings.

      While there is no way for the Web Gateway to transparently detect the absence of client trust for its CA, a client-side script that tests for that trust is possible. It can direct browsers without the trust to instructions for downloading and installing the cert, or straight to the download of the cert itself. The script is typically embedded in a block page, which has fewer dependencies, so I will show that here first.

       

      A client-side script can attempt to fetch a resource from any external website over HTTPS. If that website is reachable through the proxy, no rule blocks it, and the site is configured for SSL scanning, MWG rewrites the server cert with one signed by its CA. If the client browser does not trust that CA, the fetch fails and the element's onerror handler fires; on error we call a function that rewrites the footer element. This example uses the McAfee-owned HTTPS site mcp.webwasher.com (but any HTTPS site with a valid cert will do). By adding an image file to the block page directory, we can build a link that serves the image over HTTPS from the chosen site, so the cert the browser checks is the one MWG rewrote.

      This concept should also work with WGCS managed by MWG, except that you do not have the file server option. If WGCS is managed by ePO cloud the concept will also work, but doing it on the block pages is more cumbersome because there is no block page collection to use and you cannot host a certificate installation instruction page in the cloud.

      My MWG block page collection name is Intel. I put my img file in my Intel\img folder in the file system with the name icon_cacert.gif, and I put my exported MWG root CA (it could be your sub CA) in the Intel\Cert folder with the name Trust.cer. Proxy.EndUserURL is the property that fills in the path so that the requested content comes from the proxy itself. Proxy.EndUserCollection provides the name of the current collection in the file system.

       

      Here is the snippet of my block page template:

      Here is the script that could be embedded into your block template.

      <script>
      // Called from the onerror handler of the test image below: replace the footer
      // with a "not installed" notice and a download link. Both the icon and the
      // cert are served by the proxy itself (Proxy.EndUserURL + current collection).
      function caCert(){
        document.getElementById("caFooter").innerHTML = '<img style="vertical-align: middle;" src="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif"/> <b> CA Certificate not installed. </b> ';
        document.getElementById("caFooter").innerHTML += '<a href="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/Cert/Trust.cer">Click here to download</a>';
      }
      </script>
      <!-- The test image is requested over HTTPS from mcp.webwasher.com, so the browser
           sees the cert MWG rewrote with its CA; if that CA is not trusted, onerror fires. -->
      <div id="caFooter" style="text-align:left;" >
      <img style="vertical-align: middle;" src="https://mcp.webwasher.com$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif" onerror="caCert()"/> CA Certificate installed.
      </div>

      Here is what my block page looks like on a machine without the MWG CA trusted, with this template and image loaded:

      When I click on the link the cert is downloaded and you should get an installation dialog. Example in Firefox.

      Since most users wouldn't know what to do with this, you could instead link to a block page with installation instructions, or to an instruction page on another company-owned web server.

      After installation of the cert the block page should look like this:

      So that's all great, but what if you want to do something on a web page that isn't hosted on the web gateway? For example, put the script on your corporate home page, which isn't accessed through the proxy. This is doable as long as the site you test with is accessible via HTTPS with a valid cert through the proxy. To use the method above you'll want an image that is hosted on the public server and is always at the same location. You can host your instructions, images and certs on the web gateway or on a web server.

      For this scenario you could insert the following script (I used an image from the McAfee HTTPS web site for the CA test). My MWG is named mwgappl2 and is resolvable via short name on my local network.

      <script>
      // Called from the onerror handler of the test image below. The icon and the
      // cert are now fetched from the MWG file server (port 4713) on mwgappl2
      // instead of from the block page collection.
      function caCert(){
        document.getElementById("caFooter").innerHTML = '<img style="vertical-align: middle;" src="http://mwgappl2:4713/files/icon_cacert.gif"/> <b> CA Certificate not installed. </b> ';
        document.getElementById("caFooter").innerHTML += '<a href="http://mwgappl2:4713/files/Trust.cer">Click here to download</a>';
      }
      </script>
      <!-- Test image: a public HTTPS asset fetched through the proxy, so its cert is
           rewritten by MWG; an untrusted MWG CA fires onerror. -->
      <div id="caFooter" style="text-align:left;" >
      <img width="40" height="10" src="https://www.mcafee.com/img/nwco/logo.svg" onerror="caCert()"/> CA Certificate installed.
      </div>

      Notice that I changed the function to reference files loaded on the MWG file server at mwgappl2, which resolves on my network. If using the MWG file server in this manner you need to enable it at Configuration > Appliances > <Appliance Name> > File Server and upload the files at Troubleshooting > Files.

      Without the cert installed as trusted in the client browser everything operates as above, except that the download will not automatically start the install dialog, so it would probably be best to redirect to an instruction or welcome page rather than to a download of the cert. With the cert installed, the footer generated by the above script should look like this.

      Note that this depends on the image located on the McAfee website at the time of this writing. If that image were deleted, the GET would generate an error even with the certificate installed, because the script cannot distinguish the error for an object that is not present at the URL from the error for a cert that is not signed by a trusted authority.

      When operating with WGCS only, you could modify block pages with the same script as used when not hosting the script on MWG, with the same caveats and the added limitation that you cannot host the remediation page either. Remediation instructions could only be on the filter-based WGCS block pages themselves or on a separate web server. The example below uses a different HTTPS website (www.securecomputing.com) for the image retrieval test, which is less likely to be in an SSL bypass list. This script has a placeholder href (http://www.mcafee.com/webprotection) for an instruction page and a link to download the WGCS cert bundle.

      <script>
      // Called from the onerror handler of the test image below. Nothing can be
      // hosted on the gateway in this scenario, so the footer links to an external
      // instruction page and to the WGCS cert bundle download.
      function caCert(){
        document.getElementById("caFooter").innerHTML = '<img width="0" height="0" src="https://www.mcafee.com/img/nwco/logo.svg"/> <b> CA Certificate not installed. </b> ';
        document.getElementById("caFooter").innerHTML += '<a href="http://www.mcafee.com/webprotection">Click here for instructions</a>  <a href="https://portal.mcafeesaas.com/wds/dist/WebProtection_SaaS_Certificate_Bundle.zip">Click here to download cert bundle </a>';
      }
      </script>
      <!-- Invisible test image (0x0) fetched over HTTPS through WGCS; a cert
           rewritten by an untrusted CA fires onerror. -->
      <div id="caFooter" style="text-align: left;">
      <img width="0" height="0" onerror="caCert()" src="https://www.securecomputing.com/Mcafee/assets/img/logo-intel-security.png"> CA Certificate installed.
      </div>
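      The scripts above, and the caveat that a removed test image is indistinguishable from an untrusted cert, suggest a more robust variant: probe more than one HTTPS site and separate a fast error from a timeout. This is an added example, not code from the original post or from McAfee; the probe URLs, the mwgappl2:4713 download path and the caFooter element are reused from the post and are assumptions for your environment.

```javascript
// Added example (not from the original post): a multi-probe variant of caCert().
// It loads several small images over HTTPS through the proxy, so MWG rewrites each
// server cert with its CA, and reports the CA as missing only when a probe fails
// outright; a probe that never answers is treated as a network problem, not a
// trust problem. Probe URLs, the mwgappl2:4713 path and the "caFooter" element
// are taken from the post's own examples and are assumptions here.
var PROBE_URLS = [
  "https://www.mcafee.com/img/nwco/logo.svg",
  "https://www.securecomputing.com/Mcafee/assets/img/logo-intel-security.png"
];
var PROBE_TIMEOUT_MS = 5000;
// Decide what a set of probe results means. Each result is {ok, timedOut}.
//   "installed"     at least one rewritten-cert image loaded, so the CA is trusted
//   "not-installed" nothing loaded and at least one probe errored quickly
//                   (untrusted cert, or the image was removed: the caveat above)
//   "unknown"       every probe timed out: proxy or sites unreachable, so do not
//                   tell the user to install anything yet
function classify(results) {
  if (results.some(function (r) { return r.ok; })) return "installed";
  if (results.some(function (r) { return !r.ok && !r.timedOut; })) return "not-installed";
  return "unknown";
}
// Browser only: load one image and resolve with its outcome instead of throwing.
function probeImage(url, timeoutMs) {
  return new Promise(function (resolve) {
    var img = new Image();
    var timer = setTimeout(function () { resolve({ ok: false, timedOut: true }); }, timeoutMs);
    img.onload = function () { clearTimeout(timer); resolve({ ok: true, timedOut: false }); };
    img.onerror = function () { clearTimeout(timer); resolve({ ok: false, timedOut: false }); };
    img.src = url + "?t=" + Date.now(); // cache-buster: a cached copy must not mask a trust failure
  });
}
// Browser only: run all probes, then rewrite the footer the way caCert() does.
function checkCaTrust() {
  var probes = PROBE_URLS.map(function (u) { return probeImage(u, PROBE_TIMEOUT_MS); });
  return Promise.all(probes).then(function (results) {
    var footer = document.getElementById("caFooter");
    var status = classify(results);
    if (status === "installed") {
      footer.textContent = "CA Certificate installed.";
    } else if (status === "not-installed") {
      footer.innerHTML = '<b>CA Certificate not installed.</b> ' +
        '<a href="http://mwgappl2:4713/files/Trust.cer">Click here to download</a>';
    } else {
      footer.textContent = "Could not verify CA certificate trust (proxy or test site unreachable).";
    }
    return status;
  });
}

if (typeof document !== "undefined") { checkCaTrust(); }
```

      Because a 404 on the test image still produces a fast error, pick probe images on sites you control or that are unlikely to move, and keep the cert-bundle link in the "not installed" branch pointing at an instruction page for browsers that do not open an install dialog on download.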