The concept is similar to Coaching. You hit a site, show a warning, and allow the user to click through.
Try to import and integrate the Coaching rules from the library into the (SelfSigned==true OR FoundKnownCA==false) criteria.
Hello E. Elsasser
Thanks for your prompt answer. This seems to work - I have to bring the config to perfection - but basically I was successful - thanks.
This brings me to a next question. As we run several MWGs and load-balance using round robin, the above config is quite a pain as the "Coaching Dialog" appears several times (one time for each MWG). Is there a way to sync state between the Gateways? Or do we have to rethink our load balancing method....
Have a good day
If your users are talking to multiple MWGs, it is recommended to have session stickiness configured. Some options that should work fine:
- Client IP stickiness
- Destination URL stickiness
The integrated HA uses Client IP stickiness (with all Pros and Cons actually) to keep a user's session on the same MWG. If "round robin" is used, a user's session may be distributed across all available boxes, which may cause problems, especially with all kinds of quota/coaching stuff, as well as progress pages.
The coaching information is synched between the gateways (as far as I can tell), but not in "real time". It is only used to make the other nodes aware of the coaching/quota information, but is not intended to be distributed so quickly that accepting coaching on Box A will automatically allow access on Box B.
From my perspective I think a tweak to the load balancing should be made to have session stickiness. But maybe someone has a different idea :-)
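
Added example (not from the thread and not MWG code): a small simulation of the effect discussed above, comparing round robin with client IP stickiness when each gateway tracks coaching acceptance on its own. The gateway names, client IPs and host are constructed, and the model assumes no coaching state reaches the other nodes during the replay.

```python
import hashlib
from itertools import cycle

GATEWAYS = ["mwg-a", "mwg-b", "mwg-c"]  # hypothetical node names

def round_robin(gateways):
    """Picker that ignores the client and rotates through the nodes."""
    ring = cycle(gateways)
    return lambda client_ip: next(ring)

def client_ip_sticky(gateways):
    """Picker that hashes the client IP so a client always lands on one node."""
    def pick(client_ip):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return gateways[int.from_bytes(digest[:4], "big") % len(gateways)]
    return pick

def count_coaching_prompts(pick, requests):
    """Replay (client_ip, host) requests and count coaching pages per client.

    Assumption: each node only knows the acceptances it recorded itself,
    i.e. nothing is synced between nodes while the replay runs.
    """
    accepted = {}  # gateway -> set of (client_ip, host) already clicked through
    prompts = {}   # client_ip -> number of coaching pages shown
    for client_ip, host in requests:
        node = pick(client_ip)
        seen = accepted.setdefault(node, set())
        if (client_ip, host) not in seen:
            prompts[client_ip] = prompts.get(client_ip, 0) + 1
            seen.add((client_ip, host))  # user clicks through on this node
    return prompts

# Constructed traffic: two clients each request the same coached site six times.
REQUESTS = [(ip, "selfsigned.example")
            for _ in range(6)
            for ip in ("10.0.0.5", "10.0.0.6")]

if __name__ == "__main__":
    print("round robin :", count_coaching_prompts(round_robin(GATEWAYS), REQUESTS))
    print("client IP   :", count_coaching_prompts(client_ip_sticky(GATEWAYS), REQUESTS))
```

With client IP stickiness, all users behind one NAT address land on the same gateway, which is one of the trade-offs of that method.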