When I browse there I get redirected to auth.hsin.gov. Do you have that certificate allowed as well?
Additionally you can try to add the missing RootCA. It should be this one:
You can add it to the list of known RootCAs.
Yes, I have these 3
and my users are still being blocked. Shouldn't the Certificate White list allow these?
This is happening again with code-2.com when a user tries to log in.
Okay fixed the code-2.com by tracking it down to the GeoTrust Global CA. The question still begs itself:
Why must I add these to the Default Trusted CA list when the sites should be stopped at the Certificate White List rule?
You are right. Adding the RootCA is the "more global" approach, since the list of RootCAs is not the most recent one on Web Gateway. With a recent list of known and trusted CAs there would be no need to add the entries to the "Certificate White List"; that's why I suggested this approach.
But of course you are right in saying that adding the Certs to the "Certificate White List" should be enough. I have just tested the "Certificate White List" and have removed the RootCAs I had added to the storage, and Web Gateway allows me to access both government.hsin.gov and code-2.com without problems. Without the "Certificate White List" entries I was blocked because of unknown RootCAs.
The question is now why my Web Gateway allows me to access, while yours does not. It somehow looks like the white list does not trigger for you as expected. Are you working in "normal" proxy mode or are you running in transparent bridge/router mode?
Can you maybe send me some more screenshots from your "Certificate White List"? The screenshot above looks good and identical to my SSL Scanner, but there seems to be a difference somewhere.
We are in Transparent/Bridged mode.
I'll work on those screenshots.
Here's a little bit of a bigger shot
Not sure if it matters, but when I was testing the government.hsin.gov site I had strange issues with the Certificate White List.
- Originally, I added hsin.gov to my Certificate White List. This should've allowed any *.hsin.gov sites through, but it didn't.
- I added government.hsin.gov to the Certificate White List. This gave me an error for auth.hsin.gov.
- I added auth.hsin.gov to the Certificate White List. I was able to get through and thought I had solved the issue.
- When trying this on other machines I was still blocked. I tried this on 2 machines other than my own with 3 different users; all were blocked from government.hsin.gov due to unknown certificate authority.
- Only adding the issuing CA of certificate for government.hsin.gov to the Default Trusted CA list solved the issue for all users.
Thanks for the help!
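The trust check behind the "unknown certificate authority" block can be reproduced outside the gateway with openssl. The script below is an added example, not code from the thread or from Web Gateway: it builds a constructed root CA, issuing CA and server certificate (all names are made up; nothing here touches hsin.gov or code-2.com), prints who signed what so the root that must be trusted is obvious, and then verifies the server chain once against a trusted CA list that lacks that root and once against a list that contains it. It assumes `openssl` is installed and that the intermediate is supplied with `-untrusted`, the way a server sends it in the handshake.

```shell
#!/bin/sh
# Added example, not from the thread: emulate a gateway's certificate trust
# check with openssl against a constructed root -> issuing CA -> server chain.
# All names and files below are made up; nothing touches hsin.gov or code-2.com.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl required" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# Two self-signed roots: one that signs our chain, one unrelated root that
# stands in for an outdated trusted CA list which does not know ours yet.
openssl req -x509 $KEY -days 30 -subj "/CN=Constructed Test Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -x509 $KEY -days 30 -subj "/CN=Unrelated Root CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# Issuing (intermediate) CA signed by the root; it needs CA:TRUE to sign leafs.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
openssl req -new $KEY -subj "/CN=Constructed Test Issuing CA" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

# Server (leaf) certificate signed by the issuing CA.
openssl req -new $KEY -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 30 -out "$WORK/leaf.pem" 2>/dev/null

# Subject / issuer of one PEM certificate, stripped of openssl's label prefix
# so both can be compared as plain strings.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Walk a chain (leaf first) and print who signed what; the last "signed by"
# line names the root that has to be present in the trusted CA list.
chain_report() {
  for c in "$@"; do
    printf '%s\n  signed by: %s\n' "$(cert_subject "$c")" "$(cert_issuer "$c")"
  done
}

# The gateway's decision: validate the server certificate, using the
# intermediates the server sent (-untrusted), against the trusted list
# (-CAfile). Prints "trusted" or "unknown CA".
verify_chain() {  # $1 trusted CA bundle, $2 leaf cert, $3 intermediate bundle
  if openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo "unknown CA"
  fi
}

# Outdated list (lacks our root) versus the list with the root added.
OLD_LIST="$WORK/old_list.pem"; cp "$WORK/other.pem" "$OLD_LIST"
NEW_LIST="$WORK/new_list.pem"; cat "$WORK/other.pem" "$WORK/root.pem" > "$NEW_LIST"

chain_report "$WORK/leaf.pem" "$WORK/int.pem"
echo "old list: $(verify_chain "$OLD_LIST" "$WORK/leaf.pem" "$WORK/int.pem")"
echo "new list: $(verify_chain "$NEW_LIST" "$WORK/leaf.pem" "$WORK/int.pem")"
```

Running it prints the chain report followed by `old list: unknown CA` and `new list: trusted`. The same `chain_report` on a real server's chain (saved from `openssl s_client -showcerts`) tells you which root to add to the trusted CA list, which is the step that resolved code-2.com above; a whitelist entry, by contrast, is supposed to skip this verification for one host rather than fix the trust list.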
I have not taken a deeper look yet, but I wonder about one thing. You mentioned it was working fine for you, but was not working for others. When you did the tests on your workstation, were you also redirected to MWG via transparent bridge mode, or did you have your browser configured to talk to Web Gateway explicitly?
I am just wondering why it was working on your machine... (besides the fact that obviously the *.hsin.gov cert needed to be trusted multiple times for each side).
Can you clarify?
My machine is also connecting to the MWG transparently. It was a strange occurrence.