The only option I see is to disable the SSL Scanner for the user group that is not able to install the root certificate. MWG with Content Inspection enabled works as a Man-In-The-Middle to look into the encrypted data. To keep the certificates signed by the original authority, MWG would require access to the private keys for those certificates. Without access to those keys MWG has to present its own certificate in order to encrypt the connection. Those certificates are signed by the Root CA that is hosted on MWG. You need a root CA that is signed by a CA that is trusted in the browser, which should be easily doable in a controlled environment such as a Windows Domain.
Clients not under your control have to install a Root CA, otherwise they will keep seeing the errors. The only option I see here is to turn SSL Scanning off which causes MWG to tunnel the original certificate to the client. You cannot filter within SSL tunnels, of course. You could use some kind of a welcome page that is displayed when a user starts to access the internet, which explains how to install the CA.
Maybe others can share how they manage SSL Scanner / Root CAs.
I hope there is an idea which could work.
Let's say we have the proxy FQDN proxy.company.com. I think you can get a verified SSL certificate from a public CA and use this certificate in the settings for "SSL client Context with CA". An external certificate can be imported there, which is then used for MITM during SSL Scanner decryption.
If such a cert comes from a public CA, it will be trusted for internal and for external users, and the browser should not ask for confirmation. You can test it with a StartSSL free 1Y certificate.
I don't think this will work.
You will get a server certificate for "proxy.company.com". When you browse to https://www.google.com through MWG the SSL Scanner creates a NEW certificate which has www.google.com as the subject name. This certificate is then signed with the certificate you imported into the SSL Scanner setting.
You cannot sign server certificates with a server certificate... if this was possible you could easily use your publicly trusted certificate and make yourself certificates for www.google.com or other major sites. This is not what CA vendors want, therefore it won't be possible.
It would be possible to make such a setup if you obtain a CA which is signed by a trusted CA. But even if you are able to obtain such a CA it will most likely be revoked sooner or later, because you are not allowed to use such a CA to create certificates for any domain you like - unless this is explicitly allowed, which I assume is not.
You could also use an SSL Client Context without CA and feed it with a trusted server certificate. But then you go to https://www.google.com and MWG presents your (trusted) certificate for proxy.company.com. The browser will complain that there is a hostname mismatch between requested domain and certificate subject.
Andre is right. In order for MWG to perform SSL scanning it has to be a CA or subordinate CA that has the ability to generate other SSL certs. (That's the key here.) A public CA will not issue a certificate that has signing authority for other SSL certs. Therefore, the only way to do SSL scanning is to have MWG as its own CA, or as a subordinate CA from an internal certificate authority. If you had a Microsoft CA already on the domain and its CA certificate has been distributed to the clients already, by making MWG a subordinate from your own Microsoft CA you could do SSL scanning because the internal Microsoft CA is already deployed to the client. There is no other way for MWG or any other SSL decryption product.
For your guest/wifi users: Only option is to disable the SSL scanning or implement the CA.
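As an added example that is not part of this thread, the script below builds a throwaway PKI with the openssl CLI and checks the two points made above: a server certificate (even one a public CA would issue for proxy.company.com) cannot issue the per-site certificates the SSL Scanner generates, and that same certificate presented for www.google.com fails the hostname check, while a subordinate CA under a root the clients already trust passes both. The root CA, the "MWG SSL Scanner CA" name, the file names and all keys are constructed locally for the demonstration; only proxy.company.com and www.google.com come from the thread.

```shell
#!/bin/sh
# Added example (not from this thread): reproduce with the openssl CLI why a
# public server certificate for proxy.company.com cannot sign the per-site
# certificates the SSL Scanner mints, while a subordinate CA under a root
# the clients already trust can. Every key, name and file here is constructed.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Minimal OpenSSL config. The DN comes from -subj; the extension sections
# model (a) a CA certificate, (b) an ordinary public server certificate,
# (c) the certificate MWG generates on the fly for the requested site.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:proxy.company.com
[site_ext]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.google.com
EOF

# csr NAME CN: new RSA key NAME.key and certificate request NAME.csr
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXT OUT: sign NAME.csr with ISSUER.pem/ISSUER.key, adding
# extension section EXT from req.cnf, and write the certificate to OUT
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1 -extfile req.cnf -extensions "$3" -out "$4" 2>/dev/null
}

make_pki() {
  # Root the clients trust: stands in for the CA hosted on MWG, or for an
  # internal Microsoft CA already distributed through the Windows domain.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config req.cnf \
    -subj "/CN=Example Internal Root CA" -extensions ca_ext \
    -keyout root.key -out root.pem 2>/dev/null
  # (a) What a public CA would issue for proxy.company.com: a server cert.
  csr proxy proxy.company.com
  sign proxy root server_ext proxy.pem
  # (b) What the SSL Scanner actually needs: a subordinate CA.
  csr mwgca "MWG SSL Scanner CA"
  sign mwgca root ca_ext mwgca.pem
  # The certificate minted when a client opens https://www.google.com, signed
  # once by each candidate issuer. openssl x509 signs blindly either way; the
  # difference only shows up when the client validates the chain.
  csr site www.google.com
  sign site proxy site_ext site_by_server.pem
  sign site mwgca site_ext site_by_subca.pem
}

# chain_ok INTERMEDIATE LEAF: 0 if LEAF chains to root.pem via INTERMEDIATE
chain_ok() { openssl verify -CAfile root.pem -untrusted "$1" "$2" >/dev/null 2>&1; }
# host_ok HOST CERT: 0 if CERT chains to root.pem and is valid for HOST
host_ok()  { openssl verify -CAfile root.pem -verify_hostname "$1" "$2" >/dev/null 2>&1; }
# is_ca CERT: 0 if CERT carries basicConstraints CA:TRUE
is_ca()    { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

make_pki

# Same checks a browser performs: CA flag, chain, then hostname.
show() { label="$1"; shift; if "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi; }
show "proxy.company.com server cert is a CA"                is_ca proxy.pem
show "MWG sub-CA is a CA"                                   is_ca mwgca.pem
show "www.google.com cert issued by the MWG sub-CA"         chain_ok mwgca.pem site_by_subca.pem
show "www.google.com cert issued by the proxy server cert"  chain_ok proxy.pem site_by_server.pem
show "proxy cert presented for proxy.company.com"           host_ok proxy.company.com proxy.pem
show "proxy cert presented for www.google.com"              host_ok www.google.com proxy.pem
```

Run it with OpenSSL 1.1.1 or 3.x; the six lines come out FAIL, OK, OK, FAIL, OK, FAIL in that order. The proxy certificate is rejected as an issuer because it carries basicConstraints CA:FALSE and a keyUsage without keyCertSign, and it is rejected for www.google.com because its subjectAltName only names proxy.company.com. Those are exactly the checks every browser runs, which is why the only working deployments are the ones the thread describes: MWG's own root CA installed on the clients, or a sub-CA issued by an internal CA whose root is already in the clients' trust store.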