Thank you for the answer.
I read the links - as I understand -
In order to receive messages from MWG, the user should install the certificate.
My question is -
Is there a way to block the user with a message such as -
And not like -
I want to block users without a certificate.
I tried to build the rule that blocks all users without the certificate -
But I did not succeed.
Thanks in advance.
Perhaps I did not explain myself well -
I want to block all users who do not have CERTIFICATE
(HTTP and HTTPS)
In addition, I want MWG to block them.
I want a message telling users that they are blocked because of the CERTIFICATE.
The browser displays the error and doesn't communicate that fact to the proxy.
The proxy has no way of knowing what is being displayed on the client's screen and cannot arbitrarily send out a block page.
That won't be possible. Since the browser is expecting an SSL response, and you are redirecting them to a non-SSL site (HTTP), Firefox and Chrome are blocking the connection. This ensures that the client is not the victim of a malicious attack such as a man-in-the-middle attack.
The version of Internet Explorer may be allowing it because they are not enforcing this particular check. If you increased the security level for the particular zone in IE it may end up behaving the same as the other browsers.
The following link is a good read about setting SSL Client context:
Also in your rule above, you're redirecting all SSL traffic no matter what to your redirect page?
Thank you very much for your answer.
As I understand, there is no way to redirect users who do not have the certificate to an HTML page, or to block them with a message from MWG (instead of the browser's notifications).
I read that the recommended solution is a "captive portal".
Is there a way to identify users with the certificate?
Many thanks in advance.
You can check once you display a block page (Erik demonstrates this as part of his preconfig file, his modified template shows whether the certificate is installed or not in the footer)
You would have to do a coaching (splash) page for everyone on their first connection in X time, so say it expires every 12 hours so they'll only get the message once a day. And then you would need to configure that page to tell them whether they are good to proceed or need to install the certificate. This means everyone will get a splash message once in the amount of time you set for the coaching page. Also, if the users go to HTTPS sites first that don't have the certificate, they will still get a browser error, until they get to an HTTP site and you can send the HTTP block page.
Snip from the block page:
<!-- CA Cert Check
Please define a URL for User-Defined.Certificate.Authority.URL -->
<script>
/* Called from the onerror handler of the probe image below: the image could not be loaded, so this browser does not trust the proxy's CA. */
function caCert() {
document.getElementById("caFooter").innerHTML ='<img style="vertical-align: middle;" src="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif"/> CA Certificate not installed. '
document.getElementById("caFooter").innerHTML +='<a href="$<propertyInstance useMostRecentConfiguration="false" propertyId="1404"/>$">Click here to download</a>'
}
</script>
<div id="caFooter" style="text-align:left;" >
<!-- The probe image is fetched over HTTPS from the proxy itself, so it only loads when the proxy's CA certificate is installed. -->
<img style="vertical-align: middle;" src="https://mcp.webwasher.com$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif" onerror="caCert()"/> CA Certificate installed.
</div>
<!-- /CA Cert Check -->
Erik can explain this in much more detail. Support can also help run you through creating a coaching page and integrating parts of this.
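The snippet above detects the CA certificate by loading an image over HTTPS from the proxy and treating onerror as "not installed". The following is an added example, not from this thread or from the MWG templates, that reuses the same probe idea in a small reusable form and also handles the case the template does not: a probe that neither loads nor errors in time, which is reported as unknown rather than as a verdict. The function names, the injected `loadImage` loader and the `probeUrl`/`downloadUrl` parameters are my own assumptions; in the coaching page `downloadUrl` would carry the User-Defined.Certificate.Authority.URL value.

```javascript
// Added example: CA-certificate probe for a coaching page. Not part of the
// thread or of MWG; names and parameters are assumptions.
const CA_STATUS = Object.freeze({
  INSTALLED: "installed",
  MISSING: "missing",
  UNKNOWN: "unknown", // probe did not settle in time: make no claim either way
});

// Browser loader (only usable where Image exists): resolves on load, rejects on
// error. A browser that rejects the proxy's CA fires onerror for the HTTPS probe.
function browserImageLoader(url) {
  return new Promise((resolve, reject) => {
    const img = new Image();
    img.onload = () => resolve(true);
    img.onerror = () => reject(new Error("probe image failed: " + url));
    img.src = url;
  });
}

// Race the probe against a timeout so a slow or hanging connection never leaves
// the footer claiming "installed" by default. loadImage is injected so the
// logic can be exercised outside a browser.
function probeCaCert(probeUrl, loadImage, timeoutMs = 5000) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve(CA_STATUS.UNKNOWN), timeoutMs);
  });
  const probe = loadImage(probeUrl)
    .then(() => CA_STATUS.INSTALLED, () => CA_STATUS.MISSING)
    .finally(() => clearTimeout(timer));
  return Promise.race([probe, timeout]);
}

// Footer text for each outcome; downloadUrl is the CA download link.
function footerMessage(status, downloadUrl) {
  switch (status) {
    case CA_STATUS.INSTALLED:
      return "CA Certificate installed.";
    case CA_STATUS.MISSING:
      return 'CA Certificate not installed. <a href="' + downloadUrl +
        '">Click here to download</a>';
    default:
      return "Could not verify the CA Certificate. Reload this page or contact support.";
  }
}

// Browser usage (assumed element id, as in the template above):
// probeCaCert(probeUrl, browserImageLoader).then((s) => {
//   document.getElementById("caFooter").innerHTML = footerMessage(s, downloadUrl);
// });
```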
Had a discussion on the very same topic recently:
Bottom line: apart from mobile OSes (that do captive portal detection and bring up a browser forced to an HTTP page), most browsers now will detect the fact that the HTTPS connection is being modified and will not give you the opportunity to display anything other than the browser default error "your TLS connection is broken".