9 Replies Latest reply on Oct 20, 2016 10:48 AM by gunnars

    users without certificate

    abigail

      Hi,

      I enabled the SSL scanner.

      Some users have a certificate on their devices, and everything works fine for them.

      But others are blocked by browsers.

      I want to block them with MWG and not with the browser. I want them to receive a message from MWG.

      Can I do this?

      Can I change the message from MWG to installation instructions?

      Thank you in advance.

        • 1. Re: users without certificate
          fdurur

          Hi,

          I'm not sure if I'm getting you right, but you may check this link.

          It may be similar:

          Can not display Block Message for HTTPS sites via MWG

          • 2. Re: users without certificate
            abigail

            Hi,

            Thank you for the answer.

            I read the links - as I understand -

            In order to receive messages from MWG, the user should install the certificate.

            My question is -

            Is there a way to block the user with a message such as -

            block.png

            And not like -

            system.png

            I want to block users without a certificate.

            I tried to build the rule that blocks all users without the certificate -

            rule.png

            But I did not succeed.

            Thanks in advance.

            • 3. Re: users without certificate
              abigail

              Perhaps I did not explain myself well -

              I want to block all users who do not have CERTIFICATE

              (HTTP and HTTPS)

              In addition, I want MWG to block them.

              I want a message telling users that they are blocked because of the CERTIFICATE.

              • 4. Re: users without certificate

                The browser displays the error and doesn't communicate that fact to the proxy.

                The proxy has no way of knowing what is being displayed on the client's screen and cannot arbitrarily send out a block page.

                • 5. Re: users without certificate
                  abigail

                  Thank you for the answer.

                  I tried to add a rule to redirect users to a specific http page.

                  rule.png

                  In Explorer it works well, but not in Chrome and Firefox.

                  What can I do?

                  • 6. Re: users without certificate
                    pcoates

                    That won't be possible. Since the browser is expecting an SSL response, and you are redirecting them to a non-SSL site (HTTP), Firefox and Chrome are blocking the connection. This ensures that the client is not the victim of a malicious attack such as a man-in-the-middle attack.

                    The version of Internet Explorer may be allowing it because they are not enforcing this particular check. If you increased the security level for the particular zone in IE it may end up behaving the same as the other browsers.

                    The following link is a good read about setting SSL Client context:

                    Best Practices: Giving your SSL Client some Context

                    EDIT:

                    Also in your rule above, you're redirecting all SSL traffic no matter what to your redirect page?

                    • 7. Re: users without certificate
                      abigail

                      Thank you very much for your answer.

                      As I understand, there is no way to redirect users who do not have a certificate to an HTML page, or to block them with a message from MWG (instead of the browser's notifications).

                      I read that the recommended solution is a "captive portal".

                      Is there a way to identify users with a certificate?

                      Many thanks in advance.

                      • 8. Re: users without certificate
                        pcoates

                        You can check once you display a block page (Erik demonstrates this as part of his preconfig file; his modified template shows whether the certificate is installed or not in the footer).

                        You would have to do a coaching (splash) page for everyone on their first connection in X time; say it expires every 12 hours, so they'll only get the message once a day. And then you would need to configure that page to tell them whether they are good to proceed or need to install the certificate. This means everyone will get a splash message once in the amount of time you set for the coaching page. Also, if the users go to HTTPS sites first that don't have the certificate they will still get a browser error, until they get to an HTTP site and you can send the HTTP block page.

                        Preconfig link:

                        MWG PreConfig

                        Snip from the block page:

                        <!-- CA Cert Check
                        Please define a URL for User-Defined.Certificate.Authority.URL
                        -->
                        <!-- The footer image is requested over HTTPS through the proxy. If the MWG CA is not
                             trusted by the browser, the TLS handshake fails, the image never loads and onerror
                             replaces the footer with the "not installed" text and a download link. -->
                        <script>
                        function caCert(){
                        document.getElementById("caFooter").innerHTML = '<img style="vertical-align: middle;" src="$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif"/> CA Certificate not installed. ';
                        document.getElementById("caFooter").innerHTML += '<a href="$<propertyInstance useMostRecentConfiguration="false" propertyId="1404"/>$">Click here to download</a>';
                        }
                        </script>
                        <div id="caFooter" style="text-align:left;" >
                        <img style="vertical-align: middle;" src="https://mcp.webwasher.com$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.system.proxy.enduserurl"/>$/files/$<propertyInstance useMostRecentConfiguration="false" propertyId="com.scur.engine.proxy.message.collection"/>$/img/icon_cacert.gif" onerror="caCert()"/> CA Certificate installed.
                        </div>
                        <!-- /CA Cert Check -->

                        Erik can explain this in much more detail. Support can also help run you through creating a coaching page and integrating parts of this.
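A generalised form of the probe-image check from the snippet above, as an added example that is not the preconfig template's own code: the probe URL, the download URL, the injectable Image constructor and the timeout are assumptions made for illustration, and the result is reported through a callback so it can be exercised without a browser.

```javascript
// Added example (not the preconfig template's own code). Generalises the block-page
// trick above: an <img> fetched over HTTPS through the proxy only loads if the browser
// trusts the MWG CA, so onerror means "CA not installed". probeUrl, downloadUrl and the
// injectable Image constructor are assumptions made for illustration and testing.

// Footer markup for either outcome. downloadUrl is where the CA certificate can be
// fetched (the User-Defined.Certificate.Authority.URL property on MWG).
function caFooterHtml(installed, iconUrl, downloadUrl) {
  const icon = `<img style="vertical-align: middle;" src="${iconUrl}"/>`;
  if (installed) {
    return `${icon} CA Certificate installed.`;
  }
  return `${icon} CA Certificate not installed. ` +
         `<a href="${downloadUrl}">Click here to download</a>`;
}

// Request the probe image. onload => CA trusted; onerror => TLS handshake failed, so the
// CA is not trusted. A timer treats a hung request as "not installed" so the footer never
// stays indeterminate. cb(installed) is invoked exactly once.
function probeCaCert(probeUrl, cb, ImageCtor = globalThis.Image, timeoutMs = 5000) {
  let done = false;
  let timer = null;
  const finish = (installed) => {
    if (done) return;
    done = true;
    clearTimeout(timer);
    cb(installed);
  };
  timer = setTimeout(() => finish(false), timeoutMs);
  const img = new ImageCtor();
  img.onload = () => finish(true);
  img.onerror = () => finish(false);
  // Cache-bust so a previously cached icon cannot produce a false "installed" result.
  img.src = probeUrl + (probeUrl.includes('?') ? '&' : '?') + 'ts=' + Date.now();
}

// Wire the probe to the footer element. Only meaningful on an HTTP block or coaching
// page: on an untrusted HTTPS page the browser error appears before any script runs.
function renderCaFooter(doc, probeUrl, downloadUrl, ImageCtor) {
  probeCaCert(probeUrl, (installed) => {
    doc.getElementById('caFooter').innerHTML =
      caFooterHtml(installed, probeUrl, downloadUrl);
  }, ImageCtor);
}
```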

                        • 9. Re: users without certificate
                          gunnars

                          Had a discussion on the very same topic recently:

                          https://community.mcafee.com/thread/92337

                          Bottom line: apart from mobile OSes (that do captive portal detection and bring up a browser forced to an HTTP page), most browsers now will detect the fact that the https connection is being modified and will not give you the opportunity to display anything other than the browser default error "your TLS connection is broken".