The HTTPS inspection feature makes use of certificates to sign for HTTPS services, and a warning message displayed to users attempting to access HTTPS websites. You can change the SSL certificate used to sign for certificates within the HTTPS interception feature. You must make sure that your client devices trust this certificate. You can create a new certificate to use for these services. You can clear the cache of certificates generated for use with HTTPS inspection policies.
The URL used to present the warning page, refers to the Smoothwall Filter IP address. However, if a system redirection to host name setting is in place, you can force the host name to be used instead. You do this from the Hostname page, see Changing the system's host name and how it identifies itself to the network.
Using BYOD Devices and HTTPS Interception Certificates
To help prevent BYOD users being presented with Man-in-the-Middle (MITM) warning pages, you can use the HTTPS Interception page, located on the Smoothwall Filter, to advise users to download and install a certificate. To guide you through the necessary steps, see Stopping the MITM Attack Warning When My Users are Using BYOD.
Managing settings
Use this page to manage certificates used to sign for HTTPS services and the warning message displayed to users.
Prerequisites
Make sure that your client devices trust the HTTPS interception certificate.
Procedures
- If you make use of a centrally managed Smoothwall configuration, you must make sure that the parent node's HTTPS interception certificate is installed and set on all child nodes. This is important for configurations that replicate MITM certificates.
- Clearing the cached certificates results in a full restart of the web filter. All the Smoothwall Filter services are halted for a few minutes. Therefore, we recommend that you do this during a quiet time.
- On the GUARDIAN menu, under the HTTPS inspection submenu, click Settings.
- Under the Manage HTTPS interception certificates section:
- To change the SSL certificate used to sign for certificates, from the Certificate Authority list, choose the relevant certificate.
- To create a new certificate, click Create and manage certificates.
- To download the root certificate authority used to sign this certificate, click Export.
- To clear the cache of certificates generated for use with HTTPS inspection policies, click Clear and restart.
- To change the SSL certificate used to sign for certificates, from the Certificate Authority list, choose the relevant certificate.
- Under the Manage HTTPS interception warning section:
- Informs the users that their HTTPS connections are decrypted and filtered if they continue to the site they have requested.
- To set up a warning message:
- Type the Warning message that you want to display.
- Local laws might warn your users before decrypting and inspecting HTTPS data. We recommend that you check with legal representation.
- Type the text that you want to appear on the Confirmation button label that your users need to click to close the message and proceed.
- From the Warning frequency list, choose how often to show the warning message to the user.
- Daily -Displays the warning daily.
- Weekly -Displays the warning weekly.
- Never -Never displays a warning. Typically, you wouldn't use this option. However, if you're using the Smoothwall Connect Filter for Windows client, we recommend that you turn off the warning message to ensure correct operations.
- Type the Warning message that you want to display.
- Under the Manage HTTPS interception certificates section:
- Click Save.