Summary
I need to stop BYOD users thinking they are under a MITM attack when I enable HTTPS inspection.
If HTTPS inspection is enabled on the Smoothwall, users using Bring Your Own Device (BYOD) clients may see a warning in their browser that they are under a Man-In-The-Middle (MITM) attack.
Problem
For the Smoothwall to intercept and inspect the content of HTTPS traffic, a certificate authority must be installed on all devices (to understand why, read our MITM explanation). Because the Smoothwall is intercepting the traffic, it cannot use the site's real certificate. Instead, it produces certificates using a Certificate Authority (CA) that is either created on the Smoothwall or imported. For client devices to trust the certificates produced using the CA, the CA must be installed on those devices. For school-owned devices, this is usually deployed automatically using Active Directory Group Policy or Google G Suite.
In the case of BYOD clients, the device is not centrally managed, and so the owner of the device must install the certificate themselves. Without it they will see security warnings when being filtered through a Smoothwall Filter that has Decrypt and Inspect policies enabled.
The Smoothwall contains a page which offers the CA for download along with instructions for how to install it on the most common browsers, including those on mobile devices. It is recommended you share this link with users.
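The trust decision described above can be reproduced offline with the openssl command line. This is an added example, not Smoothwall code: the function names, file names and the www.example.com subject are hypothetical, and every key and certificate is generated locally as a stand-in.

```bash
#!/usr/bin/env bash
# Constructed demo: every key, certificate and name here is generated locally.

# Build a stand-in PKI in directory $1:
#   ca.pem    - plays the CA created on (or imported into) the appliance
#   other.pem - an unrelated root, standing in for a device's existing trust store
#   leaf.pem  - certificate for www.example.com signed by ca.pem, i.e. what the
#               client is shown instead of the site's real certificate
make_demo_pki() {
    dir=$1
    for name in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo $name root" \
            -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 chains to a root in trust store file $1.
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Compare a device that has the inspection CA with one that does not.
run_demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    if client_trusts "$tmp/ca.pem" "$tmp/leaf.pem"; then
        echo "CA installed:     certificate accepted"
    fi
    if ! client_trusts "$tmp/other.pem" "$tmp/leaf.pem"; then
        echo "CA not installed: certificate rejected (browser shows a warning)"
    fi
    rm -rf "$tmp"
}

run_demo
```

The rejected case is what a BYOD browser reports as a possible MITM attack: the certificate is well formed, but its issuer is not in the device's trust store.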
Solution
For security reasons, the Smoothwall cannot detect whether a client has the CA installed. As a result, it can neither determine automatically whether a BYOD device needs the CA nor redirect the user to this page. However, most BYOD devices connect via wireless and often encounter a splash screen as the first page when opening a browser, either for logging on or for accepting T&Cs. If you use a splash screen, it is recommended you add a link to the HTTPS Interception page to it. Alternatively, advertise the link by other means.
The URL to use for the redirect is:
http://<IPAddress_or_Hostname>/getmitm/
where IPAddress_or_Hostname is the IP address or host name of the intercepting Smoothwall appliance.
This is the certificate download page located on the Smoothwall: