I'm looking for other admins' experiences with utilizing the SSL Forward Proxy decryption options in a university environment. General overall experiences would be good but, specifically, I'm wondering about:
Alternatively, if your site chose not to use it for any reason I'd be curious about points against it as well.
In my reading I've already found a few hurdles, including deploying the cert to non-domain computers as well as Firefox's thing of not using the Windows cert store.
There are a ton of issues that you can run into with this; all of them solvable but some of them will likely need a good lawyer to protect yourself if you are running it on your campus housing.
Thanks for the reply BPry.
The non-domain computers definitely are the biggest hurdle I've come across so far (well, that and the previously mentioned issue with the Firefox browser). I've been trying to figure out a good deployment method here including maybe coming up with some install packages or scripts to assist a user in easily installing the cert in the correct place. Another option would be a knowledgebase article, should we proceed with this feature.
I've also seen some oddities when a website only partially loads. Amazon.com is one of these as I've added Shopping sites to the list of sites to not decrypt but Amazon has a bunch of files coming from an image server that is categorized as "Content Delivery Networks". The result is the page tries to load because the top level domain is Shopping and is excluded from SSL Decryption, however, most of the page doesn't load due to content coming from another server that doesn't fall under Shopping.
**EDIT** Looks like the oddity that I'm seeing might be because of a combination of having categories of non-decrypt and the Opti-In page enabled. Amazon would try to load but the Opt-In page hadn't been triggered and accepted so the the images and ads from other servers would not load.
I've found that a small install package is usually the best way to set these up and it can be included in a login page and it's easy for people to understand. Depending on your operating system and settings scripts are not always the best solution.
If you are selectively decrypting sites based on category then you will likely notice more sites over time that require special care. It's the nature of the beast really.
I was thinking about this last night and kind of came to the same conclusion... an install package would certainly be easier on the end-users although one could also have support pages online to walk people through the steps manually. It doesn't seem to matter which way you go, there would be a decent amount of setup work to come up with either instructions for the majority of major operating systems or a series of installers to support the main operating systems.
The more I think about this the more I feel like I'd recommend a phased rollout for the feature if it's something that is asked for. Start off with decryption policies that are limited to networks where you know the clients all have the cert installed and then start moving through the organization doing one network segment at a time to get 100% installation on the stragglers.
Agreed on the note about selective dycription behavoir although I definitely think it was made worse when I had the Opt-In page enabled... seems like it would be better as an all or nothing if you're going to give them the Opt-In page option. I imagine some selective decryption is probably unavoidable in many situations to help alleviate concerns about decrypting banking, credit card, and health information.
In general corporate owned devices or personal ones you're going to want to stay away from intercepting these categories.
BPry, did you make an install package for pushing the decrypt certificate to different web browsers (Firefox, Opera, Safari etc) on domain computers? If so, can you share some more details on how you did this?
@TerjeLundbo I appologize I never actually saw this come across. If you haven't already found it look at Firefox Autoconfig or there is an extension on Firefox itself for building the file, although I can't think of what it's called at this moment. Chrome also has mutiple different extensions and can be built in AD so that is less of an issue. I've never done this for Opera or Safari so ?
@MunitSingla just so you actually see this as well.
I'll try and figure out what the package was that I made the Firefox config in, as it was a really easy program to work with that let you setup a bunch of stuff like this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!