Great questions, and I am glad you asked.
First, you must create a self-signed certificate (or create a cert signing request to be signed by your INTERNAL enterprise cert authority). To be clear, you CANNOT use a publicly signed cert for decryption.
But you are correct on putting the self-signed, or the enterprise-signed, cert into the computer's Trusted Cert Authority/Store.
There is documentation on how to deploy, so I am not going into how to deploy.
My suggestion is to start small (your own PC) and work outward towards other teammates, and then to other groups.
The first Decrypt rule is a NO Decrypt rule for (financial, health and medicine, and shopping). By law, you are not allowed to disable this traffic.
Make a custom URL category (No Decrypt) and populate it with sites you do NOT want decrypted.
Examples could be *.paloaltonetworks.com, *.apple.com, *.microsoftlogin.com, *.azure.com
Your next rule could be another NO Decrypt rule, with the URL category of No Decrypt, as described above.
From there, you should set up rules to decrypt traffic from ONLY your computer, to the Internet, on port 443 (as a start).
Test all sites you would want to, put any troublesome sites into the No Decrypt policy (and now, they will not be decrypted.)
I have been running decryption for 5 years, and only have about 20 sites (from the thousands I visited) that gave me problems.
The SSL fwd proxy works well, if it is configured properly. That is the challenge: just being careful and creating correct policies.
After you feel comfortable with only your computer, branch out to co-workers, test. Rinse, Wash, Repeat.
Then roll out to groups (IT, HR, Marketing, Accounting, Sales) and continue to refine.
Once you get better, you can then start to include different ports besides 443 if they are still using TLS 1.2 (the current).
And then, eventually, you need to create a Decryption Profile (Objects tab) to block expired certs, untrusted certs, etc.
Let me know what other questions we can assist with.
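As an added illustration of the rule ordering described in this reply (this is example code, not part of the original post and not a vendor tool), the script below models a first-match decryption rulebase: a no-decrypt rule for the regulated predefined categories, a no-decrypt rule for a custom wildcard "No Decrypt" category, and a decrypt rule scoped to a single pilot PC on port 443. It also includes the two Decryption Profile checks the reply names (expired and untrusted certificates). The category map, the pilot IP 10.0.0.50 and all hostnames are constructed placeholders.

```python
"""
Added example (not from the original post): a first-match evaluator for the
decryption rulebase ordering the reply describes. Every name, IP, hostname and
category mapping here is a constructed placeholder, not vendor data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed stand-in for a predefined URL-category lookup: hostname -> category.
PREDEFINED_CATEGORIES = {
    "online.mybank.example": "financial-services",
    "portal.hospital.example": "health-and-medicine",
    "shop.retailer.example": "shopping",
    "news.example": "news",
}

# Custom "No Decrypt" category populated with wildcard patterns, as the reply suggests.
NO_DECRYPT_CUSTOM = [
    "*.paloaltonetworks.com",
    "*.apple.com",
    "*.microsoftlogin.com",
    "*.azure.com",
]


@dataclass
class DecryptRule:
    name: str
    action: str                                          # "decrypt" or "no-decrypt"
    sources: list = field(default_factory=lambda: ["any"])
    ports: list = field(default_factory=lambda: ["any"])
    categories: list = field(default_factory=list)       # predefined category names
    custom_patterns: list = field(default_factory=list)  # wildcard hostnames

    def matches(self, src_ip, host, port):
        if "any" not in self.sources and src_ip not in self.sources:
            return False
        if "any" not in self.ports and port not in self.ports:
            return False
        # Category constraints narrow the rule; no constraint means "any URL".
        if self.categories or self.custom_patterns:
            in_cat = PREDEFINED_CATEGORIES.get(host) in self.categories
            in_custom = any(fnmatchcase(host, p) for p in self.custom_patterns)
            if not (in_cat or in_custom):
                return False
        return True


# Rule order is the point: exceptions first, then the narrow pilot decrypt rule.
RULEBASE = [
    DecryptRule("No-Decrypt-Regulated", "no-decrypt",
                categories=["financial-services", "health-and-medicine", "shopping"]),
    DecryptRule("No-Decrypt-Custom", "no-decrypt", custom_patterns=NO_DECRYPT_CUSTOM),
    DecryptRule("Decrypt-Pilot-443", "decrypt", sources=["10.0.0.50"], ports=[443]),
]


def evaluate(src_ip, host, port, rulebase=RULEBASE):
    """First matching rule wins; a flow matching nothing is simply not decrypted."""
    for rule in rulebase:
        if rule.matches(src_ip, host, port):
            return rule.name, rule.action
    return None, "no-decrypt"


def profile_verdict(not_after, issuer_trusted, now=None):
    """The two Decryption Profile checks the reply names: block expired server
    certificates and certificates from an untrusted issuer. Returns (allowed, reason)."""
    now = now or datetime.now(timezone.utc)
    if not_after < now:
        return False, "expired-certificate"
    if not issuer_trusted:
        return False, "untrusted-issuer"
    return True, "ok"


if __name__ == "__main__":
    for src, host, port in [
        ("10.0.0.50", "online.mybank.example", 443),  # regulated: never decrypted
        ("10.0.0.50", "www.apple.com", 443),          # custom No Decrypt category
        ("10.0.0.50", "news.example", 443),           # pilot PC: decrypted
        ("10.0.0.99", "news.example", 443),           # co-worker not yet in scope
    ]:
        print(src, host, port, "->", evaluate(src, host, port))
```

Swapping the rule order (decrypt rule first) would match the bank site before the regulated exception is reached, which is why the reply puts the no-decrypt rules at the top and grows the decrypt rule's source list only after each stage has been tested.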