https inspection step-by-step


Moderator: Qbik Staff


Postby tito_gate » Nov 03 15 3:46 am

Dear Wingate people...

This is intended as advice to improve your product.
I'm trying to test the HTTPS inspection to effectively control access to the huge quantity of pages starting with https (even Google!). OK.
I found on YouTube (Qbik) and your forums a lot of information about how to install WinGate, first steps, services, how to manually create rules to restrict navigation, etc. But I can't find any step-by-step from the server to the clients on the subject of HTTPS inspection. I am advancing very slowly using "test-and-error" techniques, reading partial answers in the forum, but I need (as most of us do) a real example like the other parts you explain in text and video.
Now I'm stuck after creating a certificate in Control Panel > Certificates > New Certificate... Just a name for the cert, the name of the server (my local server?) and that's it! It is created. OK. What next? How do I export it to the clients? In Windows Certificate Manager, this new cert does not appear in the list.
Besides, is it so easy? Creating a cert (putting in just a name) and exporting it to the clients resolves all the problems with https pages? With no more specifications? After that, is all web navigation controlled by the access rules?
I really need guidance here. A video, an example, something. Someone explaining the whole process.
If you can help with the export to the clients, I'll be one step closer to the solution. But I'm sure there is something more after that.
Thank you in advance.



Jorge
tito_gate
 
Posts: 8
Joined: Oct 21 15 3:10 am

Re: https inspection step-by-step

Postby adrien » Nov 05 15 9:13 pm

Hi Jorge

Basically the steps are these:

1. configure clients to use the proxy for https
2. configure the www proxy to use https inspection
- generate or import a signing cert and select this as the signing cert in the https inspection page
3. configure the clients to trust the signing cert
- this means deploying the cert to the trusted root authorities store on the computers.

To access a cert that you generated in WinGate, double click the cert, choose the details tab and export to file. This will give you a .cer file you can import.

To deploy it, you can use Active Directory Group Policy, or manually add it to computer cert stores. If you are using Firefox, you'll need to add it to the Firefox cert store as well, since it doesn't use the Windows cert store.

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
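
The export and step 3 from the reply above, shown as an added example for a single Windows client (this is not code from the original post or from Qbik). The file path and the expected thumbprint are placeholders; the thumbprint is assumed to be read from the certificate on the WinGate server and compared out of band.

```powershell
# Added example: check an exported signing certificate, then trust it machine-wide.
# Run in an elevated PowerShell session on the client.
$CerPath            = 'C:\Temp\wingate-signing.cer'               # hypothetical export location
$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-WINGATE-SERVER>'   # placeholder, fill in

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# 1. Clients only need the public certificate. The private key must stay on
#    the proxy, so refuse any file that carries one.
if ($cert.HasPrivateKey) {
    throw 'File contains a private key; export the certificate only (.cer).'
}

# 2. Make sure this is the certificate that was exported, not a look-alike.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 3. An expired or not-yet-valid signing cert breaks every inspected HTTPS page.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# 4. Add it to the computer's Trusted Root Certification Authorities store.
Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 5. Confirm the store now holds exactly the certificate that was checked.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Format-List Subject, Thumbprint, NotAfter
```

Running this on clients before HTTPS inspection is switched on avoids certificate warnings in the gap between the two steps.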

Re: https inspection step-by-step

Postby tito_gate » Nov 10 15 4:09 am

Dear Wingate people,

I need to tell you about my experience: this cannot be the way I'm going about it.
I'm trying to allow the users on the network to access YouTube (and other pages, but for the example this is enough).
The clients are configured to use the proxy, the rules are in effect (tested), I created a certificate because YouTube is https, right, the certificate is trusted, OK.

To start, the YouTube home page looks "broken" on clients: the links are randomly distributed on screen, with no images at all.
I went to the activity page in WinGate and I can see there are "a lot" of pages with access denied; surely YouTube calls them and that rejection causes the "broken web result". OK. I started to add permissions for these blocked requests to give a better on-screen result on clients.
I had to add permissions for: *.doubleclick.net, *.ggpht.com, *.googleapis.*, *.googlevideo.*, *.gstatic.com, *.youtube-nocookie.*, *.ytimg.com
These domains appear "one at a time". I mean: I check activity, discover one of these, manually add the permission, then reload the page on the client. Then the second appears, the whole process again, and so on...
I already have the YouTube home page with "normal vision", but when I need to search for a video in there, new blocked domains appear in the activity again... a lot of them!
Is this the real work to allow "one page: YouTube"? Must I check all the links they use, one by one, and add the permissions? This takes HOURS of testing just for one page. Imagine adding Spotify and a couple more... it is too much. I will need days of work checking activity!
Does every person in the world do this work for each allowed page? I can't believe it. There must be something easier.
Please give me some help here. Is there any way "not to check anything about my allowed pages" and block/check/whatever on the rest?

Thank you for your patience.


Jorge
tito_gate
 
Posts: 8
Joined: Oct 21 15 3:10 am

Re: https inspection step-by-step

Postby tito_gate » Nov 14 15 2:00 am

People of Wingate Forum,

I'm waiting for a response on this subject...
To allow the YouTube page to users, is the process described in the previous post the right one? Or is there another way?
Still waiting for your answer...
Thank you



Jorge
tito_gate
 
Posts: 8
Joined: Oct 21 15 3:10 am

Re: https inspection step-by-step

Postby adrien » Nov 15 15 11:17 am

Hi Jorge

Sorry about the delay in responding.

Yes it can be quite tedious figuring out what needs to be enabled to get a single page loading ok. Many sites use over 100 different resources from dozens of different servers just to display a single page.

Normally we just scour log files to see what requests are being blocked, and then allow those.

However it should be possible to create a flow-chart policy to allow training of the system. You can add items to a list from policy, and you could set up a test proxy which you just use, and any site you go to it could be set to add the server to the list for the main web access control to use (using list of allowed sites).

Basically the policy would do something like

Data.GetList("allowed sites").AddMember(Request.Server)

The list "allowed sites" would be added to the web access rule. Then if you want to allow a site, you just go there and surf it, that opens it for others.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
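
The log-scouring approach mentioned in the reply above, as an added example (not code from the original post or from Qbik): it collapses denied requests into wildcard candidates of the kind listed earlier in the thread, so an administrator can review them in one pass before adding anything to the allow list. The log layout and sample lines are constructed and are not WinGate's real log format; `Get-DeniedDomainSummary` is a hypothetical helper name.

```powershell
# Constructed sample lines; the layout (time, client, verdict, URL) is an
# assumption and is not WinGate's actual log format.
$SampleLog = @'
2015-11-10 04:01:12 192.168.1.20 DENIED https://i.ytimg.com/vi/abc/default.jpg
2015-11-10 04:01:12 192.168.1.20 DENIED https://s.ytimg.com/yts/jsbin/base.js
2015-11-10 04:01:13 192.168.1.20 ALLOWED https://www.youtube.com/
2015-11-10 04:01:13 192.168.1.20 DENIED https://fonts.gstatic.com/s/roboto.woff2
2015-11-10 04:01:14 192.168.1.20 DENIED https://r4.googlevideo.com/videoplayback
2015-11-10 04:01:15 192.168.1.20 DENIED https://i.ytimg.com/vi/def/default.jpg
'@ -split "`r?`n"

function Get-DeniedDomainSummary {
    param([string[]]$Lines)
    $byParent = @{}
    foreach ($line in $Lines) {
        # Only denied requests are of interest; the URL is the last field.
        if ($line -match '\sDENIED\s+(\S+)\s*$') {
            $hostName = ([uri]$Matches[1]).Host.ToLowerInvariant()
            $labels   = $hostName.Split('.')
            if ($labels.Count -lt 2) { continue }
            # Naive grouping on the last two labels; wrong for suffixes such as co.uk.
            $parent = $labels[-2..-1] -join '.'
            if (-not $byParent.ContainsKey($parent)) {
                $byParent[$parent] = @{
                    Hits  = 0
                    Hosts = New-Object 'System.Collections.Generic.HashSet[string]'
                }
            }
            $byParent[$parent].Hits++
            [void]$byParent[$parent].Hosts.Add($hostName)
        }
    }
    # One row per candidate wildcard, with the evidence behind it.
    foreach ($parent in ($byParent.Keys | Sort-Object)) {
        [pscustomobject]@{
            Pattern = "*.$parent"
            Hits    = $byParent[$parent].Hits
            Hosts   = ($byParent[$parent].Hosts | Sort-Object) -join ', '
        }
    }
}

Get-DeniedDomainSummary -Lines $SampleLog | Format-Table -AutoSize
```

On the sample input this yields three candidates (`*.googlevideo.com`, `*.gstatic.com`, `*.ytimg.com`), the last with 3 hits across two hosts.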

Re: https inspection step-by-step

Postby garth » Apr 30 18 5:23 am

adrien wrote:Hi Jorge

Basically the steps are these:

1. configure clients to use the proxy for https
2. configure the www proxy to use https inspection
- generate or import a signing cert and select this as the signing cert in the https inspection page
3. configure the clients to trust the signing cert
- this means deploying the cert to the trusted root authorities store on the computers.

To access a cert that you generated in WinGate, double click the cert, choose the details tab and export to file. This will give you a .cer file you can import.

To deploy it, you can use Active Directory Group Policy, or manually add it to computer cert stores. If you are using Firefox, you'll need to add it to the Firefox cert store as well, since it doesn't use the Windows cert store.

Adrien


It would be helpful if you posted a link on how to do each step. If they existed, they are not showing up in searches.

Step 1 for example, is there a GPO for this? Shouldn't this step be combined with step #3? For that matter should step #3 be done before step #1, otherwise, the client will be blocked from using HTTPS until step #3 is done. You generally don't want to create downtime for clients.
garth
 
Posts: 11
Joined: Jul 20 14 8:58 am

Re: https inspection step-by-step

Postby adrien » May 02 18 4:09 pm

Hi

Yes, a GPO can be used to deploy certs and also to set proxy configuration.

Regards

Adrien de Croy
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: https inspection step-by-step

Postby garth » May 06 18 6:03 am

adrien wrote: Yes, a GPO can be used to deploy certs and also to set proxy configuration.


This is not all that helpful of a reply. You should post a step-by-step document on setting up WinGate for HTTPS. What is listed within the doc just doesn't help. It is far too vague.
garth
 
Posts: 11
Joined: Jul 20 14 8:58 am

