  1. #1 (original poster)

    Transparent proxy problem

    Hi,

    We have recently configured a transparent proxy on our system with SSL login so guests, students etc can log onto our wireless and just input their credentials to go online. There is a slight problem though when users are directed to the SSL login page we receive a certificate error:

    Server IP Address
    The identify of this website has not been verified
    -Servers certificate does not match the URL
    - Servers certificate is not trusted

    This means we get a really quite horrible untrusted box on android devices and I am concerned that users will not want to work around it. Also due to this most https sites don't load properly.

    Is there a workaround for this?

    Thanks

  2. #2 localzuk

    Buy an SSL certificate for the URL of the login box?

  3. #3 browolf

    However, you can't buy SSL certificates for private servers any more.

  4. #4 localzuk

    Depends on the SSL cert seller. Digicert will sell them, as will Trustwave SSL, InstantSSL etc... A search for "buy intranet SSL certificate" brings up lots.

    Try contacting your LEA (even if you're an academy, I believe they manage the sales for regions); they should be able to organise one via JaNet. It might not be free any more, but they are relatively cheap I believe.

  6. #5 twin--turbo

    Buy an internet one and fudge your internal DNS

    We have to do that so that our internal clients can get to our webmail server without cert warnings.

    Rob
    Last edited by twin--turbo; 14th November 2013 at 03:47 PM.

  7. #6 SovietRussia

    Quote Originally Posted by localzuk:
    Depends on the SSL cert seller. Digicert will sell them, as will Trustwave SSL, InstantSSL etc... A search for "buy intranet SSL certificate" brings up lots.

    Try contacting your LEA (even if you're an academy, I believe they manage the sales for regions); they should be able to organise one via JaNet. It might not be free any more, but they are relatively cheap I believe.

    Janet is about £35, which was cheap.

  8. #7 (original poster)

    Quote Originally Posted by twin--turbo:
    Buy an internet one and fudge your internal DNS

    We have to do that so that our internal clients can get to our webmail server without cert warnings.

    Rob

    Hi Rob,

    Are you able to give me some more information on how to do this? We buy a yearly wildcard cert from GoDaddy that we use on many of our HTTPS intranet sites, so it makes sense that we would use this for Smoothwall too, as it is on the same domain that the wildcard cert uses. The thing that is confusing me is how do I get these certs into Smoothwall itself, or don't I? We have HTTPS inspection working on all our domain-connected PCs using the certificate from Smoothwall that has been imported onto all the workstations, but for wireless devices it needs to just work.

  9. #8 twin--turbo

    On your internal DNS server, add your external domain name.

    Then add a record for your smoothie and point it at the internal IP of the smoothie.

    So say you get redirected to lanportal.myschool.org.uk:

    - add lanportal.myschool.org.uk to your wildcard cert (if you need to)
    - add the domain to your internal DNS server: myschool.org.uk
    - add an A record in that domain, lanportal.myschool.org.uk, pointing to the IP of the smoothie
    - add the certificate to Smoothwall (can't help you on that one)

    The client hits your redirect, fetches DNS for lanportal.myschool.org.uk from your DNS, and goes to the IP you specified.

    Smoothwall sees a request for lanportal.myschool.org.uk, has a certificate that matches, and the client is happy.

    Make sense?

    Rob

  10. #9 (original poster)

    Yeah, it does make sense, thanks. I have just downloaded our wildcard cert from GoDaddy for Apache, which is what I am told Smoothwall uses. I asked Smoothwall support to import the cert so we can use it and they are telling me I have to generate a key so that Smoothwall can use it. Thing is, I can't do that because it's a wildcard cert, so we have it applied on a few of our subdomain sites and I can't re-key it as it will break the others. Arghhhh, why don't Smoothwall just allow you, through the GUI, to either use their inbuilt cert or use your own? How hard can it be?

  11. #10 (original poster)

    I have just had a look here:

    Jon Witts' Blog » Changes after a Smoothwall upgrade

    I have opened /etc/httpd and found 3 files on the smoothie box: server.crt, server.key and server.csr. Now I am presuming that server.crt is the certificate you receive on the HTTPS inspection policies when you click on "export guardian certificate" (correct me if I'm wrong). As we want to use our wildcard SSL certificate, which has already been signed for *.ourdomain.sch.uk, and our Smoothwall box is smoothwall.ourdomain.sch.uk, could I not simply replace the crt with our wildcard one? Smoothwall are saying I need to create a CSR and send it to GoDaddy to then receive a new .key file and a new .crt file, but surely I don't need these with it being a wildcard, do I?

  12. #11 jonwitts

    The crt file is generated and signed against the key and csr file. In this case the three files you have found have all been generated by the Smoothwall box using OpenSSL; hence why they are known as a self-signed cert.

    For Apache to serve your wildcard SSL certificate for your Smoothwall box, you would need the matching .key and .csr files for your wildcard crt file. These would also most likely need to have been generated by OpenSSL for them to work on your Apache / Smoothwall box. If they were generated on a Windows box, then I believe they will not transfer (although I am willing to stand corrected on this one!) and you will need to purchase a new certificate for your Apache / OpenSSL / Smoothwall server... They are not very expensive ;-)
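
An added worked example (not code from this thread, from Smoothwall or from Jon's blog) covering three points raised above: the key / CSR / crt relationship Jon describes, a check that a .crt really belongs to the .key on the box, and why a certificate issued for a hostname only satisfies the client when it is sent to that hostname (Rob's internal DNS record) rather than to a bare IP address, which is what the "Server IP Address ... does not match the URL" error in the first post reports. It assumes a POSIX shell and the openssl command line (1.0.2 or later for -checkhost/-checkip). lanportal.myschool.org.uk and *.ourdomain.sch.uk are the placeholder names used in the thread, and the self-signing step stands in for the CA so the script runs offline.

```shell
#!/bin/sh
# Added example: key -> CSR -> cert with OpenSSL, then two checks a practitioner
# wants before installing a cert on a login portal:
#   1. does this .crt belong to this .key?
#   2. which names does this .crt actually cover?
# Hostnames are placeholders from the thread; self-signing stands in for the CA.
set -eu

WORK=${WORK:-$(mktemp -d)}

# make_demo_cert NAME DNSNAME: private key + CSR (CN and SAN = DNSNAME), then a cert.
# On a real box you stop after the CSR, send $NAME.csr to the CA, and install the
# .crt it returns next to the .key that produced the CSR.
make_demo_cert() {
  name=$1; dnsname=$2
  cat > "$WORK/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = san
[dn]
CN = $dnsname
[san]
subjectAltName = DNS:$dnsname
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/$name.cnf" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  # Demo stand-in for the CA signature; copies the SAN from the same config.
  openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 30 \
    -extfile "$WORK/$name.cnf" -extensions san -out "$WORK/$name.crt" 2>/dev/null
}

# key_matches_cert KEYFILE CRTFILE: true when the cert was issued for this key.
# Compares the public key inside the cert with the public key derived from the key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl md5) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl md5) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers CRTFILE NAME: true when NAME is matched by the cert's subjectAltName
# (wildcards honoured, one label only). An IP literal is checked with -checkip, which
# is what a browser does when it is redirected to https://10.x.x.x/ instead of a name.
cert_covers() {
  case $2 in
    *[!0-9.]*) openssl x509 -in "$1" -noout -checkhost "$2" ;;
    *)         openssl x509 -in "$1" -noout -checkip "$2" ;;
  esac | grep -q " does match "
}

make_demo_cert portal   "lanportal.myschool.org.uk"
make_demo_cert wildcard "*.ourdomain.sch.uk"
# A key the portal cert was NOT issued for (the "wildcard cert keyed elsewhere" case).
openssl genrsa -out "$WORK/stray.key" 2048 2>/dev/null

# Stand-alone run: print what each cert covers.
for t in "portal lanportal.myschool.org.uk" "portal 10.0.0.1" \
         "wildcard smoothwall.ourdomain.sch.uk" "wildcard ourdomain.sch.uk" \
         "wildcard lanportal.guest.ourdomain.sch.uk"; do
  set -- $t
  if cert_covers "$WORK/$1.crt" "$2"; then printf '%s covers %s\n' "$1" "$2"
  else printf '%s does NOT cover %s\n' "$1" "$2"; fi
done
```

The two checks are the ones that decide the cases in this thread: a CA-issued .crt is only usable on a box that holds the private key behind its CSR, so a wildcard certificate keyed on another server cannot be dropped into /etc/httpd on its own, and a certificate for a hostname never matches a redirect to an IP address, however it was issued.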

  13. #12 jonwitts

    Quote Originally Posted by Badaz52:
    I am presuming that server.crt is the certificate you receive on the https inspection policies when you click on export guardian certificate (correct me if I'm wrong)

    Missed that bit!

    Even if you install a real-world signed SSL certificate, the HTTPS inspection is still handled by the self-signed Smoothwall cert. This is because it needs to have the full Certificate Authority to be able to perform the HTTPS man-in-the-middle inspection. The SSL certs my blog post is talking about are for the SSL Login and Admin web pages...

    Jon

  14. #13 (original poster)

    Thanks for your response. I have purchased a new SSL certificate and will be able to key this for use with Apache. It is the SSL login bit I am after sorting anyway because it just doesn't look good for guests if they just get a certificate error on the SSL login page. How do I go about generating a CSR with smoothwall for this new cert?

  15. #14 (original poster)

    I'm having trouble with the GoDaddy certificate now. I have submitted the CSR that I generated with Smoothwall and then chose a WHOIS check for GoDaddy to verify, and this is the email I received back:

    We have received a Certificate Signing Request for the domain: smoothwall.etc.etc

    We were unable to retrieve an email address for the domain name Registrant or Administrative Contact. It appears your WHOIS record does not present valid or public email address contacts or has private registration in place.

    Please use one of the following alternative methods to facilitate the validation of your domain access control. Your unique ID for these methods is "".

    1. If you are able to make Domain Name Zone changes, you can use the Domain Zone Control validation process. Domain Zone Control instructions
    2. If you are able to store a web page in the root of your hosting account, you can use the Domain Website Control validation process and this HTML file to validate the domain name control for your SSL. Website Control instructions
    When finished, log into your account and select your pending request. In the "Request Progress" section, click the "What's the hold up?" link. Complete the validation process by clicking the link for your selected method. A status message will indicate success or failure. Please allow a few minutes for the status of your request to be updated.

    Does this mean my Smoothwall box needs to be visible from the outside to do this? If so, which ports do I need open, as I don't want to open up everything to the outside world?

    Cheers

  16. #15 jonwitts

    Sounds like they are just trying to verify you as the owner of the domain name you used for your Smoothwall. What was the .etc.etc you used in your CSR? Is it a real-world domain name?
