Rosemark at 21:37, 8 October 2024

2024-10-08T21:37:32Z

← Older revision		Revision as of 21:37, 8 October 2024
Line 61:		Line 61:

	== Troubleshooting Firefox ==		== Troubleshooting Firefox ==
	There's a very good chance that you will now discover that you still cannot ~~invalid~~ content without being prompted with the bad certificate screen if you use Firefox on your client machine. This is because Firefox does not implicitly trust root enterprise certificates.		There's a very good chance that you will now discover that you still cannot view blocked content without being prompted with the bad certificate screen if you use Firefox on your client machine. This is because Firefox does not implicitly trust root enterprise certificates.

	To test if your certificate is working at all, in the Firefox URL bar type about:config and press continue past the warning that appears. Search for "enterprise" and enable the enterprise roots rule, then restart Firefox and attempt again. It should now work, but you probably do not want to do this to every single computer running Firefox.		To test if your certificate is working at all, in the Firefox URL bar type about:config and press continue past the warning that appears. Search for "enterprise" and enable the enterprise roots rule, then restart Firefox and attempt again. It should now work, but you probably do not want to do this to every single computer running Firefox.

	[https://community.spiceworks.com/how_to/138802-configure-firefox-to-use-windows-certificate-store-via-gpo This guide from spiceworks will allow you to fix this through GPO!]		[https://community.spiceworks.com/how_to/138802-configure-firefox-to-use-windows-certificate-store-via-gpo This guide from spiceworks will allow you to fix this through GPO!]

Rosemark: 1 revision imported

2024-10-08T15:02:02Z

1 revision imported

← Older revision	Revision as of 15:02, 8 October 2024
(No difference)

wikipedia>Maeve at 20:23, 18 November 2023

2023-11-18T20:23:19Z

New page

[[Category:Heard County School District]]
The following guide describes the system in place that allows Heard County School District to allow / deny HTTP(S) content coming from the internet.

== Overview ==
Firebox firewalls have a feature called Web Blocker which utilizes HTTPS Content Inspection. [http://www.watchguard.com/help/docs/help-center/en-US/content/en-us/Fireware/services/webblocker/webblocker_about_c.html WebBlocker] intercepts incoming traffic from the internet and analyzes it against a customizable table of rules to determine if it contains materials that violate the rules of the organization. Aside from the initial configuration, WebBlocker creates a problematic situation for any websites being served across SSL. It has to decrypt the HTTPS packets to analyze them for inappropriate content. This means that the firewall has to re-encrypt the pages with its own self-signed SSL certificate before passing it to the user, but the user doesn't automatically trust this certificate, and the average user does not know how to navigate this issue.

There are two possible solutions: you can distribute the self-signed certificate to each machine directly or replace the certificate with one signed by a third party certificate authority (CA).

Using a third party certificate authority (CA) is the best and most highly recommended option as, if you have to replace the firewall, it's going to have a completely different self-signed certificate and the clients will no longer trust it. This problem is irrelevant in the case of a third party CA as you only have to reissue / reinstall the certificate to the firewall, and it's implicitly trusted by the clients already.

== Certificate Authority ==
Setting up an enterprise CA can be a daunting task depending on your usecase. What we're aiming for here is to create a new [[Public Key Infrastructure|PKI]], where the root certificate is distributed to all client machines, and then the root certificate is used to sign a re-signing certificate (similar to an intermediary leaf in other, larger PKIs) that gets used to sign the content from inspected websites.

One system that fits this perfectly is the Windows Active Directory Certificate Services role.

Set up a machine in your AD domain and give it a static IP and hostname. Ensure that the hostname is exactly what you want it to be. '''Certificate Services breaks completely if you ever change it.'''

When installing the role, make sure the following are all set:

[[File:ADCSRoles.png|620x620px]]

When configuring the roles after the install, ensure that the options "Root CA" and "Enterprise CA" are selected. Root CA sets it to create a new root certificate which will be the start of our PKI. Enterprise distributes the root CA to all machines in the domain.

Also select the rest of the roles that were installed above when configuring. You don't have to do anything special to them, this just enables them.

It's a good idea to now run gpupdate /force and then reboot the machine.

Now, after you do this, open a web browser and navigate to http://[fqdn of the machine including domain]/certsrv. A login prompt at the top of your screen will appear. Log in with a domain administrator account. Make sure you include the domain prefix if you're using "Administrator" or else it will log in using the local admin privileges of that machine, which do NOT include "network admin" privileges.

== Generate the CSR ==
Now that we have our PKI infrastructure in place, we need to generate the signing certificate in the Fireware Web UI.

From the Fireware Web UI, go to '''System > Certificates''' and select '''Create CSR'''.

Press '''Next.'''

From the list of options that appears, select '''Proxy Authority''' (not ''Proxy Server'').

Fill out the following fields with either the defaults listed or with the information for your domain depending on the form.

At the end, you will have a CSR. Copy this and go to the url referenced previously, http://[fqdn of the machine including domain]/certsrv, and log in.

Select '''Request a certificate.'''

Choose '''advanced certificate request.'''

Paste your CSR into the box above and from the dropdown select '''Subordinate Certificate Authority.'''

From the results page, download the file as base 64.

Now, we also need to export the root CA and import it.

== Import Certificates ==
From certsrv, select '''Download a CA certificate, certificate chain, or CRL'''.

Select '''Download CA Certificate''' and download the file.

From the Fireware Web UI Certificate page we previously navigated to, select '''Import''' or '''Import Certificate'''. Select '''General Use'''. Import the root certificate we just downloaded. Repeat this procedure for the signing certificate, but select '''Proxy Authority.''' This will replace the existing Proxy Authority certificate and webblocker will now use your new one.

You may now test this by attempting to access invalid content.

== Troubleshooting Firefox ==
There's a very good chance that you will now discover that you still cannot invalid content without being prompted with the bad certificate screen if you use Firefox on your client machine. This is because Firefox does not implicitly trust root enterprise certificates.

To test if your certificate is working at all, in the Firefox URL bar type about:config and press continue past the warning that appears. Search for "enterprise" and enable the enterprise roots rule, then restart Firefox and attempt again. It should now work, but you probably do not want to do this to every single computer running Firefox.

[https://community.spiceworks.com/how_to/138802-configure-firefox-to-use-windows-certificate-store-via-gpo This guide from spiceworks will allow you to fix this through GPO!]

Firebox Content Inspection - Revision history

Rosemark at 21:37, 8 October 2024

Rosemark: 1 revision imported

wikipedia>Maeve at 20:23, 18 November 2023