KCSiE TLS decryption
We have numerous WGs installed for our customers, but we will be implementing SafeGuarding for a new install.
The majority of the devices will be BYOD.
I am coming to appreciate that I will need to install a certificate on each device for the TLS decryption to take place.
So I'm curious to know how any of you have implemented this for the easiest BYOD end-user experience.
Simon.
Comments
Hi @CRU_Technologies_Ltd
For BYOD devices, we designed the certificate portal which allows the firewall to host the cert for users to download.
(Certificate Portal)
https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/certificates/certificate_portal_c.html
We also provide instructions on most platforms/browsers on how to import the proxy authority certificate so that users can access the internet.
(Import a Certificate on a Client Device)
https://www.watchguard.com/help/docs/help-center/en-us/Content/en-US/Fireware/certificates/import_client_cert.html
If devices get enrolled into any RMM type service as part of onboarding, it may also be possible to push the certificate to the device itself via that tool.
Is it possible to block all traffic unless the certificate has been installed on the client device?
Hi @CRU_Technologies_Ltd
It's not possible to do this as it's up to the client device to verify that cert. If the client device doesn't have the cert installed, they will usually see a banner warning of an insecure connection.
That's what I thought, but now that we have implemented this for a client, they are concerned that on 50% of the websites they have tested, if the option to 'continue anyway' is available, the site loads anyway.
Hi @CRU_Technologies_Ltd
The Firebox doesn't have a way to determine whether the client device has the proxy authority (inspection) cert installed. If the client sees the "continue anyway" screen, they should install the certificate.
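Since the firewall cannot tell whether a client trusts the inspection CA, the check has to run on the client itself (for example from the onboarding or RMM tool mentioned earlier in the thread). The script below is an added example, not WatchGuard's code: it reads the CA certificates that Python's default TLS context loads from the device's trust store and reports whether a CA with the expected common name is among them. The CA name "Example Inspection Proxy CA" is a constructed placeholder; substitute the common name of your own Firebox proxy authority certificate. Note that `get_ca_certs()` only lists certificates loaded from the default CA file or from in-memory data, so on a platform whose Python build has no system bundle wired in the list may be empty, which the script treats as "not trusted".

```python
"""Client-side check: is the TLS inspection (proxy authority) CA trusted
by this device's default trust store?

Added example, not WatchGuard's code. The CA common name is a constructed
placeholder; replace it with the CN of your own proxy authority cert.
"""
import ssl
import sys
from typing import Optional

# Constructed placeholder; a real deployment uses the CN of its own Firebox CA.
EXPECTED_CA_CN = "Example Inspection Proxy CA"


def common_name_from_subject(subject) -> Optional[str]:
    """Extract the commonName from a subject in the shape returned by
    ssl.SSLContext.get_ca_certs(): a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs."""
    for rdn in subject:
        for attribute, value in rdn:
            if attribute == "commonName":
                return value
    return None


def trusted_ca_common_names(ctx: Optional[ssl.SSLContext] = None) -> set:
    """Return the set of commonNames of CA certificates loaded into the
    given context (by default, the platform's default trust store)."""
    if ctx is None:
        ctx = ssl.create_default_context()
    names = set()
    for cert in ctx.get_ca_certs():
        cn = common_name_from_subject(cert.get("subject", ()))
        if cn:
            names.add(cn)
    return names


def is_inspection_ca_trusted(expected_cn: str,
                             ctx: Optional[ssl.SSLContext] = None) -> bool:
    """True if a CA whose commonName equals expected_cn is trusted.
    An empty trust list yields False, so a misconfigured device is
    reported as not ready rather than silently passing."""
    return expected_cn in trusted_ca_common_names(ctx)


if __name__ == "__main__":
    # Exit code 0 = CA present, 1 = missing; usable from an RMM/onboarding
    # tool to gate the device as "ready for inspection".
    trusted = is_inspection_ca_trusted(EXPECTED_CA_CN)
    print(f"{EXPECTED_CA_CN!r} trusted: {trusted}")
    sys.exit(0 if trusted else 1)
```

Run it once per device after the certificate import from the Certificate Portal; a non-zero exit code means the user will still get the "insecure connection" banner (and the 'continue anyway' prompt) until the cert is installed.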