Certificate for DNSWatchGO
Hi Guys,
When we install the DNSWatchGO client, every time a block occurs we get a Certificate Error on the Browser.
Where can we download the DNSWatchGO Certificate Authority?
Should the client install the CA during the setup?
Thanks in advance
Comments
Hi @jmsoares91
The block page you're seeing is signed by a public CA -- but it's not signed for the domain that your browser is looking for. There will always be a certificate error here, as there will be a cert name mismatch.
Thank you,
-James Carson
WatchGuard Customer Support
Hi, we used Avast/Zscaler DNS before and they had a root CA, and if installed we never got a certificate error after a redirect to their sinkhole.
Now I get a certificate error every time a site is inspected by dns-watch.
Hi @ConnectNow
It'll be impossible for the blackhole server to predict what you typed in, so the cert will never match. If there was something like an application on each PC (like dnswatchGo), this may be possible -- but the blackhole server out on the internet itself will never know what it is. DNS resolution happens long before the request (by IP) gets to the blackhole.
-James Carson
WatchGuard Customer Support
How are Avast / Zscaler doing this?
See the screenshots from an iPad without a DNS agent installed (not available for iOS); installing their root CA creates error-free redirects.
Secure Web Gateway is Avast's DNS watch, including off-premises SSL inspection. As I understand it, both products redirect in the same way, and with WatchGuard we get CA errors and with Avast we don't if we install their root CA.
Hi @ConnectNow
Based on the screenshot description, it's likely using a piece of software to help with that. There is a feature request for the DNSWatch Go client -- but just via DNS redirection, which is what the firewall is doing, there is no way to display that error.
-James Carson
WatchGuard Customer Support
Avast does not have an iOS agent for their CloudCare platform. The only thing you have to do is point your DNS to the Zscaler DNS and install the CA.
There is an open feature request to have the firebox generate the deny pages vice being redirected to a static page (by IP) on the internet. That type of action should generate the type of result you're looking for. That feature request is DNSW-505.
-James Carson
WatchGuard Customer Support
How about SOHO customers? There are Passport-only customers who do not have a Firebox and use a DNSWatchGO agent on their laptop and desktop. Only the rest of the devices' requests are forwarded by their home router.
It could be a nice win for Passport / DNSWatchGO to move the SSL/HTTPS inspection and sandboxing to the cloud like Avast did.
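
The two certificate checks behind the errors discussed in this thread, as an added Python example that is not part of any post and is not WatchGuard, Avast or Zscaler code. Chain validation is reduced to an issuer lookup, and every host name and CA name is a constructed placeholder.

```python
# Added illustration: the checks a browser applies to a block page's
# certificate. Chain validation is simplified to "issuer is in the trust
# store"; all names are constructed placeholders, not real DNSWatch values.

def name_matches(hostname, san):
    """RFC 6125 style match: a wildcard covers only the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # A wildcard needs at least two further labels ("*.com" is rejected).
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def browser_verdict(requested_host, cert, trust_store):
    """Return the outcome a browser would report for this certificate."""
    if cert["issuer"] not in trust_store:
        return "untrusted issuer"
    if not any(name_matches(requested_host, san) for san in cert["san"]):
        return "name mismatch"
    return "ok"

PUBLIC_ROOTS = {"Example Public CA"}      # constructed public trust store
VENDOR_ROOT = "Example Filter Root CA"    # constructed private root

# Static block page: publicly signed, but for the block page's own name.
static_cert = {"issuer": "Example Public CA", "san": ["blockpage.example.net"]}
# Certificate issued for the requested name by the vendor's private root.
per_site_cert = {"issuer": VENDOR_ROOT, "san": ["blocked-site.example.com"]}

def demo():
    host = "blocked-site.example.com"     # what the user typed
    return [
        # Public CA, wrong name: the mismatch described in the first reply.
        browser_verdict(host, static_cert, PUBLIC_ROOTS),
        # Right name, but the private root is not installed on the device.
        browser_verdict(host, per_site_cert, PUBLIC_ROOTS),
        # Right name and the root installed: the error-free redirect case.
        browser_verdict(host, per_site_cert, PUBLIC_ROOTS | {VENDOR_ROOT}),
    ]

if __name__ == "__main__":
    print(demo())
```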