Tony_Graham
Contributor

HTTPS Inspection Harmony Connect Beta

One of the downsides of HTTPS inspection has been the perceived complexity of basically setting up what is a MITM configuration. Harmony does a pretty good job of presenting the setup of HTTPS inspection but doesn't quite go into enough detail. You have a nice selection box for enabling it versus Basic, but when it comes time to implement it you just say, Download Certs or Upload your own. There is zero help, and it assumes a great deal of prior knowledge which a newcomer may not have. I think this is an area that can be improved.

0 Kudos
4 Replies
PhoneBoy
Admin

Ultimately, what is required for HTTPS Inspection is a Certificate Authority key.
You can either generate that yourself (if you have an enterprise CA your users already trust) or use ours.
In either case, you will have to distribute this CA key to your users and ensure it is marked trusted.

And, you're correct: this could be clearer.
Another one for @Tomer_Sole 

0 Kudos
Tomer_Sole
Employee Alumnus

Thank you for this suggestion - indeed we should explain in more detail about the underlying technology. Our on-premises products have had detailed best practices for years, and even though we run the same software under the hood, the use cases are sharpened for mostly outbound traffic (inbound is coming later this year) and the web management is different from the on-premises management described in those guides. So until we spin off the guides from our on-premises products, you are welcome to see this one: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Also, until we work out the guides, a few pieces of advice are below.

 

Harmony Connect has 3 deployment types:

- Branch offices - where the administrator needs to deploy the certificate on the computers of the end users

- Remote users - the default certificate is actually automatically deployed as part of the first-time activation of Harmony Connect App. In case the admin modifies the certificate, they then do need to deploy the replaced certificate on the computers of the end users

- Client-less users - this use case is not applicable and SSL Inspection happens the other way around. Users do not need a special certificate in this case.

 

 

0 Kudos
Tony_Graham
Contributor

Thank you for the clarifications. If you put one line in the 'Download Full Inspection Certificate', and/or the popup when you click on 'Select', I think it would go a long way.

      "A default certificate is automatically deployed as part of the first-time activation of Harmony Connect App."

Otherwise, if all someone is using it for are Remote Users, they may try and deploy, install and update the end user certificates, which is both unnecessary and a waste of effort. If I am understanding you correctly.

0 Kudos
Tomer_Sole
Employee Alumnus

That is correct - thanks

0 Kudos