EricAnderson
Participant

Multiple outbound HTTPS inspection certificates

I believe this was asked 3 years ago, but not properly answered (if at all).  I've asked a few folks as well, but nothing yet.

The desire is to have different certificates/CAs used on/by different gateways.  One example would be different locations with separate Active Directory domains.  Users at each location already have different trusted CAs and would ideally be presented with different trusted root CAs upon outbound inspection.

AFAIK there is only a single outbound inspection certificate (whether internal or imported) - installed on the SMS and deployed to GWs during access policy installation.

One [rather impractical] workaround could be to install policy to site A, re-import site B's certificate (scriptable in R81.20?), install policy to site B.  If R81.20's certificate scripting permits (as I've read), this could become fairly automated if we script all policy installation operations.  Somewhat ugly, but it may at least help better convey the goal.

Even more ideally (but likely more of an RFE), what about allowing multiple outbound certificates in the inspection policy?  The policy already allows for certificate selection - but only for inbound.  Allowing certificate selection in outbound inspection rules would allow for even greater flexibility, like using roles and dynamic objects in source - allowing members of different AD domains (and even non-member machines) to use different certs.  We can always dream 😉

Thanks,

-E
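A verification script, added here and not part of the thread or of Check Point's own tooling: run from a client at each site, it captures the certificate chain a browser would receive for an outbound HTTPS connection and confirms the leaf is issued by that site's expected inspection CA, which is the quickest way to spot a gateway that was installed with the wrong site's certificate. Site names, expected issuer DNs and the probe host are placeholders; openssl must be in PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Checks which outbound inspection CA
# a site's gateway actually presents to clients.

# Issuer DN of the first (leaf) certificate in a PEM file, in RFC 2253 form
# so the output is stable across OpenSSL versions, e.g. "CN=Site A Inspection CA".
leaf_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'
}

# Compare the leaf issuer in a PEM chain file with the issuer expected for a site.
# Returns 0 on match, 1 on mismatch, and prints a one-line verdict either way.
check_site_ca() {
    site="$1"; expected="$2"; pem="$3"
    actual=$(leaf_issuer "$pem") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "$site: OK, leaf issued by $actual"
        return 0
    fi
    echo "$site: MISMATCH, expected issuer '$expected' but got '$actual'"
    return 1
}

# Capture the chain a client behind this site's gateway receives for an
# outbound connection and run the check on it. Host defaults to a placeholder.
probe_site() {
    site="$1"; expected="$2"; host="${3:-example.com}"
    tmp=$(mktemp)
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$tmp"
    check_site_ca "$site" "$expected" "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage (placeholders): run from a client at each site and compare results.
# probe_site siteA "CN=Site A Inspection CA" example.com
# probe_site siteB "CN=Site B Inspection CA" example.com
```

If the leaf issuer is a public CA rather than the inspection CA, that connection was not inspected at all (bypass rule or inspection disabled), which is a separate finding from a wrong-site CA.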

2 Replies
PhoneBoy
Admin

What we allow for outbound HTTPS inspection is a single CA to be used per management domain.
That ultimately signs all the outbound certificates generated for user connections.

That implies MDM is a potential workaround for this.
Like you point out, these operations can potentially be automated in R81.20.
Otherwise having different Outbound CA certs for different gateways managed by the same management domain is an RFE.

EricAnderson
Participant

Thanks for confirming, bud.

Makes sense that MDM would work, but even more impractical than scripting in this case.

Thinking about the scripting more, it makes me wish "Before install Policy" was a SmartTask trigger 😉

Still curious if anyone else has any creative ideas, or even just has the same need/desire.

-E
