To "repair" the chain of trust when using HTTPS scanning, the client browser must trust the "Signing CA" of the proxy. This CA can be managed at "HTTP/S Proxy".
Three options are available to get the public "Signing CA" certificate installed into the client browsers (or in the case of IE, Window's certificate management):
a) Have clients visit the URL "http://passthrough.fw-notify.net/cacert.pem". This will trigger certificate installation. The process varies from browser to browser.
b) Download the "Signing CA" in PEM format in WebAdmin (HTTP/S Proxy -> HTTPS CAs), then distribute it to clients using AD group policies (good for MS shops).
c) Have clients visit the End User Portal. It has a new menu entry "HTTPS proxy" which features a single button to install the "Signing CA".
__________________
Tom Kistner
Product Development & Administrator
Astaro AG
|