Using the Cisco IronPort Transparent HTTPS Proxy feature in an Active Directory environment with Windows clients is relatively simple. The process involves importing the self-generated certificate from the IronPort into the Trusted Root Certification Authorities store of your domain computers via Group Policy.
Firstly, log into the IronPort web management interface. Go to Security Services > HTTPS Proxy Settings and edit the settings.
Tick to enable the HTTPS Proxy.
Click Generate New Certificate and Key.
Enter the details for the certificate and click Generate.
You will now be given the option to Download Certificate in the generated key area. Save the certificate to your computer.
Commit the changes.
We are now ready to import the certificate into Group Policy.
Open the Group Policy Management Console (gpmc.msc) on a management workstation or server.
Edit the GPO you wish to import the certificate to. In this case we will be importing the certificate into the Default Domain Policy GPO.
Navigate to Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities. Right click Trusted Root Certification Authorities and select Import…
Browse to the location of the saved certificate. Note that the certificate will have been saved with a .pem extension so just select All Files (*.*) so you can find the certificate. Alternatively, you can rename the certificate file with a *.cer or *.crt extension.
Note that the certificate is being imported into the Trusted Root Certification Authorities store, not the Personal or Intermediate store.
Complete the wizard. You are now done!
If you want to test immediately, refresh group policy using gpupdate on a computer you have applied the GPO to.
Browse to an SSL protected website. You should not be presented with any certificate warnings. Checking the certificate should show the IronPort as the certificate issuer, because the proxy re-signs each site's certificate with the root you just distributed.
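The two checks above (root cert present, site certificate issued by the IronPort) can be scripted on a domain-joined client after gpupdate. This is an added PowerShell example, not part of the original post; it assumes the CN you entered when generating the certificate is "IronPort-Root" (placeholder) and uses www.example.com as the test site.

```powershell
# Added example: verify that the IronPort root cert reached this machine via GPO
# and that HTTPS connections are now being issued by it.
param(
    [string]$IssuerCN = 'IronPort-Root',   # placeholder: the CN from your generated cert
    [string]$TestHost = 'www.example.com'  # any external HTTPS site the proxy intercepts
)

# 1. Is the IronPort certificate in the machine's Trusted Root store?
#    (Computer Configuration GPO lands in LocalMachine\Root, not CurrentUser.)
$rootCert = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$IssuerCN*" }
if (-not $rootCert) {
    Write-Warning "No root cert with CN=$IssuerCN in LocalMachine\Root. Run 'gpupdate /force' and check the GPO is linked to this computer's OU."
} else {
    "Root cert present: {0} (thumbprint {1}, expires {2})" -f `
        $rootCert.Subject, $rootCert.Thumbprint, $rootCert.NotAfter
}

# 2. Open a TLS connection and let .NET validate the chain exactly as IE/Chrome would.
#    A trusted handshake plus an IronPort issuer means the proxy is active and trusted;
#    an AuthenticationException means the proxy re-signed the site but the root is not trusted here yet.
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($TestHost)   # throws if the presented chain is not trusted
    $siteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($siteCert.Issuer -like "*CN=$IssuerCN*") {
        "HTTPS proxy active: $TestHost certificate issued by '$($siteCert.Issuer)'"
    } else {
        "Not intercepted: $TestHost certificate issued by '$($siteCert.Issuer)' (proxy disabled or this host bypassed)"
    }
} catch [System.Security.Authentication.AuthenticationException] {
    Write-Warning "Handshake to $TestHost failed validation: $($_.Exception.Message). Users on this machine will see certificate warnings until the root cert is applied."
} finally {
    $ssl.Dispose()
    $tcp.Close()
}
```

Run it in an elevated prompt only if you also want to repair the store; reading Cert:\LocalMachine\Root and opening the TLS connection need no special rights.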
Well-presented, handy little tip. Thanks!
David
Link | March 10th, 2011 at 5:09 am
Awesome. Thanks for that!
Link | August 30th, 2011 at 11:06 pm
Nice tip…. but what about the case where one generates the certificate and saves it for distribution by GPO – WITHOUT enabling the HTTPS Proxy until the cert has been distributed across the organisation ?
In that situation, returning to IronPort HTTPS Proxy Settings, one can upload the previously-generated certificate…. but there is no private key to upload.
What should one do then ?
cheers
Nick
Link | October 4th, 2011 at 3:43 pm
Update to previous post
– IronPort have not documented my approach, distributing the cert BEFORE enabling HTTPS proxy
– one must generate cert and Commit the Enable change, and afterwards export the certificate
– then one can disable the proxy, distribute the cert, and finally re-enable the proxy, which retains the generated cert data
– Feature request and documentation update are now in the IronPort pipeline
Link | October 4th, 2011 at 5:09 pm
This will work fine for IE and Chrome because they both utilize the Windows certificate store. For Firefox users, there is an additional step of importing the cert into its own certdb.
Link | January 25th, 2012 at 8:40 pm