?
Solved

Blue Coat SSL Interception

Posted on 2011-02-22
4
Medium Priority
?
2,021 Views
Last Modified: 2012-05-11
Hi,

We have the Blue Coat appliance that allow for SSL interception.  Is anyone familiar with this? Does this require pushing a certificate out to every work station?  Thanks.
0
Comment
Question by:NYGiantsFan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 2000 total points
ID: 34952084
Yes, it does.

The bluecoat appliance has a fake "ca" certificate (which you can generate yourself if you wish, although it will happily self-generate) which you must push to all workstations or they will generate a "invalid certificate" error.

In an AD environment you can conveniently do this via group policy. on a non-ad environment (but one with login scripts) You can export the cert in the form of a registry key and use silent registry import (or a bit of vbs) to push it into registry keystores.

Note that the certificate will *still* be invalid for java applets and non-microsoft browsers (opera, firefox, chrome etc) as the windows keystore is used by ms products pretty much exclusively (so internet explorer or dotnet apps)
0
 

Author Comment

by:NYGiantsFan
ID: 34952280
Dave,

Thanks for your brilliance again!


The problem I am having is that people are saying that every user needs a seperate key that needs to be purchased from entrust. (Thus running into hundreds of thousands of dollars)

  I believe you can set up your own certificate authority and assign a private key to blue coat, then the public key will be sent to each brower.  That public certificate can be assigned via active directory.

Is this correct?

0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 2000 total points
ID: 34953148
no, not even that complex.

The bluecoat requires a CA type key and certificate - you can generate this yourself, but the bluecoat comes with a tool to create a self-signed certificate if you dont' have a ca already (I think its basically just openssl.exe though).

I usually use xca, which has stood me in good stead for such things, so haven't tried the bundled tool.

during operation, the bluecoat visits the target site, then generates a matching certificate signed with its own CA key, and with its own public key replacing the original (so it can decrypt the traffic) which is sent to the client. that is then used as the primary element in a man-in-the-middle attack, similar to that performed by the "webscarab" program.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 2000 total points
ID: 34953464
This might help
https://kb.bluecoat.com/index?page=content&id=KB3700
step by step instructions on how to set up a bluecoat ssl proxy using the MS CA.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
If you're a modern-day technology professional, you may be wondering if certifications are really necessary. They are. Here's why.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question