Solved

Blue Coat SSL Interception

Posted on 2011-02-22
4
1,963 Views
Last Modified: 2012-05-11
Hi,

We have the Blue Coat appliance that allow for SSL interception.  Is anyone familiar with this? Does this require pushing a certificate out to every work station?  Thanks.
0
Comment
Question by:NYGiantsFan
  • 3
4 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 34952084
Yes, it does.

The bluecoat appliance has a fake "ca" certificate (which you can generate yourself if you wish, although it will happily self-generate) which you must push to all workstations or they will generate a "invalid certificate" error.

In an AD environment you can conveniently do this via group policy. on a non-ad environment (but one with login scripts) You can export the cert in the form of a registry key and use silent registry import (or a bit of vbs) to push it into registry keystores.

Note that the certificate will *still* be invalid for java applets and non-microsoft browsers (opera, firefox, chrome etc) as the windows keystore is used by ms products pretty much exclusively (so internet explorer or dotnet apps)
0
 

Author Comment

by:NYGiantsFan
ID: 34952280
Dave,

Thanks for your brilliance again!


The problem I am having is that people are saying that every user needs a seperate key that needs to be purchased from entrust. (Thus running into hundreds of thousands of dollars)

  I believe you can set up your own certificate authority and assign a private key to blue coat, then the public key will be sent to each brower.  That public certificate can be assigned via active directory.

Is this correct?

0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 34953148
no, not even that complex.

The bluecoat requires a CA type key and certificate - you can generate this yourself, but the bluecoat comes with a tool to create a self-signed certificate if you dont' have a ca already (I think its basically just openssl.exe though).

I usually use xca, which has stood me in good stead for such things, so haven't tried the bundled tool.

during operation, the bluecoat visits the target site, then generates a matching certificate signed with its own CA key, and with its own public key replacing the original (so it can decrypt the traffic) which is sent to the client. that is then used as the primary element in a man-in-the-middle attack, similar to that performed by the "webscarab" program.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 34953464
This might help
https://kb.bluecoat.com/index?page=content&id=KB3700
step by step instructions on how to set up a bluecoat ssl proxy using the MS CA.
0

Featured Post

Give your grad a cloud of their own!

With up to 8TB of storage, give your favorite graduate their own personal cloud to centralize all their photos, videos and music in one safe place. They can save, sync and share all their stuff, and automatic photo backup helps free up space on their smartphone and tablet.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Three simple tips to quickly and efficiently back up and protect the contents of your PC and Mac®.
How important is it to take extra precautions to protect your online business? These are some steps you can take to make sure you're free of any cyber crime.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now