Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Blue Coat SSL Interception

Posted on 2011-02-22
4
1,975 Views
Last Modified: 2012-05-11
Hi,

We have the Blue Coat appliance that allow for SSL interception.  Is anyone familiar with this? Does this require pushing a certificate out to every work station?  Thanks.
0
Comment
Question by:NYGiantsFan
  • 3
4 Comments
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 34952084
Yes, it does.

The bluecoat appliance has a fake "ca" certificate (which you can generate yourself if you wish, although it will happily self-generate) which you must push to all workstations or they will generate a "invalid certificate" error.

In an AD environment you can conveniently do this via group policy. on a non-ad environment (but one with login scripts) You can export the cert in the form of a registry key and use silent registry import (or a bit of vbs) to push it into registry keystores.

Note that the certificate will *still* be invalid for java applets and non-microsoft browsers (opera, firefox, chrome etc) as the windows keystore is used by ms products pretty much exclusively (so internet explorer or dotnet apps)
0
 

Author Comment

by:NYGiantsFan
ID: 34952280
Dave,

Thanks for your brilliance again!


The problem I am having is that people are saying that every user needs a seperate key that needs to be purchased from entrust. (Thus running into hundreds of thousands of dollars)

  I believe you can set up your own certificate authority and assign a private key to blue coat, then the public key will be sent to each brower.  That public certificate can be assigned via active directory.

Is this correct?

0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 34953148
no, not even that complex.

The bluecoat requires a CA type key and certificate - you can generate this yourself, but the bluecoat comes with a tool to create a self-signed certificate if you dont' have a ca already (I think its basically just openssl.exe though).

I usually use xca, which has stood me in good stead for such things, so haven't tried the bundled tool.

during operation, the bluecoat visits the target site, then generates a matching certificate signed with its own CA key, and with its own public key replacing the original (so it can decrypt the traffic) which is sent to the client. that is then used as the primary element in a man-in-the-middle attack, similar to that performed by the "webscarab" program.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 500 total points
ID: 34953464
This might help
https://kb.bluecoat.com/index?page=content&id=KB3700
step by step instructions on how to set up a bluecoat ssl proxy using the MS CA.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It’s the first day of March, the weather is starting to warm up and the excitement of the upcoming St. Patrick’s Day holiday can be felt throughout the world.
Many businesses neglect disaster recovery and treat it as an after-thought. I can tell you first hand that data will be lost, hard drives die, servers will be hacked, and careless (or malicious) employees can ruin your data.
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question