Description: 1) Enabling the HTTP(S) proxy: 1.1) Enable the HTTP(S) proxy in the menu UTM -> Proxy -> HTTP proxy settings. 1.2) For this example proxy operations should be transparent. With this setting, the Unified Firewall automatically forwards all requests that arrive on port 80 (HTTP) or port 443 (HTTPS) via the proxy. 1.3) In this example, the default certificate of the HTTPS proxy CA is used as the proxy CA. The CA (certificate authority) is used by the HTTP(S) proxy to issue pseudo-certificates. 1.4) In this example, no client authentication is performed. With this feature enabled, HTTP(S) client authentication is based on the Unified Firewall user administration.
1.5) Optionally you can whitelist domains that should be excluded from SSL inspection, virus scanning and URL filtering. Whitelisted domains are accepted by the HTTP(S) proxy without inspection and can be accessed directly with the user's browser. No certificates are created. This setting is required by services that use strict certificate pinning, such as Windows Update at windowsupdate.com. You can add any number of domains. Type in a domain and click “+” to add it to the list. You can edit or delete any entry in the list by clicking on the appropriate icon. Tip:The domains can include the following placeholders: * and . for whole words, ? for single characters. 1.6) Click on the Save button to accept your settings.
2) Configure usage of the HTTP(S) proxy: In this example, the LAN contains Windows PCs that can access the Internet. Throughout the LAN, access to web pages is forced to go via the HTTP(S) proxy of the Unified Firewall. 2.1) In the host/network groups desktop object for the LAN, click the connection icon and then click the WAN network object. 2.2) The dialog with the settings for this connection is opened. Now you have to click on the NAT option for the HTTP and/or HTTPS service. 2.3) Set a checkmark for the option Enable proxy for this service and click Save. 2.4) The entries in the list of services for HTTP and/or HTTPS should look like this. Click on Save again. 2.5) Finally, implement the configuration changes by clicking Activate in the firewall.
3) Export certificate and import it on a Windows PC: In this example, the LAN contains numerous Windows PCs that can access the Internet. Access should be directed via the HTTP(S) proxy of the Unified Firewall. 3.1) Go to the menu Certificate management → Certificates. 3.2) Expand the Certificates menu and, for the certificate of the default HTTPS Proxy CA, click the export icon. 3.3) The certificate has to be exported in PEM format. Click the Export button to start the process. 3.4) On your computer, go to the folder where you exported the certificate. 3.5) In order to install the certificate under Windows, change the file extension from *.pem to *.crt.
Please note that you must have administrator rights to install the certificate on a Windows system. 3.6) Click the certificate file and acknowledge the subsequent security warning with OK. 3.7) In the Certificate dialog, select the option Install certificate. 3.8) In this example, the certificate installed on the local computer is to be used by all users of this computer. 3.9) Select the option Place all certificates in the following store, click Browse and select the Trusted root certification authorities store. 3.10) Click Next and continue until the Certificate Import Wizard is finished. 3.11) This concludes the certificate import. Any popular browser will be able to use the certificate after the computer is restarted.
Repeat the certificate import procedure (steps 3.7 to 3.11) on all of the other computers in the LAN.
Note on using the certificate in Mozilla Firefox: Do the following to use the certificate in Mozilla Firefox: - Enter the following into the address bar of the browser: about:config.
- Search for the value security.enterprise_roots.enabled.
- Change the value from false to true.
- Restart the browser.
|