SSL inspection is not simple. You are basically going to use your filter to 
pull off a man-in-the-middle attack on your desktops. So every client will 
have to have a cert from that filter installed so that it trusts your filter. 
The Windows boxes in your domain will be easy. But iPhones, Androids, 
Chromebooks and BYOD will have to download that cert, install it and trust it.

Double-check the Windows CA cert idea; many filters won't take them for SSL 
inspection... they will only work with their own self-generated cert.

Remind the powers that be that YouTube blocking is not a CIPA/E-Rate 
requirement. So the blocking must be a behavior issue: the students are 
sucking up your bandwidth, or they are goofing off. Those are behavioral issues 
that are seldom solved by technology. And their attempt to solve it via 
technology is going to create a nightmare, for them. You too, but they will be 
more concerned about their nightmare.
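The mechanism the reply above describes, as an added example that is not part of this thread: the filter's self-generated CA, the per-site certificate it forges on every intercepted connection, and the check each client then performs against its own trust store. This is Go standard-library code written for this page; the CA name "School Filter Inspection CA" and the hostname are assumed. A domain PC whose Trusted Root store received the filter CA (by GPO) accepts the forged leaf; a BYOD device without it gets the unknown-authority error its users will be calling the helpdesk about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result is what two kinds of clients make of the filter's forged cert.
type Result struct {
	IssuerSeenByClient string // what the browser's cert viewer shows as issuer
	ManagedAccepts     bool   // domain PC: filter CA pushed to Trusted Root by GPO
	ByodAccepts        bool   // iPhone/Chromebook: filter CA never installed
	ByodError          string // verification error the BYOD device hits
}

// keyAndTemplate builds a fresh P-256 key and a short-lived cert template.
func keyAndTemplate(cn string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	return key, &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}, nil
}

// newInspectionCA is the filter's own self-generated root (assumed name).
func newInspectionCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, tmpl, err := keyAndTemplate(cn, 1)
	if err != nil {
		return nil, nil, err
	}
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintLeaf is the man-in-the-middle step: the filter forges a server cert
// for the requested hostname and signs it with its own CA key.
func mintLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, tmpl, err := keyAndTemplate(host, 2)
	if err != nil {
		return nil, err
	}
	tmpl.DNSNames = []string{host}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Simulate creates the filter CA, forges a leaf for host, and evaluates it
// the way a managed client and a BYOD client each would.
func Simulate(host string) (Result, error) {
	ca, caKey, err := newInspectionCA("School Filter Inspection CA")
	if err != nil {
		return Result{}, err
	}
	leaf, err := mintLeaf(host, ca, caKey)
	if err != nil {
		return Result{}, err
	}
	// The check every TLS client makes: chain the presented leaf to a root
	// in *this client's* store, for *this* hostname.
	verify := func(roots *x509.CertPool) error {
		_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
		return err
	}
	managed := x509.NewCertPool() // GPO-managed store: filter CA present
	managed.AddCert(ca)
	byod := x509.NewCertPool() // BYOD store: public roots only (none needed offline)

	r := Result{IssuerSeenByClient: leaf.Issuer.CommonName}
	r.ManagedAccepts = verify(managed) == nil
	if err := verify(byod); err != nil {
		r.ByodError = err.Error()
	} else {
		r.ByodAccepts = true
	}
	return r, nil
}

func main() {
	r, err := Simulate("www.youtube.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The issuer field is the practical check: on any device, open the certificate for an https site and look at who issued it. If it reads as the filter's CA, that device is being inspected and trusts it; if the device instead throws an unknown-authority error, the CA was never installed on it.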

From: [email protected] [mailto:[email protected]] On 
Behalf Of Matthew W. Ross
Sent: Tuesday, October 14, 2014 3:17 PM
To: [email protected]
Subject: Re: [NTSysADM] Windows CA Server

Short answer: We don't _need_ this. Not yet, anyways.

Slightly longer answer: The powers that be are asking me to block YouTube 
for some students, allow YouTube for Schools for the rest, and unfiltered 
YouTube for staff. It's possible with our current filter, but the way to get 
the best results (including https:// access to YouTube, which is often the 
default) is to have SSL inspection.

I'd like to have SSL inspection anyway, as many sites are going to SSL/TLS 
encryption... some without the option of regular http access... The 
only other option is to configure a proxy instead of the current transparent 
proxy setup we have now. We have done that in the past, with mixed results.

The various responses I've received so far have halted my test deployment, as 
I'm now trying to fully understand the enormity of this. I'm a fan of keeping 
it simple, so we will wait and see what solution works best for us.


--Matt Ross
Ephrata School District

Brian Desmond <[email protected]>, 10/14/2014 9:00 AM:

I'd ask the question of why you need a CA for this?

Thanks,

Brian Desmond
[email protected]
w – 312.625.1438 | c – 312.731.3132



From: [email protected] [mailto:[email protected]] On 
Behalf Of Matthew W. Ross
Sent: Monday, October 13, 2014 5:58 PM
To: [email protected]
Subject: [NTSysADM] Windows CA Server

We have been happily getting by without doing SSL inspection on our content 
filter. Now, it seems that we may need to take that next step.

I'm making a Windows CA server on our VMware cluster now.

Before I get too deep, any "gotchas" I should be looking for? Looking into 
this, it looks like I might be diving right into the deep end. Time for a lot 
of reading...

--Matt Ross
Ephrata School District
