Hello all!
My problem is simple: enabling DLP with SSL deep inspection generates warnings on client browsers.
How can I install my domain controller certificate on the FortiGate 100D so I won't have to install the SSL certificate (from the FortiGate) on every connected device?
You need to create a CSR on your firewall and use your domain controller to sign a certificate which you will then import into your firewall and use in your SSL/SSH inspection options.
There are plenty of KB articles and videos that outline the process but having a general idea of how certificates work is helpful. Are you running certificate services on your domain controller?
Go to the section on using a custom cert on this cookbook article for some pointers http://cookbook.fortinet....-certificate-warnings/
FortiAdam wrote: You need to create a CSR on your firewall and use your domain controller to sign a certificate which you will then import into your firewall and use in your SSL/SSH inspection options.
There are plenty of KB articles and videos that outline the process but having a general idea of how certificates work is helpful. Are you running certificate services on your domain controller?
Go to the section on using a custom cert on this cookbook article for some pointers http://cookbook.fortinet....-certificate-warnings/
Thank you for clearing this up.
I work in the networking department, but I will ask if the IT department could help with the signing (you know, communications between different departments are never good).
Another thing:
SSL inspection also breaks Microsoft Exchange. Do I need to install the FortiGate certificate on the Exchange server too? Or is it a DC problem?
That depends on what your issue is with Exchange exactly. You will need that signed certificate from your domain admin either way, so I would start with that. Keep in mind that you don't necessarily need to deep packet inspect all traffic. If you want to inspect email, it would make more sense to do it as it comes in and out from the internet because it isn't typically encrypted at that point. Adjust your settings under Policy > Policy > SSH/SSL Inspection as needed.