Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Hussain1
New Contributor II

SSL Rollout for DPI in Educational Campus

Hi All, 

I'm testing the deployment of DPI on our firewall to extend our security level between our students/staff and guests. I know I can deploy the cert manually, using GPO, or using Jamf Pro for MacBook devices.

However, a scenario will come where certain users are not getting the certificate in order to be downloaded and installed on their devices. Therefore, any internet connection won't work.

I'm just thinking out loud here: to have a redirection / a landing page which hosts the certificate with a few instructions to guide the users on how to obtain the cert and download it on their devices.

I'd appreciate your ideas / thoughts about how this can be implemented / has already been achieved.

Regards,

3 REPLIES
ebilcari
Staff

You can use an external web page using HTTP only; the page will not be blocked by DPI.

I don't know if there is a way to use a portal or redirect the users automatically; most probably you have to instruct the end user to manually open that site. If you are using a captive portal, you can configure that URL to redirect the user after login.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Hussain1
New Contributor II

Hello, 

Thanks for your email. I have managed to deploy the solution with minimal user interference, and that was my intention.

I have made a redirection page which contains all the download URLs, including the instructions for each platform. When users connect, they are redirected to a landing page.

The only challenge I have faced is Apple/iOS/iPad devices. However, luckily we have a JAMF solution which manages our Apple devices. Using the enrolment procedure to push a package that includes the CA certificate, we are able to get the certificate profile installed and then enable the certificate in the Apps/VPN section.

The security measures in place of using DPI, but of course you have to keep in mind the devices which need to be connected without inspection: APs, phones, SBCs, etc.

An access policy is in place for those devices, and a restricted policy with DPI below as the last policy for all HTTP/HTTPS.

[Attached image: FW Policy.JPG]

Is there anything that I need to include / a recommendation for achieving this task in a better way?

Thanks,

Hussain1

Hi,

Yes, that's exactly what I have done as a landing page, with instructions on how to download and install the cert based on the device categories.
