Hi All,
I'm testing the deployment of DPI on our firewall to extend our security level between our students/staff and guests. I know I can deploy the cert manually, using GPO, or using Jamf Pro for MacBook devices.
However, a scenario will come where certain users are not getting the certificate downloaded and installed on their devices. Therefore, any internet connection won't work.
I'm just thinking out loud here: to have a redirection / a landing page which hosts the certificate with a few instructions to guide the users on how to obtain the cert and download it on their devices.
Appreciate your ideas / thoughts about how this can be implemented / has already been achieved.
Regards,
You can use an external web page using HTTP only; the page will not be blocked by DPI.
I don't know if there is a way to use a portal or redirect the users automatically; most probably you have to instruct the end user to manually open that site. If you are using a captive portal, you can configure that URL to redirect the user after login.
Hello,
Thanks for your email. I have managed to deploy the solution with minimal user interference, and that was my intention.
I have made a redirection page which contains all the download URLs, including the instructions for each platform. When users connect, they will be redirected to a landing page.
The only challenge I have faced is Apple/iOS/iPad devices. However, luckily we have a Jamf solution which manages our Apple devices. Using the enrolment procedure to push a package that includes the CA certificate, we are able to get the certificate profile installed, then enable the certificate in the Apps/VPN section.
The security measures are in place using DPI, but of course you have to keep in mind the devices which need to be connected without inspection: APs, phones, SBCs, etc.
An access policy is in place for those devices, and a restricted policy with DPI is below it as the last policy for all HTTP/HTTPS.
Is there anything that I need to include / a recommendation of achieving this task in a better way?
Thanks,
Implementing a redirection or landing page to host the certificate and provide instructions can be a helpful approach. Here's a general outline of how you can implement this solution for your SSL rollout in an educational campus:
Create a landing page: Design a webpage that hosts the certificate file and provides clear instructions on how to download and install it. You can include step-by-step guides, visuals, and any relevant information to assist users in obtaining and installing the certificate.
Configure firewall rules: Set up firewall rules to redirect users to the landing page whenever they attempt to access the internet without the required certificate. This can be done by intercepting and redirecting HTTP/HTTPS traffic to the landing page.
SSL certificate hosting: Host the SSL certificate file on a web server or a specific location accessible to users. Ensure that the certificate is easily downloadable from the landing page.
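The outline above, sketched as request-handling logic for such a landing page. This is an added example, not code from any poster or from Fortinet; the paths, the install hints and the placeholder certificate bytes are assumptions, and the page also shows the certificate's SHA-256 fingerprint so users can compare it after download.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for the DER-encoded CA certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

# Illustrative per-platform install hints (assumed wording, adapt to your own guides).
STEPS = {
    "windows": "Open ca.crt and install it into Trusted Root Certification Authorities.",
    "macos": "Open ca.crt in Keychain Access and set it to Always Trust.",
    "ios": "Install the profile, then enable full trust under Certificate Trust Settings.",
    "android": "Install ca.crt from Settings as a CA certificate.",
    "other": "Import ca.crt into your system or browser trust store.",
}

def classify_platform(user_agent):
    """Best-effort device category from the User-Agent header."""
    ua = user_agent.lower()
    # Order matters: iOS agents contain "like Mac OS X", Android agents contain "Linux".
    for key, needle in (("ios", r"iphone|ipad"), ("android", r"android"),
                        ("windows", r"windows nt"), ("macos", r"macintosh")):
        if re.search(needle, ua):
            return key
    return "other"

def pem_to_der(pem):
    """Strip the PEM armor and decode the base64 body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der):
    """SHA-256 fingerprint as colon-separated hex, for comparison after download."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def respond(path, user_agent, pem=SAMPLE_PEM):
    """Return (status, content_type, body) for one landing-page request."""
    der = pem_to_der(pem)
    if path == "/ca.crt":
        return 200, "application/x-x509-ca-cert", der
    if path != "/":
        return 404, "text/plain", b"not found"
    html = ('<h1>Install the campus CA certificate</h1><p>%s</p><p>SHA-256: %s</p>'
            '<a href="/ca.crt">Download</a>') % (STEPS[classify_platform(user_agent)], fingerprint(der))
    return 200, "text/html; charset=utf-8", html.encode()
```

An iPad that requests the desktop site sends a Macintosh User-Agent, so it is classified as macOS here; linking every platform's guide from the page covers that case.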
Hi,
Yes, that's exactly what I have done: a landing page with instructions on how to download and install the cert based on the device categories.