Hi all,
we got one customer who complained that users were able to download certain files, even when they should have been blocked.
The webprotection was not able to block several file types, because everything went via SSL. So we distributed the Proxy CA certificate of the firewall to all PCs via group policy in the domain and after a week the SSL inspection was switched over to decrypt and scan. This worked fine as expected.
What nobody had in mind was, that some of the users also had iPhones and they need to use the internal network to be able to print from some of the applications. We had the discussions about this already…
I found no way to add self-signed certificates (like the Proxy CA certificate of the UTM) as a trusted certificate in the iPhone.
So I see three possible solutions:
1) Change the hostname so it fits the name of an external domain and get a signed certificate of an external trusted CA and upload it into the UTM as a Proxy CA certificate.
2) Switch the firewall to standard proxy mode and block outgoing traffic for port 80 and 443 for the normal devices from the network. All devices have to use the proxy for outgoing web traffic
3) Move a printer into a new WLAN subnet and move all iPhones into the same WLAN/SSID
Did anybody of you had a similar challenge and which solution did you prefer ?
Many thanks for your help
This thread was automatically locked due to age.
