HTTPS filtering using WPAD questions



  • I am new to pfSense and HTTPS filtering using WPAD. I read articles here about how to use WPAD and how to configure them.

    First, I noticed that I need a CA certificate and I need to export and import the certificate to the workstation's Internet Explorer.
    That would be OK if the workstations or computers can be managed, but what if that user is a public user, like Wi-Fi or BYOD users?
    Does that mean I need to install the self-generated CA certificate? A possible workaround is to have or purchase a certificate which any
    browser already has installed.

    Second, I noticed that after configuring the DNS for WPAD, there is a need to configure the DNS suffix in the workstation or device network configuration so that when you ping wpad it will return the IP address. I can't possibly configure the DNS suffix in the device network configuration of public and all BYOD users. I can't find a solution for this.

    But that was just my problem, probably you guys already have a solution for those. May I ask, how did you resolve the problems stated above?

    Thanks



  • @techbee:

    I need to install the self-generated CA certificate?

    Yes

    @techbee:

    A possible workaround is to have or purchase a certificate which any browser already has installed.

    No, because the certificate you create is not a server certificate, it's a certificate authority.

    @techbee:

    Second, I noticed that after configuring the DNS for WPAD, there is a need to configure the DNS suffix in the workstation or device network configuration so that when you ping wpad it will return the IP address. I can't possibly configure the DNS suffix in the device network configuration of public and all BYOD users. I can't find a solution for this.

    Yes, you can push the DNS suffix using DHCP.

    Take a look at the Squid package and the splice all SSL transparent interception. It will not intercept the connection but will check sites and ACLs under every HTTPS certificate requested.



  • Hi Marcelloc,

    Can you kindly direct me? I don't know much about WPAD and HTTPS filtering but I am here to learn. Thanks again.

    What I understood was, if I choose splice all, I don't need to install the CA cert on clients, am I right?
    On the other hand, I don't know how to push the DNS suffix using DHCP, or maybe I got it the wrong way.



  • @techbee:

    What I understood was, if I choose splice all, I don't need to install the CA cert on clients, am I right?

    Yes, that's it.

    @techbee:

    On the other hand, I don't know how to push the DNS suffix using DHCP, or maybe I got it the wrong way.

    Take a look at or search for DNS DHCP options. BTW, if you're going to configure Squid splice all, it can be in transparent mode. This way, you do not need a WPAD file. Mobile devices ignore WPAD configuration too.

