Meraki

Hammer · ‎Oct 30 2019

Hi.

I'm looking at using an MX as a web filter but the network will be used primarily as a guest network. This means I don't want to and can't install the root cert on devices. A lot of firewall vendors support HTTPS filtering using methods such as reviewing the name on the certificate instead of actually inspecting the traffic by doing a MITM. Does the MX offer any such features, aside from Cisco Umbrella?

Thanks.

Nash · ‎Oct 31 2019

The content filtering is URL-based and doesn't care about packet contents.

I don't believe the MX will perform certificate inspection this way.

I certainly do not recommend using it for HTTPS inspection, since it makes your throughput go to pot as well as the MITM issue.

Windows 10 Client VPN scripts: Makes life better!

PhilipDAth · ‎Oct 31 2019

>Does the MX offer any such features

Yes. When a web browser initially connects to an https site it sends a "connect" message in plain text with the domain name it wants to talk to.

When a server is configured to use SNI the server uses this connect message to decide which certificate to use to present to the client. After this the connection goes encryted.

Hammer · ‎Oct 31 2019

Hi @PhilipDAth

Thank you for confirming this. I haven't been able to find any documentation on it. Is it just part of the standard web filtering or is there anything extra to enable?

Also, is the behaviour that you describe affected by HSTS pre-loading?

Thanks.

PhilipDAth · ‎Oct 31 2019

Nothing extra to enable.

I don't know about HSTS.

Meraki

Community

HTTPS without MITM

HTTPS without MITM