Pacific Computer Wizards - Memory Repository ....

An informational repository of … thoughts, data, sharing, and ideas, posted.
– Use the information in these posts at your own risk.
The ideas, thoughts, and expressions posted here are for my own use.

-President & Chief Wizard


Sophos UTM – SSL Web Proxy Scanning Configuration and GPO Deployment

posted Jul 20, 2018, 8:38 AM by Andrew Chadick   [ updated Jul 20, 2018, 10:58 AM ]

This article comes from TCPTechs.  Copied here for my own reference.
https://www.tcptechs.com/sophos-utm-ssl-web-proxy-scanning-configuration-and-gpo-deployment/

This document provides instructions on how to implement SSL Scanning (HTTPS decryption) on a Sophos UTM firewall so that websites using HTTPS can be filtered, and how to push the UTM's Signing CA to domain computers with Group Policy so they trust the re-signed certificates.

Requirements:

– Access to manage the Sophos UTM
– A test computer on the network subnet that SSL Scanning is being enabled for.
– Access to the Active Directory Server and GPO management.

  1. Log into the client's Sophos UTM at https://SophosIPAddr:4444
    1. Use your credentials to log in
  2. Go to Web Protection, Web Filtering, HTTPS CAs and click on Download under Signing CA.
    DO NOT CLICK REGENERATE. Regenerating creates a brand new Signing CA, so every client that already trusts the old one will start getting certificate warnings and the whole deployment below has to be done over again.
  3. Use export type PEM. Click Download.
  4. Now that we have the Signing CA certificate that clients must trust for HTTPS scanning, we need to import it into Group Policy. Open Group Policy Management and edit the Default Domain Policy if you want it to apply to the entire domain, or create a new GPO and link it to whichever OUs it should apply to.
  5. Go to Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities
  6. Here you can see I already have a Proxy CA certificate. Yours might be called something else, but it will have the word Proxy in it. Since I need to reimport it, I will go ahead and update this. If you need to update it, first delete the existing Proxy CA, then right click and select Import.
  7. Click Next and browse for the certificate you just downloaded. When you browse you may have to select All Files to see the certificate. Use the Date Modified column to your advantage, because sometimes multiple certificates show up.
  8. Make sure Trusted Root Certification Authorities is selected and click next.
  9. Click Finish
  10. Now we have the Proxy CA
  11. Verify all the Domain Controllers replicate this.
  12. Now check that no OU containing computers has Block Inheritance turned on. People typically don't use this, but you need to double check. Here you can see the blue exclamation marks, which mean Block Inheritance is on; those OUs will not get the Default Domain Policy. DO NOT CHANGE ANY OU settings and do not use Enforced. Make only the changes explained in this document that are needed to get the certificate installed. Do not make any changes that can impact users.
  13. So in this example, Netbooks, Student, Tablets and Windows 8 need to have the newly created group policy linked. Go to each OU and link the new Install Proxy Certificate GPO. Remember this certificate is installed at the computer level, not the user level, so the Students OU wouldn't matter since it only contains student accounts.
  14. Now that we have the certificate deployed in Active Directory, all computers need to pick up the policy. When they restart they will install the certificate. Restart your test computer, or alternatively run gpupdate /force from a command line.
  15. Now we need to enable SSL scanning. In the Sophos UTM, go to Web Protection, Web Filtering Profiles, Filter Profiles.
  16. Edit all of the profiles, open the HTTPS tab, select Decrypt and Scan and click Save.
  17. Make sure you enabled Decrypt and Scan for all of the profiles. Now on the test computer open Internet Explorer and go to https://www.bankofamerica.com. The page should load without a warning, and the certificate shown behind the padlock should be issued by the Proxy CA, which proves the traffic is being decrypted. If you get a certificate not trusted warning, the computer has not picked up the GPO yet: run gpupdate /force or restart and try again.
  18. If you are using a Standard Proxy instead of Transparent, you need to make sure you have a “FallBack” filter profile. This profile is used to ensure that anyone without proxy settings at least gets filtered transparently. So under Webfiltering Proxy Profiles in this screen shot you can see that there is a proxy fallback profile.

    If you don’t have one then follow these steps
    1. Click New Proxy Profile
    2. The name should be called fallback. The position should be bottom. We want this to be very last. The network should be the LAN internal Network
    3. Make sure Fallback action is set to the most restrictive filter. This is important! Then make sure Operation mode is Transparent, Authentication type is None, and Full transparent is UN-CHECKED. Make sure Decrypt and Scan is checked on the HTTPS tab.
    4. Click Save.
    5. So now if you go to a device that does not have proxy settings in internet explorer and view the Sophos Live Log you should see that device profile listed as fallback.
  19. To install the certificate on iPads, browse to http://passthrough.fw-notify.net/cacert.pem from the iPad while it is behind the Sophos; it will pop up an option to install the certificate. Note an iPad may require the PKCS export from step 2 instead of the PEM.
  20. The client should do some extensive testing to ensure the sites they need to access work. Sites and apps that pin their certificates, and browsers that keep their own trust store rather than using the Windows one (Firefox does, unless it is configured to import enterprise roots), will not accept the Proxy CA and need exclusions or separate handling.
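As a check on steps 14 to 17, here is an added PowerShell script to run on the test computer. It is my own example, not code from the TCPTechs article or from Sophos. It assumes the PEM downloaded in step 3 was saved as C:\Temp\ProxyCA.pem and uses www.bankofamerica.com as the test site; both are placeholders. It confirms the Signing CA actually landed in the machine Trusted Root store (the GPO writes there, not to the user store), then opens a TLS connection and checks whether the certificate the client receives was re-signed by that CA, which is the direct evidence that Decrypt and Scan is in effect for this client.

```powershell
# Added example (not from the TCPTechs article or Sophos): verify the UTM Signing CA
# is trusted at the machine level and that Decrypt and Scan is really in effect.
# Assumptions (placeholders, not values from the article):
#   - the PEM from step 3 is saved as C:\Temp\ProxyCA.pem
#   - https://www.bankofamerica.com is reachable through the UTM from this computer
param(
    [string]$PemPath  = 'C:\Temp\ProxyCA.pem',
    [string]$TestHost = 'www.bankofamerica.com'
)

# 1. Load the exported CA so we can compare thumbprints instead of display names
#    (the deployed copy may be called something other than "Proxy CA").
$proxyCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PemPath
Write-Host "Signing CA from PEM : $($proxyCa.Subject)"
Write-Host "Thumbprint          : $($proxyCa.Thumbprint)"

# 2. Group Policy installs into the machine store. Look in LocalMachine\Root, not CurrentUser.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $proxyCa.Thumbprint
if ($inRoot) {
    Write-Host 'OK  : CA is present in LocalMachine\Root (GPO applied).'
} else {
    Write-Warning 'CA missing from LocalMachine\Root. Run "gpupdate /force" or reboot, then re-check.'
    # On a machine that is not domain-joined the same import can be done by hand:
    #   Import-Certificate -FilePath $PemPath -CertStoreLocation Cert:\LocalMachine\Root
}

# 3. Open a TLS session to the test site and inspect the certificate the client receives.
#    When Decrypt and Scan is on, the UTM presents a certificate signed by its Signing CA
#    instead of the real site chain. Validation errors are tolerated here on purpose so the
#    certificate can still be inspected when the CA is not (yet) trusted.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $TestHost, 443
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
try {
    $ssl.AuthenticateAsClient($TestHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

    # Build the chain with the exported CA available as an extra candidate, so the root is
    # found even when the store is still missing it. Build() returns $false when the root is
    # untrusted, but the chain elements are populated either way.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $null = $chain.ChainPolicy.ExtraStore.Add($proxyCa)
    $null = $chain.Build($leaf)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    Write-Host "Leaf issuer : $($leaf.Issuer)"
    Write-Host "Chain root  : $($root.Subject)"
    if ($root.Thumbprint -eq $proxyCa.Thumbprint) {
        Write-Host "OK  : HTTPS to $TestHost is being decrypted and re-signed by the UTM."
    } else {
        Write-Warning "HTTPS to $TestHost is NOT going through Decrypt and Scan (real site chain seen)."
        Write-Warning 'Check the HTTPS tab of the filter profile this client matches, or the fallback profile.'
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Run it as any user; reading LocalMachine\Root does not need elevation. A "real site chain seen" result with the CA present in the store means the client's traffic is bypassing decryption (a profile without Decrypt and Scan, an exclusion, or a client that matches no profile), which is a filtering gap rather than a trust problem; the opposite case, a re-signed certificate with the CA missing from the store, is what produces the browser warning in step 17.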


Importing the Certificate on Mac OS X

Follow the steps below to manually import the certificate on Mac OS X.

  1. Open the Keychain Access application. Use Spotlight search to find this app easily.
  2. Click the lock symbol to unlock the keychain for changes.
  3. Open the File menu and select Import Items.
  4. Select the CA certificate exported from the UTM. At this point you should see the certificate in the keychain with the message "This root certificate is not trusted".
  5. Double click the certificate and expand the Trust section of the dialog box. In the first dropdown box, "When using this certificate", select Always Trust.
  6. Close the dialog boxes and exit the Keychain Access application.
Related Links:
https://community.sophos.com/kb/en-us/115315


Global Phones - Bands

posted Jul 18, 2018, 11:24 AM by Andrew Chadick

Gearbest and Banggood offer some very cool phones, but you have to make sure the phone supports your carrier's bands.
Start by searching for "Global" or "International" models, then compare the listed bands against the ones below.

AT&T
GSM 1900 = B2
GSM 850 = B5
LTE 700 = B12
LTE 1700/2100 (AWS) = B4


Check out what Google is tracking on your account

posted Jul 13, 2018, 6:11 AM by Andrew Chadick   [ updated Jul 16, 2018, 11:28 AM ]

Location Sharing - Not always a good idea

posted Jul 9, 2018, 7:45 AM by Andrew Chadick

Especially when the data is an active duty soldier's current location.

Duty to Retreat - FYI - Washington State

posted Jul 9, 2018, 7:35 AM by Andrew Chadick   [ updated Jul 16, 2018, 11:33 AM ]

Washington State has no “duty to retreat,” as precedent was set in State v. Studd (1999) and State v. Reynaldo Redmond (2003) when the court found: "that there is no duty to retreat when a person is assaulted in a place where he or she has a right to be." https://lewiscountywa.gov/sheriff/information-on-use-of-deadly-force
DEADLY FORCE – ISSUES TO CONSIDER

"The Second Amendment to the U.S. Constitution protects the rights of the people to keep and bear arms. The laws of the State of Washington define how one can carry a weapon and legally protect themselves.

While the right to keep and bear arms and the laws pertaining to use of force reside in separate documents, they are closely intertwined on issues of deadly force. The instrument of deadly force is not limited to a firearm and can be anything, including someone’s bare hands. 

It is your obligation to act in a responsible manner in exercising your right to keep and bear arms, and at the same time know and understand the laws governing the use of deadly force.

Over the years, the Lewis County Sheriff’s Office has investigated several encounters involving citizens using deadly force. Some of these incidents involved self-defense, others involved protection of property. Many times the use of deadly force was clearly justified, sometimes it was not, and occasionally it was ambiguous. In those cases where the use of force was not justified or ambiguous, the user of the force was charged and the matter put before the court system for determination.

As a law enforcement officer, I field many questions concerning the use of deadly force. Unfortunately, I often find confusion and misinformation exists among members of the public on this very important topic. The bottom line is…if you use deadly force, the law will protect you, but only if you have acted within the law. The decision to arm yourself is a personal choice, as is the choice to use deadly force in an encounter.

Before you decide to arm yourself with a weapon and be faced with the possibility of using deadly force, you should first and foremost arm yourself with the most valuable weapon of all – knowledge. Possessing advance knowledge of the limits of the law, the boundaries of your rights, and the capabilities of your weapon, will not only enhance your ability to effectively and safely react during a potential deadly force encounter, but will also increase your chances of surviving under the most stressful conditions." - Excerpt from above link.

The latest thing in Windows 10

posted Jun 29, 2018, 11:45 AM by Andrew Chadick

Want the latest thing in Windows 10 updates?  Skip ahead and join the insider program.  You get to see and test the latest advances before everyone else!  Some cool stuff awaits! 


Snipping Tool to be replaced- Insider Preview

posted Jun 29, 2018, 11:28 AM by Andrew Chadick   [ updated Jun 29, 2018, 11:40 AM ]

One of my favorite tools built in to Win 10 has just been announced as being sunset.  The new tool, Screen Sketch is similar but has some new and interesting functionality.  I'm not thrilled to lose tried and true, but I'll give this one a go.


Windows 10 Insider Preview - Run apps with GPU

posted Jun 29, 2018, 11:18 AM by Andrew Chadick

The next Gen version of Windows 10 will allow you to run certain apps using your graphics processor!!  This is so cool!


Mail and Domain Tools

posted Jun 26, 2018, 10:01 AM by Andrew Chadick   [ updated Jun 27, 2018, 7:32 AM ]

https://mxtoolbox.com/NetworkTools.aspx


SPF DKIM DMARC  Tests:  http://www.appmaildev.com

Great Tool for Double Checking everything:   www.whatsmydns.net

Google Maps and Waze

posted Jun 19, 2018, 7:06 PM by Andrew Chadick   [ updated Jun 29, 2018, 8:02 AM ]

Ok, so this is a bit of a rant, but, I think it needs to be said.  Waze when it first came out was a breath of fresh air, it gave you maps, plotted your route, and allowed you to interact with the map to let the system know that there was trouble on the route, car accident, pot hole, weather issue, etc.  Other drivers were then alerted of the issue.  It was a good balance of information to you, and information from you.
Over time, Waze started to implement advertising, it was small at first, you would see fast food and gas station logos in your map as you drove along.  Not really a big deal.  Not a deal breaker.  You were still getting good information, and as a payment of that good info, you gave good information in return.  It also has a social media aspect to it, which I never dove in to, but it is there.  
Then I guess the small ads weren't enough, and full screen ads would pop up whenever you came to a stop.  What is wrong with that, you might ask?  Well, for one thing, when you are following a map on your phone, even with it propped up in front of you, mounted on the dash, the only real time you have to actually "look" at your phone is when you are fully stopped, usually at a traffic light.  This is your chance to actually figure out your route, where you are going next and what alternate course you may be considering.  It was also, prior to the new traffic law about touching your phone, your opportunity to update the system with traffic issues, congestion, etc. Now you have to touch it and talk to it, but that's a different issue...  Instead of just having interface issues, now you have this ad to deal with too, which takes far too much time from the few seconds you are at a light.  
What bugs me the most about it is that it threw off the in/out balance; you were getting useful info, and you were paying Waze back with "your time and effort" to feed into the system.  Now the Waze app not only asks for your input as payment, but also forces ads at you.   I put up with the ads for a long time, after logging tens of thousands of miles on the system.  I'm done though.  I can't stand the advertising.  No more full screen ads to deal with. I think Waze made a huge mistake, and it's a shame because the system overall is good.  
But with no way to stop the ads, no way to buy out of them, it's basically just an ad machine.  I can watch TV if I want ads pushed at me, I don't need it when I'm driving too.   I'm done with Waze.

Now just an interesting anecdote, Waze was created in Israel, and when I was there last year, I noticed that the program updated itself, and all the ads went away.  The moment I came back to the US, update again, then ads.  
I think that is such BS.  If you are going to force ads on everyone in the US, you should subject yourself to them as well.

Anyway, end of rant.
