[Ace] Fwd: SSL Decryption coming

Anthony Cuffe cuffe at jlab.org
Tue Sep 6 16:40:36 EDT 2016


FYI.  We will need to formulate a plan for this.


-------- Forwarded Message --------
Subject: SSL Decryption coming
Date: Tue, 6 Sep 2016 16:10:46 -0400 (EDT)
From: Kelvin Edwards <kelvin at jlab.org>
To: Anthony Cuffe <cuffe at jlab.org>

Anthony,

We're planning on enforcing decryption of all outbound SSL connections through the proxy
starting later this month (9/27).  What this means for you is that any Linux or Windows
system that makes an SSL connection to a system offsite is going to get a certificate
signed by the JLab Windows CA.  And this is true even if you're using the JLab proxy
server.  So, prior to the 27th, you'll need to ensure that:

1) The JLabWinCA is installed and configured on all Windows and Linux systems in the ACE
    network.

2) Any system that has been specifically set up to use jprox.jlab.org should, instead, be
    set to use the wpad.dat file to determine which proxy to use.  Or, you can set it to
    use the jprox-2016 proxy server.  The wpad.dat file is more flexible, though, as it
    ensures that the proxy is not used for local web servers.

Let me know if you have any questions or concerns.  Please note that sometime in the next
few months, the CA that is used by the Palo Alto SSL decryption engine will be set to
use the new JLab CA and that will need to be pushed out as well.  If you want to do them
all together, let me know and I'll get you the new JLab CA cert.

Also, if you want to move to using SSL Decryption earlier, let me know.  The new jprox-2016
proxy server is set up and we can always set the ACE networks in the wpad.dat file to use
jprox-2016 instead of jprox.

-- kelvin
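
Added example, not part of the forwarded message and not JLab's actual wpad.dat: a proxy auto-config function of the kind item 2 describes, sending local web servers direct and everything offsite through the decrypting proxy. The proxy port, the choice of `.jlab.org` as the "local" domain, and the private-address check are assumptions made for illustration.

```javascript
// Added example PAC logic. Port 8080 is a placeholder; the message gives none.
var PROXY = "PROXY jprox-2016:8080";
// Assumption: "local web servers" means hosts under this domain.
var LOCAL_DOMAIN = ".jlab.org";

// Stand-ins for two PAC built-ins so the file also runs under Node.
// A browser's PAC engine supplies its own; drop these when deploying.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// True for a literal IPv4 address in loopback or RFC 1918 space.
// Works on the string only, so no DNS lookup is triggered per request.
function isPrivateLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 127 || a === 10 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names (including "localhost") are local by definition.
  if (isPlainHostName(host)) return "DIRECT";
  // Match on the dotted suffix so "notjlab.org" is not treated as local.
  if (dnsDomainIs(host, LOCAL_DOMAIN) || host === LOCAL_DOMAIN.slice(1)) {
    return "DIRECT";
  }
  if (isPrivateLiteral(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is down, offsite traffic fails
  // instead of silently bypassing inspection.
  return PROXY;
}
```
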

