WebProxy with Signed Certificates

[lomax0990]

So one more question...

How do people handle BYOD situations for say like student cell phones were we can't install a certificate?

We have some DNS filtering in place but were hoping to proxy that traffic also.

[Patrick M. Hausen]

Use a separate VLAN with plain Internet.

And VPN combined with MDM if these users must access company resources.

[Maurice]

What's your actual goal?

You can't and shouldn't proxy anyone's HTTPS traffic without their consent and cooperation. That's exactly what TLS is for, to prevent you from doing this.

If you want to block access to certain websites from your network, use IP blocklists. DNS filtering might work to some degree, too, but (thankfully) is becoming more and more ineffective with the spread of DoT / DoH.

[lomax0990]

My goal is to allow students/staff to bring their own device but be able to block malicious sites, reverse proxies, porn, etc.

Then I would have other networks with different proxy rules.

These are already segmented by vlan. 

IP blocklists seems to defeat the point.  I can’t possibly block all of the bad sites by an ip blocklist.

[Maurice]

You can and should protect the devices owned and managed by your organisation, but not personal devices owned by students or staff. This is neither technically viable nor, frankly, your job. From their perspective, the WiFi they are allowed to use with personal devices is no different from any other public WiFi or mobile data (where no-one "protects" you either). Just make sure this network is isolated from the networks used by your organisation's devices.

If this is about accessing internal resources (not just the Internet) with personal devices, that's a whole can of worms on its own. Organisations which allow this typically require these devices to be managed by them, even though they are personally owned (MDM as suggested by Patrick).

[cookiemonster]

However institutions are expected to block content in their networks, even when not accessing internal resources.
So say a guest network. If users were able to access questionable content, there is potential for reputational damage; so it's less of not being the admin's job to protect the users' devices. I imagine this is where the OP is coming from.
OP, you might want to see what Zenarmor can do for you.

[Maurice]

@cookiemonster "Reputational damage" to an institution because it provides a simple guest network with plain Internet access? Now I've heard everything.

[cookiemonster]

yup, maybe is different in different geopgraphies but where I am, the press is brutal. But it doesn't stop there.
There are statutory requirements too https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1105569/Online_safety_in_schools_and_colleges.Questions_from_the_Governing_Board__2022_.pdf
https://learning.nspcc.org.uk/research-resources/schools/e-safety-for-schools
https://www.gov.uk/guidance/meeting-digital-and-technology-standards-in-schools-and-colleges/filtering-and-monitoring-standards-for-schools-and-colleges
So the relationship is that if the institution fails its duty, the goverment will intervene. The press will ensure it doesn't go unnoticed.