Frequent Contributor I
Posts: 94
Registered: ‎01-27-2016

ArubaQuickConnect Windows SmartScreen

Users running Windows 10 (possibly 8.1 as well) run into issues when attempting to install the ArubaQuickConnect application as part of the OnBoarding process. The Windows SmartScreen pops up a window "Windows protected your PC". This is causing confusion and making it difficult for users to onboard. Some research shows I might need an EV signed cert? Has anyone else encountered this and worked through it? Thanks a bunch!

 

Philip Wightman, ACMP, ACCP

 

 

Guru Elite
Posts: 7,987
Registered: ‎09-08-2010

Re: ArubaQuickConnect Windows SmartScreen

You can upload a code-signing certificate which will be used for the Windows exe and also the Mac/iOS .mobileconfig file.

 

You also need to be sure to allow access to Microsoft SmartScreen in the onboard enrollment role.

 

code-signing.png


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 94
Registered: ‎01-27-2016

Re: ArubaQuickConnect Windows SmartScreen

Tim,

 

Thank you very much for the quick reply. I will look into creating and uploading a code-signing certificate. 

 

For the SmartScreen URLs, I created a NetDestination with the following URLs and applied it on my Whitelist for the Captive Portal profile. I still seem to be getting blocked. Do you know a better list of domain names to block?

 

  netdestination SmartScreen                         
  name crl.godaddy.com
  name certificates.godaddy.com
  name crl.starfieldtech.com
  name certificates.starfieldtech.com
  name ocsp.godaddy.com
  name ocsp.starfieldtech.com
  name urs.microsoft.com

 

 

Thanks so much for the help!

Guru Elite
Posts: 7,987
Registered: ‎09-08-2010

Re: ArubaQuickConnect Windows SmartScreen

Hm. AFAIK, urs.microsoft is the only one you should need. Best thing to do would be to fire up Wireshark, run QuickConnect and then filter the pcap down to DNS. There may be an additional entry these days.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 94
Registered: ‎01-27-2016

Re: ArubaQuickConnect Windows SmartScreen

Thanks again. 

 

I had to add the following URL as well.

 

w.apprep.smartscreen.microsoft.com

 

I am digging into the Cert now. 

 

Phil

 

Frequent Contributor I
Posts: 94
Registered: ‎01-27-2016

Re: ArubaQuickConnect Windows SmartScreen

So I have made it a little farther...

 

I created a Code Signing CSR, bought a Code Signing Cert with GoDaddy and applied the CSR. GoDaddy turned around the Certificate and I have it on hand. 

 

I am now attempting to Upload the Certificate and it is requiring that I attach the Key. Since I generated the CSR on CPPM, doesn't it already have the Key? If I need to attach it, where do I get it? I can't seem to find a way to export the Key from CPPM so I can attach it.

 

In hindsight, I probably should have done this with OpenSSL.

 

Thanks again for the help!

Guru Elite
Posts: 7,987
Registered: ‎09-08-2010

Re: ArubaQuickConnect Windows SmartScreen

Where did you do a signing request in ClearPass? If you did it under certificates, it used an Onboard CA. You need to do the request outside of ClearPass. The DigiCert tool works well: https://www.digicert.com/util/


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 94
Registered: ‎01-27-2016

Re: ArubaQuickConnect Windows SmartScreen

Ahhh... That would explain it. I wish that was clear in the CPPM documentation. Thanks for the tool. Looks a little easier to use than OpenSSL. Thanks, I will post back when configuration is complete. 

 

Note - GoDaddy states they need up to 10 business days to process a Code Signing Cert. I was able to get them to push it through much quicker but I was not expecting this. They may not do it so quickly this time around. 

 

Phil

 

Guru Elite
Posts: 7,987
Registered: ‎09-08-2010

Re: ArubaQuickConnect Windows SmartScreen

They'll usually revoke it once for free. Just tell them there was a private key issue.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor I
Posts: 94
Registered: ‎01-27-2016

Re: ArubaQuickConnect Windows SmartScreen

I hate to be a pain and feel like a complete n00b but I want to make sure I do this right on the second go around. When I use DigiCert, it generates the CSR but I cannot seem to find the key. I see that in my Windows certificate store there is a new CERT that reflects the name I chose when creating the CSR. I could certainly export this but I am not confident this is just a Key and not sure if this will import correctly into CPPM. Can you walk me through this start to finish?

 

Here is what I think needs to be done:

1. Use DigiCert to create Code Signing CSR

2. Have Public CA (Such as GoDaddy) create a Code Signing Cert from this CSR

3. Using Windows Certificate Manager MMC Snap-in - Export the Certificate created by DigiCert

3a. The only option for export is a .pfx file

3b. Create a password when exporting

4. Download the Certificate from GoDaddy

5. In ClearPass OnBoard / Management and Control / - Upload Code Signing Certificate

5a. Upload the Certificate and Private Key

 

The New Code Signing Cert will now be available as a selection in the OnBoard Client settings found in the OnBoard Provisioning Settings configuration. Select it and save.

 

Now when clients with Windows 8.1 / 10 attempt to OnBoard machines, they will no longer receive a SmartScreen pop-up from Windows. (Assuming the whitelist has allowed the communication to Microsoft as discussed earlier in this thread).

 

Thanks so much for the help! I hope this will help other users out there running into the same issue that are not intimately familiar with Code Signing Certs!!

 

Phil
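A pre-upload check for steps 3 to 5 above, added here as an example and not part of the original posts: it pulls the private key out of the password-protected .pfx export and confirms that the CA-issued certificate was issued for that key and carries the Code Signing extended key usage. The function name, output file name and the PFX_PASS / KEY_PASS variables are hypothetical, and it is an assumption that the upload form accepts a PEM-encoded key.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl is on PATH and that the
# caller has exported PFX_PASS (the .pfx export password from step 3b) and
# KEY_PASS (a new passphrase for the extracted key). Passwords are read from
# the environment so they never appear on a command line.
# Usage: split_and_check_pfx export.pfx issued-cert.pem /secure/output/dir

split_and_check_pfx() {
  scp_pfx=$1; scp_issued=$2; scp_key="$3/codesign-key.pem"

  # Extract only the private key, keep it passphrase-protected, and create
  # the file readable by the current user alone.
  ( umask 077
    openssl pkcs12 -in "$scp_pfx" -passin env:PFX_PASS -nocerts \
      -passout env:KEY_PASS -out "$scp_key" ) ||
    { echo "cannot read private key from pfx" >&2; return 2; }

  # The issued certificate must contain the public half of this exact key.
  # A CSR generated somewhere else (the first attempt in this thread) fails here.
  scp_cert_pub=$(openssl x509 -in "$scp_issued" -noout -pubkey) || return 2
  scp_key_pub=$(openssl pkey -in "$scp_key" -passin env:KEY_PASS -pubout) || return 2
  if [ "$scp_cert_pub" != "$scp_key_pub" ]; then
    echo "MISMATCH: certificate was issued for a different key" >&2
    rm -f "$scp_key"
    return 1
  fi

  # Authenticode signing requires the Code Signing extended key usage.
  if ! openssl x509 -in "$scp_issued" -noout -text | grep -q "Code Signing"; then
    echo "certificate lacks the Code Signing extended key usage" >&2
    return 3
  fi

  # Success: print the path of the key file to upload with the certificate.
  echo "$scp_key"
}
```

Return code 1 means the certificate and key do not belong together, 3 means the certificate is not a code-signing certificate; in either case the upload would not produce a usable signer.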

 

 
