Iceni Web Proxy - Important Upgrade

To ensure that applications can continue to operate through your Iceni web filter, you must deploy a new security certificate to all devices on your network.

Four years ago, we introduced HTTPS interception functionality to the Iceni web proxy. This allowed Iceni's content inspection technologies to categorise encrypted HTTPS web requests in real time, and stood Iceni in good stead when Google enforced encrypted searches two years later.

Now, major application vendors and web services have announced plans to stop supporting the SHA-1 trusted root security certificates which Iceni uses. In order to continue to support the new security requirements, all customers are being issued with stronger SHA-384 trusted root certificates.

What Do You Need To Do?

In order to avoid disruption, you must deploy a new trusted root security certificate to all devices on your network, unless HTTPS interception is disabled or set to Passive mode in appropriate groups. You can check whether Active HTTPS Interception is enabled for a device through the Policy Modelling report (Reports -> Web Proxy -> Policy Modelling). However, if you needed to install the original SHA-1 trusted root certificate on a device, it is likely you will also need to install the new SHA-384 certificate.

Log into your Iceni system's web interface and click on the Web Proxy tab. The Web Proxy page includes links to both your original SHA-1 certificate and the new SHA-384 certificate. The Web Proxy page also includes QR codes which can be used to install the certificate onto mobile devices. Prior to 18th April 2017, both trusted root certificates must be installed on each device. After this date, the SHA-1 certificate will no longer be used, but there is no need to uninstall it from each device. For security reasons, the certificate is unique to each school.

Please see the appropriate Iceni user manual page for detailed installation instructions.
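
Before deploying the two downloaded files, it is worth confirming which one is the SHA-384 certificate and recording its fingerprint for comparison on devices. The script below is an added example, not taken from the Iceni manual. Its function names and file names are assumptions, and the sample certificates are constructed locally with openssl, with a SHA-256 sample standing in for "not the new certificate".

```shell
#!/bin/sh
# Added example: tell the downloaded root certificates apart before deployment.
# Function names and file names are hypothetical; sample certs are constructed.

# Print the signature algorithm of a PEM certificate, e.g. sha384WithRSAEncryption.
sig_alg_of() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Map an algorithm name to sha1 / sha384 / other.
classify_alg() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *sha384*) echo sha384 ;;
        *sha1*)   echo sha1 ;;
        *)        echo other ;;
    esac
}

# A trusted root is self-signed: subject and issuer are identical.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# One line per certificate: file, class, algorithm, root check, SHA-256 fingerprint.
report_cert() {
    alg=$(sig_alg_of "$1")
    if is_self_signed "$1"; then root=yes; else root=no; fi
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')
    printf '%s\t%s\t%s\tself-signed=%s\t%s\n' \
        "$1" "$(classify_alg "$alg")" "$alg" "$root" "$fp"
}

# Constructed sample root: $1 = digest flag (e.g. -sha384), $2 = output PEM path.
make_sample_root() {
    openssl req -x509 -newkey rsa:2048 -nodes "$1" -days 1 \
        -subj "/CN=Constructed Sample Root" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo on constructed samples; replace with the files from the Web Proxy page.
tmp=$(mktemp -d)
make_sample_root -sha384 "$tmp/new-root.pem"
make_sample_root -sha256 "$tmp/other-root.pem"
for f in "$tmp"/*.pem; do report_cert "$f"; done
rm -rf "$tmp"
```

Because the certificate is unique to each school, the fingerprint printed here is the value to compare against what a device shows in its trusted root store.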

When Do You Need To Do It?

Your original SHA-1 certificate will stop being used on 18th April 2017. Any devices which do not have the new SHA-384 trusted root certificate installed will display security warnings when browsing HTTPS websites and many applications will no longer function.

If you would like the deadline to be brought forward to a date that is more convenient for you, please contact our support team.


If you require any help, our support team are always happy to help. Please contact us on or (01792) 824568.