Outlook – How to Disable or Bypass Outlook Certificate Warning

Tags: microsoft-outlook, proxy, ssl

Recently, I switched to a wireless EVDO connection for broadband. The EVDO modem connects to one PC, and the other PCs on my home LAN (workgroup-based, no domain) connect through it using FreeProxy (v.3.92 from Handcraftedsoftware.org).

I'm pretty happy with this setup, except for Outlook. I'm running Outlook 2003 on my laptop, and every time Outlook connects to check for e-mail, I must dismiss several dialogs with the following message:

Internet Security Warning

The server you are connected to is using a security certificate that could not be verified.

The certificate's CN name does not match the passed value.

Do you want to continue using this server?

In Outlook, I am specifying the IP address of the machine running FreeProxy as the server address for each of my e-mail accounts, then in FreeProxy I configure the incoming port number to match what I entered in Outlook, and the outgoing port number to match what is required by my e-mail services.

I think I understand what is happening here. Since several of these services require a secure connection, Outlook is warning me that the connection to FreeProxy cannot be verified as trustworthy, since FreeProxy doesn't have a security certificate. But since this connection is only the first hop, and entirely within my own LAN, I don't care about that. What I do care about is not having to click multiple dialogs to dismiss the warnings whenever Outlook connects.

I've found on the 'net references to self-signed certificates that can be used with Outlook to avoid this warning, but they all seemed to apply to either Exchange Server or Outlook Web Access on IIS. Can I use one of these in this instance, and if so, how do I get one and then how do I get the Outlook client to recognize it? If not, is there some other security setting I can change so that these dialogs will stop pestering me?

I posted this here rather than ServerFault because, as I'm not a server admin, I didn't know if I'd understand any answer I might get over there. 🙂 Thanks!

Best Answer

Instead of using an HTTP proxy, I suggest you set up Network Address Translation, to move IP packets at the IP layer. This will pass through the SSL connection without decrypting it at the gateway PC, and eliminate the security warning. Basically Outlook is telling you that your gateway PC is trying to perform a man in the middle attack, which it basically is.

The way SSL (encrypted) connections work is, it's perfectly fine if someone is sitting between you and the server you're communicating with and is simply viewing the encrypted traffic. The protocol is designed to accommodate situations where other computers (trusted or not) can see your encrypted traffic. But if other computers can see your encrypted traffic, such as with an HTTP proxy, the protocol is immediately aware of that fact, and flags the connection as insecure.

You can set up Network Address Translation on the gateway PC (the one connected to the EVDO modem) using, for example, Windows Internet Connection Sharing. This allows the other PCs connected to have a private IP address on a private subnet that all routes out to the EVDO modem eventually. It basically treats your gateway PC as a router. (Note the term "gateway" refers to a box that performs router and/or firewall-like functions in order to push traffic to and from another network; in this case, the public Internet.)

Guides for setting up Windows ICS are exorbitantly common, not only on SU but also in the Microsoft knowledge base and Windows help. Please explore some of the existing resources along these lines prior to asking for help on how to set up ICS.

Your research regarding certificates is correct. There IS technically a way to induce a silent man in the middle attack, by trusting a Root CA for which your FreeProxy server has a signing key. I don't know if the actual FreeProxy program is able to encrypt the traffic on a domain basis, but programs such as Burp definitely can, and there are existing guides out there explaining how to set it up (on Burp's site at portswigger.net).

However, ICS is a solution that is much more flexible and does not involve this configuration hassle, so I highly recommend it.
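The "CN name does not match" text in the question's dialog comes from the name check every TLS client performs: the server name typed into the account settings is compared against the names carried in the certificate that arrives on the connection. The following is an added diagnostic example, not code from the thread or from FreeProxy; it reproduces that comparison on a constructed certificate dict (the shape Python's getpeercert() returns) and shows why an account pointed at the proxy's IP address can never satisfy a certificate issued for the mail host's DNS name, whatever end of the proxy the certificate comes from.

```python
"""Reproduce the name check behind Outlook's "CN name does not match" warning.

Hypothetical diagnostic helper (not code from the thread or from FreeProxy):
the server name configured in the mail client is compared with the names in
the certificate presented on the connection, the way a TLS client does.
"""
import ipaddress


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: '*' may stand in for the leftmost label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_server_name(cert: dict, configured: str) -> tuple:
    """Return (ok, reason) for a getpeercert()-style dict and the configured name.

    DNS SANs take precedence over the subject CN (CN is a fallback only when
    no DNS SAN exists); an IP literal only ever matches an IP Address SAN.
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        wanted_ip = ipaddress.ip_address(configured)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        if any(ipaddress.ip_address(v) == wanted_ip for v in ip_names):
            return True, "IP address matches an IP SAN"
        return False, f"certificate names {ip_names + dns_names + cns} do not include {configured}"
    names = dns_names or cns
    if any(_name_matches(n, configured) for n in names):
        return True, "name matches"
    return False, f"certificate names {names} do not match {configured}"


# Constructed sample: the kind of certificate a mail provider might present.
MAIL_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    # Account pointed at the proxy's LAN address (constructed) vs. real host names.
    for server in ("192.168.1.10", "mail.example.com", "imap.example.com"):
        print(server, check_server_name(MAIL_CERT, server))
```

Running it shows the configured proxy address failing while either DNS name passes, which is exactly the condition the Outlook dialog reports.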