UniFi Gateway - NeXT AI SSL Traffic Inspection
NeXT AI Inspection utilizes SSL/TLS decryption to intercept encrypted traffic and analyze its contents for security monitoring or filtering purposes.
Requirements
- Enterprise Fortress Gateway (EFG)
- UXG-Enterprise
Inclusions, Exclusions and Privacy Implications
In networks where traffic is decrypted, clients need to be informed that their traffic is no longer private. Carefully consider on which networks NeXT AI Inspection is enabled and which traffic is inspected, and seek legal advice to avoid privacy violations. NeXT AI Inspection can be configured in two modes:
- Specific - This is the default and recommended mode. Select categories and add individual domains that should be inspected. With Search Engines selected it is possible to view, track and block user queries.
- All - Inspect all traffic and exclude individual domains that should not be inspected. This mode requires manually excluding websites that include confidential information.
Decrypting and inspecting traffic is a trade-off between security and visibility on one side and the experience of clients connecting to the internet on the other. Before enabling NeXT AI Inspection, carefully consider which mode to use and which client traffic should be inspected.
Specific Traffic - View, Track and Block Queries
In Specific mode, the queries that clients type into search engines and ChatGPT automatically appear on the Inspection page. Using Actions, specific queries can also be tracked, or blocked so that clients do not see the results. If a query is tracked, client traffic matching that query can be filtered on the Inspection page.
All Traffic
In All mode, more exclusions will likely need to be added over time as clients report issues accessing specific websites or services. It is recommended to start by excluding all health care, government and financial websites, as these handle confidential information. To avoid performance and connectivity issues with the provided services, Apple, Microsoft and Ubiquiti domains are excluded automatically; they can still be inspected if necessary.
Best Practices for Traffic Inspection and Scanning with NeXT AI
- Understand Session Limits:
  - NeXT AI supports a maximum of 10,000 concurrent sessions. A session is one request (query) that a browser makes.
  - The number of users that can be supported varies, as one browser window may open anywhere from 2 to 30 queries at once.
- Optimal Concurrent Sessions:
  - To avoid CPU stress, keep the number of concurrent sessions at 5,000 or fewer.
- Select Traffic to Inspect:
  - Focus on inspecting users' search queries and ChatGPT usage to manage session load effectively.
- Isolate Inspection to Specific VLANs:
  - Run NeXT AI Inspection only on a VLAN dedicated to employee devices.
  - Since NeXT AI requires a certificate installed on devices for inspection, it is impractical to include guest devices.
- Configure Network Devices Properly:
  - If you have a UNVR or any other UniFi console behind your gateway, ensure it is on a non-inspected VLAN to avoid potential software update issues.
Implementing these best practices will help in optimizing the performance and efficiency of NeXT AI traffic inspection and scanning.
Simple, Advanced Mode, and the NeXT AI Certificate
Simple mode is the most straightforward way to configure NeXT AI Inspection. It inspects traffic from all or specific networks and all or specific traffic types. Advanced mode provides the ability to use Inspection Profiles. Each profile can be associated with a different network and has its own set of configuration options.
When NeXT AI Inspection is enabled on all or specific networks, traffic from clients is first decrypted, then inspected and finally re-encrypted using the NeXT AI Inspection certificate. This self-signed certificate is issued by the UniFi Gateway and must be installed on each client to avoid security warnings when visiting websites.
Note: Only a single NeXT AI Inspection certificate is used, even when configuring different profiles.
Certificate Installation
When NeXT AI Inspection is enabled, clients will see security warnings and experience reachability issues if the certificate is not installed on their device. The certificate can be provided to clients either by manual installation or by distributing it through another mechanism. The manual installation steps are listed below.
Note: It is currently not possible to distribute the certificate using UniFi Identity.
macOS
- Download the certificate to the Downloads directory on the client.
- Launch Keychain Access and select the System keychain.
- Open Finder and drag the certificate from Downloads to the list inside Keychain Access.
- Double click the certificate to open the details and expand Trust.
- Change When Using this Certificate from Use System Defaults to Always Trust.
- To ensure that all applications recognize the new certificate, restart the client device.
Note: Certificates added to the Login keychain are only available to the currently logged in user. The System keychain applies to all users.
Windows
- Download the certificate to the Downloads folder on the client.
- Open File Explorer and double click the certificate to open the details.
- Select Install Certificate to import it to the Current User store location.
- Select Place All Certificates in the Following Store and browse to select Trusted Root Certification Authorities.
- To ensure that all applications recognize the new certificate, restart the client device.
Note: Certificates located under Current User are only available to the currently logged in user. Local Machine applies to all users.
iOS
- Use a browser to download the certificate from a secure location.
- Tap Allow when prompted to download the Configuration Profile.
- Open the settings and tap Profile Downloaded to install the certificate*.
- After installing the profile, navigate to General - About - Certificate Trust Settings and toggle Enable Full Trust For Root Certificates for this certificate.
- To ensure that all applications recognize the new certificate, restart the client device.
*Alternatively, navigate to General - VPN & Device Management and tap Downloaded Profile.
Android
- Download the certificate from a secure location to the internal storage.
- Navigate to the Security and Privacy - More Security settings, tap Install From Device Storage - CA Certificate and browse the internal storage to select the certificate*.
- Verify that the certificate is correctly installed with View Security Certificates.
- To ensure that all applications recognize the new certificate, restart the client.
*The location of the certificate settings may differ depending on the Android version and manufacturer.
Note: Apps targeting Android 7 or later trust only system CA certificates by default and ignore user-installed CA certificates unless the app explicitly opts in, so some apps may still fail to connect after the certificate is installed. Browsers generally honor user-installed certificates.
Custom Certificate
Besides using the built-in self-signed certificate, it is also possible to upload a certificate to the UniFi Gateway. This certificate is then used to re-encrypt the client traffic and must also be installed on each client device. Because the gateway signs the certificates it presents to clients with this certificate, it needs to be a CA certificate together with its private key. Protect that key: anyone who holds it can impersonate any website to every client that trusts the certificate.
Note: Only a single certificate can be active at once.
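The installation steps above and the Custom Certificate option are easier to reason about with the certificate in hand. The following shell script is an added example, not code from Ubiquiti or the UniFi product: it generates a CA of the kind a gateway needs for a Custom Certificate, shows how such a gateway mints per-site certificates from it (the reason the CA key is sensitive), prints the fingerprint to compare against what a client trust store shows after installation, checks from a client whether a given host is actually being inspected, and wraps the macOS keychain command that performs the manual macOS steps. It assumes openssl 1.1.1 or later on the PATH; the host, directory and file names are placeholders, and the file format the Custom Certificate upload accepts is not stated on this page, so PEM is an assumption to confirm in the dialog.

```shell
#!/bin/sh
# Added example (not Ubiquiti's code) for working with the NeXT AI Inspection
# CA: generate a CA suitable for upload as a Custom Certificate, issue a
# per-site certificate the way an inspecting gateway does, verify whether a
# connection is being inspected, and script the macOS install step.
# Assumes: openssl 1.1.1 or later on PATH; certificates are PEM files.
set -eu

# Minimal OpenSSL config used for both the CA and the leaf certificates, so the
# result does not depend on the distribution's default openssl.cnf.
write_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed CA with CA:TRUE and a key usage limited to signing certificates.
# The gateway needs the private key as well as the certificate; the upload
# format is not stated on the page (assumption: PEM), so check the dialog.
# Writes $1/inspection_ca.pem and $1/inspection_ca.key.
make_inspection_ca() {
  dir="$1"; cn="$2"
  write_cnf "$dir/req.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$dir/req.cnf" -subj "/CN=$cn" \
    -keyout "$dir/inspection_ca.key" -out "$dir/inspection_ca.pem" 2>/dev/null
}

# What an inspecting gateway does on the fly for every site: mint a certificate
# for the hostname, signed by the inspection CA. Anyone holding the CA key can
# do this for any site, which is why that key needs protecting.
issue_site_cert() {
  cadir="$1"; host="$2"; out="$3"
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$out.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$cadir/req.cnf" \
    -subj "/CN=$host" -keyout "$out.key" -out "$out.csr" 2>/dev/null
  openssl x509 -req -in "$out.csr" -days 1 -sha256 \
    -CA "$cadir/inspection_ca.pem" -CAkey "$cadir/inspection_ca.key" -CAcreateserial \
    -extfile "$out.ext" -out "$out" 2>/dev/null
}

# SHA-256 fingerprint (hex with colons) of a certificate. Compare this with the
# fingerprint shown in the client's trust store after installation.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit status 0 if the certificate in $1 chains to the CA in $2, non-zero otherwise.
issued_by_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run from a client: fetch the certificate HOST presents and report whether it
# was issued by the inspection CA, i.e. whether this traffic is being decrypted.
# Needs network access, so it is not exercised offline.
check_host_inspected() {
  host="$1"; ca="$2"; leaf="$(mktemp)"
  # -servername sends SNI; </dev/null makes s_client exit after the handshake.
  openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$leaf"
  if issued_by_ca "$leaf" "$ca"; then
    echo "$host: inspected ($(openssl x509 -in "$leaf" -noout -issuer))"
  else
    echo "$host: not inspected ($(openssl x509 -in "$leaf" -noout -issuer))"
  fi
  rm -f "$leaf"
}

# Scripted form of the manual macOS steps: add the CA to the System keychain as
# a trusted root (needs sudo). Restart the device afterwards, as noted above.
install_ca_macos() {
  sudo security add-trusted-cert -d -r trustRoot \
    -k /Library/Keychains/System.keychain "$1"
}
```

Run check_host_inspected from a client on the inspected VLAN with the certificate exported from the gateway as the CA argument: a host on the exclusion list (Apple, Microsoft, Ubiquiti or your own exclusions) should report "not inspected" with its public CA as issuer, while an inspected site should report the inspection CA. The same check run from a guest VLAN confirms that inspection is isolated to the intended networks, as recommended above.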