How to achieve SSL Forward Proxy if the root certificate is already present on huge number of end points.

Created On 09/25/22 15:23 PM - Last Modified 01/13/23 01:51 AM


Objective


In SSL Forward Proxy decryption, the firewall is a man-in-the-middle between the internal client and the external server. The firewall uses certificates to transparently represent the client to the server and to transparently represent the server to the client so that the client believes it is communicating directly with the server (even though the client session is with the firewall), and the server believes it is communicating directly with the client (even though the server session is also with the firewall). The firewall uses certificates to establish itself as a trusted third party (man-in-the-middle) for the client-server session. 

In a large infrastructure with users all over the globe, this can be achieved in one of two ways: either by using a root certificate that is already present on the endpoints as the Forward Trust certificate, or by creating a Self-Signed Certificate, manually installing it on all the local machines, and creating a certificate under that root certificate with Forward Trust checked.



Environment


  • Next-Generation Firewall
  • A huge number of endpoints need to access a particular internal website as a secured site.


Procedure


  1. Making the root certificate the Forward Trust certificate:
    1. For this to work, the root certificate must have both CA and Key checked. If the root certificate is already present on all devices globally, it can then be selected as the Forward Trust certificate.
    2. If the root certificate does not have Key or CA checked, the option to check Forward Trust Certificate is not offered.
  2. Manually installing the certificate on all the endpoints:
    1. Depending on company policy, this method is sometimes not possible. It can be achieved by pushing the certificate through a Group Policy Object (GPO), which is a third-party tool.
    2. Create a Self-Signed Certificate with Forward Trust checked.
       Note: the CN names must not be identical, or this method will not work.
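The procedure above depends on two properties of the certificate material: the root must carry the CA flag and its private key must be available (the CA and Key checkboxes), and a certificate issued under the root must not reuse the root's CN. The following is an added example, not code from the Palo Alto Networks article, that checks both properties on any certificate and issues a subordinate CA the way the second option describes. It assumes the third-party Python package cryptography is installed; every CN and key in it is constructed for illustration, and the function names are this example's own.

```python
# Added example, not code from the Palo Alto Networks article. Assumes the
# third-party 'cryptography' package is installed; all certificate names are
# constructed for illustration.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

VALIDITY = datetime.timedelta(days=365)


def make_key():
    """Generate a fresh EC private key (P-256 keeps the example fast)."""
    return ec.generate_private_key(ec.SECP256R1())


def _spki(public_key):
    """DER SubjectPublicKeyInfo, used to compare public keys by value."""
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def _builder(subject_cn, issuer_name, public_key, is_ca, path_length):
    """Common certificate skeleton; basicConstraints carries the CA flag."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + VALIDITY)
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=path_length), critical=True)
    )


def make_self_signed(cn, key, is_ca):
    """Self-signed certificate; is_ca sets the CA flag the firewall looks for."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return _builder(cn, name, key.public_key(), is_ca, None).sign(key, hashes.SHA256())


def forward_trust_problems(cert, key=None):
    """Reasons a certificate cannot serve as the Forward Trust CA.
    An empty list means the CA flag is set and a matching private key is
    present, i.e. both the 'CA' and 'Key' properties are satisfied."""
    problems = []
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value
        if not bc.ca:
            problems.append("basicConstraints CA flag is false")
    except x509.ExtensionNotFound:
        problems.append("no basicConstraints extension")
    if key is None:
        problems.append("private key not available")
    elif _spki(key.public_key()) != _spki(cert.public_key()):
        problems.append("private key does not match certificate")
    return problems


def subordinate_cn_allowed(root_cert, cn):
    """The article's note: the subordinate CN must differ from the root CN."""
    root_cn = root_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return cn != root_cn


def issue_subordinate_ca(root_cert, root_key, cn):
    """Issue a CA certificate under the root (the certificate that then gets
    Forward Trust checked). Returns (cert, key)."""
    if not subordinate_cn_allowed(root_cert, cn):
        raise ValueError("subordinate CN must differ from the root CN")
    problems = forward_trust_problems(root_cert, root_key)
    if problems:
        raise ValueError("root cannot issue: " + "; ".join(problems))
    key = make_key()
    cert = _builder(cn, root_cert.subject, key.public_key(), True, 0).sign(root_key, hashes.SHA256())
    return cert, key


def signed_by(cert, issuer_cert):
    """True if cert's signature verifies under issuer_cert's (EC) public key."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


if __name__ == "__main__":
    root_key = make_key()
    root = make_self_signed("Example Corp Root CA", root_key, is_ca=True)  # constructed CN
    print("root as Forward Trust:", forward_trust_problems(root, root_key) or "OK")
    sub, sub_key = issue_subordinate_ca(root, root_key, "Example Corp Decryption CA")
    print("subordinate as Forward Trust:", forward_trust_problems(sub, sub_key) or "OK")
    print("subordinate chains to root:", signed_by(sub, root))
```

To apply the check to an existing root, load it with x509.load_pem_x509_certificate and the key with serialization.load_pem_private_key and pass both to forward_trust_problems; a non-empty list corresponds to the situation where the firewall does not offer the Forward Trust checkbox.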


Additional Information


SSL Forward Proxy

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlduCAA&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail