Overview
This method of traffic redirection should be used for trials, pilots, and limited deployments. With this method, most end users will in most cases be able to bypass the security and governance that SurePath AI provides. For production deployments, customers should use a redirection method that cannot be easily bypassed.
Devices accessing GenAI sites through the SurePath solution must also have the SurePath AI security certificates installed. For a large number of devices this could be an onerous task without automation or an MDM tool.
Prerequisites
SurePath AI Root Certificate (get this from your SurePath AI Field CTO)
DNS over HTTPS (DoH) Address (in this document)
A web browser capable of DoH (this document shows how to do this with Google Chrome)
Procedures
All Operating Systems and Browsers
All operating systems will need these files and information.
DoH server URL
Configuration validation page
This site will also allow downloads of the SurePath AI security certificates should you not have them already.
Setup Chrome on Mac
1. Select Chrome -> Settings from the macOS menu bar (alternatively, click the three vertical dots next to the icon of your Google login on the right side of the Chrome menu bar)
2. From the left navigation bar select Privacy and security > Security
3. Turn on Use secure DNS with the toggle
4. Select Add custom DNS service provider from the drop-down menu
5. Enter the SurePath DoH server address into the field provided.
6. Be sure to leave this field (click or tab out of it) or the setting will not take effect.
Install the SurePath Security Certificate on Mac
1. Find the SurePath AI Root Certificate that you downloaded or that was sent to you.
2. Right-click on the file and select Open With > Keychain Access
3. Enter your password or authenticate as required.
4. Once Keychain Access is open, the certificate may already be selected. If it's not, type SurePath into the search window to find it and select it. It should show that This root certificate is not trusted.
5. Double-click the SurePath AI Root CA (same as Right-click > Get Info)
6. Expand and select Trust > When using this certificate > Always Trust
7. Be sure to close the window for the settings to take effect.
8. Setup is complete and you can do Configuration Validation next.
Configuration Validation
Once you have completed interception with SASE software or a DoH setup, you can use the following website to ensure that GenAI traffic will pass through the SurePath AI system.
Navigate to https://ready.surepath.ai/
This webpage will let you know if you are configured properly.
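A command-line complement to the validation page, as an added example that is not SurePath AI's own code: it builds an RFC 8484 DoH GET request and parses the A records in the reply, so you can see which addresses the configured DoH server returns for a hostname. DOH_URL is a placeholder for the DoH server URL you were given, and the sample response is constructed, not captured traffic.

```python
import base64, struct, urllib.request

# Placeholder (assumption): substitute the DoH server URL supplied by SurePath AI.
DOH_URL = "https://doh.example.invalid/dns-query"

def build_query(name, qtype=1):
    """DNS wire-format query: ID 0 (as RFC 8484 recommends), RD set, class IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!6H", 0, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def doh_get_url(base, name):
    """RFC 8484 GET form: base64url of the query with padding stripped."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{base}?dns={dns}"

def _skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += msg[off] + 1
    return off + 1

def a_records(msg):
    """Extract IPv4 addresses from the answer section of a DNS response."""
    qdcount, ancount = struct.unpack("!2H", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:    # A record
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return addrs

def resolve(name, base=DOH_URL):
    """Ask the DoH server for A records (needs network access)."""
    req = urllib.request.Request(doh_get_url(base, name),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return a_records(resp.read())

# Constructed sample response (not captured traffic): www.example.com A 192.0.2.10
_Q = build_query("www.example.com")
SAMPLE = (b"\x00\x00\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + _Q[12:]
          + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a")
```

After replacing DOH_URL, call resolve() with the hostname you want to check; a_records(SAMPLE) exercises the parser offline.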