
SophosApplianceCertificate warning from XG 230, but HTTPS scanning is not enabled.

I'm a new XG user, currently trying to do some testing before moving my company from a SonicWall to our new XG 230 appliance. I've configured the firewall and set up a small subset of computers on it while the remainder of our corporate network continues to function using the SonicWall. Today, I tried to move our WiFi subnet over to perform more testing and immediately ran into a problem trying to get email from our on-prem Exchange. Mobile clients (iPhones) get a certificate mismatch for "SophosApplianceCertificate...", which seems to indicate that HTTPS scanning has been enabled, but as far as I can tell it has not.

I only have a few firewall rules, and none of them have HTTPS scanning enabled. Desktop clients running through the XG do not get this message, even though they are using the same firewall rule (but a different subnet and different physical port). I've looked high and low and can't figure out how this is happening.

Does anyone have any ideas?



This thread was automatically locked due to age.
  • One of my four rules is the "Auto added firewall policy for MTA". Source = Any zone, Any host; Destination = Any Zone, Any host; Service = SMTP, SMTPS.

    Does a business rule that has SMTP or SMTPS enabled also use the man-in-the-middle certificate intercept?

  • Hi,

    anything that has a /s in its name will be trying to do a man-in-the-middle scan.

    Ian

  • Understood. I'll disable that rule until (if) we start doing HTTPS inspection.

  • I'm still getting the SophosApplianceCertificate, even after disabling my SMTP/SMTPS rule. I now only have literally one firewall rule (LAN and WiFi to WAN) that does not have HTTPS scanning or SMTPS scanning enabled. Where else could this be coming from?

  • After much gnashing of teeth (and being unable to open a ticket through sophos.com) I was able to get this resolved with the help of support. This behavior was apparently caused by the firewall being unable to route the traffic from one port out to the Internet and back in through another port (hairpinning). The reason it was giving the HTTPS certificate error is that the firewall was trying to display a "site blocked" page, but the page uses HTTPS and the firewall's internal certificate. It wasn't actually trying to connect to my mail server; it was just trying to show a "can't do that" page.

    The fix was:

    1) Create a rule that routes traffic from WiFi to LAN (requires masquerading (MASQ))

    2) Create a DNS Request Route for my internal DNS servers on the LAN (In Network > DNS > DNS Request Route)

    3) Configure the WiFi DHCP pool to use the XG's IP as the primary DNS server

    This seems like a pretty convoluted way to solve the issue, but it did work. It would seem to me that it would be easier to force WiFi traffic that is pointed to our public IPs to re-route to the LAN port, but this works and it's the configuration support suggested.
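The lesson of this thread is that a warning naming the firewall's own certificate does not by itself prove that TLS inspection is on: a block page served over HTTPS presents the same certificate. The script below is an added example (not code from the thread, from Sophos, or from the XG product) of how to tell the two failure modes apart from a client: it fetches the leaf certificate the peer actually presents, even when validation would fail, pulls the issuer/subject common names and DNS SANs out of the DER with a deliberately simple byte scan (a heuristic, not a full X.509 parser), and classifies the result as the appliance's certificate, a hostname mismatch, or a match. The marker string `SophosApplianceCertificate` is taken from the thread; the `constructed_cert` helper builds a certificate-shaped blob for offline testing and is not a real certificate.

```python
"""Diagnose a TLS certificate warning: is the server answering, or is a
middlebox (e.g. a firewall block page) presenting its own certificate?"""
import socket
import ssl

# Name fragment seen in the thread's warning; assumed sufficient as a marker.
APPLIANCE_MARKERS = ("SophosApplianceCertificate",)

OID_CN = bytes.fromhex("0603550403")   # OBJECT IDENTIFIER 2.5.4.3  (commonName)
OID_SAN = bytes.fromhex("0603551d11")  # OBJECT IDENTIFIER 2.5.29.17 (subjectAltName)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length


def extract_names(der: bytes):
    """Heuristic scan: issuer CN, subject CN and DNS SANs from a DER certificate.

    In a TBSCertificate the issuer Name precedes the subject Name, so the first
    commonName found is the issuer's and the last is the subject's.
    """
    cns, pos = [], 0
    while (pos := der.find(OID_CN, pos)) >= 0:
        _, s, e = _read_tlv(der, pos + len(OID_CN))      # string TLV after the OID
        cns.append(der[s:e].decode("utf-8", "replace"))
        pos = e
    issuer_cn = cns[0] if cns else ""
    subject_cn = cns[-1] if cns else ""

    sans = []
    p = der.find(OID_SAN)
    if p >= 0:
        tag, s, e = _read_tlv(der, p + len(OID_SAN))     # BOOLEAN critical or OCTET STRING
        if tag == 0x01:
            tag, s, e = _read_tlv(der, e)                # skip the critical flag
        _, s, e = _read_tlv(der, s)                      # SEQUENCE OF GeneralName
        while s < e:
            t, vs, ve = _read_tlv(der, s)
            if t == 0x82:                                # [2] dNSName
                sans.append(der[vs:ve].decode("ascii", "replace"))
            s = ve
    return issuer_cn, subject_cn, tuple(sans)


def _host_matches(hostname: str, names) -> bool:
    host = hostname.lower()
    for n in (x.lower() for x in names):
        if n == host:
            return True
        if n.startswith("*.") and "." in host and host.split(".", 1)[1] == n[2:]:
            return True                                  # single-label wildcard
    return False


def classify(hostname: str, issuer_cn: str, subject_cn: str, sans) -> str:
    """'appliance': the firewall's own cert (block page or TLS inspection);
    'mismatch': some other certificate not valid for hostname; 'match': as expected."""
    if any(m in subject_cn or m in issuer_cn for m in APPLIANCE_MARKERS):
        return "appliance"
    if _host_matches(hostname, sans or (subject_cn,)):
        return "match"
    return "mismatch"


def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect without validation so the offending certificate can be inspected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE                      # must follow check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)      # DER is returned even unvalidated
    return classify(hostname, *extract_names(der))


# --- constructed test data (not a real certificate, only the Name/SAN structures) ---
def _len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _len(len(payload)) + payload


def _name(cn: str) -> bytes:  # Name ::= SEQUENCE { SET { SEQUENCE { OID, UTF8String } } }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, OID_CN + _tlv(0x0C, cn.encode()))))


def constructed_cert(issuer_cn: str, subject_cn: str, sans) -> bytes:
    """Certificate-shaped DER with issuer, subject and a SAN extension; constructed for demos."""
    general_names = b"".join(_tlv(0x82, n.encode()) for n in sans)
    ext = _tlv(0x30, OID_SAN + _tlv(0x04, _tlv(0x30, general_names)))
    return _tlv(0x30, _name(issuer_cn) + _name(subject_cn) + _tlv(0x30, ext))


if __name__ == "__main__":
    blob = constructed_cert("SophosApplianceCertificate", "SophosApplianceCertificate", ())
    print(classify("mail.example.com", *extract_names(blob)))   # appliance
    # Live use against a real host: print(probe("mail.example.com"))
```

Run `probe()` against the hostname the phones complain about from both the affected and the unaffected subnet; an `appliance` verdict from one and `match` from the other points at routing or policy on that path (as in this thread) rather than at a global TLS-inspection setting.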