scanning https blocking many websites

Hi,

first site fail because a security certificate issue at their end. Second site works fine.

Have you installed the XG certificate on  your PC?

Ian

installed certificate on my pc ,

 how could i exclude this errors 

Hi,

you need to create web exceptions or you can create your own classifications for each site.

What features in the blocking rule are you using?

Ian

Hi,

We are blocking gmail access except our company mail domain based on below link

https://community.sophos.com/kb/en-us/126532

after this policy applied https scanning blocking all untrusted https websites , we tried to exclude all the possibilities ( URL Group & categories )  nothing sort this issue.

We need to block gmail same time we need to access above category websites.

Hi,

how many sites are you trying to exclude?

When you look at log viewer what entries do you see when you try to connect to the sites?

If you use regex to build the exclude entires that exception will apply to all rules where as if you create your own web policies you can add them to the appropriate firewall.

Ian

thank you , we fix the issue with web -- exception to exclude sites from https scanning & policy check

The XG may be more strict about the certificate checks that browser do by default.

For example, your browser may be happy to go to https://testcaselab.com when not using the proxy.

But when the proxy tries to do HTTPS inspection it finds a bad certificate.  On the block page you can click "about this request"

If you want to know more, go to ssllabs.com and put in the domain.

https://www.ssllabs.com/ssltest/analyze.html?d=testcaselab.com&s=151.236.222.141

In this case, ssllabs gave it an F for different reasons.  However the also noted that the chain is incomplete (which is the reason that XG complained).

The XG may be more strict about the certificate checks that browser do by default.

For example, your browser may be happy to go to https://testcaselab.com when not using the proxy.

But when the proxy tries to do HTTPS inspection it finds a bad certificate.  On the block page you can click "about this request"

If you want to know more, go to ssllabs.com and put in the domain.

https://www.ssllabs.com/ssltest/analyze.html?d=testcaselab.com&s=151.236.222.141

In this case, ssllabs gave it an F for different reasons.  However the also noted that the chain is incomplete (which is the reason that XG complained).

thanks for the reply , will check & get back to you