This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cisco VPN outgoing connection on SFVH (SFOS 17.5.0 GA) with https scanning & decrypting

My general outgoing policy is working with the Cisco VPN client if I do not decrypt and scan https ... My other general policy where https scanning / decrypting is working and the certificates are installed on the clients is also working well on the client for normal and https web traffic. If I turn on https and scanning the Cisco VPN then fails to connect on either policy.

Are there any idea on how to get this functioning with https scanning and decrypting active?

Thanks

This thread was automatically locked due to age.

0 ThibautVan der Kluft over 6 years ago

Hey Rick,

Do you know the public IP where the Cisco VPN client connect ? If yes, you could create a firewall network rule on top, from LAN to WAN and with this public IP as destination host and with service "HTTPS". And you don't apply any scanning on this rule, so it will pass through.
Cancel
Vote Up 0 Vote Down

Cancel
0 Rick Dunn over 6 years ago in reply to ThibautVan der Kluft

Thanks I did this on the source however once I find the block of correct addresses I will reverse that to the destination.
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni over 6 years ago in reply to Rick Dunn

So you are using Cisco AnyConnect (based on SSL VPN)?

I would assume, this is not possible to intercept this traffic with a man-in-the-middle.

Ether the Client will not connect, or the Cisco will drop the connection, because the certificate is not matching.

Keep in mind: Https scanning is a man-in-the-middle.

More information here: community.sophos.com/.../132997
Cancel
Vote Up 0 Vote Down

Cancel
0 Rick Dunn over 6 years ago in reply to LuCar Toni

I was assuming this was the case and though the client may have the proper cert built into the config there's not much chance the VPN endpoint would allow the secondary cert to setup a proper tunnel as it is expecting the client cert to verify the identity...
Cancel
Vote Up 0 Vote Down

Cancel