
Blocked and warning message site for HTTPS URL and certificate name problem?

I have on Sophos XG a trusted certificate for the XG hostname (example xg.mycompany.com). When I access the admin web or user portal I have no warnings accessing these sites. But when I access some HTTPS page that is web filtered, blocked or only warned, then the internet browser blocks me or warns me that the name of my trusted certificate on XG is different from the one in the entered URL. Is there no possibility that, if an HTTPS URL is blocked or warned, XG shows a site with a message about blocking the requested URL but with its own URL like https://xg.mycompany.com/blockmessage.html and no certificate naming problem? For a warning message page, after clicking on proceed, the URL in the browser would change again to the initially requested URL. In this state the blocking and warning message pages for HTTPS sites are totally useless.



  • Yes, this is what I want. If a URL is blocked, I need a redirect to XG's own user-facing page with a URL beginning with the XG hostname. The mentioned option on XG from version 17.5 says word for word: "Admin console and end-user interaction - When redirecting users to the captive portal or other interactive pages: - Use the firewall's configured hostname:... ". And I want XG to work as is written in this option. And there is a Check settings button, which passed for me, but in a real scenario this is irrelevant. I am not going to downgrade to confirm, but I remember that in version 17.1 the blocking page had the XG LAN IP address in the URL and not the hostname of the client's requested page (but maybe only with an HTTP request and not HTTPS?... I don't remember). If only the XG LAN IP was changed to the XG hostname, then everything would be OK. I don't want to manage man-in-the-middle; I want Sophos to fix the XG function.

  • But how should XG intercept this traffic, if it is encrypted?

    This is not possible - there is no technical approach to resolve this. 


  • Then the option as it is written is totally misleading.

  • The option will be used for every user-facing page.

    And this is still correct / true.

    You have to provide the technical prerequisite to use all features. 


    In fact, this new feature in the webadmin is to help configure everything properly for certificate management.


  • OK... maybe some additional info in the text to be aware that a trusted certificate is not enough for this option. I am not a network specialist, so not everything about this was clear to me.

  • Just to be sure, you should think about getting HTTPS scanning working in your company.

    There are a lot of advantages from a security perspective.


  • Ivan Mikita said:

    OK... maybe some additional info in the text to be aware that a trusted certificate is not enough for this option. I am not a network specialist, so not everything about this was clear to me.


    That is the intention of this FAQ:

    https://community.sophos.com/kb/en-us/132997


    However, in short: the new option in 17.5 allows you to use your purchased certificate whenever the browser address bar has your XG in it.

    If your browser bar has someillegalsite.com then the XG must continue to use the Certificate Authority to show the block page.

    If your browser bar has someillegalsite.com and you wanted XG to redirect to show a block page hosted by the XG, it would need to use the Certificate Authority to do the redirection, and then be able to show the block page using your purchased certificate.


    Among other things, HTTPS is a way that users are assured that they are going to the site they intended to go to. You cannot interrupt HTTPS without users agreeing - either by installing a CA or by accepting a warning.


    There is also an option in Web, General Settings to just drop the connection rather than using the CA to display a block page.
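To make concrete why the reply above says interception needs the XG CA while the purchased certificate only helps once the address bar shows the XG hostname, here is an added Python illustration (not code from this thread or from Sophos). The hostnames and certificate names are constructed from the thread, and the browser model is a deliberate simplification of the real validation a browser performs.

```python
# Added example, not from this thread or from Sophos: a minimal RFC 6125
# style hostname check over a certificate's subjectAltName dNSName entries,
# plus a toy model of the browser's verdict on the certificate a proxy presents.

def hostname_matches(san_dns_names, hostname):
    """True if hostname is covered by one dNSName. A wildcard is accepted
    only as the entire left-most label, needs at least two labels after it,
    and never spans a dot (so *.example.com matches a.example.com but not
    a.b.example.com or example.com)."""
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_dns_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False

def browser_verdict(address_bar_host, presented_sans, issuer_trusted):
    """Model the two checks a browser applies to the leaf certificate the
    proxy presents: is the issuing CA trusted, and does a SAN match the host
    in the address bar. Either failure produces the warning page."""
    if not issuer_trusted:
        return "warning: untrusted issuer"
    if not hostname_matches(presented_sans, address_bar_host):
        return "warning: name mismatch"
    return "ok"

# Constructed scenario data (hypothetical names taken from the thread):
# XG_CERT is the purchased certificate for the firewall hostname; the XG's
# own CA would instead mint a per-site certificate when HTTPS scanning is on.
XG_CERT = ["xg.mycompany.com"]
BLOCKED_HOST = "someillegalsite.com"

def block_page_scenarios():
    return {
        # Purchased cert reused while the address bar still shows the blocked
        # site: the issuer is trusted, but no SAN matches the host.
        "blocked site, XG cert": browser_verdict(BLOCKED_HOST, XG_CERT, True),
        # Per-site cert from the XG CA, but the CA is not installed on the client.
        "blocked site, XG CA not installed": browser_verdict(BLOCKED_HOST, [BLOCKED_HOST], False),
        # Per-site cert from the XG CA, CA installed: interception is accepted.
        "blocked site, XG CA installed": browser_verdict(BLOCKED_HOST, [BLOCKED_HOST], True),
        # After a redirect to a page hosted on the firewall's own hostname.
        "redirected to xg.mycompany.com": browser_verdict("xg.mycompany.com", XG_CERT, True),
    }
```

Only the last scenario is the case the 17.5 option covers; the first three are the interception step that happens before any redirect, which is why the purchased certificate alone cannot remove the warning.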