Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 10 replies
  • Answers 2 answers
  • Subscribers 29 subscribers
  • Views 6166 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Blocked and warning message site for https url and certificate name problem?

IT_Chemes

I have on Sophos XG trusted certifikate for XG hostname (example xg.mycompany.com). When i access admin web or user portal i have no warrnings accesing this sites. But when i access some https page that is with web filtered, blocked or only warned, then internet browser block me or warn me that name of my trusted certificate on XG is different that is in inserted URL. Is no possibilitty that if https url is blocked and warned, XG show site with mesaage of blocking asked URL but with own url like https://xg.mycompany.com/blockmessage.html and no certificate naming problem? If warning message page after clicking on proceed URL in brovser again change to initialy asked URL. In this state blocking and warning message pages for https sites are totaly unusefull.



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    Have you already installed the Firewall's SSL CA Certificate on your local machines?

    Please refer to: Sophos XG Firewall: SSL CA certificate installation guide

    Regards,

  • 0 in reply to FloSupport

    I know what you mean but i dont want go this way. I dont purchease trusted certificate for XG domain name that i have to distribute CA to all local machines.I need that block and warning page from XG present to browser as user portal or admin pages using in URL XG domain name corensponding with CN in my world wide trusted certificate. I was happy looking forward in version 17.5 for option Administration->Admin settings->Admin console and end-user interaction->When redirecting users to the captive portal or other interactive pages ->Use the firewall's configured hostname: xg.mycompany.com. But i see this option is totaly unusefull for XG blocking page. For redistributing CA to local machines i dont need trusted certificate and therefore thats not solution for me. If not resolution in XG at this time i want implement solution to near version of XG. For what is trusted certificate on my XG if a cant use his benefits? Option mentionet above is misleading for me.

  • 0 in reply to IT_Chemes

    The Point is, XG uses the Datastream of the Client request page and fill in the blockpage instead of using a redirect to an own user facing page.

    https://community.sophos.com/kb/en-us/132997

     

    So you need a man - in the middle. 

  • 0 in reply to LuCar Toni

    Yes, this is what i want. If url blocked i need redirect to XG own user facing page wit url begin with XG hostanme. Mentioned option on Xg from version 17.5 word by wor say "Admin console and end-user interaction - When redirecting users to the captive portal or other interactive pages: - Use the firewall's configured hostname:... ". And i want that XG working as is writing in this option.  And ther Check settings button, what passed for me but in real scenario is this irrelevant. I dont go to downgrade to confirm, but i remeber than in 17.1 version blocking page have in URL XG LAN IP address and not hostname of client reguested page (but maybe only with http reguest and not https?...i dont remember). If only XG LAN IP was changed to XG hostname, then everything OK. I don go manage man-in the middle i want fix XG function from Sophos.

  • 0 in reply to IT_Chemes

    But how should XG intercept this Traffic, if it is encrypted? 

    This is not possible - there is no technical approach to resolve this. 

  • 0 in reply to LuCar Toni

    Then option as is writed is totaly missleading.

  • 0 in reply to IT_Chemes

    The Option will be used for every user faced Page. 

    And this is still correct / true.

    You have to provide the technical prerequisite to use all features. 

     

    In fact, this new Feature in the webadmin is to help to configure everything properly for the certificate management. 

  • 0 in reply to LuCar Toni

    OK...maybe some additional info in text to be aware that trusted certificate is not enough for this option. I am not network specialist then was not clear all about this.

  • 0 in reply to IT_Chemes

    Just to be sure, you should think about getting HTTPs Scanning working in your company. 

    There are a lot of advantages from security prospektive. 

Reply Children
No Data