Is this possible? Guest users are being presented with untrusted certificates when block pages are displayed.
Thanks.
Hello Neil,
Thank you for contacting the Sophos Community.
Yes, you can change the certificate used for HTTPS scanning, but the certificate would also need to be installed on the guest computers. If you still want to Decrypt & Scan for the guest users, the other alternative you have is to change the action on block/warn policy actions on HTTPS (Protect >> Web >> General Settings >> HTTPs decryption and Scanning >> For errors and block/warn policy actions on HTTPS connections when Decrypt & Scan is disabled >> Drop connections without a user notification).
Regards,
Hi,
Just to clarify, BYOD users on our guest wifi are getting certificate errors when being presented with block pages.
MEric, thanks for your suggestion, but I'm not sure this would resolve the issue.
Is the certificate used for block pages the same as the CA used to sign certificates, or can I specify a specific certificate just for block pages? I don't believe so.
Emmosophos, again, thanks for your reply, but these are BYOD/guest users, so installing the SSL CA isn't really an option. Simply not displaying the page with no explanation is not really a solution; users will probably complain about the wifi, not realising they are actually being actively blocked.
Is there any plan to allow a custom certificate or URL for blocked pages?
Thanks.
Hello Neil,
Thank you for the follow-up!
Yes, so if you enable HTTPS decrypt and scan and the users don't have the SSL certificate, they will get the certificate error. To avoid this you would need to install the certificate on their devices, which is not possible or doable for BYOD guest users.
You could opt not to do the decrypt and scan for the guest network and thus avoid the users being presented with the invalid certificate.
Unfortunately, there is no way to use a different certificate for these users or have a way to decrypt their traffic without them installing the certificate, as this is needed to do the redirection for the blocked page.
Regards,