
Generals Questions about HTTPS scanning

Hello folks, hope you are all healthy!

I am quite new to Sophos Firewalls, just bought an XG86 for the home. Works all fine so far.

I am interested in the HTTPS Inspection function and would like to enable that, of course.

But as far as I understand, every device/browser needs to adopt the self-signed certificate to work with it.

So no problem, I can do that for macOS, Win, Android, etc., but what do we do with devices where I cannot import certificates?

I mean all the IoT stuff, SkyQ receiver, Samsung TV and so on, I think you know what I mean.

Is there a way to exclude such devices? And of course without losing the comfort of AirPlay, YouTube streaming...

I know, this is not a business infrastructure Sophos is made for ...

Thanks for every hint you can give me and a happy 2021

Chris



  • Hello,

    I know, this is not a business infrastructure Sophos is made for ...

    Home environments are not what Sophos XG was made for, but the number of IoT devices in the enterprise nowadays is really high.

    As a home user you have two options. If your IoT devices are on a separate VLAN, you can exclude the entire VLAN from decryption (easier to maintain).

    If not, you can assign a static IP address through your current DHCP server and create "Clientless Users"; this will allow you to select all devices/computers as users in both Firewall and SSL/TLS Inspection rules (harder to maintain).

    In there you will be able to select all IoT devices and create a separate "Don't Decrypt" rule.

    You can find more information about Clientless Users in the docs.

    Thanks!

  • Thanks, you give me homework :P

    As far as I know, the VLAN option separates devices like TV, Hue, SkyQ and Nest stuff from my standard (and then HTTPS-protected) network. So comfortable things like AirPlay, Spotify or YouTube streaming will not work anymore - not comfortable at home.

    I will try out the Clientless User - next year 🍸

  • Happy New Year!

    Depending on the device you could use multicast routing on the XG itself to route the requests to other VLANs, but things like mDNS wouldn't work correctly. In the end, you would create a lot of issues, and you would also have a serious headache if you don't know what you're doing.

    So, your best option here is to use Clientless Users.

    Thanks!
