
Sophos XG unable to verify certificate

Hi, 

we are trying to migrate from a Sophos Web appliance WS1100 to the Sophos XG Web Protection.

We get this error when trying to open www.google.co.uk and some other sites.

On the WS1100 there is a Certificate Validation tool and I could add the site and use the "Get Certificate" button to download and add a valid in-date certificate.

Is there a similar feature on the Sophos XG? I can avoid the error by adding an exception and skipping HTTPS for this and other sites, but that doesn't seem quite right?

thanks. 

TStan



This thread was automatically locked due to age.
  • Hi TStan,

    This might be because the XG is decrypting https (aka TLS).

    When it does so, it inserts itself in the middle of the conversation, so you have an https connection to the XG; and the XG has a separate connection to the webserver.

    The XG dynamically creates a server certificate pretending to be google.co.uk (for example). It uses its own SSL CA for this (NB this is the SSL CA, not the general-purpose CA. Look for 'SSL' in the cert name).

    So, if your device is not set up to trust the XG SSL CA root cert, you will get these errors.

    Solution is to import the XG SSL CA root cert into your device.

    Regards

    Adrian

  • Hi Adrian,

    thanks for the fast response.

    We have the certificate installed to all computers using Group Policy;

    so on the XG, there is no way to "Get Certificate" for another site and add it.

    I have another site, www.smartassessor.co.uk, which I have had to make an exception for so students can access it.

    On the WS1100, I would have added the certificate from the website as below; then I wouldn't have to make an exception and bypass the HTTPS settings.

  • This alert looks like the Sophos Endpoint Web Protection. Do you use the endpoint protection? 

  • Hi, 

    We use Sophos Enterprise console, but not the Web Control part as we use the WS1100 for Web control.

    We are looking at upgrading from the WS1100 Web appliance to the Sophos XG.

    I think I have found that because we are still using the WS1100 "in line" with the Sophos XG as we test its settings, the certificate error seems to be that the Sophos XG "needs"? the WS1100 certificate. If I add the problem sites to the exception list on the Sophos XG, everything works ok.

    If I bypass the WS1100 and just use the XG, then the sites are ok.

    I wanted to know if there was a place on the Sophos XG where I could add certificates from a website to validate them so I didn't have to make exceptions for them.

    We are not ready to totally bypass the WS1100 without more testing so this certificate validation made sense to me.... but it might be that the WS1100 cert is not valid on the XG?

    Thanks