HTTPS Inspection

Hey Sophos,

I'd like to enable HTTPS Inspection on some firewall rules, but I'm wondering what would happen if I left this checked but the certificate was not available on a device included in the rule's scope.

I'm aware HTTPS Inspection won't take place (or won't work) until the device has the certificate available, but I want to avoid any negative consequences on devices that haven't yet got the certificate installed, i.e. if we deploy the certificate via GPO, there will doubtless be some devices that don't pick up the certificate right away. Will they still work?

Thanks

  • Hello!

    Are you using the old Web Proxy or DPI?

    Either way, if you apply TLS Inspection to a device that doesn't have the certificate installed, any application that verifies the Certificate Authority (such as web browsers) won't work: all of them will give the user a warning that the certificate isn't trusted, on every website you're inspecting.

    Some other applications such as Office or Outlook also won't work (as expected), since they also verify the Certificate Authority.

    If you can, create an HTTPS Inspection Rule only with the devices that already have the CA installed. (if possible)

    "i.e. if we deploy the certificate via GPO, there will doubtless be some devices that don't pick up the certificate right away - will they still work?"

    tl;dr: Any application that uses TLS and verifies the Certificate Authority, or has certificate pinning, won't work.

  • Hi Prism,

    We use Web Proxy for this particular rule. Thanks for clarifying the other points. I'll do some testing on the variety of client-types we'd like to use with this rule and see how we get on. Good to see that it won't entirely break their connectivity, but certainly wouldn't be an ideal operational experience for the user. We'll deploy the certificate in a managed way, then give it a few weeks before enabling HTTPS Inspection to ensure all policies are applied, provided the testing goes well.

    Thanks
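A check for the per-device testing discussed in this thread, added here as an example and not taken from the thread or from Sophos: run on a Windows client, it reports whether the firewall's inspection CA has reached the machine's Trusted Root store (where a GPO would place it) and what a TLS client on that machine actually sees when connecting to an inspected site. The CA thumbprint and test host are placeholders, and the script assumes the firewall intercepts the connection transparently rather than via an explicit proxy setting.

```powershell
param(
    # Placeholder: thumbprint of the firewall's HTTPS-inspection CA (copy it from the firewall's certificate page)
    [string]$CaThumbprint = 'REPLACE_WITH_INSPECTION_CA_THUMBPRINT',
    # Any HTTPS site that falls under the inspection rule
    [string]$TestHost = 'www.example.com'
)
$CaThumbprint = $CaThumbprint.ToUpper()

# 1. Has the GPO landed? Look for the CA in the machine Trusted Root store.
$rootCa = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $CaThumbprint }
if ($rootCa) {
    Write-Output "Inspection CA present in LocalMachine\Root: $($rootCa.Subject)"
} else {
    Write-Output "Inspection CA NOT in LocalMachine\Root: CA-verifying apps will warn once inspection is on"
}

# 2. What does a TLS client on this machine actually see for $TestHost?
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
# Accept any certificate during the handshake; validation is done explicitly below so the result can be reported
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($TestHost)
    $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $valid = $chain.Build($leaf)   # same trust decision a browser or Office makes

    Write-Output "Leaf subject: $($leaf.Subject)"
    Write-Output "Leaf issuer : $($leaf.Issuer)"

    # If the firewall CA appears anywhere in the built chain, this connection is being inspected
    $inspected = $chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $CaThumbprint }
    if ($inspected) {
        Write-Output "Connection IS being inspected: chain ends at the firewall CA"
    } else {
        Write-Output "Firewall CA not in the chain (inspection off for this host, or the CA is not installed here)"
    }

    if ($valid) {
        Write-Output "Chain validates: browsers and Office will accept this connection"
    } else {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Output "Chain does NOT validate ($reasons): users will get certificate warnings"
    }
} finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

Running it before and after the GPO has applied shows the two states Prism describes: an inspected connection whose chain fails to validate (CA missing) versus one that validates cleanly once the CA is in the root store.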