Using factory SSL certificate for DPI/Filtering

Hi All

I've been using my XG210 for a few years now, but I've always had random issues with DPI/Web Filtering. Around 10% or more of the time, I have users who will see the self-signed certificate warning when going to a site they shouldn't be on, then have to hit "Proceed" and "I accept the risk" before the Sophos blocked page shows up. Sometimes it will just show up without the warning.

I've come to realise this might be because the hostname of the Appliance certificate that is deployed across the network is not the IP or hostname of the firewall...

How can I change this? None of the places I've read are clear. I have SSL VPN and Sophos Connect set up, so I don't want to mess around with the user certificates at all if I can avoid it...

Is there a way to update the common name, or can someone point me in the right direction to regenerate a certificate for filtering/portal use?



This thread was automatically locked due to age.
  • Hello

    Thank you for the detailed reply!

    So adjusting the default cert will update the appliance CA that I've used? I'm not using a hostname, only the firewall IP, to keep things simple. I will give it a try tomorrow.

    I'm okay to regenerate the SSL VPN configurations if required. Will this affect Sophos Connect? I use both.

  • You'll have to regenerate the rest appliance and SSL_CA if you update the default CA!
    SSL uses the server certificate under the SSL VPN Settings:

    And as you know, the legacy SSL client is declared EoL, so you must be using the Sophos Connect client for connecting SSL VPN profiles, right? Or are you also using the IPsec remote access profile too?

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Hi 

    Yes, we plan to stop using the SSL VPN, but if I update the default certificate with the correct information and then regenerate the CA, will this affect the Sophos Connect client/configurations? Will I need to re-download them and provide them to end users?

  • Depends which certificate you are using for SSL VPN. If you are using the default/Appliance certificate, then yes, you would need to re-import again. And if IPsec [remote access] is in the picture, then if you are using a digital cert, again it depends which one you are using. But for IPsec [remote access], if you are using PSK then no need!

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 

