Your connection is not Private

Hi, 

Purchased an XGS2100 to replace our SG230 for our Public WiFi connection.

The device is not on a domain and has its own internet connection. It is only used for members of the public to get access to the internet on their own personal devices, mobiles, laptops and tablets etc. We have APX320 access points connected to the device.

Using the default Web Policy with Source Any Zone Any Host, and Destination WAN Any Host, Any Service.

Have a hotspot set up with Terms and conditions front page sign in.

A user can connect to the Wifi, then a screen pops up.

SSL Certificate Not Trusted. The security certificate for this network is not from a trusted authority. We do not recommend that you connect to this network.

They can continue and accept the terms and conditions.

After that, a large number of websites show up with the error, Your connection is not Private. Attackers etc. CERT-Authority-Invalid

Is it because their device doesn't have the SSL installed? If so, how do I get their device to do this so they can access the internet?

Or is it the message we get when trying to access blocked sites and the blocked site message doesn't show?

Thanks

Trev



  • Please read
    HTTPS Decrypt and Scan FAQ

    You have two choices:
    Decrypt traffic - all HTTPS sites will be decrypted and any user without the CA will get the browser warning for all HTTPS sites.

    Do not decrypt traffic - only HTTPS that we need to display a block page will get the browser warning before the block page.

    I am pretty sure you want the latter. If you want you can configure the proxy so that HTTPS blocks will just drop the connection rather than display a block page (signed with the CA).
