Sophos XG breaks SSL when connecting to Outlook Anywhere

Hi, I have set up a virtual XG firewall at home. I have created an "allow all" policy for the web filter and have switched off the "Scan HTTPS" feature. In my web browsers, this works fine and I see the SSL certificates of all the websites I visit.

When I start Outlook and connect to the mailbox of my company, I get a certificate warning from Outlook 2013 that shows the Sophos CA. Obviously, the XG appliance is breaking SSL for the connection to Outlook Anywhere. The company is running Exchange Server 2013.

When I connect to another Exchange 2013 system, the certificate warning does not appear, which totally confuses me. I assume this issue might be related to Exchange 2013 autodiscover, but I am sure it is related to Sophos XG as well. I did not have this problem with UTM 9 that I have been using before migrating to XG.

Do you have any ideas on how to resolve this issue?

Kind regards, Matthias



  • Hi Matthias,

    Installing the Sophos SSL CA into your domain's Trusted Root Certificates Group Policy for the Machine store resolves the problem.

    However, a permanent fix is not something I've looked at, as I'm satisfied with this resolution. Has anyone created specific exceptions for it and stopped it from breaking SSL on Autodiscover?

  • Hi Emile,

    Thanks for the quick reply. Yes, that would resolve the certificate warning from the user's point of view. But as a firewall admin, I want to know what is happening in my network. If I decide not to scan HTTPS traffic, my firewall should not do other things.

    Maybe there is a way to "globally" stop HTTPS scanning on XG firewall?
