Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 47 replies
  • Subscribers 47 subscribers
  • Views 176835 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XG breaks SSL when connecting to Outlook Anywhere

MatthiasHess

Hi, I have setup a virtual XG firewall at home. I have have created an "allow all" policy for the web filter and have switched off the "Scan HTTPS" Feature. In my web browsers, this works fine and I see the SSL certificates of all the websites I visit.

When I start Outlook and connect to the mailbox of my company, I get a certificate warning from Outlook 2013 that shows the Sophos CA. Obviously, the XG appliance is breaking SSL for the connection to Outlook Anywhere. The company is running Exchange Server 2013.

When I connect to another Exchange 2013 system, the certificate warning does not appear, which totally confuses me. I assume this issue might be related to Exchange 2013 autodiscover, but I am sure it is related to Sophos XG as well. I did not have this problem with UTM 9 that I have been using before migrating to XG.

Do you have any ideas on how to resolve this issue?

Kind regards, Matthias



This thread was automatically locked due to age.
Parents
  • 0

    If Outlook complains about the certificate it means that connection to the company's Outlook is made using a rule with HTTPS scanning enabled.

    Haven't you created "Outlook Business Rule" and have forgotten about it ? Use LogViewer for WebFilter to find which HTTP request go to specific rules.

  • 0 in reply to Slawski

    OK, I got a step further now. In my "ANY/ANY/PERMIT"-rule I had the web filter policy "allow all" activated. If I set this to "none", the certificate warning does not occur. But I do not see any options to modify this web filter policy. Strange behaviour...

    Kind regards, Matthias

  • 0 in reply to MatthiasHess

    Matthias,

    check on your policy rule if "Decrypt and Scan HTTPS" is enabled. Use log viewer to see which rule is applied.

    Luk

  • 0 in reply to lferrara

    Yes, this is and has always been disabled. In the web browser I can open webmail and it comes with the original CA, but using Outlook, SSL will be broken. It might be a combination of not 100% perfect Autodiscover configuration on the one hand and the processing in XG on the other hand.

    As I mentioned, I can reproduce the behaviour with only one Exchange Server 2013. When connecting to another one (both outside my organization), everything seems to be fine.

    Regards, Matthias

  • 0 in reply to MatthiasHess

    Good evening,

    with the help of a debugging proxy I found the reason for the certificate warning in Outlook and I think it is a bug of XG´s web filtering module.

    Let us assume the connection to Outlook Anywhere goes via mail.company.com. During autodiscover, Outlook automatically tries to establish a connection to the main domain company.com. However, company.com exists in DNS, but the server does not accept HTTPS connections. If I open that URL without XG web filtering in my browser, I get a "page cannot be displayed" error. After activating web filtering (without HTTPS scanning, of course), I get a certificate warning. If I ignore this and continue, I get a blank page. The CA of the certificate shown is from my Sophos XG.

    This is also the solution for the question why I could connect to another Exchange 2013 system without certificate warning. For this server, the URL https://company.com is available and thus there is no interference with the Sophos CA.

    Kind regards, Matthias

  • 0 in reply to MatthiasHess

    has anyone found a permanent fix for this?  we are using Office 365 with outlook client and autodiscovery.  I am also getting the certificate warning. 

    On our default outbound policy, we have not turned on HTTP or HTTPS malware scanning.  I have tried turning it on with an exception created for the office 365 domain, but I get the same result.

  • 0 in reply to ZaneDonaldson

    The only way to currently fix this is to deploy the SSL Certificate from the XG found under Protection > Web Server Protection > Certificate Authority and downloading it to the devices or deploying by Group Policy.

    The not advised way is to physically turn off web filtering.

    Neither are appropriate really (except in the first instance and you're proxying) and this does need to be fixed.

  • 0 in reply to Emile Belcourt

    Kind of a noob here. Which one do i download?

  • 0 in reply to BenA

    Hi Ben,


    This is the certificate you want to download and install as a trusted root certificate on your computers:

    Hope that helps,

    Emile

Reply Children
  • 0 in reply to Emile Belcourt

    Emile,

    I cannot agree with you that installing the Sophos SSL CA is a solution and it is the only solution.  This is not acceptable.

    I have different vendors visit my office all the time.  A lot of them use Office 365 emails.  How am I going to accommodate these visitors?  This is very embarrassing when I had to explain the issue to each of them.  These vendors might find my work unprofessional or suspect our firewall is lacking protection.

    More importantly.  How do I know if this SSL certificate issue will not break other things?

    I currently have to set the Web filter to None in order to avoid warning messages on my office staff's Outlook.  This work around is no good.

    I agree with Matthias that there is a bug within the XG's web filtering module.

    Ben