
Sophos XG breaks SSL when connecting to Outlook Anywhere

Hi, I have set up a virtual XG firewall at home. I have created an "allow all" policy for the web filter and have switched off the "Scan HTTPS" feature. In my web browsers, this works fine and I see the SSL certificates of all the websites I visit.

When I start Outlook and connect to the mailbox of my company, I get a certificate warning from Outlook 2013 that shows the Sophos CA. Obviously, the XG appliance is breaking SSL for the connection to Outlook Anywhere. The company is running Exchange Server 2013.

When I connect to another Exchange 2013 system, the certificate warning does not appear, which totally confuses me. I assume this issue might be related to Exchange 2013 autodiscover, but I am sure it is related to Sophos XG as well. I did not have this problem with UTM 9 that I have been using before migrating to XG.

Do you have any ideas on how to resolve this issue?

Kind regards, Matthias



  • Hi Matthias,

    I was trawling through this thread, trying in vain to get a result, and discovered one thing I didn't check - DNS records.

    For our organisation, we had an autodiscover CNAME record set to autodiscover-s.outlook.com. This was all very well and ensured autodiscover worked, but it kept giving the certificate issue. This was even with the SSL appliance cert pushed out to all clients.

    I found that removing the CNAME record and exchanging it for an SRV record (_tcp, port 443) on our DCs resolved our issues completely.

    Might be obvious to some, but it's another place to look if you do get stuck!
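As an added diagnostic (not from this thread or from Sophos), the following PowerShell script shows which autodiscover record a domain publishes, then opens a TLS session to the endpoint Outlook would use and prints the certificate it actually receives, so a firewall-issued certificate (inspection in the path) can be told apart from a plain name mismatch (the CNAME case above). The domain `example.com` and the issuer pattern `Sophos` are assumed placeholders; adjust both.

```powershell
# Added diagnostic script; assumes DNS and port 443 are reachable from this host.
param(
    [string]$Domain = "example.com",        # placeholder: your mail domain
    [string]$InspectionCaPattern = "Sophos" # placeholder: issuer text of the firewall CA
)

# 1. Which autodiscover record exists? A CNAME makes Outlook connect to
#    https://autodiscover.$Domain, so the certificate served must carry that name.
#    An SRV record sends Outlook to the SRV target, whose own certificate must match.
$cname = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
$srv   = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority | Select-Object -First 1

if ($cname) { "CNAME autodiscover.$Domain -> $($cname.NameHost)" }
if ($srv)   { "SRV   _autodiscover._tcp.$Domain -> $($srv.NameTarget):$($srv.Port)" }
if (-not $cname -and -not $srv) { "No autodiscover CNAME or SRV record found for $Domain" }

# 2. Fetch the certificate presented for a host name (SNI = the name we ask for).
function Get-TlsCertificateInfo {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any chain here: the goal is to see the issuer, not to validate it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host     = $HostName
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            DnsNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        }
    } finally { $client.Close() }
}

# 3. Does one of the certificate names cover the target? ('*.x' treated as a wildcard label)
function Test-CertificateNameMatch {
    param([string[]]$Names, [string]$Target)
    foreach ($n in $Names) {
        if ($n -eq $Target) { return $true }
        if ($n.StartsWith('*.') -and ($Target -like $n)) { return $true }
    }
    return $false
}

$target = if ($srv) { $srv.NameTarget } else { "autodiscover.$Domain" }
$info = Get-TlsCertificateInfo -HostName $target
$info | Format-List
if ($info.Issuer -match $InspectionCaPattern) { "WARNING: certificate issued by the firewall CA; TLS inspection is in the path for $target" }
if (-not (Test-CertificateNameMatch -Names $info.DnsNames -Target $target)) { "WARNING: certificate names do not cover $target (name mismatch)" }
```

Run it once per record type you are testing; with a CNAME to autodiscover-s.outlook.com the certificate names will be Microsoft's, not your own autodiscover name, which reproduces the warning described above.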
