
Do you know HSTS?

Finally I'm trying web content filtering.

I have deployed on every client on my network the sophos certificate, except the mobile clients, and I have activated two basic rules in this order:

- Authenticated user -> Lan -> Wan -> HTTP and HTTPS scan -> no explicit content web filter

- All user -> Lan -> Wan -> no scan -> deny all content filter

So the unauthenticated user will be redirected to the authentication portal, as per the captive portal configuration.

The problem is Chrome + Google

When an unauthenticated client (for example a mobile device) opens Chrome (which, for Android mobile devices, is the most common browser), it shows the untrusted certificate page but does not allow continuing, so the user is never redirected to the login page.
With Internet Explorer, which does not yet support HSTS, the untrusted certificate page appears, but at the bottom there is a link to continue, and after that it loads the login page.
With Firefox you must first trust the modified Google/Sophos certificate, then the Sophos appliance certificate, and after that you are on the login page.
So the problem is only Chrome, but as said, for Android devices it is not a small problem.

With Chrome, if I go to an HTTPS website without HSTS, or to an HTTP page, everything works perfectly, with the Sophos login page correctly shown. The only problem is if, as users are used to doing, I search from the browser bar: that bar sends me to HTTPS://google.com, which has HSTS enabled.
Is there a way to solve this issue?

I know that Sophos uses the MITM technique to pop up the login page for unauthorized websites, but in my case I want to block ALL websites if the user is not authorized/authenticated. To do that I have used Web Content Filter with Deny All. Is there a configuration to do this without Web Content Filter? This could be a workaround for my specific case.

Many thanks

Manuel
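The behaviour described in the question comes from the browser's HSTS policy store: once a host is known to the browser as HSTS, a certificate error on it is fatal (no "proceed anyway" link) and even a plain http:// navigation is upgraded to https:// before it leaves the client, so the portal redirect never gets a chance. The following added example (not code from the post or from Sophos) models a minimal HSTS store per RFC 6797 and evaluates whether a captive-portal interception of a given URL can still reach the user; the header values and hostnames in it are constructed for illustration.

```python
import re
import time

def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m:
                max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

class HstsStore:
    """Browser-side HSTS policy cache keyed by host (preload list not modelled)."""
    def __init__(self, now=None):
        self.now = now or time.time          # injectable clock for testing
        self.policies = {}                   # host -> (expiry, include_subdomains)

    def observe(self, host, header):
        """Record a policy from a header seen on a successful HTTPS response."""
        max_age, include_sub = parse_hsts(header)
        if max_age is None:
            return                           # malformed: ignored per RFC 6797
        if max_age == 0:
            self.policies.pop(host.lower(), None)   # max-age=0 clears the policy
        else:
            self.policies[host.lower()] = (self.now() + max_age, include_sub)

    def is_known_host(self, host):
        """True if host, or a superdomain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy and policy[0] > self.now() and (i == 0 or policy[1]):
                return True
        return False

def can_show_captive_portal(store, url):
    """Can a transparent proxy with an untrusted CA steer this URL to a login page?"""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].split(":")[0]
    if store.is_known_host(host):
        return False   # HSTS host: http is upgraded and the cert error has no bypass
    return True        # plain HTTP redirect, or HTTPS with a click-through interstitial
```

Constructed sample usage: after `store.observe("google.com", "max-age=31536000; includeSubDomains")`, `can_show_captive_portal(store, "http://www.google.com/")` is False, while an HTTP or non-HSTS HTTPS site still returns True.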



Edited Tags
[edited by: Erick Jan at 11:19 PM (GMT -7) on 15 Sep 2022]