SophosXG SFOS 16.01.0 Decrypt & Scan HTTPS Issues

Hello Folks, 

I wonder if someone will be able to help here with the Decrypt & Scan HTTPS option in the firewall rule. For Google safe search it needs to be enabled, because without the option enabled I can browse any dirty image on the internet using Chrome. When I enable Decrypt & Scan HTTPS and browse some of these websites like Twitter, Facebook, MBNA, I get the SSL error 'Your connection is not Private' 'NET::ERR_CERT_AUTHORITY_INVALID'.

I installed the Sophos CA certificate on my laptop & mobile phone. That resolved the above issue on the above specific websites, but then I started getting issues with outlook.com. If I browse the URL using Chrome I get a connection issue, whilst if I browse the URL using IE 11 all is good. Now I can live with that, assuming this is just a bug & will be resolved, but the Android Outlook app on my phone stops working too, which I use all the time; it complains of no internet connection, and so does OneDrive.

Is there anything I can try to fix the issue?

Many Thanks in advance.

Alam   



  • Alan,

    Can you share the error screenshot?

    For your mobile, you can create a rule above where you allow mail to your email server and where you disable decrypt and scan, as a workaround.

  • Hi Luk,

    I am sorry, a bit embarrassing, I cannot reproduce the error on my PC; it seems OK. But on the phone I still have the issue: outlook.com & OneDrive are both not working, it says 'no internet'. The rest seems to be good; not sure why I was having the issue before, I even cleared the cookies and browsing history. So I create a new rule similar to what I have but don't use decrypt & scan. I will also have to move the user from the group.

      

     

  • Hi Hammer,

    What mobile phone were you using? I am aware there are issues where the cert store for the phone is not accessible by some apps and they maintain their own (iOS + Chrome for instance).

    Emile

  • Hi Emile,

    Thanks for your response. I like XG more than SG & want to keep it that way. But this is my problem now: in order to use safe search I have to use the gateway's certificate & in the firewall rule check the option decrypt & scan HTTPS, else safe search in Google doesn't work, that is for sure.

    I have installed the Sophos Network Agent on Windows 10 PCs. All seems good, policies seem to be working and so does the safe search; that side is happy. On the flip side I have my mobile phone, which is an LG G4 Android. If I install the certificate all seems to work, but the Outlook app & OneDrive stop working and I use them heavily. Hence to rectify that I made a separate rule just for my mobile phone with decrypt & scan unchecked, as suggested above by Luk.

    On a separate note, if I install the Sophos Network Agent on my son's iPad mini 4, which is on iOS 10, because I want safe search to be enabled, it does not even hit Authentication as I see in the firewall rule, basically bypassing the restricted rule, and can get to everything. If I do clientless authentication I then start getting an HSTS error due to the certificate, so all mobile devices now use the same firewall rule with no decrypt & scan enabled. This keeps them away from porn sites but not from browsing any porn photos in Google Images, which kills the point.

    I am now not sure how to really resolve this issue. Maybe the next release will sort this out. If you have any better suggestions I am happy to give it a whirl.

    Alam