Guest User!

You are not Sophos Staff.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 26 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 33005 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HTTPS errors accessing web sites from SSL VPN after v15 to v16 upgrade

MiroslavCacija

After upgrade form latest v15 to latest v16 ( SFOS 16.01.1 ), when connected remotely via SSL VPN, and trying to access any HTTPS site in remote network, I'm getting errors and cannot access any site. HTTPS scanning is disabled for VPN connections, but Sophos still intercepts HTTPS traffic when comming from VPN. Am I missing something ?

In v15 this was working normally, never had a problem with this.



This thread was automatically locked due to age.
  • 0 in reply to sachingurung

    Thanks but you are adding confusion...

    A LAN to VPN is needed....why? It is like, in order to be able to surf on internet a LAN to WAN and WAN to LAN rules are needed.

    Also, if the match know user is not needed because the authentication is already done by another process, make sure to:

    • remove the match know user option when VPN zone is inside the rule or
    • leave the option enabled (so even if the users enabled it) the rule works

    Dear Saching, on UTM9 everything was working as expected...on XG sometimes "strange" rules and behaviour are happening and this adds a lot of confusion to young XG users but even to expert users.

    This is an implicit aspect that XG has to improve a lot! I do not like this at all! Because I am used to think about logically before implementing any new configuration/modification on every appliance (Cisco, Fortinet, Sophos, etc...). Here the logic does not work anymore.

    Without your intervention, no one were able to find the right configuration (maybe drop-packet capture would help the troubleshooting).

    So make sure to guide users using the UI alerts/messages or KB ( I have wrote this many times here on community) and make sure that XG uses the same logical view like other Leaders UTM products.

    This will improve our sales and consideration on Sophos XG. The strengthness of UTM9 was the semplicity and logical workflow...on XG is still missing.

    So please make sure to pass this concept internally. We are waiting for better product on v17.

  • 0 in reply to lferrara

    I feel we are going in wrong direction. VPN works perfectly fine with this set of rules ( and it was working exactly I wanted to in previous firmware ), even now I can access any server via RDP, I can access network shares, I can browse HTTP web on remote network, but ONLY when I try to browse HTTPS site, I'm unable to !

    HTTPS is the problem, Sophos intercepts HTTPS traffic in VPN, and there is no obvious reason for it to do that !

  • 0 in reply to MiroslavCacija

    What's the fuzz about "bi-directional rule requirement" ?
    If packets didn't make it back, TS simply wouldn't get a certificate error.

    Why is the masquerade required on the VPN->LAN rule ? Try without it.
    Also try adding in "Web -> Exceptions" an https decryption exception for internal server name.

  • 0 in reply to MiroslavCacija

    Hi ,

     

    I see you you have selected "Match Known Users" in Firewall Rule, so it is trying to throw a captive portal or Denied Message before accessing the bookmark.

     

    Can you disable it and check ?

    Also you can disable HTTPS redirection of captive portal from Configure --> Authentication --> Services --> Captive Portal Uses  HTTPS 

  • 0 in reply to sixteen again

    sixteen again said:
    Why is the masquerade required on the VPN->LAN rule ? Try without it.
    Also try adding in "Web -> Exceptions" an https decryption exception for internal server name.

     

    Tried, but still the same... thx.

  • 0 in reply to prateek.singh

    prateek.singh said:

    Hi ,

     

    I see you you have selected "Match Known Users" in Firewall Rule, so it is trying to throw a captive portal or Denied Message before accessing the bookmark.

     

    Can you disable it and check ?

    Also you can disable HTTPS redirection of captive portal from Configure --> Authentication --> Services --> Captive Portal Uses  HTTPS 

     

     

    Tried, still the same ... very strange.

    Didn't have a single problem with it in previous firmware ...