
Some URLs are blocked when using HTTPS Inspection

We are facing an issue of blocked requests when using the "Decrypt & Scan HTTPS" option for certain sites.

Here is an example:

https://channel9.msdn.com/ works

https://channel9.msdn.com/blogs works (it gets redirected to https://channel9.msdn.com/Browse/Blogs )

https://channel9.msdn.com/blogs/ea.azure.com results in a blocked request

 

If we turn off the "Decrypt & Scan HTTPS" option then the blocked site works.

Regarding HTTPS Inspection, the "Block unrecognized SSL protocols" and "Block invalid certificates" options are both not selected (i.e. disabled).

We are running SFOS 16.01.3 MR-2

 

Is anyone else facing this issue? Is there a solution?



  • Peter,

    I am able to surf on all the 3 sites and I have SSL Enabled. It depends on what filters you have enabled. You can check why the website is blocked using the Log Viewer > Web Log Filter

    Thanks.

     

  • Hi,

    to test access I enabled HTTPS scanning on my XG. Using Firefox, all attempts failed because the site is incorrectly configured and uses HSTS, so FF cannot add an exception.

    Tried to connect using Safari and all connections went through without an error.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • In order to get HTTPS working you have to import the SSL_Appliance CA. Some sites like Google and Facebook will not work and an HSTS error will appear. I have been using HTTPS Scanning since last October and it works with no issue (apart from Dropbox, where you have to create a web filter exception).

    Regards

  • I added a certificate to FF on the Mac and all sites work.

    I added the certificate to the iPad and Facebook is still broken.

    I will have to check the logs for clarification.

    It is not the XG blocking Facebook, but Facebook on the iPad not talking.

    XG115W - v19.5.1 mr-1 - Home


  • Thanks to everyone that tested the URLs that I posted and were able to tell me if they worked in their environment. Good feedback can be invaluable when trying to solve issues such as this.

    After more testing we worked out that the problem was the default Not Suitable for the Office user activity. In particular, the Not Suitable for the Office user activity includes the Executable Files file type. This file type includes .com files.

    This is what was causing sites like the one I posted above to be blocked.

  • Hi,

    Sorry, but I haven't understood your solution. Could you please explain it better?

    One URL example: https://www.deepl.com/translator, or downloading Chrome, or a lot of HTTPS URLs.

    The error is not shown in the log; it seems to be a navigator's error when I have installed the Sophos certificate.

    Please, I need help.

    Best regards.

     

     

     

  • Hi Ivan,

    The issue that we had was that the "Not suitable for the Office" user activity includes the "Executable Files" file type which blocks ".com" files.

    A URL such as the following would be incorrectly treated as a .com file and be blocked:

    https://channel9.msdn.com/blogs/ea.azure.com
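
The root cause described in the last reply, as an added example that is not part of the original thread and not Sophos code: a file-type rule that looks only at the extension of the last URL path segment will match a path that ends in a hostname-like string. The matching logic, the function names and the `exe` entry are assumptions made for illustration; the thread confirms only that `.com` is in the "Executable Files" file type.

```python
from urllib.parse import urlsplit

# Assumption: members of the "Executable Files" file type. The thread confirms
# only "com"; "exe" is added here for illustration.
EXECUTABLE_EXTENSIONS = {"com", "exe"}


def path_extension(url: str) -> str:
    """Return the lowercase extension of the last path segment, or ''."""
    path = urlsplit(url).path          # host and query string are excluded
    segment = path.rsplit("/", 1)[-1]  # text after the final "/"
    if "." not in segment:
        return ""
    return segment.rsplit(".", 1)[1].lower()


def matches_file_type_rule(url: str, extensions=EXECUTABLE_EXTENSIONS) -> bool:
    """True when an extension-only rule would classify the URL as a listed file."""
    return path_extension(url) in extensions


def audit(urls):
    """Return (url, extension, matched) tuples for a list of URLs."""
    return [(u, path_extension(u), matches_file_type_rule(u)) for u in urls]


# URLs quoted in the thread.
THREAD_URLS = [
    "https://channel9.msdn.com/",
    "https://channel9.msdn.com/blogs",
    "https://channel9.msdn.com/blogs/ea.azure.com",
    "https://www.deepl.com/translator",
]

if __name__ == "__main__":
    for url, ext, matched in audit(THREAD_URLS):
        print(f"{'MATCH' if matched else 'ok':5}  ext={ext or '-':4}  {url}")
```

Only the third URL matches, because the `.com` in a hostname is never examined while the `.com` at the end of the path is. Running a list of business-critical URLs through a check like this before enabling an extension-based file-type rule shows which ones need a web filter exception.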