
[Workaround] Quarantine Digest Email IP instead of hostname

The Quarantine Digest Email settings only let you select an IP address based on Port/Alias, instead of allowing you to specify a hostname. This causes a certificate error when clicking the "My Account" or "Release" links in the email.

The admin console and user portal have the same SSL certificate applied. Using a self-signed certificate with the IP address as the common name results in the User Portal (and by extension, the links in the Quarantine Digest email) working internally without a certificate warning, provided that the appliance CA has been added to the Trusted Root Certificates on all domain computers. This is fine if the User Portal does not need to be accessed externally. If your users need to access the User Portal from the WAN, say for downloading the VPN client or accessing Clientless bookmarks, they will get a certificate warning and possibly be blocked from bypassing it. Even adding the appliance CA to the Trusted Root Certificates won't work because the IP is different and they are probably using a DNS hostname...

Using a third-party SSL certificate with the hostname, or wildcard, will work for external access via the DNS hostname, and even internal access if split DNS is configured; but the links in the Quarantine Digest only use IP addresses, which will lead to the certificate warning when clicked...

The workaround we've settled on for now is a $300 SSL certificate... DigiCert allows you to buy a multi-domain certificate which supports external IP addresses. So I set the Quarantine Digest email to use the WAN IP, and purchased the certificate with that IP as the common name and the subdomain hostnames we use as subject alternative names. DigiCert support was great and I had my certificate within 10 minutes of ordering. The Quarantine Digest emails now work as expected.

Downsides:

  • $300/yr certificate
  • Already had a wildcard certificate for use elsewhere
  • Must enable WAN HTTPS Device Access for the Release link to work externally
  • Should not be necessary!

Upsides:

  • It works

Sophos, please, let us set a hostname for these links! Or just tell me what files to modify in the advanced console to change it manually. There is already a feature request for hostname support and I have upvoted it.
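As an added example (not code from the original post or from Sophos), the three certificate shapes described above are built as throwaway self-signed certificates and checked with OpenSSL's own IP and hostname verification, which is the same decision a browser makes when a digest link opens by IP. The IP and hostname values are constructed placeholders, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: which names does each certificate layout actually cover?
# Values below are constructed placeholders, not the poster's real addresses.
WAN_IP="203.0.113.10"          # stand-in for the appliance WAN IP used in digest links
PORTAL="portal.example.com"    # stand-in for the public User Portal hostname

# make_cert OUT.pem "SAN list": self-signed cert with CN=$WAN_IP and the given SAN.
make_cert() {
  out=$1; san=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "${out%.pem}.key" -out "$out" \
    -subj "/CN=$WAN_IP" -addext "subjectAltName=$san" >/dev/null 2>&1
}

# accepts CERT ip|host NAME: exit 0 when the cert is valid for that IP or hostname.
# The cert is trusted as its own CA, i.e. the "appliance CA added to Trusted Roots"
# situation from the post, so only the name check can fail here.
accepts() {
  cert=$1; kind=$2; name=$3
  case $kind in
    ip)   flag=-verify_ip ;;
    host) flag=-verify_hostname ;;
    *)    return 2 ;;
  esac
  openssl verify -CAfile "$cert" "$flag" "$name" "$cert" >/dev/null 2>&1
}

# Build the three certificate shapes discussed in the post.
WORK=$(mktemp -d)
make_cert "$WORK/ip-only.pem"  "IP:$WAN_IP"              # self-signed, IP as the name
make_cert "$WORK/wildcard.pem" "DNS:*.example.com"       # third-party wildcard cert
make_cert "$WORK/multi.pem"    "IP:$WAN_IP,DNS:$PORTAL"  # multi-domain: IP + hostname

# check CERT ip|host NAME: one-line verdict for the reader.
check() {
  if accepts "$@"; then echo "OK       $(basename "$1") for $2 $3"
  else                  echo "MISMATCH $(basename "$1") for $2 $3"; fi
}
check "$WORK/ip-only.pem"  ip   "$WAN_IP"   # digest links by IP work ...
check "$WORK/ip-only.pem"  host "$PORTAL"   # ... but the external hostname warns
check "$WORK/wildcard.pem" host "$PORTAL"   # hostname access is fine ...
check "$WORK/wildcard.pem" ip   "$WAN_IP"   # ... but the IP-based digest links warn
check "$WORK/multi.pem"    ip   "$WAN_IP"   # IP and hostname SANs: both accepted
check "$WORK/multi.pem"    host "$PORTAL"
```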


