Certificate problem: XG puts its own certificate as root for LAN zone computers

Hi all,

 

We have an issue with using public certificates when browsing from XG LAN zone PCs.

As an example, we are using a StartCom certificate for the site https://xd.datakom.lt (I use the IE browser). From outside it is working, and the certificate is OK:

SSL checker gives a thumbs UP:

https://www.sslshopper.com/ssl-checker.html?hostname=https%3A%2F%2Fxd.datakom.lt

But if we try to access this from our XG LAN zone computer, we get a certificate error, the page does not load properly at all, and the CA is shown as Sophos_SSL_CA_... (same for all browsers).

Our device - XG115w (SFOS 16.05.3 MR-3).  In Certificates -> Certificate Authorities there are StartCom Authorities added:

 

What could be wrong in this case? Maybe someone had similar problems?

Please help.

 

BR, 

Rimas



  • Hi Rimas, 

    The host address of xd.datakom.lt resolved to a public address. Could you check if that is the same case for your internal host resolution? I would recommend that you check the WAN to WAN rule. It is possible the request would be bounced back to the WAN from DMZ. If the IP host resolves to be internal, then LAN to DMZ would take place. Otherwise, it would traverse through LAN to WAN and WAN to DMZ.

    Test traffic: console> tcpdump 'host <domain URL> and port 443'

    Create a WAN to WAN rule and test again.
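
A small Python check for the two observations this thread turns on, added here as an example and not code from either poster or from Sophos: which path the reply's reasoning predicts from the addresses a LAN client resolves, and whether the issuer name carries the Sophos_SSL_CA_ prefix quoted in the question. The addresses and issuer names below are constructed, and the issuer tuples follow the shape of `getpeercert()["issuer"]` in Python's `ssl` module.

```python
import ipaddress

# RFC 1918 ranges: an answer inside one of these means internal DNS points the
# name at the server's private address (the reply's "LAN to DMZ" case).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Prefix of the CA name shown in the question; the rest is elided there.
PROXY_CA_PREFIX = "Sophos_SSL_CA_"


def issuer_cn(issuer):
    """Return commonName from an issuer in ssl getpeercert()['issuer'] shape."""
    for rdn in issuer:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def traffic_path(addresses):
    """Map resolved addresses to the firewall path described in the reply."""
    if not addresses:
        return "unresolved"
    internal = [any(ipaddress.ip_address(a) in net for net in RFC1918)
                for a in addresses]
    if all(internal):
        return "LAN to DMZ"
    if not any(internal):
        return "LAN to WAN, then WAN to DMZ"
    return "mixed"


def diagnose(addresses, issuer):
    """Combine the DNS view and the certificate issuer seen by one client."""
    cn = issuer_cn(issuer)
    return {
        "path": traffic_path(addresses),
        "issuer_cn": cn,
        "resigned_by_firewall": bool(cn and cn.startswith(PROXY_CA_PREFIX)),
    }


# Constructed samples: a LAN client that resolves the public address and sees
# a firewall-issued certificate, and an outside client that sees the site's CA.
LAN_ISSUER = ((("commonName", "Sophos_SSL_CA_EXAMPLE"),),)
OUTSIDE_ISSUER = ((("organizationName", "Example Org"),),
                  (("commonName", "StartCom Example CA"),))
LAN_VIEW = diagnose(["203.0.113.10"], LAN_ISSUER)
OUTSIDE_VIEW = diagnose(["203.0.113.10"], OUTSIDE_ISSUER)
```

`getpeercert()` returns an empty dict when the chain was not validated, so on a client that does not trust the firewall CA the issuer name has to be read from the browser's certificate dialog or another tool.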
