Certificate problem: XG puts it's own certificate as root for LAN zone computers

Rimas,

are you using decrypt and scan on LAN to WAN firewall rule or whatever zone where the Server is placed?

Thanks

Hi, 

web server is in DMZ zone and decrypt and scan is not used:

Should it be used? 

BR, 

Rimas

Rimas,

try to disable the micro-app scanning from console:

system application_classification microapp-discovery off

and try again. If it fails, restart tomcat from XG advanced shell:

service tomcat:restart -dsnosync

Make sure you clear the browser cache.

Regards

Hi Luk, 

thanks for your reply.

I'd disabled  micro-app scanning, restarted tomcat and cleared browser's cache. Situation is the same, XG still put it's own sertificate when accessing from LAN..

Any more ideas?

BR, 

Rimas

Rimas,

thanks for the feedback. Are you access the website by ip or by fqdn?

Hi Rimas, 

The host address of xd.datakom.lt resolved to a Public address. Could you check if that is the same case for your internal host resolution? I would recommend you to check WAN to WAN rule. It is possible the request would be bounced back to the WAN from DMZ. If the IP host resolves to be internal then LAN to DMZ would take place. Otherwise, it would traverse through LAN to WAN and WAN to DMZ.  

Test traffic: console>tcpdump 'host <domain URL> and port 443 

create WAN to WAN rule and test again.

Hi Aditya, 

thanks for your reply.  I quess you are right. From LAN I'm able to open page using internal server IP, traffic goes by LAN to DMZ rule. Certificate is still by Sophos:

Tcpdump looks like this:

I cannot realize, how WAN to WAN rule would help in this situation. How it will force traffic to go LAN to WAN ant then WAN to DMZ? Could you explain a bit more?

Thanks!

BR, 

Rimas

Hi Luk, 

from LAN I an able to access using only internal IP of the server. External IP and FQDN is not working. Something is worng in my firewall rules, I quess..:(

BR, 

Rimas

Rimas,

Who is your default gateway? Using internal ip you still receive the XG certificate as I saw from the screenshot.

Please give us more info about your network.

Regards

Hi Rimas, 

As per the logs I suspect that you are using XG as a Proxy, if that is the case then you may need bypass the resolved address in Proxy settings. Could you check that would work ? If so you may push the policy via GPO to all systems in the domain.