[CONFIRMED] [7.350] Disabled Exeptions are still active

Hi Astaro-Team,

sorry till now I don't get your magic flow right into my brain. -have had a long day...
To scan the https-content you need a kind of Man-In-The-Middle scenario.

I've done a simple Setup:
Internal Workstation using HTTPS Proxy => ASG V7350 => WWW => FIREWALL ONLY ALLOW OUTSIDE BETA ASG IP => Apache SSL running on WWWIP:443

This won't work, I only get a blank page.
-How do you deal with self signed certificates?
-Could you forward me a Netflow diagram?

Remote administration throug the proxy won't work beacause the WebAdmin Certs are all self signed.

Parents

0 Gert Hansen over 16 years ago

Hi ToDo,

in order to trust self signed certificates you need to create an exception and use the option 'skip Certificate Trust Check' and add the hostnames or ip addresses of the devices you want to connect to and which you trust.

As an alternative you can also upload the certificates from the trusted servers, even self signed, than the proxy also trusts these certs.

i hope that helps to win back you school it. [:)]

Sorry kids ...
Regards
Gert
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Gert Hansen over 16 years ago

Hi ToDo,

in order to trust self signed certificates you need to create an exception and use the option 'skip Certificate Trust Check' and add the hostnames or ip addresses of the devices you want to connect to and which you trust.

As an alternative you can also upload the certificates from the trusted servers, even self signed, than the proxy also trusts these certs.

i hope that helps to win back you school it. [:)]

Sorry kids ...
Regards
Gert
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 ToDo over 16 years ago in reply to Gert Hansen

Hi Gerd,

I missed the Certificate Trust Check button on the exception page.
Thank you for your kind briefing and schooling.

This caused us to another bug report:
Disabled Exeptions are still active.

Nice weekend!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ToDo over 16 years ago in reply to ToDo

I hope you will take care of this...

If we got an error in the backend it would be nice to forward this to the end user which is opening the page.
Sample: error="unable to get local issuer certificate" => blank page
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ToDo over 16 years ago in reply to ToDo

Do you have further information about the (Add exception for this URL) Button?

If I would allow "host.domain.local/.../demo.png" what will happen

Kind Regards

ToDo
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 svens over 16 years ago in reply to ToDo

The exception is won't work for https://host.domain.local/image/demo.png, because it only matches for https://host.domain.local/official-demo/index.pl (and URLs below that). If you want to create an exception for the complete Host, you have to

a) either browse to https://host.domain.local/ and click 'Add exception for this URL'

or

b) Add an exception in WebAdmin manually.

Cheers,

Sven.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 ToDo over 16 years ago in reply to svens

Hi Seven, thank you...

Any user is able to add an exception?

Just disabled the exceptions created by HTTP Proxy in WebAdmin.
Was the main bugreport fixed in version 7.380, because this doesn't enforce the change?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 jasggomes over 16 years ago in reply to ToDo

HI, is this related to this:
https://community.sophos.com/products/unified-threat-management/astaroorg/f/95/t/67104 ?

if i understood this correctly should I enter the URL for instance "webmail.mydom.com" in the exception?

The presence of an "^" on the beginning of the exception is making things not working. Needed to edit manually.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel