I am getting some strange behavior from the UTM running hte 9.192-8 firmware. In order to accomplish a request from a client, I had to enable HTTPS Decrypt and Scan filtering. I was getting certificate errors related to the UTM not being a Trust Root Authority, so I instlled the cert from the UTM as a trusted authority, andthat error went away. However, the new error I am getting indicates that certificates now have "Mismatched Names". After reviewing the certificates, the UTM is reissuing the certificates to the IP address of the requested site instead of the URL. If I input the IP address it issued the cert for, I get no certificate errors. I have attached some screenshots to show the issue.
azron, is your homepage https://google.com.au or is it Google (at which point your google settings will cause it to redirect to https). The behaviour may be different.
I'm thinking that this is an interaction between the AD SSO and the URL Filtering Only. What occurs is this: You visit https://google.com.au The UTM has no idea what user you are or whether you are allowed to go there. It must redirect you to an internal site first in order to do the authentication. In order to do a redirection of an https site it must enter itself into the SSL stream, and thereby passing you a certificate issued by itself. There is no way to authenticate a user without being part of the conversation, and there is no way to be part of an SSL conversation without full decryption. Ugly but necessary.
AD SOO in transparent mode will re-authenticate every five minutes. Which means you could be authenticated and busy visiting a bunch of HTTPS sites, then suddenly get an SSL certificate warning because it tried to re-authenticate.
azron, is your homepage https://google.com.au or is it Google (at which point your google settings will cause it to redirect to https). The behaviour may be different.
I'm thinking that this is an interaction between the AD SSO and the URL Filtering Only. What occurs is this: You visit https://google.com.au The UTM has no idea what user you are or whether you are allowed to go there. It must redirect you to an internal site first in order to do the authentication. In order to do a redirection of an https site it must enter itself into the SSL stream, and thereby passing you a certificate issued by itself. There is no way to authenticate a user without being part of the conversation, and there is no way to be part of an SSL conversation without full decryption. Ugly but necessary.
AD SOO in transparent mode will re-authenticate every five minutes. Which means you could be authenticated and busy visiting a bunch of HTTPS sites, then suddenly get an SSL certificate warning because it tried to re-authenticate.
