To figure out how it works and test how good it is, I decided to do some testing on SNI and felt it worthwhile to document as Angelo's quick explanation doesn't serve it justice to how impresively powerful it can be.
The biggest thing to note is that access from transparent clients that do not support SNI are filtered and logged by destination IP and may result in being uncategorized.
The transparent proxy with SNI is about as powerful as the standard proxy with HTTPS scanning disabled. When the UTM sees the SNI, it performs a DNS lookup. If it fails, the UTM returns certificate by the IP address the client attempted to contact and a webpage stating host not found. If the DNS lookup succeeds, the UTM proxies the access to a matching IP address, even if the client attempts to contact a non-matching IP address. In example, a client thinks Example Domain is at 192.0.2.1 but the UTM can't resolve it, the UTM returns a certificate for 192.0.2.1 issued by the current internal CA and the typical "Host not found" block page. If the UTM instead resolves it to 198.51.100.1, the connection will be proxied to 198.51.100.1 and not 192.0.2.1.
RFC recommended IP addresses and domain name used above.
Guest User!
You are not Sophos Staff.
