
Android based mobile phones and Sophos UTM

Hi all,

after a long and happy time using Windows Phone I decided to go back to Android because there are no more updates for Windows Phone. Windows Phone worked fine with Sophos UTM and SSL inspection.

Now I'm thinking about using the Android phone with the web proxy of the Sophos UTM including SSL inspection. But I know from the past with older Android versions there were exceptions for the proxy rules, and the installation of the proxy certificate didn't help to get access to TLS-secured web sites. Currently the Android phone is completely excluded from using the proxy, but this isn't a really good solution.

Can someone help me get the Sophos UTM proxy with SSL inspection working for Android-based mobile phones? Currently I'm running Sophos UTM 9.509-3 and Android Oreo (8.0) with the newest patches (Android One).



  • No problem with today's versions of Android: https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/45042/android-phone-ssl-traffic-filtering/161451#161451

    That worked with one I have.

    EDIT 2018-04-29: This did not work.  See below.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    thank you for this hint. This doesn't seem to work as expected:

    1. The certificate isn't trusted by Google Chrome and Microsoft Edge because of the error "NET::ERR_CERT_AUTHORITY_INVALID". And Chrome shows that the cipher suite is old.
    2. The Android phone checks the WLAN connection for internet access. And it looks like it can't trust the proxy certificate when checking the internet connection, and so the WLAN connection isn't working correctly. It looks like the mobile phone is calling https://www.google.com for checking the internet access. So you have to make an exception rule for SSL interception for this URL.
    3. Google Play Store isn't working any more. What are the exceptions for it to get it working?
    4. Google Maps isn't working.
    5. ...

    It looks like all the Google apps can't use the certificate. So there are a lot of exceptions needed. Is there a documentation for this from Sophos available?

    Kind Regards

    TheExpert

  • Hi all,

    I tried with a new proxy certificate, but this doesn't change the behavior of not trusting the certificate. Maybe this is because of saving the certificate in the user store and not in the trusted certificate store on the Android device.

    With some further investigations I found out that there are some more proxy exceptions needed for the Google services (Play, Maps etc.). I configured these exceptions for not doing SSL-related checks:

    And Matching these URLs:
    ^https?://([A-Za-z0-9.-]*\.)?googleapis\.com/
    ^https?://([A-Za-z0-9.-]*\.)?google\.com/
    ^https?://play\.googlezip\.net/
    ^https?://([A-Za-z0-9.-]*\.)?gvt1\.com/[A-Za-z0-9.-]*
    ^https?://app-measurement\.com/

    But I don't get all content: In YouTube the preview pictures aren't visible. The same is for Play Store. For some apps I see the icons for others not. I didn't find out yet which URLs are accessed for showing all of the content. At the moment I only see one of the URLs above.

    UPDATE: To import self-signed certificates as trusted CA, Android seems to need a special basic constraints extension. See https://stackoverflow.com/questions/37281958/how-to-trust-self-signed-certificate-on-android. Can you confirm this? And how do I add this to the existing proxy certificate?

    Kind Regards

    TheExpert
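    The post above leaves open which hosts are still being SSL-inspected (and therefore fail on the untrusted proxy CA). The following added example, not from the thread or from Sophos, replays the five exception patterns quoted above against a constructed list of request URLs, reports the ones no exception covers, and derives a candidate exception in the same form for each uncovered host. The sample hostnames and the two-label domain heuristic in suggest_exception are assumptions.

```python
import re
from urllib.parse import urlparse

# The five "Matching these URLs" exception patterns from the post above,
# copied verbatim. A request matching any of them skips SSL scanning.
SKIP_SSL_PATTERNS = [
    r"^https?://([A-Za-z0-9.-]*\.)?googleapis\.com/",
    r"^https?://([A-Za-z0-9.-]*\.)?google\.com/",
    r"^https?://play\.googlezip\.net/",
    r"^https?://([A-Za-z0-9.-]*\.)?gvt1\.com/[A-Za-z0-9.-]*",
    r"^https?://app-measurement\.com/",
]
_COMPILED = [re.compile(p) for p in SKIP_SSL_PATTERNS]


def matching_pattern(url):
    """Return the first exception pattern that matches url, or None if the
    request would still be SSL-inspected with the proxy CA."""
    for pat in _COMPILED:
        if pat.match(url):
            return pat.pattern
    return None


def uncovered(urls):
    """Return the URLs (in order) that no exception covers."""
    return [u for u in urls if matching_pattern(u) is None]


def suggest_exception(url):
    """Build a candidate exception in the same shape as the list above from
    the host of an uncovered URL. Assumes a two-label registrable domain
    (ytimg.com); suffixes such as co.uk need manual adjustment."""
    host = urlparse(url).hostname or ""
    domain = ".".join(host.split(".")[-2:])
    return r"^https?://([A-Za-z0-9.-]*\.)?" + re.escape(domain) + "/"


# Constructed sample of requests an Android phone might make; the hostnames
# are illustrative, not a captured log from the thread.
SAMPLE_REQUESTS = [
    "https://www.google.com/generate_204",            # connectivity check
    "https://play.googleapis.com/log/batch",
    "https://r1---sn-abc.gvt1.com/edgedl/update.zip",  # app/OS downloads
    "https://app-measurement.com/config/app/1",
    "https://i.ytimg.com/vi/abc123/hqdefault.jpg",     # YouTube thumbnails
    "https://lh3.googleusercontent.com/icon.png",      # Play Store artwork
    "https://www.example.com/search?q=google.com/",    # host anchoring check
]

if __name__ == "__main__":
    for u in uncovered(SAMPLE_REQUESTS):
        print(f"{u}\n    candidate exception: {suggest_exception(u)}")
```

    Running it on a real UTM access log (the URL column of the web filtering log) instead of SAMPLE_REQUESTS shows which hosts still need an exception before the pictures and icons load.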

  • I noted in my post above that this didn't work for me.  For some reason, my tests from Chrome were going out over the LTE connection.  Sorry, I don't have time to play with this now.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA