
Sophos UTM 9 HTTPS Blocking Behaviour

I am evaluating a Sophos UTM 9.601-5 appliance from the AWS Marketplace AMI. The goal is to replace a Squid proxy solution.

For blocked HTTPS pages, the desire is that when the client issues the HTTP CONNECT method it is immediately returned a 403 Forbidden. When I set up the Sophos UTM device, the behaviour is to return a self-signed certificate and a block page. The problem is that this self-signed certificate will break clients, and there is no easy way to roll out a root CA.

Is there any way to change this behaviour?

Thanks for your help.



  • What you want is not possible.

    If your browser sends a query to server1, it will accept a reply from server1, but it will ignore an unsolicited response from server2. If the browsers worked otherwise, we would be dealing with a bunch of different attack methods.

    HTTP requires no authentication, so any device can claim to be server1 and send a reply. UTM can display those block pages without any problems.

    HTTPS requires authentication, so blocking the traffic requires impersonation. UTM generates the certificate to impersonate. If the browser does not trust the certificate, it will display a certificate warning page or other error. You have limited options:

    • Distribute the UTM CA Root so that UTM can impersonate successfully.

    • Do not distribute the certificate, but teach your users that a certificate warning might mean that the page was blocked.  If they click through the warning, they will see the block method.  On the other hand, we also need to teach users to be wary of certificate warnings, as it could mean that they have been misdirected to a hostile site.

    • Switch to XG, which has an option to drop the packet silently, which will cause the browser to display a timeout error after its wait timer expires.   If you are blocking Web Ads, as I do, I would expect silent block to create pernicious delays on many sites, delays that I expect users would find unacceptable.  I have not used XG, the option was discussed in another recent post asking similar questions.


  • Hi Joel and welcome to the UTM Community!

    Doug already gave an excellent answer, but I'm a bit confused by your question - is this what you want when the client tries to access a page with HTTP when only HTTPS is allowed?  Where are the clients?  Are they your coworkers or is this a service?  Are you looking for the functionality of Webserver Protection and have just tested Web Filtering?

    Cheers - Bob
    PS Moving this thread to the Web Protection forum.

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob and Doug,


    Thanks for your replies. Yes, the behaviour we were trying to emulate was that when the client asks the proxy for an HTTP CONNECT to a resource that is denied, it is immediately given a "403 Forbidden".


    This is how Squid behaves:

    Client talks to squid port 3128 (HTTP)

    Client requests "HTTP CONNECT" (HTTP)

    Squid responds "403 Forbidden" (HTTP)

    This is before the SSL connection is established.


    Can Sophos UTM or Sophos XG support this behaviour?
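The exchange Joel describes above (client sends CONNECT over plain HTTP, proxy answers 403 before any TLS handshake) as an added, stand-alone example that is not part of this thread and not Squid or Sophos code. The deny list and the hostnames `blocked.example`, `ads.example` and `allowed.example` are constructed for the demo; the server only implements the policy decision and does not relay bytes for the 200 case.

```python
"""Minimal explicit-proxy CONNECT handler: deny with 403 before TLS starts.

Added example for illustration only; not Squid's or Sophos UTM's code.
"""
import socket
import threading

# Constructed deny list (hypothetical hostnames, not from the thread).
BLOCKED = {"blocked.example", "ads.example"}

# 403 sent in the clear, in the HTTP layer that carries the CONNECT request.
# The client never starts a TLS handshake, so no forged certificate is needed.
FORBIDDEN = (b"HTTP/1.1 403 Forbidden\r\n"
             b"Content-Type: text/plain\r\n"
             b"Content-Length: 24\r\n"
             b"Connection: close\r\n\r\n"
             b"Blocked by proxy policy\n")
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
ESTABLISHED = b"HTTP/1.1 200 Connection established\r\n\r\n"


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request line, or None if it is not one."""
    line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split()
    if len(parts) != 3 or parts[0] != "CONNECT":
        return None
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        return None
    return host.lower(), int(port)


def decide(request: bytes, blocked=BLOCKED) -> bytes:
    """Policy: 403 for a blocked host (or any of its subdomains), else 200."""
    target = parse_connect(request)
    if target is None:
        return BAD_REQUEST
    host, _port = target
    if host in blocked or any(host.endswith("." + b) for b in blocked):
        return FORBIDDEN
    return ESTABLISHED  # a real proxy would now relay bytes to the upstream


def serve_once(listener: socket.socket) -> None:
    """Accept one client, read its request headers, answer, and close."""
    listener.settimeout(5)
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(2)
        req = b""
        while b"\r\n\r\n" not in req:
            chunk = conn.recv(4096)
            if not chunk:
                break
            req += chunk
        conn.sendall(decide(req))


def connect_via_proxy(host: str, port: int = 443) -> str:
    """Client side: send CONNECT to the demo proxy and return its status line."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port on loopback only
    listener.listen(1)
    worker = threading.Thread(target=serve_once, args=(listener,), daemon=True)
    worker.start()
    with socket.create_connection(listener.getsockname(), timeout=2) as client:
        client.sendall(
            f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()
        )
        resp = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            resp += chunk
    worker.join(2)
    listener.close()
    return resp.split(b"\r\n", 1)[0].decode()


if __name__ == "__main__":
    print(connect_via_proxy("blocked.example"))   # HTTP/1.1 403 Forbidden
    print(connect_via_proxy("allowed.example"))   # HTTP/1.1 200 Connection established
```

The browser sees the 403 as an ordinary HTTP response to its CONNECT, so it shows a proxy error rather than a certificate warning; the trade-off is that the proxy only knows the hostname and port, not the URL path, when it makes the decision.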

  • We still don't know where the clients and web servers are Joel.

    Cheers - Bob

  • Hi Joel,

    This can be done, but ONLY if the client sends the HTTP GET before the SSL session is established (it always sends the request on HTTP first).

    An example of this: if you block domain.com, typing http://domain.com in your browser will give you a Sophos block page; if you type https://domain.com you will get a certificate error (if you didn't push the CA).