
SPX Encrypted Email and Certificates

I'm having issues figuring out how to set this up correctly. Admittedly, I'm not very confident in my understanding or application of SSL certificates. I asked a similar question, but feel it was a little too in-depth, so I'm trying again, just the basics.

We have an SG330, UTM 9.3; we use web filtering with Active Directory, standard mode. Our appliance is in bridged mode. Web filtering has worked fine; it was set up by the original admin. We want to use SPX encryption with the reply and set-your-own-password option.

Issue: Certificate warnings. Internally and externally when clicking the link to register a new password when you get an SPX email.

Defeats the purpose of sending a "secure" email if the recipient gets a security warning... doesn't feel too safe. 

To complicate matters we have an old domain of company.local. So our browsers and what-not point to sophos.company.local 

Internally we've set up another "sophos.company.com" hostname in DNS that points to the appliance also. On the WWW, sophos.company.com resolves to our external IP, which then gets directed to the sophos.company.local (IP) device (if it came in on the SPX port). So, reaching the device from in/out is no issue. The SPX "hostname" setting is sophos.company.com. Our actual device's hostname is sophos.company.local.

How and where do we assign a certificate that secures that "sophos.company.com" hostname so users of the SPX portal don't get certificate errors?

I hope that makes sense.



  • I'm not aware of any way to accomplish this at the command line or in WebAdmin as there is with some proxies - I think there's no way except changing the host name.  Before doing the following, you should confirm this with Sophos Support.

    Use the trick referred to in The Zeroeth Rule in Rulz to change the host name of your UTM.  This will cause a regeneration of all of your certificates and require you to re-distribute any Remote Access configurations using certificates (usually SSL VPN and Cisco Client).  Site-to-Site connections using X509 certs similarly will be affected.

    You should be able to avoid having to redistribute the HTTPS Signing CA by downloading it prior to the re-naming and uploading it after.

    Cheers - Bob

  • Digging this back up, I ended up finding a very easy fix to this, no hostname change required. It was pretty much a "duh!" moment once I fully understood how and which features we were using.

    We use AD and Standard filtering. So, we set the IE proxy with GPOs. We don't inspect HTTPS traffic, so we don't use a certificate there...

    Therefore, our UTM only presents certificates to people accessing the WebAdmin or SPX portal. Well, TADA! As long as the utm.company.org name directs to the device, a certificate issued to that name will work without issue. The proxy users can hum along happily with the utm.company.local name of the device.

    No need to change the hostname. So much simpler than I was making it.

    For people who find this thread in the future, we:

    1. Generated a certificate signing request and key with openssl, sent CSR text to Namecheap for a $9 SSL cert

    2. Downloaded the cert, it comes in P7B format

    3. Used openssl to convert this to P12

    4. Uploaded to certificate management as p12 with password (specified in step 1.)

    5. Set Webadmin to use the new cert (and in turn this makes SPX use it)


    I think allowing different cert usage, especially for things like SPX, would be really beneficial.
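The five steps in the post above as an added shell example; this is not from the thread or from Sophos. It assumes the placeholder hostname sophos.example.com and, so that it runs offline, substitutes a self-signed certificate wrapped in a P7B for the CA's reply in step 2. It also adds the check a practitioner would want before uploading: that the leaf certificate actually names the SPX hostname as a SAN.

```shell
#!/bin/sh
# Added example, not from the thread: the CSR / P7B -> P12 steps the poster
# lists, plus a check that the issued cert names the SPX hostname.
# SPX_HOST and all file paths are assumed placeholders.
set -e

SPX_HOST="${SPX_HOST:-sophos.example.com}"  # must match the SPX "hostname" setting
WORK="${WORK:-$(mktemp -d)}"

# Step 1: private key plus CSR. The name goes in both CN and a SAN because
# current browsers validate the SAN and ignore the CN.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/spx.key" -out "$WORK/spx.csr" \
    -subj "/CN=$SPX_HOST" -addext "subjectAltName=DNS:$SPX_HOST" 2>/dev/null
}

# Step 3: unpack the CA's P7B bundle to PEM, then bundle key + chain as
# PKCS#12 for the UTM upload (step 4). Add "-inform DER" to the pkcs7 call
# if the P7B is binary; older importers may need OpenSSL 3's "-legacy" on export.
p7b_to_p12() {
  openssl pkcs7 -print_certs -in "$1" -out "$WORK/chain.pem"
  openssl pkcs12 -export -inkey "$WORK/spx.key" -in "$WORK/chain.pem" \
    -out "$WORK/spx.p12" -passout "pass:$2"
}

# Sanity check before uploading: the leaf cert inside the P12 must list the
# SPX hostname as a DNS SAN, or the portal will still raise a warning.
p12_names_host() {
  openssl pkcs12 -in "$WORK/spx.p12" -passin "pass:$1" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName | grep -q "DNS:$SPX_HOST"
}

# Constructed stand-in for step 2 (the CA's reply) so this runs offline:
# a self-signed cert wrapped in a P7B the way a CA bundle would be.
fake_ca_issue_p7b() {
  openssl req -x509 -new -key "$WORK/spx.key" -days 1 -out "$WORK/spx.crt" \
    -subj "/CN=$SPX_HOST" -addext "subjectAltName=DNS:$SPX_HOST" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/spx.crt" -out "$WORK/spx.p7b"
}
```

Against a real Namecheap P7B, skip fake_ca_issue_p7b and pass the downloaded file to p7b_to_p12; the P12 password you choose there is the one entered in Certificate Management on upload.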