Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 7 subscribers
  • Views 13446 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Question regarding certificates generated by Astaro...

Shaun Raven

Hi,

I've published my exchange server through UTM successfully. 

Sometimes my users will get an outlook error regarding an untrusted certificate if they connect/disconnct a VPN session.  That certificate has the following netscape comment...

 

"Generated by Astaro HTTP Proxy"

 

Can anyone tell me why this might happen?



This thread was automatically locked due to age.
  • 0

    Not sure, but it looks like once you connect through VPN your client's HTTPS traffic is decrypted and scanned and thus it will send traffic back using its proxy certificate.

    Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

    Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.

  • 0

    Shaun, can you get a screencap to show us?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    I'll try and post a screen cap later.

    I'm wondering if this is a WPAD/Proxyconfig.pac issue.  We use both on our internal network so that sites (like our exchange servers) are connected to directly - this works fine for us.  Our VPN clients get their IP's either using a static IP set on their domain account, or assigned by UTM from the VPN L2TP pool.  My question: in this situation, when a client connects via VPN would the WPAD.DAT or PROXYCONFIG.PAC scripts be obeyed?

     

  • 0 in reply to BAlfson

    Here's the promised screencap...

     

  • 0 in reply to Shaun Raven

    Do you use Exchange 365?

    I had an issue which bugged me for weeks, until I found out that this was an issue as Microsoft were changing a few settings, and this exact error would appear.

    it appears every now and again when using Outlook, it is usually when (back-end) servers change and the certificate is not trusted.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • 0 in reply to Argo

    Sorry no - our exchange is on premisis, and I know the certs are fine.  As I said, this ONLY happens when a user intiates or drops a VPN connection to the company network.

  • 0

    Hi Shaun,

    Please refer the guide, Sophos UTM for Microsoft Exchange services and verify the configuration. Also, which VPN type do you use here? Is this an intermittent issue that is caused to some users?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to sachingurung

    I'm happy with my Exchange publishing.  My users are currently using outlook from both outside and inside the office with no problems.

    The ONLY time I see this is when a user is connected to Exchange, either via the internet or via VPN to the company.  If the user either connects or disconnects from a VPN session to the company through UTM, THEN the message MAY be displayed.  The users are connecting through UTM using standard microsoft L2TP VPN connections

    I can't shake the idea that this happens because of a change of connection.  If an outlook client is connected via the external publishing, and then the user Initiates a VPN connection, the traffic flow changes from standard to tunneled - maybe it becomes subject to the HTTPS detection at that point?  Same thing happens in reverse when the connection drops.  At those points, would UTM supply it's own certificate rather than the one in the publishing rule?

Cookie Information Banner