Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 5 replies
  • Subscribers 5 subscribers
  • Views 10599 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Filtering: Standard mode

RichardHughes1

Hi,

Identified some strange behavior today, where Apple devices refuse to browse secure websites when the proxy settings are manually set or set by a PAC file on the device. If I try to visit a secure website, I will receive a huge explanation that the website I'm trying to access uses HSTS and that the website sent back unusual and incorrect credentials. If I change the UTM from "Standard mode" to "Transparent mode", I can once again access secure websites on Apple devices. If I change it back to "Standard mode", then the annoying error's return?

Has anybody else experienced this? It was working perfectly fine yesterday and nothing has changed?

Any help would be greatly appreciated... I'd much prefer not to enable Transparent mode...

Cheers,
Richard



This thread was automatically locked due to age.
  • 0

    This now appears to be affecting Windows clients, mostly when in use with the Chrome web browser. If I change to Transparent mode, then the problem disappears.

  • +1 in reply to RichardHughes1

    Okay, a couple of things to look at

    1/. chrome and FF both implemented a new CA checking process to meet the new RFC.

    2/. In transparent mode you don't setup any ports and you probably do not have scan https enabled whereas in Standard mode you have to setup the ports and add certificates.

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    Hi rfcat_vk,

    Thank's for your response and for your advise on this issue. I'm stumped as to what is going on, this is a home install and nothing was changed at my end... it just randomly took a fit. That is interesting, the new CA checking process, if this is the issue, is there a work around? Would purchasing a certificate from a verified publisher help?

    I've done some work on the UTM today, but I just can't work out what is wrong. HTTPS scanning (Decrypt and scan) is set for both Standard / Transparent. I've had Standard set for years, and it's just worked. When changing to Transparent, it works slightly better but not perfect... As a test, I disabled authentication (AD SSO) and then tried visiting https://www.google.co.uk. The browser threw up the Sophos UTM web protection block page, with the error "Reputation limit". I unblocked the domain, and Google then loaded successfully (Instead of the annoying error I've been getting with authentication enabled).

    I'm thinking something is going a little crazy in regards to authentication, what do you think? I've rebooted both AD servers, but the problem is still on-going. I also noticed that "Standard" mode is no longer throwing up the prompt to authenticate when using a non-domain device, the webpage just keeps trying to load but doesn't get any where.

    Thanks again for your help.

    Regards,
    Richard

  • +1 in reply to RichardHughes1

    Richard, the problem is the new policy in Chrome, just as rfcat_vk said.  The easiest solution is to apply the 9.413 Up2Date.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    Apologies for the delayed response. The 9.413 Up2Date did the trick, although this update didn't appear to be available to me prior to my last post. Thanks to you and rfcat_vk for your help with this matter, the headache is finally gone! :)

    Cheers,
    Richard

Unfiltered HTML