Hi all,
HTTPS inspection is being enabled by default for devices in the EAP now that the rollout has finished (both Endpoint and Server).
When users visit websites via browsers the Sophos endpoint will decrypt HTTPS network traffic for the purposes of applying your Threat Protection policy. This decryption allows for deeper and more complete protection, and is recommended for best protection. This inspection technique may, under some circumstances, interfere with successful browsing activity, including for internal websites.
Controls for enabling or disabling HTTPS inspection can be found in Sophos Central under the Global Settings page, in the Endpoint Protection section.
Look for the option “SSL/TLS decryption of HTTPS websites”. This new page offers important controls for managing the HTTPS inspection policy:
There are a few important reasons you may wish to modify those settings:
Several additional situations merit mention:
There will be further updates to enhance the feature over the next few months before we start releasing it to devices outside of the Early Access Program.
Please review the devices you have enrolled in the Early Access Programs and, based on the information above, consider if you need to remove any or make any exclusions via the Settings page.
As always, we welcome your feedback about these enhancements and ask that you provide details of your experience so that we can continue to improve the features and your experience of the product.
Regards,
Stephen
I have been testing the SSL decryption on my desktop system and so far things are working well. Had to add an exception for a video camera system doing streaming over SSL, which seems reasonable. But, I also had to add one for our timecard/payroll system, which seems pretty odd. Something in the SSO logic gets broken when the SSL decryption is enabled.
I am functional with the exception, but is there any desire to gather data to determine what might be going on? I tried opening a ticket, but was directed here.
Hi all, we've posted a new Announcement about new policy settings for HTTPS Decryption here: community.sophos.com/.../https-policy-changes
Nice article - and more permanent solution than my bandaid. Thanks bobcook
Going to revise my original comment to avoid confusion.
It's actually better to enable the security.enterprise_roots.enabled setting in Firefox. This article has some good advice. The endpoint will regularly regenerate its root keys used for decryption (unique to each endpoint) as a security precaution. By enabling this Enterprise feature the browser can automatically find the current root certificate even when it changes.
Hi Sophos User5179 & onward
As @bobcook indicated, follow this article: https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
Firefox ADMX templates here for anyone using AD: https://github.com/mozilla/policy-templates/releases
-jk
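
An added example, not part of the thread and not Sophos or Mozilla code: a Python check of whether a Firefox profile is set to trust roots from the OS certificate store, the setting discussed in the replies above. It assumes the `user_pref("name", value);` line format of prefs.js/user.js and the `Certificates` / `ImportEnterpriseRoots` policy from the Mozilla policy templates; the function names and sample file contents are constructed for illustration.

```python
import json
import re

PREF = "security.enterprise_roots.enabled"
# Firefox writes preferences as lines of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: raw_value} for every user_pref() line in the given text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def enterprise_roots_state(prefs_js="", user_js="", policies_json=""):
    """Return (enabled, source); enabled is None when nothing sets the pref.

    Order checked: policies.json (Certificates.ImportEnterpriseRoots),
    then user.js (re-applied at every browser start), then prefs.js.
    """
    if policies_json.strip():
        certs = json.loads(policies_json).get("policies", {}).get("Certificates", {})
        if "ImportEnterpriseRoots" in certs:
            return bool(certs["ImportEnterpriseRoots"]), "policies.json"
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        raw = parse_prefs(text).get(PREF)
        if raw is not None:
            return raw == "true", source
    return None, "not set"


# Constructed sample contents (not taken from a real machine).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.enterprise_roots.enabled", false);
'''
SAMPLE_POLICIES = '{"policies": {"Certificates": {"ImportEnterpriseRoots": true}}}'

if __name__ == "__main__":
    print(enterprise_roots_state(prefs_js=SAMPLE_PREFS_JS))
    print(enterprise_roots_state(prefs_js=SAMPLE_PREFS_JS,
                                 policies_json=SAMPLE_POLICIES))
```

A result of `(False, ...)` or `(None, "not set")` marks a profile to review before HTTPS decryption is enabled on that device.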