Hi,
I have enabled blocking webmail from the endpoint agent through a web control policy. When a user attempts to go to Gmail or Hotmail they get an SSL error in their browser rather than a Sophos block page of some sort. How can I fix this to give the end user a meaningful error that does not look like something is broken but rather that what they are attempting to do is disabled by admin and not allowed via company policy?
Hi Brian Straka
A notification pop-up will be displayed or the browser will show a page detailing the content that has been blocked or warned. HTTPS websites will show a message: "Website cannot be found".
The current web protection/control component at the endpoint only replaces the page for HTTP traffic as it doesn't do any man-in-the-middle for HTTPS. For HTTPS, the domain name being accessed is obtained from the SNI record in the handshake and used for the cloud lookups. This result is used as the basis for the allow/block action. Without this inspection, it's not possible to inject a replacement page.
As far as I understand it, there is a new endpoint web protection feature being developed which is due to go into an EAP reasonably soon. That will have full SSL inspection and then will be able to present a block/warn page for HTTPS in the browser.
The XG firewall can man-in-the-middle HTTPS traffic and can therefore present the user with in-browser messaging.
It is a little tricky even then: you might have a domain good.com, which is responsible for all the content, apart from one URL which presents, say, a banner ad. If you block that one banner image from being fetched, would you want to replace the entire page with a block or just prevent an image loading for the ad? In this case it feels like a silent block for that one main resource is the right thing to do. Of course there is quite a spectrum of use cases for that.
Hope it helps.
I had to learn from Sophos User930 recently that Intercept-X is not capable of presenting a meaningful block message with https sites.
https://community.sophos.com/intercept-x-endpoint/f/discussions/124493/blocked-https-websites-only-show-ssl_error_rx_record_too_long-when-web-control-is-enabled
I wonder why this has not been fixed. This is really old-fashioned and hard to explain to users that this is "works as designed". And this is a high price Enterprise product - in fact I cannot really believe it.
Today I had to learn that not even XG firewall is capable of presenting a block page when it blocks an application (not a website). In fact this "application" is just a website request.
https://community.sophos.com/xg-firewall/f/discussions/126014/xg-blocks-application-without-block-message-only-pr_end_of_file_error-or-this-page-can-t-be-displayed
Sophos is at low level when it comes to blocking websites.
As I say, keep an eye on the upcoming endpoint EAP releases. The main thing is it blocks all the bad stuff. All events are logged in the UI and to a log file. Also looking forward to the next version of web protection/control.
Unfortunately I am finding out that Sophos lacks the fit and finish of a truly enterprise product. The stuff works, but the follow through is just not there.