We are in the process of testing out the SSL/TLS Decryption in our Endpoint policies. I have recently come across an issue with a site our users access that requires a certificate to authenticate properly. I have exempted this site's URL in the global settings > SSL/TLS decryption of HTTPS websites > Websites excluded from HTTPS Decryption section, however I still see that the Root CA for the sites is replaced with the Sophos Root RSA one. When this policy is applied the user is unable to authenticate and is brought to a screen that you would see if you did not have the cert present on the device. I have ensured that the root CA cert is present in the proper trusted root certs store on their PCs, and no warnings are encountered prior to accessing the site. Has anyone else had any success with testing SSL/TLS decryption policies for Endpoints on machines that access resources that use Certificate-based/SmartCard authentication?
Thanks for reaching out to the Sophos Community Forum.
Can you confirm that the endpoint device has received the policy successfully? You can verify this by checking the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\######\web_protection
The entry "https_decrypt_excluded_sites" will state the exclusions that are applied. You may want to close and re-open the browser for this exclusion to apply fully.
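A script that automates the two checks a defender would want here, added as an example (it is not from this thread and not Sophos tooling): it reads `https_decrypt_excluded_sites` under the policy key named above and then opens a TLS connection to the host to see which CA issued the certificate this PC actually receives. Assumptions: the `######` segment is a per-policy subkey and is therefore enumerated with a wildcard rather than guessed; the value is stored as a string or string array (the thread does not say); and an issuer name containing "Sophos" is taken to mean the connection is still being decrypted.

```powershell
# Added example, not from the original thread. Run on the endpoint as an administrator.
param(
    [Parameter(Mandatory)] [string] $HostName,        # FQDN of the site that needs a client certificate
    [int] $Port = 443,
    [string] $InspectionCaPattern = 'Sophos'          # assumption: issuer text that indicates interception
)

$PolicyRoot = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'

function Test-DecryptExclusion {
    # Returns $true if $HostName matches an entry in any web_protection\https_decrypt_excluded_sites value.
    param([string] $HostName)
    $policyKeys = Get-ChildItem -Path $PolicyRoot -ErrorAction Stop |
                  Where-Object { Test-Path (Join-Path $_.PSPath 'web_protection') }
    if (-not $policyKeys) { throw "No web_protection key under $PolicyRoot; has the policy arrived?" }

    $found = $false
    foreach ($key in $policyKeys) {
        $wp  = Join-Path $key.PSPath 'web_protection'
        $raw = (Get-ItemProperty -Path $wp -ErrorAction SilentlyContinue).https_decrypt_excluded_sites
        # Assumption: value is a string (possibly delimited) or a string array.
        $entries = @($raw) | ForEach-Object { "$_" -split '[,;\s]+' } | Where-Object { $_ }
        Write-Host "[$wp] https_decrypt_excluded_sites = $($entries -join ', ')"
        foreach ($e in $entries) {
            # Wildcard entries (e.g. *.example.com) use -like; plain entries must match exactly.
            if (($e -match '\*' -and $HostName -like $e) -or ($HostName -ieq $e)) { $found = $true }
        }
    }
    return $found
}

function Get-ServedCertificate {
    # Connects to $HostName:$Port and captures the leaf certificate presented during the handshake.
    # The certificate is captured inside the validation callback so it is available even if the
    # server later aborts the handshake because no client certificate was offered.
    param([string] $HostName, [int] $Port)
    $script:seenCert = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors)
        $script:seenCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert)
        return $true   # validation is not the point here; we only record what was presented
    }
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        try { $ssl.AuthenticateAsClient($HostName) }
        catch { Write-Host "Handshake ended with: $($_.Exception.Message) (expected if the server demands a client cert)" }
    } finally { $client.Dispose() }
    return $script:seenCert
}

$excluded = Test-DecryptExclusion -HostName $HostName
$cert     = Get-ServedCertificate -HostName $HostName -Port $Port
if (-not $cert) { throw "No certificate was captured from ${HostName}:${Port}" }

$intercepted = $cert.Issuer -match $InspectionCaPattern
Write-Host ("Exclusion present in policy : {0}" -f $excluded)
Write-Host ("Leaf subject                : {0}" -f $cert.Subject)
Write-Host ("Leaf issuer as seen here    : {0}" -f $cert.Issuer)
Write-Host ("Issued by inspection CA     : {0}" -f $intercepted)

if ($excluded -and $intercepted) {
    Write-Warning 'Host is listed as excluded but the served certificate still comes from the inspection CA; close and re-open the browser, re-run, then escalate with this output.'
}
```

If the issuer shown is the real site's CA, the exclusion is working and the client-certificate failure lies elsewhere; if it is the inspection CA while the exclusion is present, the output gives support the policy key path, the exclusion list and the observed issuer in one place.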
Yes, I can see the excluded sites list is present in the registry and contains the site we are experiencing issues with.