Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL/TLS Decryption with Smartcard or Certificate based authentication

We are in the process of testing out the SSL/TLS Decryption in our Endpoint policies. I have recently come across an issue with a site our users access that requires a certificate to authenticate properly. I have exempted this site's URL in the global settings > SSL/TLS decryption of HTTPS websites > Websites excluded from HTTPS Decryption section, however I still see that the Root CA for the sites is replaced with the Sophos Root RSA one. When this policy is applied the user is unable to authenticate and is brought to a screen that you would see if you did not have the cert present on the device. I have ensured that the root CA cert is present in the proper trusted root certs store on their PCs, and no warnings are encountered prior to accessing the site. Has anyone else had any success with testing SSL/TLS decryption policies for Endpoints on machines that access resources that use Certificate-based/SmartCard authentication?

This thread was automatically locked due to age.
  • Hi mthi0591,

    Thanks for reaching out to the Sophos Community Forum. 

    Can you confirm that the endpoint device has received the policy successfully? You can verify this by checking the following registry location. 
    - HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\######\web_protection

    The entry "https_decrypt_excluded_sites" will state the exclusions that are applied. You may want to close and re-open the browser for this exclusion to apply fully.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Yes, I can see the excluded sites list is present in the registry and contains the site we are experiencing issues with.