The Sophos UTM's Web Proxy can transparently filter HTTPS traffic. When this is activated and set to Decrypt & Scan, the client browser will show a certificate warning for every HTTPS site unless the UTM's Proxy CA certificate is installed in the browser's trust store.
The UTM's Web Proxy filters HTTPS connections by re-establishing the chain of trust between the client and the server: certificates are exchanged between the client and the UTM, and between the UTM and the server being accessed.
In earlier versions there was a single encrypted channel between the client and the server, which made it difficult to transparently filter that traffic. Starting with the 7.400 release, the proxy initiates one TLS connection with the server and a separate one with the client. Because the proxy performs the key exchange on each leg, it can read the traffic as plain text, which allows the same content filtering capabilities as for HTTP traffic. The Web Proxy's Signing Certificate Authority (CA) must be imported into the client browser; otherwise the certificates the proxy presents for HTTPS sites are not trusted and the browser warns.
Applies to the following Sophos products and versions: Sophos UTM
The steps below are only required when using Decrypt & Scan. When using URL Filtering Only, a feature added in UTM 9.2, deploying the Proxy CA certificate is not required.
The client browser must import, or otherwise trust, the Proxy CA that exists on the Sophos UTM. There are three ways administrators can deploy this CA to their users:
Note: Method #3 may be necessary to install the UTM CA correctly on Apple iPad devices. See Related information for additional steps for newer iOS and Android devices.
Once the CA has been deployed, you can verify HTTPS scanning with the EICAR test file, a harmless file that antivirus vendors have agreed to report as malware. The site is www.eicar.org and a direct HTTPS link to one of the files is https://secure.eicar.org/eicar_com.zip.
Note: Although this file is reported as a virus, it is harmless and exists only for testing systems such as this one.