HTTPS scan possible without certificate import?

Hello everyone,

I suspect the answer is a simple "NO", but I'll ask anyway ;-)

We use a UTM HA cluster here in the company and are now trying to scan HTTPS, which of course works once the Sophos CA has been imported.

Since we are in a domain, that would in itself be no problem (distribution via AD). The problem is rather with iPads, iPhones, Android etc. or other devices that are not domain members but, for various reasons, sit on the internal network. On top of that there is Firefox, which we use in places; it has its own certificate store that is not touched by the GPO. That would require multiple imports, ultimately on every device that has Firefox.

So is it somehow possible to use the firewall's CA without "touching" the devices themselves?
We have an HTTPS wildcard certificate for our domain. It also covers our UTM (firewall.*domain*.de), but importing it into the web filter under HTTPS CAs does not help, neither as the signing CA nor as a local verification CA.

Is there another way? I would rather not have to install the firewall's certificate first on every device that comes onto the network here (apart from the AD devices, of course).
As it stands we cannot scan HTTPS; all that importing would be accepted by our management only grudgingly, if at all.


  • No, HTTPS scanning without a proxy certificate is not possible.


    I once put together a guide on Web Protection. It also contains references on how to distribute the certificate to the clients:


    Maybe that helps you!


  • has a solution for this problem, by helping you distribute the certificate to these other devices. They provide enhancements to GPO to cover non-domain devices and off-domain devices. They also enable GPO-based control for non-compliant applications like Firefox and Java.  Their solution does require installing their software on the devices. 

    I do not know which mobile devices they support, as that was not a priority when I talked to them. I was very impressed with the product, but management did not share my interest. I do not know anyone else doing what they do.


  • Another strategy is to deploy Standard Mode with HTTPS inspection enabled for the GPO-compliant devices.  Then enable Transparent Mode without HTTPS inspection for everything that does not implement Standard Mode.   This captures domain PCs being used with a local login, captures non-browser applications on domain PCs, and captures fat client applications that ignore the Standard Mode proxy settings.

    However, UTM has to emulate the remote web server to display anytime that it needs to display a block or warn page.   As a result, it is best to deploy the certificate to all devices, even without https inspection, because some HTTPS pages will probably be blocked.   Devices without the root certificate will see a certificate error page.   If they click through the error, they will see the block page.

  • In reply to DouglasFoster:

    Want to link this KBA here.

    It explains everything. 

  • In reply to LuCar Toni:

    Thanks guys for the explanation.
    I was guessing so, but maybe there could have been a way to prevent us from doing all that stuff which I did not find myself.

    Personally I appreciate the idea to only decrypt HTTPS for AD devices. That makes perfect sense, since only those can access our servers anyway. The others are just mobiles & stuff, which get their email a lot faster because they do not have to download it from the Internet (instead of Server-->Internet-->Public_Wifi/Cell_Network-->device it is Server-->Internal_network-->device).

    So can anyone give me an idea how to configure / distinguish between the devices, i.e. which are the ones HTTPS is broken up for?



  • In reply to MatthiasGinster:

    Alright, I guess I made it.
    I added two profiles:

    a) HTTPS scan, applies to AD devices, authenticated by AD-SSO, and for Windows the same, AD-SSO (so both times AD-SSO is enabled on the right side)
    b) HTTPS no-scan, applies to Internal Network, authentication on the upper right = None, and on the lower right I've chosen Windows, iOS, Android & Linux with "None" each.

    Seems to work, do you guys think this is correct?
    The only thing which is quite annoying is Firefox; this stupid thing uses its own certificates. So I have to manually import the CER file by hand.
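    The Firefox problem mentioned in this post can be handled without importing the CER file by hand on every machine: since Firefox 60 an enterprise policy can tell it to trust the Windows certificate store (the one GPO already fills) and/or import a CA file directly. The following script is an added example, not code from the thread or from Sophos; it assumes the UTM signing CA was exported to C:\ProgramData\UTM\utm-proxy-ca.cer (hypothetical path) and that Firefox is installed under $env:ProgramFiles\Mozilla Firefox. Run it as administrator.

```powershell
# Added example (not from the thread or from Sophos): make Firefox trust the
# same proxy CA that GPO already pushes into the Windows certificate store, by
# writing Mozilla's enterprise policies file. Assumed (hypothetical) paths below.
$caFile   = 'C:\ProgramData\UTM\utm-proxy-ca.cer'
$distDir  = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
$policies = Join-Path $distDir 'policies.json'

if (-not (Test-Path $caFile)) { throw "Proxy CA file not found: $caFile" }

# Check that the file really is the self-signed signing CA and not, for example,
# the wildcard server certificate, which (as the thread notes) does not help here.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caFile
if ($ca.Subject -ne $ca.Issuer) {
    throw "Not a self-signed CA: subject '$($ca.Subject)', issuer '$($ca.Issuer)'"
}
Write-Host "Deploying CA '$($ca.Subject)' (thumbprint $($ca.Thumbprint))"

# Load an existing policies.json so other policies survive; otherwise start empty.
if (Test-Path $policies) {
    $doc = Get-Content -Path $policies -Raw | ConvertFrom-Json
} else {
    $doc = [pscustomobject]@{ policies = [pscustomobject]@{} }
}
if (-not $doc.PSObject.Properties['policies']) {
    $doc | Add-Member -NotePropertyName policies -NotePropertyValue ([pscustomobject]@{})
}

# ImportEnterpriseRoots: trust roots from the Windows store (covers GPO-deployed CAs).
# Install: additionally import the file itself, for installs where the Windows
# store is not the source of truth. Firefox accepts full paths in this list.
$certPolicy = [pscustomobject]@{
    ImportEnterpriseRoots = $true
    Install               = @($caFile)
}
$doc.policies | Add-Member -NotePropertyName Certificates -NotePropertyValue $certPolicy -Force

New-Item -ItemType Directory -Path $distDir -Force | Out-Null
$doc | ConvertTo-Json -Depth 10 | Set-Content -Path $policies -Encoding UTF8
Write-Host "Wrote $policies; restart Firefox and verify under about:policies"
```

    For the domain-wide case the same two settings exist as Group Policy entries in Mozilla's ADMX templates (Firefox > Certificates > "Import Enterprise Roots" and "Install Certificates"), so they can ride along with the GPO that distributes the CA; with ImportEnterpriseRoots alone, the CA that GPO already installed is enough and the Install entry can be dropped.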


  • In reply to MatthiasGinster:

    Filter Profile selection is only based on source IP and connection type (Standard or Transparent).   The device-specific options only affect which authentication method will be used when the Filter Profile is matched.   So if you want to distinguish  between AD and non-AD devices, you either need different modes or different subnets.

    That is why I recommended creating a Standard Mode profile.  Deploying Standard Mode settings to Windows devices is pretty easy with Group Policy.   Using two different modes will allow you to have AD and non-AD devices on the same subnets.
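    A quick way to confirm that this split is doing what the poster wants is to look at which CA signed the server certificate a client actually receives on each path: a direct connection (what a transparent-mode client sees) and a connection through the explicit Standard-mode proxy. The following probe is an added example, not code from the thread or from Sophos; the proxy address firewall.example.de:8080 and the 'Sophos' substring expected in the UTM signing CA's subject are assumptions to adjust to your own setup.

```powershell
# Added example (not from the thread or from Sophos): report which CA signed the
# server certificate this client receives, directly and via the explicit proxy.
# If the issuer is the UTM proxy CA, that path is being decrypted.
# Assumed (hypothetical) values: proxy host/port and the CA subject pattern.
param(
    [string]$Url            = 'https://www.example.com/',
    [string]$ProxyUrl       = 'http://firewall.example.de:8080',
    [string]$ProxyCaPattern = 'Sophos'
)

function Get-ServerCertificate {
    param([string]$Url, [System.Net.IWebProxy]$Proxy)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method  = 'HEAD'
    $req.Timeout = 10000
    $req.Proxy   = $Proxy   # $null means: connect directly, ignore the system proxy
    # Devices without the proxy CA fail chain validation; this probe only wants to
    # observe the issuer, so accept any certificate for this one request.
    $req.ServerCertificateValidationCallback = { $true }
    try {
        $resp = $req.GetResponse(); $resp.Close()
    } catch [System.Net.WebException] {
        # A 4xx/5xx reply still completed the TLS handshake; only give up
        # when there was no response at all (connection refused, timeout, ...).
        if (-not $_.Exception.Response) { throw }
    }
    $cert = $req.ServicePoint.Certificate
    if (-not $cert) { throw "No certificate captured for $Url" }
    [pscustomobject]@{ Subject = $cert.Subject; Issuer = $cert.Issuer }
}

# Path 1: direct, as a transparent-mode client would connect.
$direct = Get-ServerCertificate -Url $Url -Proxy $null

# Path 2: through the Standard-mode proxy, authenticating with the logged-on
# user's credentials (AD-SSO), as a GPO-configured domain PC would.
$proxy = New-Object System.Net.WebProxy($ProxyUrl)
$proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$viaProxy = Get-ServerCertificate -Url $Url -Proxy $proxy

foreach ($probe in @(
        @{ Path = 'direct (transparent mode)'; Cert = $direct },
        @{ Path = 'explicit proxy (standard)'; Cert = $viaProxy })) {
    $verdict = if ($probe.Cert.Issuer -like "*$ProxyCaPattern*") { 'decrypted by UTM' } else { 'passed through' }
    '{0,-28} issuer: {1}  => {2}' -f $probe.Path, $probe.Cert.Issuer, $verdict
}
```

    In the setup Douglas describes, a domain PC should report the site's real issuer on the direct path and the UTM's CA on the proxied path; if both show the UTM CA, the transparent profile that matched the PC's subnet still has HTTPS scanning on, and if both show the real issuer, the Standard-mode profile is not matching (wrong source network, or the proxy settings never reached the client).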

  • In reply to DouglasFoster:

    Well, it seemed to work so far.
    But there is some other issue, which might be related, but I cannot be sure:

    When the HTTPS filtering is on, all HTTP (unencrypted) content stops working. As soon as I turn off the rule for HTTPS, HTTP starts working again.
    I cannot even find an option to disallow unencrypted content. What is already allowed is "uncategorized", so this can be accessed and is not blocked.


  • In reply to MatthiasGinster:

    Hallo Matthias,

    What do you see in the Web Filtering log when this block occurs?  Also, show a picture of the Edit of "the rule for HTTPS."

    Cheers - Bob

  • In reply to BAlfson:

    Hi Balfson,

    here are the pictures.
    One set with scan (two pictures, first and second page of the rules) and one set without scan (also the two pages).

    [Screenshot: rules without scan, page 1]
    [Screenshot: rules without scan, page 2]
    [Screenshot: rules with scan, page 1]
    [Screenshot: rules with scan, page 2]

  • In reply to MatthiasGinster:

    OK,I see the problem now, Matthias...

    In fact, the "(User Network)" and "(User Group Network)" objects are not populated unless the user is logged into Remote Access or the Sophos Authentication Agent or you have installed STAS.

    I think the easiest would be to use Doug's suggestion to configure a Web Filtering Profile in Standard mode with the default Profile in Transparent for the non-domain devices.  See Configuring HTTP/S proxy access with AD SSO.

    Regards - Bob (Feel free to keep writing in German.)