
HTTPS scanning possible without importing a certificate?

Hello everyone,

I fear the answer is a simple "NO", but I'll ask anyway ;-)

We run a UTM HA cluster here in the company and are now trying to scan HTTPS; that of course works once the Sophos CA has been imported.

Since we are in a domain, that would in itself be no problem (distribution via AD), but the problem is rather with iPads, iPhones, Android etc. or other devices that are not domain members but, for various reasons, sit on the internal network. On top of that there is Firefox, which we partly use; it has its own certificate store, which the GPO does not touch. That would mean multiple imports, ultimately on every device with Firefox.

So is it somehow possible to use the firewall's CA without "touching" the devices themselves?
We have an HTTPS wildcard certificate for our domain. It also covers our UTM (firewall.*domain*.de); importing it into the web filter under HTTPS CAs is not helpful, neither as the signing CA nor as a local verification CA.

Is there another way? I would rather not have to install the firewall's certificate first on every device that comes onto the network here (except of course the AD devices).
As it stands we cannot scan HTTPS; management would accept all that importing only reluctantly, if at all.

Regards,
Matthias

  • Another strategy is to deploy Standard Mode with HTTPS inspection enabled for the GPO-compliant devices. Then enable Transparent Mode without HTTPS inspection for everything that does not implement Standard Mode. This captures domain PCs being used with a local login, captures non-browser applications on domain PCs, and captures fat client applications that ignore the Standard Mode proxy settings.

    However, UTM has to emulate the remote web server any time it needs to display a block or warn page. As a result, it is best to deploy the certificate to all devices, even without HTTPS inspection, because some HTTPS pages will probably be blocked. Devices without the root certificate will see a certificate error page. If they click through the error, they will see the block page.

  • Want to link this KBA here.

    https://community.sophos.com/kb/en-us/132997

    It explains everything. 


  • Thanks guys for the explanation.
    I was guessing so, but maybe there could have been a way to prevent us from doing all that stuff which I did not find myself.

    Personally I appreciate the idea of only decrypting HTTPS for AD devices. That makes perfect sense, since only those can access our servers. The others are just mobiles & stuff which get emails a lot faster due to not having to download them from the Internet (Server-->internet-->Public_Wifi/Cell_Network-->device, but instead: Server-->Internal_network-->device).

    So can anyone give me an idea how to configure / distinguish between devices which are the ones HTTPS is broken up for?

    Regards,

    Matthias

  • Alright, I guess I made it. 
    I added two profiles:

    a) HTTPS scan, applies to AD devices, authenticated by AD-SSO, and for Windows the same, AD-SSO (so both times AD-SSO is enabled on the right side)
    b) HTTPS no-scan, applies to Internal Network, authentication on the upper right = None, and on the lower right I've chosen Windows, iOS, Android & Linux with "None" each.

    Seems to work; do you guys think this is correct?
    The only thing which is quite annoying is Firefox; this stupid thing uses its own certificates. So I have to import the CER file manually by hand.

    Regards,
    Matthias

  • Filter Profile selection is only based on source IP and connection type (Standard or Transparent).   The device-specific options only affect which authentication method will be used when the Filter Profile is matched.   So if you want to distinguish  between AD and non-AD devices, you either need different modes or different subnets.

    That is why I recommended creating a Standard Mode profile.  Deploying Standard Mode settings to Windows devices is pretty easy with Group Policy.   Using two different modes will allow you to have AD and non-AD devices on the same subnets.
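As an added example (not from this thread or from Sophos), the following script lets you check from a given device which of the two treatments its HTTPS connections actually receive, whether it reaches the UTM transparently or through the explicit Standard Mode proxy. It classifies the issuer of the certificate the device sees; the CA name `Sophos UTM Proxy CA` is an assumption and must be replaced with the signing CA shown on your own UTM.

```python
"""Client-side check: which web-filter treatment did this device's HTTPS get?
  inspected   - leaf cert issued by the UTM's signing CA (HTTPS scan profile)
  passthrough - chain verified and issued by a public CA (no-scan profile)
  untrusted   - chain not trusted on this device; with inspection on, this is
                the "device without the root certificate" case described above
"""
import socket
import ssl

# Assumption: commonName of the UTM's HTTPS signing CA. Read the real one from
# Web Protection > Filtering Options > HTTPS CAs on your own UTM.
UTM_CA_CN = "Sophos UTM Proxy CA"


def issuer_cn(cert):
    """Issuer commonName from an ssl.getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, utm_ca_cn=UTM_CA_CN):
    """Classify a verified peer certificate as 'inspected' or 'passthrough'."""
    return "inspected" if issuer_cn(cert) == utm_ca_cn else "passthrough"


def _connect(host, port, proxy, timeout):
    """Direct TCP (Transparent Mode) or an HTTP CONNECT tunnel through the
    explicit proxy given as (ip, port) (Standard Mode)."""
    if proxy is None:
        return socket.create_connection((host, port), timeout=timeout)
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    status = sock.recv(4096).split(b"\r\n", 1)[0]
    if b" 200" not in status:
        sock.close()
        raise OSError(f"proxy refused tunnel: {status!r}")
    return sock


def probe(host, port=443, proxy=None, timeout=5, utm_ca_cn=UTM_CA_CN):
    """Open TLS with the device's normal trust store (nothing is bypassed) and classify."""
    ctx = ssl.create_default_context()
    try:
        with _connect(host, port, proxy, timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), utm_ca_cn)
    except ssl.SSLCertVerificationError:
        return "untrusted"
```

Run `probe("www.example.com")` on a Transparent Mode device, or `probe("www.example.com", proxy=("<utm-ip>", 8080))` on a Standard Mode device; an AD machine with the CA deployed should report `inspected`, a mobile on the no-scan profile `passthrough`, and `untrusted` means the device is being inspected without trusting the UTM CA.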

  • Well, seemed to work so far.
    But there is some other issue - which might be related, but I can not be sure:

    When HTTPS filtering is on, all HTTP (unencrypted) content stops working. As soon as I turn off the rule for HTTPS, HTTP starts working again.
    I cannot even find an option to disallow unencrypted content. What is already allowed is "uncategorized", so this can be accessed and is not blocked.

    Regards,
    Matthias
