
HTTP Strict Transport Security (HSTS) sites break transparent browser authentication

Hi,

We are evaluating transparent browser authentication with https filter only scanning.

The problem is that if a user opens an HSTS-enabled site, Chrome and Firefox throw certificate errors and refuse to continue or to add a security exception. So the user does not see the UTM login page.

If the user opens an HTTP or non-HSTS HTTPS site first, he can log in and then open the HSTS sites without any certificate errors.

Btw, under Web Protection -> Misc -> Certificate for End-User Pages, "Use a custom certificate for HTTPS pages" is selected. Under there the hostname is set to artvin.edu.tr and we use our uploaded valid wildcard certificate. Also in our DNS server we have:

    passthrough.artvin.edu.tr.         IN      A     213.144.15.19

So our users don't get certificate errors on passthrough.artvin.edu.tr pages.


  • (Apologies for another necromancing of this thread)

    This issue just came up in a major way for a client with a large body of users and BYOD devices on their network which can't install the CA Certificate.

    I can confirm that even installing the proxy signing CA does not fix the HSTS issue, as the connection is initiated through the proxy to the target and is then redirected by the UTM once the HTTP traffic starts. This problem occurs with URL filtering only and with Decrypt and Scan. Once the user is authenticated, no problems occur, but leading up to the authentication it will cause a large support-call overhead when users can't browse to bookface, Google or Hotmail (to name a few) and don't know or understand why.

    Hopefully either resolving this issue or changing the working method is on the books, as HSTS will be a growing thing since it's an easy implementation for site security.
  • (Also apologies for further necromancy....)

    But I spent ages trying to get this working on a UTM SG. If you find yourself wondering how to address it, you might try creating in:

    Web Protection -> Filtering Options -> Exceptions

    New Exception:

    Tick all HTTPS Scanning options, for all requests matching these URLs:

    ^https?://([A-Za-z0-9.-]+\.)*facebook\.com/

    HTH

  • I got it working with the following settings. Hope it can help others.


    Web Protection -> Filtering Options -> Exceptions

    New Exception:

    Tick all HTTPS Scanning options, for all requests matching these URLs:

    ^https?://([A-Za-z0-9.-]+\.)*google\.com/
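
    Added example (not from the thread and not Sophos code): before putting an exception regex like the facebook.com and google.com ones above into Web Protection -> Filtering Options -> Exceptions, it is worth checking exactly which request URLs it will and will not match, since an exception skips HTTPS scanning for everything it matches. The harness below runs the two posted patterns against a constructed set of URLs. It assumes the UTM evaluates the pattern as an ordinary regular expression against the full request URL (the dialog says "requests matching these URLs"); Python's `re` engine is used here as a stand-in, so corner cases of the UTM's own engine are not covered.

```python
import re

# The two exception patterns posted in this thread, verbatim.
EXCEPTION_PATTERNS = [
    r"^https?://([A-Za-z0-9.-]+\.)*facebook\.com/",
    r"^https?://([A-Za-z0-9.-]+\.)*google\.com/",
]


def compile_patterns(patterns):
    """Compile the exception patterns once; re.match anchors at the start like ^."""
    return [re.compile(p) for p in patterns]


def url_is_excepted(url, compiled=None):
    """True if the URL would be covered by one of the HTTPS-scanning exceptions."""
    if compiled is None:
        compiled = compile_patterns(EXCEPTION_PATTERNS)
    return any(rx.match(url) for rx in compiled)


def classify(urls, patterns=EXCEPTION_PATTERNS):
    """Map each URL to whether it falls under an exception (assumed regex semantics)."""
    compiled = compile_patterns(patterns)
    return {u: url_is_excepted(u, compiled) for u in urls}


# Constructed sample URLs covering the cases a reviewer should care about.
SAMPLE_URLS = [
    "https://www.facebook.com/",                 # expected: excepted
    "https://m.facebook.com/login.php",          # expected: excepted (any subdomain depth)
    "https://accounts.google.com/signin",        # expected: excepted
    "http://google.com/",                        # expected: excepted (https? allows http)
    "https://facebook.com.example-phish.test/",  # lookalike host: NOT excepted, '/' must follow .com
    "https://notfacebook.com/",                  # different registrable domain: NOT excepted
    "https://www.facebook.com",                  # no trailing slash: NOT excepted as written
    "https://www.facebook.com:443/",             # explicit port: NOT excepted as written
]

if __name__ == "__main__":
    for url, hit in classify(SAMPLE_URLS).items():
        print(f"{'EXCEPTED ' if hit else 'scanned  '} {url}")
```

    The leading `^` and the literal `/` after `facebook\.com` are what keep the exception from covering lookalike hosts such as `facebook.com.example-phish.test`; dropping either would widen the exception to hosts that merely contain the string. The last two sample URLs show the flip side: a request without a trailing slash or with an explicit port does not match the pattern as written, so if such requests reach the proxy they are still subject to scanning.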