We have a Sophos XG 330 firewall and want the captive portal not to show the "Not Secure" mark in the browser. We do not want to upload a certificate into each and every endpoint system. What are the options available for us?
- A self-signed certificate would involve importing it into each browser
- Is this possible by buying an SSL certificate from a trusted authority like GoDaddy? (The users access the captive portal using HTTP currently; we can change that to HTTPS if needed.) (Users access the captive portal using a private IP like 172.16.16.16:8090.)
Hi Kandarp Desai1, please refer to the article: https://community.sophos.com/kb/en-us/132678. The article will explain the scenario in detail.
In reply to Keyur:
Hi Keyur, thanks for the response. I actually went through the article before posting my query here.
Could you let me know if what we want is possible if we go with a Trusted SSL vendor like GoDaddy?
In reply to Kandarp Desai1:
Hi Kandarp Desai1, as you have checked the article, you have referred to the second method, which is "Use a signed certificate by a trusted CA". It means you can use any Trusted CA (Certificate Authority). There are 2 options to get a certificate from a Trusted CA.
You can opt for any of the methods; you can share the article with GoDaddy and explain the situation to them. The Certificate Authority should send you back your signed certificate with all required subordinate certificates (if there are any) to maintain the chain of trust. The private key and its passphrase downloaded earlier must be used when uploading the certificate. Once you complete the process, you can use the certificate for the Captive Portal as well as the Web admin console.
Just to be sure, you are not talking about the SSL Inspection feature.
In reply to LuCar Toni:
Hi Keyur and LuCar, I am referring to this article as well (https://community.sophos.com/kb/en-us/132058).
The steps involved would be as follows (please correct if wrong):
- Change the hostname of the Sophos XG firewall to an FQDN
- Use this FQDN to get a certificate from a trusted root authority
- Upload this certificate to the Sophos XG firewall to replace Appliance Certificate
- Now I configure one DNS host entry that will resolve the FQDN:8090 to the internal IP
- Captive portal now opens without any Certificate errors.
Am I missing any steps? Is this correct?
You need to look up the difference between a FQDN and a Hostname.
Basically XG should be only a hostname.
For example "XG".
Your Domain is "domain.com".
The FQDN would be xg.domain.com.
Your Certificate would be for xg.domain.com.
Your DNS would have a record for xg to your local IP Address.
That cleared a lot of things up. My main aim in doing all of the above (going with a Trusted CA) is to avoid uploading this certificate to each browser on each host (there are a LOT of systems on the premises) :) !!!
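The name check a browser applies to the plan discussed above can be run as a pre-flight test before pointing users at the portal. This is an added example, not part of the original thread and not Sophos code; the certificate dict is a constructed sample in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, `xg.domain.com` is the thread's example FQDN, and the function names are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# xg.domain.com is the example FQDN used in the thread.
SAMPLE_CERT = {"subjectAltName": (("DNS", "xg.domain.com"),)}


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels, so "*.com" never matches.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def portal_url_matches_cert(url: str, cert: dict) -> bool:
    """True if the host in `url` is covered by the certificate's SAN entries."""
    host = urlsplit(url).hostname  # the port (e.g. 8090) is not part of the name
    if not host:
        return False
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare against DNS SAN entries only.
        return any(kind == "DNS" and _dns_match(value, host) for kind, value in sans)
    # An IP literal in the URL only matches an "IP Address" SAN, never a DNS SAN.
    return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
               for kind, value in sans)


if __name__ == "__main__":
    for url in ("https://xg.domain.com:8090/", "https://172.16.16.16:8090/", "https://xg:8090/"):
        verdict = "OK" if portal_url_matches_cert(url, SAMPLE_CERT) else "name mismatch"
        print(f"{url} -> {verdict}")
```

With a certificate issued for the FQDN, the portal URL that still uses the private IP or the bare hostname reports a name mismatch, so the address users are sent to has to be the FQDN as well.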