certificate issue

hello after installing Sophos UTM , mail clients (outlook 2010) started getting a new certificate issued by the UTM instead of the one issued by the exchange server 

each time a user opens his outlook he has to accept 3 certificate warning : mail.domain - autodiscovery.domain and mail.domain or he will not receive any mails

even if i install this certificate in the authority place i still get them every time i open outlook 

please advise what to do 

  • please note i did not change the certificate generated by the XG 

    it is used in active directory environment .

    please advise

  • In reply to TarekHalloun:

    sounds like the client is using the proxy for all, maybe put the mailserver in the bypass list on the ?

  • In reply to Argo:

    hello Jason 

    yes they are on the proxy .. is there a way to bypass it for everyone on the sophos level ? or should it be done from internet explorer ?

  • In reply to TarekHalloun:

    Hi Tarek,

    if youy are using the FW as an active proxy; you can add bypass here within internet options


    hope this helps

  • In reply to Argo:

    and what is i have more than 300 users ? is there something to be done from the firewall ?

  • If you are having certificate warnings, you need to install the certificate authority onto the client machines.  Note that Windows/Internet Explorer/Chrome use the same list of authorities but that FireFox has its own.  After confirming this works on one machine, you can use AD to push the certificate to all machines.

    The alternative is to bypass the proxy.  There are different methods depending on your configuration.  

    If you are using transparent mode, then create a higher level firewall rule with your mail server as the destination, set for service HTTP/HTTPS and don't turn on Malware Scanning for HTTP/HTTPS and leave the policy None.

    If you are using standard/explicit mode and have every client configured to use the proxy, you can use AD push to give every client a new configuration not to do so for that address (see above).

    If you are using standard/explicit mode and are using auto-discovery such as WPAD, then you need to change the config file that WPAD is pushing.

  • In reply to Michael Dunn:

    exactly what I would have said, except mine would have been longer ...

  • In reply to Michael Dunn:

    hello Michael 

    how can i tell what mode i am using ?!

  • In reply to TarekHalloun:

    In standard mode, also called explicit mode, every browser is configured to use a web proxy.  In your browser settings, you'll find proxy settings, typically going out to the XG on port 3128.

    In transparent mode, the browser does not know anything about the proxy.  However due to network design the packets naturally flow over the XG as they do for any other firewalled packet.  The XG sends all port 80 and 443 traffic through the proxy.


    This is all based on how you first set up your network.