PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
We'd love to hear about it! Click here to go to the product suggestion community
hello after installing Sophos UTM , mail clients (outlook 2010) started getting a new certificate issued by the UTM instead of the one issued by the exchange server
each time a user opens his outlook he has to accept 3 certificate warning : mail.domain - autodiscovery.domain and mail.domain or he will not receive any mails
even if i install this certificate in the authority place i still get them every time i open outlook
please advise what to do
please note i did not change the certificate generated by the XG
it is used in active directory environment .
In reply to TarekHalloun:
sounds like the client is using the proxy for all, maybe put the mailserver in the bypass list on the ?
In reply to JasonFell:
yes they are on the proxy .. is there a way to bypass it for everyone on the sophos level ? or should it be done from internet explorer ?
if youy are using the FW as an active proxy; you can add bypass here within internet options
hope this helps
and what is i have more than 300 users ? is there something to be done from the firewall ?
If you are having certificate warnings, you need to install the certificate authority onto the client machines. Note that Windows/Internet Explorer/Chrome use the same list of authorities but that FireFox has its own. After confirming this works on one machine, you can use AD to push the certificate to all machines.
The alternative is to bypass the proxy. There are different methods depending on your configuration.
If you are using transparent mode, then create a higher level firewall rule with your mail server as the destination, set for service HTTP/HTTPS and don't turn on Malware Scanning for HTTP/HTTPS and leave the policy None.
If you are using standard/explicit mode and have every client configured to use the proxy, you can use AD push to give every client a new configuration not to do so for that address (see above).
If you are using standard/explicit mode and are using auto-discovery such as WPAD, then you need to change the config file that WPAD is pushing.
In reply to Michael Dunn:
exactly what I would have said, except mine would have been longer ...
how can i tell what mode i am using ?!
In standard mode, also called explicit mode, every browser is configured to use a web proxy. In your browser settings, you'll find proxy settings, typically going out to the XG on port 3128.
In transparent mode, the browser does not know anything about the proxy. However due to network design the packets naturally flow over the XG as they do for any other firewalled packet. The XG sends all port 80 and 443 traffic through the proxy.
This is all based on how you first set up your network.