
Blocked and warning message site for HTTPS URL and certificate name problem?

I have on Sophos XG a trusted certificate for the XG hostname (example xg.mycompany.com). When I access the admin web or user portal I have no warnings accessing these sites. But when I access some HTTPS page that is web filtered, blocked or only warned, then the internet browser blocks me or warns me that the name in my trusted certificate on XG is different from the one in the inserted URL. Is there no possibility that, if an HTTPS URL is blocked or warned, XG shows a site with the message about blocking the requested URL but with its own URL like https://xg.mycompany.com/blockmessage.html and no certificate naming problem? If it is a warning message page, after clicking on proceed the URL in the browser would again change to the initially requested URL. In this state blocking and warning message pages for HTTPS sites are totally useless.




    Hi  

    Have you already installed the Firewall's SSL CA Certificate on your local machines?

    Please refer to: Sophos XG Firewall: SSL CA certificate installation guide

    Regards,

    • I know what you mean but I don't want to go this way. I didn't purchase a trusted certificate for the XG domain name so that I would have to distribute a CA to all local machines. I need the block and warning page from XG to be presented to the browser like the user portal or admin pages, using in the URL the XG domain name corresponding with the CN in my worldwide trusted certificate. I was happily looking forward in version 17.5 to the option Administration -> Admin settings -> Admin console and end-user interaction -> When redirecting users to the captive portal or other interactive pages -> Use the firewall's configured hostname: xg.mycompany.com. But I see this option is totally useless for the XG blocking page. For redistributing a CA to local machines I don't need a trusted certificate and therefore that's not a solution for me. If there is no resolution in XG at this time, I want this solution implemented in a near version of XG. What is the trusted certificate on my XG for if I can't use its benefits? The option mentioned above is misleading for me.

      • The point is, XG uses the data stream of the client's requested page and fills in the block page instead of using a redirect to its own user-facing page.

        https://community.sophos.com/kb/en-us/132997

        So you need a man-in-the-middle.


        • Yes, this is what I want. If a URL is blocked I need a redirect to XG's own user-facing page with a URL beginning with the XG hostname. The mentioned option on XG from version 17.5 word by word says "Admin console and end-user interaction - When redirecting users to the captive portal or other interactive pages: - Use the firewall's configured hostname:... ". And I want XG to work as is written in this option. And there is a Check settings button, which passed for me but in a real scenario this is irrelevant. I won't downgrade to confirm, but I remember that in version 17.1 the blocking page had the XG LAN IP address in the URL and not the hostname of the client's requested page (but maybe only with an HTTP request and not HTTPS?... I don't remember). If only the XG LAN IP was changed to the XG hostname, then everything would be OK. I don't want to manage a man-in-the-middle; I want Sophos to fix the XG function.

          • But how should XG intercept this traffic if it is encrypted?

            This is not possible - there is no technical approach to resolve this. 

            • Then the option as it is written is totally misleading.

              • The option will be used for every user-facing page.

                And this is still correct / true.

                You have to provide the technical prerequisite to use all features.

                In fact, this new feature in the webadmin is there to help configure everything properly for certificate management.

                • OK... maybe some additional info in the text to make people aware that a trusted certificate is not enough for this option. I am not a network specialist, so not everything about this was clear to me.

                  • Just to be sure, you should think about getting HTTPS scanning working in your company.

                    There are a lot of advantages from a security perspective.

                    • Unknown said:

                      OK... maybe some additional info in the text to make people aware that a trusted certificate is not enough for this option. I am not a network specialist, so not everything about this was clear to me.

                      That is the intention of this FAQ:

                      https://community.sophos.com/kb/en-us/132997

                      However, in short - the new option in 17.5 allows you to use your purchased certificate whenever the browser address bar has your XG in it.

                      If your browser bar has someillegalsite.com then the XG must continue to use the Certificate Authority to show the block page.

                      If your browser bar has someillegalsite.com and you wanted the XG to redirect to a block page hosted by the XG, it would need to use the Certificate Authority to do the redirection, and then it could show the block page using your purchased certificate.

                      Among other things, HTTPS is a way that users are assured that they are going to the site they intended to go to. You cannot interrupt HTTPS without users agreeing - either by installing a CA or by accepting a warning.

                      There is also an option in Web, General Settings to just drop the connection rather than using the CA to display a block page.
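The name check behind the warning the thread describes, as an added illustration (not Sophos code, not part of the original posts): a simplified browser-style hostname check against a certificate's DNS SANs, plus a small model of the two ways the firewall can present a block page. The certificate names, the `block_page_accepted` helper and the "firewall CA mints a certificate for the requested name" behaviour are assumptions made for the example; certificate chain validation is deliberately not modelled.

```python
# Simplified RFC 6125-style DNS-ID matching: exact labels, or a wildcard that is
# the whole leftmost label and covers exactly one label (never "*.com").
def hostname_matches(san_dns_names, hostname):
    host_labels = hostname.rstrip(".").lower().split(".")
    for san in san_dns_names:
        labels = san.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue                      # wildcards never span several labels
        if labels[0] == "*":
            if len(labels) < 3:
                continue                  # refuse overly broad wildcards
            if host_labels[0] and labels[1:] == host_labels[1:]:
                return True
            continue
        if "*" in san:
            continue                      # partial wildcards ("f*.example.com") rejected
        if labels == host_labels:
            return True
    return False


# Constructed certificate for the thread's scenario: the purchased, publicly
# trusted certificate only carries the firewall's own hostname.
PURCHASED_XG_CERT_SANS = ["xg.mycompany.com"]


def block_page_accepted(address_bar_host, firewall_ca_installed):
    """Would the browser accept the block page without a name warning?

    Without the firewall's CA on the client, the firewall can only present its
    purchased certificate, whose name must match what the browser connected to.
    With the CA installed, it can issue a certificate for the requested site on
    the fly (the assumption behind HTTPS scanning), so the name matches.
    """
    if firewall_ca_installed:
        presented_sans = [address_bar_host]   # assumed: minted by the firewall CA
    else:
        presented_sans = PURCHASED_XG_CERT_SANS
    return hostname_matches(presented_sans, address_bar_host)


if __name__ == "__main__":
    for host, ca in [("xg.mycompany.com", False),       # admin/user portal: fine
                     ("someillegalsite.com", False),    # block page: name warning
                     ("someillegalsite.com", True)]:    # block page with CA: fine
        print(host, "CA installed" if ca else "no CA", "->",
              "accepted" if block_page_accepted(host, ca) else "name mismatch")
```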