
Removing the "Not secure" in browsers in Captive portal

 Hi,

We have a Sophos XG 330 firewall and want the captive portal not to show the "Not Secure" mark in the browser. We do not want to upload a certificate into each and every endpoint system. What are the options available to us?

- A self-signed certificate would involve importing it into each browser.

- Is this possible by buying an SSL certificate from a trusted authority like GoDaddy? (The users access the captive portal using HTTP currently; we can change that to HTTPS if needed.)
(Users access the captive portal using a private IP like 172.16.16.16:8090.)



  • Hi  

    Please refer to the article- https://community.sophos.com/kb/en-us/132678

    The article will explain the scenario in detail.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support

    • Hi Keyur, thanks for the response. I actually went through the article before posting my query here.

      Could you let me know if what we want is possible if we go with a trusted SSL vendor like GoDaddy?

      • Hi  

        As you have checked the article, you have referred to the second method, which is "Use a signed certificate by a trusted CA"; it means you can use any trusted CA (Certificate Authority).

        There are 2 options to get a certificate from a trusted CA.

        1. Generate a Certificate Signing Request (CSR) from the XG Firewall and send it to a Certificate Authority provider such as Verisign or GoDaddy to sign it for you. The main benefit of this option is that the customer chooses his certificate's private key (not the CA provider). The private key has to be stored securely and never divulged.
        2. Ask the Certificate Authority provider to generate a CSR and sign it for you. With this option, the CA provider chooses your certificate's private key on your behalf and sends it to you along with its passphrase (if there is any) when your certificate is signed.

        You can opt for either method; you can share the article with GoDaddy and explain the situation to them.

        The Certificate Authority should send you back your signed certificate with all required subordinate certificates (if there are any) to maintain the chain of trust.

        The private key and its passphrase downloaded earlier must be used when uploading the certificate. Once you complete the process, you can use the certificate for the Captive Portal as well as the Web admin console.

        Regards,

        Keyur
        Community Support Engineer | Sophos Support

        • Just to be sure, you are not talking about the SSL Inspection feature.

          https://community.sophos.com/kb/en-us/132997


          • Hi Keyur and Lucar, I am referring to this article as well (https://community.sophos.com/kb/en-us/132058).

            • The steps involved would be as follows (please correct me if wrong):

              - Change the hostname of the Sophos XG firewall to an FQDN

              - Use this FQDN to get a certificate from a trusted root authority

              - Upload this certificate to the Sophos XG firewall to replace the Appliance Certificate

              - Now I configure one DNS host entry that will resolve the FQDN:8090 to the internal IP

              - Captive portal now opens without any certificate errors.

              Am I missing any steps? Is this correct?

              • You need to look up the difference between an FQDN and a hostname.

                https://serverfault.com/questions/269838/what-is-the-difference-between-a-hostname-and-a-fully-qualified-domain-name

                Basically XG should be only a hostname.

                For example "XG".

                Your domain is "domain.com".

                The FQDN would be xg.domain.com.

                Your certificate would be for xg.domain.com.

                Your DNS would have a record for xg to your local IP address.


                • Thanks Lucar,

                  That cleared a lot of things up. My main aim in doing all these above things (going with a trusted CA) is to avoid uploading this certificate to each browser on each host (there are a LOT of systems on the premises) :) !!!
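The workflow Keyur describes as option 1 (CSR generated locally so the private key never leaves the firewall, signed certificate returned with its subordinate certificate) and Lucar's hostname/FQDN point, as an added example that is not part of this thread or of Sophos' own tooling. It assumes `openssl` is installed; a constructed two-tier test CA (root plus intermediate) stands in for the commercial CA so it runs offline, and xg.domain.com / domain.com are placeholder names taken from the reply above. The final checks show why the subordinate certificate matters: verification against the trusted root fails without it and passes with it.

```shell
#!/bin/sh
# Added example: CSR-based issuance with a constructed test CA standing in for
# the commercial CA. All names are placeholders (xg.domain.com, domain.com).
set -e
WORK=$(mktemp -d)
cd "$WORK"
FQDN=xg.domain.com   # hostname "xg" + domain "domain.com", per the thread

# Step 1 (firewall side): key and CSR are generated locally, so the private
# key never leaves this host; only the CSR is sent to the CA.
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$FQDN.key" \
    -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" \
    -out "$FQDN.csr" 2>/dev/null
  chmod 600 "$FQDN.key"          # keep the private key readable by owner only
}

# Constructed CA: a root that signs an intermediate (the "subordinate
# certificate" a real CA returns alongside the signed certificate).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key \
    -subj "/CN=Test Root" -days 30 -out root.crt 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout inter.key \
    -subj "/CN=Test Intermediate" -out inter.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile inter.ext -out inter.crt 2>/dev/null
}

# Step 2 (CA side): the intermediate signs the CSR for the FQDN only.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$FQDN" > leaf.ext
  openssl x509 -req -in "$FQDN.csr" -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out "$FQDN.crt" 2>/dev/null
}

# Step 3: the checks a browser effectively performs. Only the root is trusted;
# the intermediate must be supplied with the certificate (the -untrusted file
# plays the role of the subordinate certificate uploaded to the firewall).
verify_leaf_only() { openssl verify -CAfile root.crt "$FQDN.crt" >/dev/null 2>&1; }
verify_with_chain() { openssl verify -CAfile root.crt -untrusted inter.crt "$FQDN.crt" >/dev/null 2>&1; }
# The name users type (the DNS record for xg) must appear in the SAN.
san_matches() { openssl x509 -in "$FQDN.crt" -noout -text | grep -q "DNS:$FQDN"; }
```

Because browsers already trust the public root, a chain that validates this way is exactly what removes the per-host certificate import the original poster wants to avoid.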