
Cert Error for Web Block Page

For BYOD we are not planning on forcing users to download the Sophos Cert; we are not performing any HTTPS packet inspection on our wireless networks, so users should just be able to connect and browse. This appears to be working without issues apart from one thing.

We are still blocking some categories such as gambling, pornography etc. These sites are being blocked successfully, however instead of displaying the block page, it just comes up with a certificate error. Is there any way of getting the block page to show without having the Sophos Cert installed on the end user devices?

This is not a problem for our corporate network since we have the Sophos Cert pushed out via GPO, so everything displays correctly.


  • FormerMember

    Hi David Ashcroft,

    If you are blocking a category such as Gambling and a user goes to https://www.pokerstars.com/ then you want that web request to be blocked. The web proxy sees that the client is trying to go somewhere they should not and wants to display a block page. In order to do so, it needs to do man-in-the-middle decryption so that it can insert a block page that pretends to be www.pokerstars.com.

    Check out this KBA for more detail: HTTPS Decrypt and Scan FAQ.

    Thanks,

  • This does make sense, I think this is why we are receiving the block page correctly on our corporate network - because we have pushed out the Sophos MITM cert.

    However, I was wondering if there is a way around this for our wireless network. We get about 2.5k users connecting to our WiFi network and we would prefer to have them not download our cert. Can Sophos redirect the traffic to a standard block page or something and display it as HTTP instead of HTTPS? 

    Thanks
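
The behaviour discussed in this thread can be reproduced locally with OpenSSL. This is an added example, not part of the original posts and not Sophos configuration: the two CAs, the hostname `blocked.example` and the trust-store files are constructed stand-ins for the proxy's signing CA, a blocked HTTPS site, and the BYOD and GPO-managed devices.

```bash
#!/usr/bin/env bash
# Added example: every CA, key and hostname here is constructed for the demo.
set -u
WORK=$(mktemp -d)
HOST=blocked.example   # placeholder for the blocked HTTPS site

make_ca() {  # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_block_page_cert() {
  # To serve a block page over HTTPS the proxy must present a certificate
  # for the requested host, signed by its own CA.
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -days 1 \
    -CA "$WORK/proxy.pem" -CAkey "$WORK/proxy.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

client_verdict() {  # $1 = trust store the device uses
  # Same checks a browser makes: chain to a trusted root, hostname match.
  if openssl verify -CAfile "$1" -verify_hostname "$HOST" \
       "$WORK/leaf.pem" >/dev/null 2>&1
  then echo trusted
  else echo cert-error
  fi
}

make_ca proxy  "Constructed proxy signing CA"
make_ca public "Constructed public CA"
issue_block_page_cert

# BYOD device: only public roots. Corporate device: public roots plus the
# proxy CA (the effect of pushing the certificate out by GPO).
cat "$WORK/public.pem" > "$WORK/byod-store.pem"
cat "$WORK/public.pem" "$WORK/proxy.pem" > "$WORK/corp-store.pem"

echo "BYOD device:      $(client_verdict "$WORK/byod-store.pem")"
echo "Corporate device: $(client_verdict "$WORK/corp-store.pem")"
```

The hostname on the block-page certificate matches in both cases; the only difference between the two verdicts is whether the signing CA is in the device's trust store.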
