Web Server with HTTPS encryption showing different responses from both internal and external network

We have a new SSL certificate installed in Sophos for a website we are hosting. When I configure the web server with HTTP encryption, there is no issue. But when I change it to HTTPS encryption, these are the issues we are having:

From the internal network, it shows:

Proxy Error

The proxy server could not handle the request

Reason: Error during SSL Handshake with remote server

From the external network, it shows:

This site can’t provide a secure connection

domain.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

What are we missing to make this work properly?

  • Hello,

    Is this new certificate showing up as "trusted" under Certificates in the Sophos System?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, it has a green check in the Trusted column.

  • Are we talking about WAF here?

    Can you show us your rules?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, this is about WAF. This is the WAF configuration,

    and this is the Web Server config

  • Does the downstream Web Server (IP_DMZ_CSI-SVR03) also support HTTPS?

    Looking at the error given by the WAF, the downstream Web Server is only available through plain-text HTTP.

    I recommend you change from HTTPS to HTTP in the Web Server configuration (keeping the same port, 8080).

    When I configure the web server with HTTP encryption, there is no issue. But when I change it to HTTPS encryption, these are the issues we are having:

    It's because the downstream Web Server (IP_DMZ_CSI-SVR03) doesn't support HTTPS.

    You should leave the WAF to handle the encryption with the client and send the traffic downstream through plain-text HTTP. (There's no need for the WAF to encrypt all traffic again with the downstream server, unless you don't trust your own internal network.)


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

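A small probe, added here as an example and not code from the thread, from Sophos, or from the poster, that performs the same checks the answer above describes: it tries a TLS handshake against a backend host:port (what the WAF does when the web server entry is set to HTTPS) and, if that fails, a plain HTTP request, so you can tell an HTTP-only backend from an unreachable one before touching the WAF rule. The `probe_backend` and `start_demo_http_server` names, and the loopback stand-in server, are constructed for this example.

```python
import http.client
import http.server
import socket
import ssl
import threading


def probe_backend(host, port, timeout=5.0):
    """Return 'https', 'http', 'unreachable' or 'unknown' for what host:port speaks."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError:
        return "unreachable"
    # Same handshake the WAF attempts when the web server is set to HTTPS.
    # Verification is off on purpose: the question is whether TLS is spoken
    # at all, not whether the certificate is trusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "https"
    except OSError:  # SSLError, reset or timeout: the backend did not speak TLS
        pass
    # Plain HTTP, the web-server setting recommended in the answer above.
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        conn.getresponse()
        return "http"
    except (http.client.HTTPException, OSError):
        return "unknown"
    finally:
        conn.close()


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Plain-HTTP stand-in for the downstream server (constructed for this example)."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # silence request logging, including the 400 for the TLS ClientHello


def start_demo_http_server():
    """Start the stand-in backend on an ephemeral loopback port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Against a real backend, call `probe_backend("IP_DMZ_CSI-SVR03", 8080)` from a host that can reach the DMZ; a result of `http` matches the WAF's "Error during SSL Handshake with remote server" and means the web server entry should stay on HTTP.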
  • Regarding the downstream web server, I am not sure but I guess it doesn't support HTTPS.

    So as long as the WAF's encryption method is HTTPS, the Web Server's encryption type is insignificant if the server is internal? I thought I needed to make both the WAF's and the Web Server's encryption method HTTPS to make it secure.

  • It highly depends on how your current network is configured, and on what compliance requirements you need to meet.

    It's common to have a WAF terminating TLS at the edge and then transmitting data in plain text for higher performance (and caching in some other scenarios), but depending on how your internal network is currently configured, this can be either insecure or secure.

    The important part for you is having a secure connection between the client and the WAF.

    PS: If the connection from the WAF to the Web Server is encrypted through HTTPS, the IPS will have no effect, as it can't inspect the encrypted data, making it useless.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v21 GA @ Home

    Sophos ZTNA (KVM) @ Home

  • Got it. Thank you for the clarification!