

How to configure SSL/TLS inspection settings for smartphone apps

Hello there.
I am using XG firewall home edition in my house.
Some of the iOS apps are not available with SSL/TLS inspection enabled. When disabled, they can be used.

I checked LogViewer and in some cases it is Error and in other cases it is not Error.
I am checking LogViewer and iOS apps one by one. If necessary, I add them to the Local TLS exclusion list.

But this is hard work. And I want to respect the children's privacy, so we would like to keep LogViewer checks to a minimum.

How do you configure SSL/TLS inspection settings for mobile devices?

Regards,

XG135

HomeEdition(SFOS 19.0.1 MR-1-Build365)
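The workflow described in the question (watch the log viewer, spot the apps that fail under decryption, add them to the Local TLS exclusion list) can be narrowed so that only the failures are ever looked at. The script below is an added example written for this thread; it is not Sophos code and does not read the real SFOS log format. It uses a constructed one-session-per-line format and keys on the TLS alert descriptions (unknown_ca, bad_certificate, certificate_unknown from RFC 5246) that a client sends when it refuses the certificate an inspecting proxy presented, which is the signature of a pinned or user-store-averse app. Successful sessions are discarded before anything is reported, so the household's ordinary browsing never appears in the output.

```python
import re
from collections import defaultdict

# Constructed sample log lines. This is NOT the SFOS log format; it is a generic
# "one TLS session per line" format invented for this example.
SAMPLE_LOG = """\
2024-05-01T18:02:11 src=192.168.1.21 sni=api.example-weather.app action=decrypt result=ok
2024-05-01T18:02:12 src=192.168.1.21 sni=pinned.example-bank.app action=decrypt result=alert:unknown_ca
2024-05-01T18:02:13 src=192.168.1.21 sni=pinned.example-bank.app action=decrypt result=alert:unknown_ca
2024-05-01T18:02:14 src=192.168.1.33 sni=pinned.example-bank.app action=decrypt result=alert:bad_certificate
2024-05-01T18:03:01 src=192.168.1.33 sni=news.example.org action=decrypt result=ok
2024-05-01T18:03:05 src=192.168.1.33 sni=cdn.example-game.app action=decrypt result=alert:certificate_unknown
2024-05-01T18:03:09 src=192.168.1.21 sni=updates.example-vendor.com action=exclude result=ok
2024-05-01T18:04:40 src=192.168.1.33 sni=flaky.example.net action=decrypt result=timeout
"""

# TLS alert descriptions a client sends when it rejects the certificate the
# inspecting proxy presented (RFC 5246 section 7.2.2). A pinned app typically
# aborts with one of these right after receiving the substituted certificate.
CERT_REJECT_ALERTS = {"unknown_ca", "bad_certificate", "certificate_unknown"}

LINE_RE = re.compile(
    r"src=(?P<src>\S+) sni=(?P<sni>\S+) action=(?P<action>\S+) result=(?P<result>\S+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def cert_rejections(log_text):
    """Yield (sni, src) for decrypted sessions the client aborted with a certificate alert.
    Timeouts, successes and sessions already excluded from decryption are ignored."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "decrypt":
            continue
        result = rec["result"]
        if result.startswith("alert:") and result[len("alert:"):] in CERT_REJECT_ALERTS:
            yield rec["sni"], rec["src"]


def exclusion_candidates(log_text, min_failures=2):
    """Return {sni: failure_count} for hosts rejected at least min_failures times.
    Only failing hosts are counted; a single stray alert does not qualify by default,
    which avoids excluding a host because of one transient error."""
    counts = defaultdict(int)
    for sni, _src in cert_rejections(log_text):
        counts[sni] += 1
    return {sni: n for sni, n in counts.items() if n >= min_failures}


def render_exclusion_list(candidates):
    """One hostname per line, sorted, ready to paste into an exclusion list by hand."""
    return "\n".join(sorted(candidates))


if __name__ == "__main__":
    print(render_exclusion_list(exclusion_candidates(SAMPLE_LOG)))
```

With the sample above only pinned.example-bank.app is reported (three certificate alerts from two clients); cdn.example-game.app failed once and is held back until it repeats, and the timeout on flaky.example.net is not treated as a pinning problem at all. Lowering min_failures to 1 trades fewer log reviews for a longer exclusion list.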



  • Android smartphones will not work well with a decrypting proxy.

    Even if you install the proxy CA certificate on the phone, many system and 3rd-party apps will not trust certificates in the user store. You cannot add CAs to the system store.

    Apps like Firefox allow you to install a custom certificate, but many apps will not allow that or do not have an option for that.

    You will need to disable decryption for smart phones to work correctly.

  • Thank you,

    > Android smartphones will not work well with a decrypting proxy.

    I have heard that it does not work properly for Android.

    The majority of communications are SSL/TLS.
    In particular, most communication at home comes from smartphones.
    The use of smartphones and tablets is increasing in offices as well.
    Is XG Firewall unable to handle encrypted communications from smartphones?
    I would like to know how this situation is being addressed.
    This is precisely the intent of our question.

    Thank you.

  • Thank you,

    After reading the document, I will reply again.

    Regards,

  • It'll probably work if you set TLS profile decryption to disabled and only scan for the SNI (visited URL). You'll not be able to scan for malware then, but you can still allow or deny categories of websites.

    If you need decryption to scan the whole traffic, you'd need to apply manual exceptions for all apps they use. If you decide they use Firefox or another browser for normal surfing, then you can install your XG cert into the browser and can decrypt the whole traffic of that app on your firewall. All other apps, of course, will have issues unless you whitelist their traffic for do-not-decrypt.
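The SNI-only mode suggested above works because the hostname travels in the clear in the ClientHello, before any key exchange, so a firewall can read it without ever presenting its own certificate. The following is an added example written for this thread, not code from the original post or from Sophos: it builds a constructed ClientHello record, extracts the server_name extension with a bounds-checked parser, and applies a category decision against a constructed category map standing in for the firewall's URL categorisation. It shows exactly what is and is not visible without decryption (the hostname, but nothing inside the session), and returns a distinct "no-sni" result for traffic that carries no SNI, which is the case a policy must decide a default for.

```python
import struct


def build_client_hello(sni: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record with an SNI extension.
    Only the fields needed by extract_sni() are realistic; the random is all zeros."""
    host = sni.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    sni_payload = struct.pack("!H", len(server_name)) + server_name   # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_payload)) + sni_payload
    # An unrelated extension (supported_versions, type 0x002b) placed first so the
    # parser has to skip over it rather than assume SNI comes first.
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xC0\x2F"  # two cipher suites
        + b"\x01\x00"                                 # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, or None
    if the record is truncated, is not a ClientHello, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:                  # ContentType handshake
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 4 or hs[0] != 0x01:    # truncated or not client_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                              # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                      # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                      # compression_methods
    if pos + 2 > len(body):
        return None                                           # no extensions block
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        return None
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + elen > ext_end:
            return None
        data = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000:
            continue
        # ServerNameList: 2-byte length, then (name_type, 2-byte length, name) entries
        if len(data) < 2:
            return None
        p, end = 2, 2 + struct.unpack("!H", data[:2])[0]
        if end > len(data):
            return None
        while p + 3 <= end:
            ntype = data[p]
            nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if p + nlen > end:
                return None
            if ntype == 0:
                return data[p:p + nlen].decode("ascii", errors="replace")
            p += nlen
    return None


# Constructed category map standing in for the firewall's URL categorisation.
CATEGORIES = {"games.example-game.app": "games", "api.example-bank.app": "finance"}


def sni_policy(record: bytes, denied_categories) -> str:
    """Allow/deny by SNI category alone; 'no-sni' flags traffic the policy cannot classify."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    category = CATEGORIES.get(host, "uncategorised")
    return "deny" if category in denied_categories else "allow"


if __name__ == "__main__":
    hello = build_client_hello("games.example-game.app")
    print(extract_sni(hello), sni_policy(hello, {"games"}))
```

Because nothing past the ClientHello is inspected, malware scanning of the payload is indeed impossible in this mode, as the reply says; what remains is the hostname-level allow/deny, plus a decision for sessions with no SNI at all (some pinned or ESNI/ECH-style clients), which the policy returns as "no-sni" rather than silently allowing.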

  • Thank you,

    > It'll probably work if you set TLS profile decryption to disabled and only scan for the SNI (visited URL). You'll not be able to scan for malware then, but you can still allow or deny categories of websites.

    I agree with you. But it would mean that the XG Firewall would be less valuable to me.

    > you'd need to apply manual exceptions for all apps they use. 

    Yes. It is the question.

    So in other words, I have no choice but to continue working as I am now.

    I will keep thinking about the balance between usability and security.

    For smartphones, I can avoid the Firewall by switching to a mobile signal.
    For PCs, I can avoid the firewall by tethering.
    I guess it is an eternal problem.

    Thank you,

  • Hi,

    Any Apple devices that require access to Apple sites do not support decrypt and scan; you will need exceptions for Apple.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • The problem is due to certificate pinning that Google uses to prevent man-in-the-middle "attacks". It's not really an attack, but Google's sites do not trust the TLS decrypt-and-scan certificate; because of this, SSL/TLS inspection cannot occur.

    What is certificate pinning?

  • Thank you,

    I checked the documents. But they can't solve my problem.

    Whether I use the DPI engine or the web proxy, I must maintain the Local TLS exclusion list manually.

    Thank you for your reply. Regards,

  • Thank you,

    You are talking about Android or Chrome OS? Yeah, I think they are the best solution to escape from a network administrator who wants to use SSL inspection.

    Regards,

  • Thank you,

    Of course I added the Apple domains to the whitelist.

    https://support.apple.com/en-bh/HT210060

    Regards,