
How to configure SSL/TLS inspection settings for smartphone apps

Hello there.
I am using the XG Firewall Home Edition in my house.
Some iOS apps do not work with SSL/TLS inspection enabled. When it is disabled, they can be used.

I checked the Log Viewer, and in some cases it shows an error and in other cases it does not.
I am checking the Log Viewer and the iOS apps one by one. If necessary, I add them to the local TLS exclusion list.

But this is hard work. And I want to respect the children's privacy, so I would like to keep Log Viewer checks to a minimum.

How do you configure SSL/TLS inspection settings for mobile devices?

Regards,

XG135

Home Edition (SFOS 19.0.1 MR-1-Build365)



This thread was automatically locked due to age.
  • Hello  ,

    Thank you for reaching out to the community, I would agree with  suggestion. 

    > Under the FW rules for LAN to WAN enable the option "Use web proxy instead of DPI engine" under the Security Features. Ensure a web policy is applied before enabling the option.
    > Install the SSL CA Certificate, you can find the guide here  - https://support.sophos.com/support/s/article/KB-000035645?language=en_US
    > Also ensure the following option is enabled: "Scan HTTP and decrypted HTTPS"
    > Please find the FAQ for - HTTPS decrypt and scan here - https://support.sophos.com/support/s/article/KB-000038420?language=en_US

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • Android smartphones will not work well with a decrypting proxy.

    Even if you install the proxy CA certificate on the phone, many system and third-party apps will not trust certificates in the user store. You cannot add CAs to the system store.

    Apps like Firefox allow you to install a custom certificate, but many apps will not allow that or do not have an option for it.

    You will need to disable decryption for smartphones to work correctly.

  • Thank you  ,

    > Android smartphones will not work well with a decrypting proxy.

    I have heard that it does not work properly for Android.

    The majority of communications are SSL/TLS.
    In particular, most communication at home comes from smartphones.
    The use of smartphones and tablets is increasing in offices as well.
    Is XG Firewall unable to handle encrypted communications from smartphones?
    I would like to know how this situation is being addressed.
    This is precisely the intent of our question.

    Thank you.

  • It'll probably work if you set TLS profile decryption to disabled and only scan for the SNI (visited URL). You'll not be able to scan for malware then, but you can still allow or deny categories of websites.

    If you need decryption to scan the whole traffic, you'd need to apply manual exceptions for all apps they use. If you decide they use Firefox or another browser for normal surfing, then you can install your XG cert into the browser and decrypt the whole traffic of that app on your firewall. All other apps, of course, will have issues unless you whitelist their traffic for do-not-decrypt.

  • Thank you  ,

    > It'll probably work if you set TLS profile decryption to disabled and only scan for the SNI (visited URL). You'll not be able to scan for malware then, but you can still allow or deny categories of websites.

    I agree with you. But it would mean that the XG Firewall would be less valuable to me.

    > you'd need to apply manual exceptions for all apps they use. 

    Yes. It is the question.

    So in other words, I have no choice but to continue working as I am now.

    I will keep thinking about the balance between usability and security.

    For smartphones, I can avoid the Firewall by switching to a mobile signal.
    For PCs, I can avoid the firewall by tethering.
    I guess it is an eternal problem.

    Thank you,
