
How to configure SSL/TLS inspection settings for smartphone apps

Hello there.
I am using XG firewall home edition in my house.
Some iOS apps do not work with SSL/TLS inspection enabled. When it is disabled, they can be used.

I checked LogViewer, and in some cases it shows Error and in other cases it does not.
I am checking LogViewer and iOS apps one by one. If necessary, I add them to the Local TLS exclusion list.

But this is hard work, and I want to respect the children's privacy, so we would like to keep LogViewer checks to a minimum.

How do you configure SSL/TLS inspection settings for mobile devices?

Regards,

XG135

Home Edition (SFOS 19.0.1 MR-1-Build365)



  • Hi,

    If you use the web proxy you don't need to add to the SSL/TLS list; just create an exception in the web proxy. The SSL/TLS exception list is overwritten by Sophos updates, whereas the web exceptions are not.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you  

    Would that solve the "I don't want to spend time on whitelist maintenance" problem?

    In an environment with many mobile devices, like a home, I think it is difficult to use SSL/TLS inspection while respecting privacy, because the administrator must check the SSL/TLS log for each problem, like the PayPal app.

    I think the problem is:

    Even if you install the proxy CA certificate on the phone, many system and third-party apps will not trust certificates in the user store. You cannot add CAs to the system store.

    Apps like Firefox allow you to install a custom certificate, but many apps will not allow that or do not have an option for that.

    You will need to disable decryption for smart phones to work correctly.

    Could you tell me how to create an exception in the web proxy? I want to try it.

    Regards,

    The SSL/TLS exception list is overwritten by Sophos updates, whereas the web exceptions are not.

    If you use custom URL groups in the SSL/TLS Inspection Rules, they are never overwritten.

  • Thank you  

    Are you talking about the "Managed TLS exclusion list"? Yes, I use it. Still, errors occur, so I maintain the "Local TLS exclusion list".

  • Hi,

    I gave up on using SSL/TLS rules for my home devices; too many applications did not function. I use the web proxy and exceptions. I found the easiest way to create exceptions was to copy existing ones and replace the parts of each exception. The exceptions primarily use regex, if you care to search the web for how to use regex.

    My network consists of various Apple devices (7), printers, PCs in VMs, security cameras, light and power controllers, smart TVs and players, etc.

    Ian

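The reply above recommends copying an existing web proxy exception and editing its regex. The following is an added example (my own code, not from the thread or from Sophos) showing what such a domain exception looks like and why the anchoring matters. It assumes, as the default Sophos exceptions suggest, that the pattern is matched against the URL with its scheme removed ("host/path"); the PayPal host names and look-alike hosts are constructed sample input, not real log lines.

```python
import re
from typing import Dict, List

# Constructed sample of URLs as the proxy would see them from a phone.
# These are illustrative values, not log lines from the thread.
SAMPLE_URLS = [
    "https://api.paypal.com/v1/oauth2/token",
    "https://www.paypal.com/signin",
    "https://paypal.com",
    "https://paypal.com.evil.example/login",   # look-alike host
    "https://notpaypal.com/",                  # suffix collision
    "https://evil.example/paypal.com/",        # domain appears only in the path
]


def domain_exception(domain: str) -> str:
    """Return an exception regex covering ``domain`` and all of its subdomains.

    The shape follows the default Sophos web exceptions: anchored at the start of
    the scheme-less URL, optional labels before the domain, and a trailing "/" so
    the match cannot run on into a longer host name.  (Assumption: the firewall
    matches these patterns against "host/path" with the scheme removed.)
    """
    return r"^([A-Za-z0-9.-]*\.)?" + re.escape(domain) + "/"


def compile_exceptions(domains: List[str]) -> List[re.Pattern]:
    """Compile one anchored exception per domain in the exclusion list."""
    return [re.compile(domain_exception(d)) for d in domains]


def scheme_less(url: str) -> str:
    """Strip "https://" / "http://" and guarantee a path separator is present."""
    host_path = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.IGNORECASE)
    return host_path if "/" in host_path else host_path + "/"


def is_excepted(url: str, patterns: List[re.Pattern]) -> bool:
    """True if any exception pattern hits, i.e. the request bypasses inspection."""
    target = scheme_less(url)
    return any(p.search(target) for p in patterns)


def naive_is_excepted(url: str, domain: str) -> bool:
    """What an unanchored pattern such as ``paypal\\.com`` would do (for contrast)."""
    return re.search(re.escape(domain), scheme_less(url)) is not None


def classify(urls: List[str], patterns: List[re.Pattern]) -> Dict[str, str]:
    """Map each URL to "bypass" (exception hit, not decrypted) or "inspect"."""
    return {u: ("bypass" if is_excepted(u, patterns) else "inspect") for u in urls}


if __name__ == "__main__":
    pats = compile_exceptions(["paypal.com"])
    for url, verdict in classify(SAMPLE_URLS, pats).items():
        naive = "bypass" if naive_is_excepted(url, "paypal.com") else "inspect"
        print(f"{verdict:8} (unanchored: {naive:8})  {url}")
```

The anchored pattern lets the three genuine PayPal hosts bypass decryption while the look-alike host, the suffix collision and the path-only occurrence are still inspected; the unanchored variant lets all six through, which is the mistake to avoid when editing a copied exception by hand.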

  • Hello  

    Thank you for sharing your experience. I think 'give up on using SSL/TLS rules' is better too.

    I created this discussion to know if there is some other way.

    I will try web proxy. Thank you for sharing the easiest way to create exceptions.  

    Regards,