How configure SSL/TLS inspection settings for smartphone apps

Hello Naoki_I ,

Thank you for reaching out to the community, I would agree with rfcat_vk suggestion. 

> Under the FW rules for LAN to WAN enable the option "Use web proxy instead of DPI engine" under the Security Features. Ensure a web policy is applied before enabling the option.
> Install the SSL CA Certificate, you can find the guide here  - https://support.sophos.com/support/s/article/KB-000035645?language=en_US
> Also ensure the following option is also enabled "Scan HTTP and decrypted HTTPS" 
> Please find the FAQ for - HTTPS decrypt and scan here - https://support.sophos.com/support/s/article/KB-000038420?language=en_US

Thank you Vivek Jagad ,

After reading the document, I will reply again.

Regards,

Thank you Vivek Jagad 

I checked documents. But it can't solve my problem.

Whether I use dpi engine or Web proxy, I must maintain Local TLS exclusion list manually,

Thank you for your reply. Regards,

Hi,

if you use the web proxy you don’t need to add to the ssl/tls list, just create an exception in the web proxy. The ssl/tls exception list is overwritten by sophos updates where as the web exceptions are not.

ian

Thank you rfcat_vk 

Would that solve the "I don't want to spend time on whitelist maintenance" problem?

In an environment with many mobile devices - like home-, I think it difficult to use SSL/TLS inspection while respecting privacy. Because administrator must check SSL/TLS log for each problem like PayPal app.

I think problem is 

LHerzog said:

Even if you install the Proxy CA certificate on the phone, many system and 3rd party apps will not trust certificates in the user store. you cannot add CAs to the system store.

Apps like firefox allow you to install a custom certificate but many apps will not allow that or no not have an option for that.

You will need to disable decryption for smart phones to work correctly.

Could you tell me how to create an exception in the web proxy. I wanna try it.

Regards,

rfcat_vk said:

The ssl/tls exception list is overwritten by sophos updates where as the web exceptions are not.

If you use custom URL groups in the SSL/TLS Inspection Rules, they are never overwritten.

Thank you JasP 

You says about "Managed TLS exclusion list"? Yes. I use it. Still, Errors occur. So I maintain "Local TLS execution list".

HI,

I gave up on using SSL/TLS rules for my home devices, too many applications did not function. I use web proxy and exceptions. I found the easiest way to create exceptions was copy existing ones and replace the parts of each exception. The exceptions primarily use regex if you care to search the web for how to use regex.

My network consists of

various apple devices (7), printers, PCs in VMs, security cameras, light and power controllers, smart tvs and players etc.

Ian

HI,

I gave up on using SSL/TLS rules for my home devices, too many applications did not function. I use web proxy and exceptions. I found the easiest way to create exceptions was copy existing ones and replace the parts of each exception. The exceptions primarily use regex if you care to search the web for how to use regex.

My network consists of

various apple devices (7), printers, PCs in VMs, security cameras, light and power controllers, smart tvs and players etc.

Ian

Hello rfcat_vk 

Thank you for sharing your experience. I think ' give up on using SSL/TLS rules‘ is better too.

I created this discussion to know if there is some other way.

I will try web proxy. Thank you for sharing the easiest way to create exceptions.  

Regards,