
How to configure SSL/TLS inspection settings for smartphone apps

Hello there.
I am using XG firewall home edition in my house.
Some of the iOS apps are not available with SSL/TLS inspection enabled. When disabled, they can be used.

I checked LogViewer, and in some cases it shows an error and in other cases it does not.
I am checking LogViewer and iOS apps one by one. If necessary, I add them to the Local TLS exclusion list.

But this is hard work. And I want to respect the children's privacy, so we would like to keep LogViewer checks to a minimum.

How do you configure SSL/TLS inspection settings for mobile devices?

Regards,

XG135

HomeEdition(SFOS 19.0.1 MR-1-Build365)



  • Hi,

    Any Apple devices that require access to Apple sites do not support decrypt and scan; you will need exceptions for Apple.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • The problem is due to certificate pinning that Google uses to prevent man-in-the-middle "Attacks". It's not really an attack, but Google's sites do not trust the TLS decrypt and scan certificate, because of this SSL/TLS inspection cannot occur.

    What is certificate pinning?

  • Thank you

    I checked the documents, but they can't solve my problem.

    Whether I use the DPI engine or the web proxy, I must maintain the Local TLS exclusion list manually.

    Thank you for your reply. Regards,

  • Thank you,

    Are you talking about Android or Chrome OS? Yeah, I think they are the best solution to escape from a network administrator who wants to use SSL inspection.

    Regards,

  • Thank you

    Of course I added the Apple domains to the whitelist.

    https://support.apple.com/en-bh/HT210060

    Regards,

  • Hi,

    If you use the web proxy you don't need to add to the SSL/TLS list; just create an exception in the web proxy. The SSL/TLS exception list is overwritten by Sophos updates, whereas the web exceptions are not.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you

    Would that solve the "I don't want to spend time on whitelist maintenance" problem?

    In an environment with many mobile devices, like a home, I think it is difficult to use SSL/TLS inspection while respecting privacy, because the administrator must check the SSL/TLS log for each problem, like the PayPal app.

    I think the problem is:

    Even if you install the Proxy CA certificate on the phone, many system and 3rd party apps will not trust certificates in the user store. You cannot add CAs to the system store.

    Apps like Firefox allow you to install a custom certificate, but many apps will not allow that or do not have an option for that.

    You will need to disable decryption for smart phones to work correctly.

    Could you tell me how to create an exception in the web proxy? I want to try it.

    Regards,
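The two mechanisms raised in this thread, certificate pinning (the Google reply above) and apps that only trust the system store (the text quoted in the post just above), can be reproduced offline. The following Go program is an added example, not part of this thread and not Sophos or Apple code. It constructs a public root CA, a firewall inspection CA, and a server certificate for a placeholder host `api.example.test` from each CA, then shows what an app sees: the proxy-issued chain validates only when the firewall CA has been imported into the user store, and it always fails an SPKI pin (one common pin form, `base64(SHA-256(SubjectPublicKeyInfo))`) because the proxy can copy the site's name but not its public key. All names, keys and the host are constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// Added example, not Sophos or Apple code: every CA, key and host name is
// constructed in memory so this runs offline. makeCert generates a fresh P-256
// key and a certificate for tmpl signed by parent (nil parentKey = self-signed).
// A proxy can copy the site's name into tmpl, but never reproduce its key.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template returns a one-day CA or server certificate template for name.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiPin is the pin format apps commonly embed: base64(SHA-256(SubjectPublicKeyInfo)).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// trusted runs ordinary chain validation for host against one trust store.
func trusted(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}

// Checks records what an app sees for one presented server certificate.
type Checks struct {
	SystemStore bool // validates against the system store (public CA only)
	UserStore   bool // validates against the user store (public CA + firewall CA)
	Pinned      bool // SPKI hash equals the pin compiled into the app
}

// Simulate evaluates the genuine chain and a decrypt-and-scan chain for the same host.
func Simulate() (genuine, intercepted Checks) {
	const host = "api.example.test" // constructed placeholder
	publicCA, publicKey := makeCert(template("Public Root CA (constructed)", true), nil, nil)
	proxyCA, proxyKey := makeCert(template("Firewall Inspection CA (constructed)", true), nil, nil)
	realLeaf, _ := makeCert(template(host, false), publicCA, publicKey)
	proxyLeaf, _ := makeCert(template(host, false), proxyCA, proxyKey)
	systemStore := x509.NewCertPool()
	systemStore.AddCert(publicCA)
	userStore := x509.NewCertPool()
	userStore.AddCert(publicCA)
	userStore.AddCert(proxyCA) // the user imported the firewall's CA
	pin := spkiPin(realLeaf)   // the value the app shipped with
	eval := func(leaf *x509.Certificate) Checks {
		return Checks{
			SystemStore: trusted(leaf, systemStore, host),
			UserStore:   trusted(leaf, userStore, host),
			Pinned:      spkiPin(leaf) == pin,
		}
	}
	return eval(realLeaf), eval(proxyLeaf)
}

func main() {
	genuine, intercepted := Simulate()
	fmt.Printf("genuine chain:     %+v\nintercepted chain: %+v\n", genuine, intercepted)
}
```

Running it prints all three checks true for the genuine chain, and for the intercepted chain only `UserStore` true: an app that consults the system store alone rejects the firewall's certificate even after the CA is installed, and an app that pins rejects it regardless of which store it consults. That is why, as the replies say, the only workable options are exceptions (bypass) for those destinations or no decryption for the affected devices.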

  • The SSL/TLS exception list is overwritten by Sophos updates, whereas the web exceptions are not.

    If you use custom URL groups in the SSL/TLS Inspection Rules, they are never overwritten.

  • I use XG as a dedicated firewall unit in order to have the devices play different roles.

    Can you explain what this means? I'm trying to understand what you are trying to achieve as there may be a better way to configure your network to achieve what you want while respecting the privacy of your children.

    We deal with this issue both with businesses and at home. There isn't a perfect answer. In all situations we have a guest wifi that is segregated from the main network. Where people just need internet access, they connect to the guest network which has no TLS/SSL scanning. This is the same level of security as using their mobile phone signal for internet but protects the rest of your network. This may work for you at home but it depends what your exact requirements are.

  • Setting up TLS inspection on Chrome OS Devices

    Updated hosts that you need to "bypass SSL inspection" for. I don't know if this will work for Android devices or not.