How to get SSL certificate working for Web Filter notifications?

You have to enable Captive portal in the zone you are coming from.

Hello,

Greetings,

You need to assign hostname to the firewall and your certificate should be wildcard and should include the hostname given to the firewall to avoid this. You may refer to the below KBA:

support.sophos.com/.../KB-000038295

Thank you for the response, Captive portal is enabled in the LAN zone already.

Thank you for the response.

Do you mean my firewall hostname should be something like xg230.mydomain.com, and my certificate should be wildcard to accommodate this? So it's a DNS problem then?

Currently mydomain.com resolves to the WAN IP of my firewall, which has a custom hostname override of mydomain.com so they match. Do I need DNS to resolve my firewall hostname to an internal IP instead?

Thanks,

Build a split DNS and point to the internal IP address.

Try it yourself with https://<IP>:8090/... If there is no RP_END_OF_FILE_ERROR, split DNS should work.

Thank you for the reply. I configured a split DNS in my Active Directory server which points mydomain.com to the firewall internal IP.  Now users get the SSL certificate error in their browser, but can continue anyway and it loads the correct Sophos Block page. One step closer!  

This is what users see when going to a blocked webpage:

SSL Cert details of the blocked page:

If they click continue it goes here successfully. No more RP_END_OF_FILE_ERROR, which is good.

How could I prevent the Sophos from modifying the initial yahoo.com SSL certificate so that the users don't get the unsecured message?

For future reference, I found a solution to this problem.

1. Download the Sophos SecurityAppliance_SSL_CA certificate from the firewall.
2. Import the Cert to the local computer Trusted Root store
3. Now everything works, but only in MS Edge and Chrome

To get this working in Firefox, enable the setting "security.enterprise_roots.enabled"
support.mozilla.org/.../setting-certificate-authorities-firefox