How to get SSL certificate working for Web Filter notifications?

Hello there,

I just enabled a web filter policy to block various websites, but I'm having issues with the user notification options. I have installed a valid LetsEncrypt SSL certificate and it's working great for the user portal. However, when a webpage is blocked, the page fails to load as the user is redirected to https://mydomain.com:8090 and the web browser just flops and loads nothing at all.

I can work around this by going to System > Administration > Admin and User Settings > Admin console and end-user interaction > Use the IP address of the first internal interface.

However, users then get the typical browser certificate error because the blocked webpage notice is coming from an internal IP. How can I give internal users the ability to load https://mydomain.com:8090 and have it load properly in their web browser with a valid cert?

  • Thank you for the response.

    Do you mean my firewall hostname should be something like xg230.mydomain.com, and my certificate should be wildcard to accommodate this? So it's a DNS problem then?

    Currently mydomain.com resolves to the WAN IP of my firewall, which has a custom hostname override of mydomain.com so they match. Do I need DNS to resolve my firewall hostname to an internal IP instead?

    Thanks,

  • Build a split DNS and point to the internal IP address.

    Try it yourself with https://<IP>:8090/... If there is no RP_END_OF_FILE_ERROR, split DNS should work.
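A quick way to do the check suggested above from an internal Windows client, as an added example that is not part of the thread: confirm that split DNS now returns the internal address for the firewall hostname, then capture the certificate the :8090 block page actually presents and see whether the client already trusts it. `$FirewallHost` and `$InternalPrefix` are assumptions taken from the thread and a typical LAN; change them for your network.

```powershell
# Added example, not from the thread: verify split DNS and inspect the
# certificate served on the Sophos user-notification port.
$FirewallHost   = 'mydomain.com'   # hostname users are redirected to (from the thread)
$Port           = 8090             # Sophos user-notification port (from the thread)
$InternalPrefix = '192.168.'       # assumed LAN prefix; adjust to your addressing

# 1. DNS: an internal client should get the INTERNAL address, not the WAN IP.
$aRecords = Resolve-DnsName -Name $FirewallHost -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' }
foreach ($r in $aRecords) {
    $where = if ($r.IPAddress.StartsWith($InternalPrefix)) { 'internal' }
             else { 'NOT internal (split DNS not in effect for this client?)' }
    '{0} -> {1} ({2})' -f $FirewallHost, $r.IPAddress, $where
}
$ip = $aRecords[0].IPAddress

# 2. TLS: connect with SNI set to the hostname and record the certificate the
#    firewall presents plus the policy errors Windows reports for it. The
#    callback only records; it is a diagnostic, not a validation policy.
$script:PresentedCert = $null
$script:PolicyErrors  = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:PresentedCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    $script:PolicyErrors  = $errors
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($ip, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($FirewallHost)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 3. Report. PolicyErrors = None with a SAN covering $FirewallHost means users
#    get no warning; RemoteCertificateNameMismatch points at a DNS/hostname
#    problem; RemoteCertificateChainErrors means the issuing CA is not trusted.
$c = $script:PresentedCert
"Subject : $($c.Subject)"
"Issuer  : $($c.Issuer)"
"Expires : $($c.NotAfter)"
"SANs    : $($c.DnsNameList.Unicode -join ', ')"
"Errors  : $($script:PolicyErrors)"
```

Run it from a client on the LAN, not from the firewall or from outside, because the point is to see what the resolver and the TLS handshake look like from the user's position.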

  • Thank you for the reply. I configured a split DNS in my Active Directory server which points mydomain.com to the firewall internal IP. Now users get the SSL certificate error in their browser, but can continue anyway and it loads the correct Sophos Block page. One step closer!

    This is what users see when going to a blocked webpage:

    SSL Cert details of the blocked page:

    If they click continue it goes here successfully. No more RP_END_OF_FILE_ERROR, which is good.

    How could I prevent Sophos from modifying the initial yahoo.com SSL certificate so that the users don't get the unsecured message?

    Edit: Sanitized image by removing private domain name.
    [edited by: Kevin Casper1 at 4:50 PM (GMT -8) on 3 Feb 2023]
  • For future reference, I found a solution to this problem.

    1. Download the Sophos SecurityAppliance_SSL_CA certificate from the firewall.
    2. Import the cert to the local computer Trusted Root store.
    3. Now everything works, but only in MS Edge and Chrome.

    To get this working in Firefox, enable the setting "security.enterprise_roots.enabled"
    support.mozilla.org/.../setting-certificate-authorities-firefox
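The three steps above, scripted for one Windows client as an added example (not the poster's own script and not Sophos documentation): inspect the downloaded CA before trusting it, import it into the machine-wide Trusted Root store that Edge and Chrome use, verify the import, and set the Firefox enterprise policy that has the same effect as `security.enterprise_roots.enabled`. The file path is an assumption; the policy registry key is the documented Firefox `ImportEnterpriseRoots` policy. Run in an elevated PowerShell session.

```powershell
# Added example, not from the thread: trust the firewall's SecurityAppliance_SSL_CA
# on a Windows client and make Firefox use the Windows root store.
$CaPath = 'C:\Temp\SecurityAppliance_SSL_CA.cer'   # assumed download location/name

# Look before trusting: a root added here can issue a certificate for ANY site,
# so confirm this really is the firewall's own self-signed CA and note its lifetime.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaPath)
$ca | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter
if ($ca.Subject -ne $ca.Issuer) { throw 'Not a self-signed root; check that you downloaded the CA, not a leaf cert.' }

# Step 2 from the thread: machine-wide Trusted Root store (used by Edge and Chrome).
Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Verify the import by thumbprint rather than by name.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $installed) { throw 'CA not found in LocalMachine\Root after import.' }
"Trusted: $($installed.Subject) (expires $($installed.NotAfter))"

# Firefox: enterprise policy equivalent of security.enterprise_roots.enabled,
# so every profile on the machine reads the Windows store instead of each
# user flipping the about:config switch.
$pol = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name ImportEnterpriseRoots -Value 1 -Type DWord
```

For more than a handful of machines, distribute the same CA through Group Policy (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities) and push the Firefox policy the same way, so the trust decision is made once and can be revoked centrally when the firewall's CA is rotated.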