
Your connection is not Private

Hi, 

Purchased an XGS2100 to replace our SG230 for our Public WiFi connection.

The device is not on a domain and has its own internet connection. It is only used for members of the public to get access to the internet on their own personal devices, mobiles, laptops and tablets etc. We have APX320 access points connected to the device.

Using the default Web Policy with Source Any Zone, Any Host, and Destination WAN, Any Host, Any Service.

Have a hotspot set up with Terms and conditions front page sign in.

A user can connect to the Wifi, then a screen pops up.

SSL Certificate Not Trusted. The security certificate for this network is not from a trusted authority. We do not recommend that you connect to this network.

They can continue and accept the terms and conditions.

After that, a large number of websites show up with the error "Your connection is not Private. Attackers..." etc. CERT-Authority-Invalid

Is it because their device doesn't have the SSL certificate installed? If so, how do I get their device to do this so they can access the internet?

Or is it the message we get when trying to access blocked sites, and the Blocked site message doesn't show?

Thanks

Trev



  • Hello Trev,

    Thanks for reaching out to Sophos Community and hope you are well. 

    Was this happening to all sites, or just a large number of them but not all? If Decrypt HTTPS is not enabled/not checked but the site they are trying to reach is configured to be blocked by a Web Filter policy, this is the expected behavior.

    In this example I blocked the category "Anonymizers", then I tried going to a website listed in the anonymizer category, and this is the expected default block page if an HTTPS site gets blocked by a Web Filter rule. If this is the case, kindly review your Web filtering rule and check if those sites are configured to be blocked. You can also verify this when users try to access them under Log Viewer > Web Filter and see if a filter policy is blocking the access.

    And kindly tick 'Log Firewall Traffic' on the specific firewall rule.

    - If Decrypt HTTPS is checked/enabled under Firewall Rule > Web Filtering, you will also face the same error page, and what you need to do in this case is upload the Firewall's self-signed certificate to the devices.

    Downloading the signing CA: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Web/HowToArticles/WebProxyDPITLSDecryption/index.html#decryption-ca

    Installing CA to endpoints: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Certificates/HowToArticles/CertificatesAddCAManually/index.html

    Hope this helps and thank you for choosing Sophos.

    Cheers,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support

  • Hi Raphael

    Thanks for the reply, I will certainly look into all these points. 

    I do think a lot of them are blocked sites as more general sites are accessible.

    Is there any way around the certificate installation, as a lot of our WiFi users are casual users and will not know how to install a certificate themselves?

    They are members of the public who attend short classes on a short term basis and others just come to use the public WiFi.

    Is there an auto install?

    We don't have this problem on our Sophos SG230 device; all blocked sites show the correct Sophos message and users don't get the "Your connection is Not Private" message.

    regards

    Trev

  • You should consider excluding "external" devices from SSL-decryption.
    Depends on access rights to vulnerable resources.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thank you. I will try that too.

    Users have no access to any resources on our system. The XGS2100 device is only used for them to access the internet and browse sites for personal use on their own devices or on tablets in our Public access area.

    Currently all users get a message saying "Could not verify server identity" "Appliance certificate not trusted" Cancel or Connect.

    If they connect, they then see our Terms and conditions page to access the Public internet. Is there any way of not seeing this message?

    I have updated the Web access policy and now all general sites seem to be available. 

    thank you

    Trev

  • You need a trusted certificate for your "Terms and conditions page" too.


    Dirk


  • The only one I can select from the HotSpot Settings Page is the ApplianceCertificate. Is there another one I need to add or create somewhere?

  • You need to add/import a trusted certificate


    Dirk


  • Please read
    Sophos Firewall: HTTPS Decrypt and Scan FAQ

    You have two choices:
    Decrypt traffic - all HTTPS sites will be decrypted and any user without the CA will get the browser warning for all HTTPS sites.

    Do not decrypt traffic - only HTTPS sites for which we need to display a block page will get the browser warning before the block page

    I am pretty sure you want the latter.  If you want you can configure the proxy so that HTTPS blocks will just drop the connection rather than display a block page (signed with the CA).
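    The two cases in the answer above (a certificate issued by the firewall's own CA, whether from decryption or from an HTTPS block page, versus a genuine site certificate) can be told apart from a client on the hotspot. The following diagnostic is an added example, not code from this thread or from Sophos; it assumes the commonName of the firewall's signing CA (a constructed placeholder here) and the path to its exported CA file.

```python
import socket
import ssl

# Assumption: the commonName of the firewall's signing CA (see the firewall's
# Certificates page); this value is a constructed placeholder.
APPLIANCE_CA_CN = "Sophos Firewall CA"


def _name_attr(rdns, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in rdns:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def classify_cert(cert, host, appliance_ca_cn=APPLIANCE_CA_CN):
    """Classify a dict shaped like ssl.SSLSocket.getpeercert().

    'appliance-signed': issued by the firewall CA (HTTPS decryption or an HTTPS
    block page); devices without that CA installed show the browser warning.
    'public-ca': issued elsewhere and valid for host.  Otherwise 'name-mismatch'."""
    issuer_cn = _name_attr(cert.get("issuer", ()), "commonName")
    subject_cn = _name_attr(cert.get("subject", ()), "commonName")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    wildcard = "*." + host.partition(".")[2]
    if issuer_cn == appliance_ca_cn:
        return "appliance-signed"
    if host == subject_cn or host in sans or wildcard in sans:
        return "public-ca"
    return "name-mismatch"


def peer_cert(host, cafile=None, port=443, timeout=5):
    """Handshake with host, verifying against cafile (default: system store).
    Returns the verified leaf cert dict, or None if the chain does not verify."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None -> system CAs
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()  # empty unless verification succeeded
    except ssl.SSLError:
        return None


def diagnose(host, appliance_cafile):
    """Tell a firewall-signed warning apart from a genuine certificate problem."""
    cert = peer_cert(host)  # system trust store: genuine site certs pass here
    if cert is not None:
        return classify_cert(cert, host)
    cert = peer_cert(host, cafile=appliance_cafile)  # only the firewall CA
    return classify_cert(cert, host) if cert else "untrusted-by-both"
```

    Run `diagnose("some.site.example", "/path/to/appliance-ca.pem")` from a device on the hotspot: "appliance-signed" means the warning comes from the firewall (decryption or a block page), so either install the CA or switch to the "do not decrypt" option.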

  • Hi, appreciate all the help given for this.

    Do you know where I can find instructions on how to "add/import a trusted certificate" please?

    Trev