Your connection is not Private

Hello Trev,

Thanks for reaching out to Sophos Community and hope you are well. 

Was this happening to all sites? or just large number of them but not all? If Decryt HTTPS is Not enabled/not checked but the site they are trying to reach is configured to be blocked by a Web Filter policy this is the expected behavior.

In this example I blocked the category "Anonymizers" then I tried going to an anonymizer category listed website and this is the expected default block page if an HTTPS site gets blocked by a Web Filter Rule. If this is the case kindly review your Web filtering rule and kindly check if those sites are configured to be block, you can also verify this when users try to access under Log Viewer > Web Filter and see if a filter policy is blocking the access. 

And kindly tick the 'Log Firewall Traffic' on the specific firewall rule

-If your Decrypt HTTPS checked/enabled under Firewall Rule > Web Filtering you will also face the same error page and what you need to do on this case is upload the Firewall's self-signed certificate on the devices 

Downloading the signing CA: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Web/HowToArticles/WebProxyDPITLSDecryption/index.html#decryption-ca

Installing CA to endpoints: https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Certificates/HowToArticles/CertificatesAddCAManually/index.html

Hope this helps and thank you for choosing Sophos.

Cheers,

Hi Raphael

Thanks for the reply, I will certainly look into all these points. 

I do think a lot of them are blocked sites as more general sites are accessible.

Is there any way around the certificate installation as a lot of our WiFi users are casual users and will not know how to install a certificate themselves.

They are members of the public who attend short classes on a short term basis and others just come to use the public WiFi.

Is there an auto install?

We dont have this problem on our Sophos SG230 device and all blocked sites show the correct sophos message and users dont get the "Your connection is Not Privsate" message.

regards

Trev

You should consider excluding "external" devices from SSL-decryption.
Depends on access rights to vulnerable resources.

Thank you. I will try that too.

Users have no access to any resources on our system, The XGS2100 device is only used for them to access the internet and browse sites for personal use on their own devices or on tabkets in our Public access area.

Currently all users get a message saying  "Could not verify server identity" "Appliance certificate not trusted"  Cancel or Connect.

If they connect, they then see our Terms and conditions page to access the Public internet.  Is there anyway of not seeing this meesage?

I have updated the Web access policy and now all general sites seem to be available. 

thank you

Trev

You need a trusted certificate for your "Terms and conditions page" too.

The only one I can select from the HotSpot Settings Page is the ApplianceCertificate, is there aother one I need to add or create somewhere?

You need to add/import a  trusted certificate

Please read
Sophos Firewall: HTTPS Decrypt and Scan FAQ

You have two choices:
Decrypt traffic - all HTTPS sites will be decrypted and any user without the CA will get the browser warning for all HTTPS sites.

Do not decrypt traffic - only HTTPS that we need to display a block page will get the browser warning before the block page

I am pretty sure you want the latter.  If you want you can configure the proxy so that HTTPS blocks will just drop the connection rather than display a block page (signed with the CA).

Hi, appreciate all the help given for this.

Do you know where I can find instructions on how to "add/import a  trusted certificate"  please?

Trev