This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall SSL VPN - prevent users from seeing a certificate error

Hi all,

We have a Sophos XGS firewall and we have imported a self signed certificate from our organization to the firewall which is used for the admin console and user portal under Admin console and end-user interaction -> certificate. We have also created a provisioning file for our SSL VPN and would like to prevent users from seeing a certificate error when they import the file. We changed the SSL server certificate in the SSL VPN Global Setting to the same certificate instead of ApplianceCertificate but the certificate error is still shown when the provisioning file is imported. Is there a way to make this work? Is preventing the certificate error in SSL VPN only possible using the default certificate?

This thread was automatically locked due to age.

0 emmosophos over 1 year ago

Hello Farhood,

Thank you for contacting the Sophos Community.

What is the error you are seeing? Are you referring to the error users see when importing the .pro file and connecting for the first time?

Please share a screenshot.

Regards,

Emmanuel (EmmoSophos)

Technical Team Lead, Global Community Support
Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'Verify Answer' link.
Cancel
Vote Up 0 Vote Down

Cancel
0 Farhood Norouzizadeh over 1 year ago in reply to emmosophos

Hi Emmanuel,

Yes, that's exactly what I'm talkin about.
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 1 year ago in reply to Farhood Norouzizadeh

You may install the CA of portal-certificate as "trusted" within client-cert-store or use a trusted (or public) certificate.

https://docs.sophos.com/nsg/sophos-firewall/17.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/concepts/SConProvisioningFile.html

Because this is a security concern, i think there is no hidden switch within the provisioning file.

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Farhood Norouzizadeh over 1 year ago in reply to dirkkotte

I have already created a certificate from my AD CS and imported it to Sophos firewall which is being used for the web admin console and the root CA from my AD CS is imported on all computers via GPO. It works fine for web admin console but not for provisioning file
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 1 year ago in reply to Farhood Norouzizadeh

Provisioning use the user-portal.
if you use an IP within the provisioning file, you need the IP within the certificate too.

Are there some details within the error message? (behind the black bar)

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Farhood Norouzizadeh over 1 year ago in reply to dirkkotte

Yea I know but I'm not using any IP within the provisioning file, just a dns name which is used in the certificate as well.
There are no errors shown at all and I can connect successfully after clicking "Continue to server [unsafe]".

Behind the hidden black bar is just my dns name.
Cancel
Vote Up 0 Vote Down

Cancel