
Sophos XG web exceptions for Office 365 not working


We implemented the Office 365 exceptions by following this guide:

For example, one of those entries looks like this:

However, it does not seem to be working because our users still get pop-ups from Outlook regarding the same URL:

From our understanding, the exception should avoid any SSL/TLS interception, even if it matches any firewall rule. Is that correct or not?

Did we do something wrong or miss some steps?

Thanks a lot for your input.

This thread was automatically locked due to age.
  • Hello,

    Thank you for reaching out to the community. This looks like the Sophos CA certificate is expired. To regenerate the SecurityAppliance_SSL_CA, you need to go to System >> Certificates >> Certificate Authorities >> SecurityAppliance_SSL_CA and click the gear icon; this will regenerate the SecurityAppliance_SSL_CA certificate.

    May we know the firmware used on the firewall? There was also a known issue, NC-100265: expired certificates in certcache are being used rather than new ones being generated. If that is the case, then the workaround is relatively simple. Web Service will be interrupted for a minute or two, so do this during off hours. Non-web traffic will not be affected.

    touch /var/certcache/.clear_all_certs_on_reload
    service -ds nosync awarrenhttp:restart

    If this does not resolve the problem it may be a different cause - complicated by the fact that you have XG, RED, and EP all potentially trying to do HTTPS decryption.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Global Support & Services 


  • Thank you for your suggestions.

    The certificate is valid until 2037, so I suspect your solution may be helpful. Our firmware is SFOS 19.0.1 MR-1-Build365.

    We will try this as soon as possible and give feedback here.
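
A client-side check that separates the two cases discussed in this thread (exception not applied versus an expired re-signed certificate), as an added example that is not part of the original posts and is not Sophos tooling. It assumes that decrypted connections present a certificate whose issuer name contains SecurityAppliance_SSL_CA; the function names and the self-signed sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a server certificate saved from a client that sits
# behind the firewall. One way to save it (host is a placeholder):
#   openssl s_client -connect <office365-host>:443 -servername <office365-host> \
#       </dev/null | openssl x509 -out leaf.pem
# Assumption: the appliance re-signs decrypted traffic with the CA named below.
APPLIANCE_CA="SecurityAppliance_SSL_CA"

# classify_cert PEM_FILE [SECONDS_AHEAD]
# Prints: not-intercepted | intercepted-valid | intercepted-expired
# SECONDS_AHEAD (default 0) also counts a certificate as expired when it
# runs out within that many seconds from now.
classify_cert() {
    pem=$1
    ahead=${2:-0}
    issuer=$(openssl x509 -in "$pem" -noout -issuer) || return 2
    case $issuer in
        *"$APPLIANCE_CA"*) ;;                       # re-signed by the firewall
        *) echo "not-intercepted"; return 0 ;;      # exception is taking effect
    esac
    # -checkend N exits non-zero when the certificate expires within N seconds
    if openssl x509 -in "$pem" -noout -checkend "$ahead" >/dev/null; then
        echo "intercepted-valid"      # exception not matching this host
    else
        echo "intercepted-expired"    # consistent with a stale cached certificate
    fi
}

# make_sample OUT_PEM ISSUER_CN DAYS
# Builds a constructed self-signed certificate (issuer equals subject), used
# only as sample input; it is not a real appliance or Microsoft certificate.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=$2" -days "$3" -out "$1" 2>/dev/null
}

# Classify a saved certificate when a file is given on the command line.
if [ $# -gt 0 ]; then
    classify_cert "$1"
fi
```

A result of intercepted-valid points at the exception or rule matching, while intercepted-expired with a CA that is still valid points at the cached-certificate issue described in the reply.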
