

Stop! This website is blocked

Hello everyone, 

Recently I noticed a bunch of tickets regarding the following.

I want to go on Facebook, but Facebook is blocked.

Instead of the blocked page I get Error code: SEC_ERROR_UNKNOWN_ISSUER (Firefox) or NET::ERR_CERT_AUTHORITY_INVALID (Chrome).

It works fine if I install the Sophos certificate.

I understand that the certificate must be pushed to end devices, however I cannot ask guest users to install the Sophos certificate.

I also understand that this can be secured with a public cert.

This seems so random, as for some customers it works just fine, but for others not.


I cannot ask 200+ customers to buy a certificate to display a blocked page on guest networks.

Can anyone advise?

Kind regards,

Dragos



  • Technically speaking - that's impossible.

    If a block page appears while accessing "facebook.com", this page will be displayed under the URL "facebook.com".

    But you won't get a valid certificate for the domain "facebook.com" for obvious reasons.

    If you import the Sophos firewall CA, it will happily create and sign such a certificate "on the fly", but it is trusted only by those clients that have the Sophos CA set as trusted - not your guests. Not saying it will work in all cases - there are mechanisms like cert pinning which will even mark this cert as a falsification (it has the wrong issuer and wrong hash), but it works in most cases today.

    For guests you have the option to modify the built-in domain "passthrough.fw-notify.net" to something like "passthrough.<your company>.com" for which you may get (and probably even have) a wildcard certificate "*.<your company>.com". Note that there is also "passthrough6" for IPv6.

    This however does not solve the redirect from "facebook.com" to "passthrough.fw-notify.net".

  • Please note that passthrough.fw-notify.net is for the Sophos SG / UTM and not for Sophos XG.

    When a user is blocked going to an HTTPS site by category there are two options:
    1) We could decrypt the HTTPS and display a block page. If they do not have the CA they will get a browser warning.
    2) We could drop the connection. The browser will display an error saying cannot connect.

    You can configure the behavior under Web > General Settings > For errors and block/warn policy actions on HTTPS connections when Decrypt & Scan is disabled.

  • Hi Michael and Alan,

    Myself, I understand the reasoning behind this, yet it is very hard to explain to a lot of customers what happens, as I see an influx of tickets regarding this.

    Many thanks for your prompt and on point answers.

  • One of the things I have found to be useful is to describe it on their terms.

    HTTPS was designed to be secure. The people who made the standard and the people who create the browsers intend it to display warnings to make sure the end user is aware that the site they want to go to is not the site that is displaying the page. They want end users to know that even though they went to facebook.com and that is what is on their address bar, the block page they are seeing is not from facebook.com.

    If you went to a coffee shop and used their free WiFi, you could then access your bank via HTTPS and know that the coffee shop is not stealing your banking information. Even if the coffee shop used an XG, they could not interfere with your connection to the bank without you knowing it. The safety that is provided by the browsers by throwing up a warning is a good thing that protects you as an end user - even if it is annoying for you as an administrator.

  • Hi,

    So I managed to get things moving forward.

    I have my guest VLAN, and this has a basic web policy: anybody is not allowed certain categories.

    I managed to test with a public certificate, and I don't think this will do the trick.

    The firewall page is secured, the user portal is secured, but yet the blocked page is asking for the Sophos SSL_CA.

    Next I will look into modifying the built-in domain as Alan suggested.

    "For guests you have the option to modify the built-in domain "passthrough.fw-notify.net" to something like "passthrough.<your company>.com" for which you may get (and probably even have) a wildcard certificate "*.<your company>.com". Note that there is also "passthrough6" for IPv6."

    Many thanks for your help.

  • That is expected. The block page is displayed using a certificate generated from the Sophos SSL CA.
    In essence the browser is saying "I want to go to pornhub.com".
    They get back a page that says "I am pornhub.com and I can prove it because Sophos SSL CA says it is true."
    If the browser has the CA installed it will say "I believe you, let's see the page".
    If the browser does not have the CA installed it will say "I'm not sure about this, better check with the human".
    Once you see the page, you will see it is a block page.

    Alan's reply about passthrough is about the UTM, a different product.  The UTM needs both the CA and also passthrough.
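To make both explanations above concrete (Alan's point that an on-the-fly certificate for "facebook.com" is trusted only where the firewall's CA is installed, and Michael's description of what the browser decides), here is a small Go program added as an example for this thread. It is not Sophos code: it constructs a stand-in signing CA (the name "Example Firewall SSL CA", the helper names `newCA`, `issueFor`, `verdict` and `compareClients` are all made up for the example), issues a certificate for the blocked hostname the way a decrypting proxy would, and then verifies it against a trust store with the CA (managed client) and one without it (guest). The guest result is the same condition a browser reports as SEC_ERROR_UNKNOWN_ISSUER / NET::ERR_CERT_AUTHORITY_INVALID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signingCA stands in for the firewall's SSL CA (constructed for this example).
type signingCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCA builds a self-signed CA: the thing an admin would have to push to
// managed clients so the block page is trusted.
func newCA() (*signingCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Firewall SSL CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signingCA{cert: cert, key: key}, nil
}

// issueFor mimics on-the-fly issuance: a server certificate naming the blocked
// host, signed by the firewall CA rather than by any publicly trusted CA.
func (c *signingCA) issueFor(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verdict is what a client holding the given trust store decides about the leaf:
// "trusted", "unknown-issuer" (the browser warning the thread is about), or
// some other verification failure.
func verdict(leaf *x509.Certificate, host string, roots *x509.CertPool) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err == nil {
		return "trusted"
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		return "unknown-issuer"
	}
	return "other: " + err.Error()
}

// compareClients issues a leaf for host and returns the verdicts of a managed
// client (firewall CA installed) and a guest client (empty trust store).
func compareClients(host string) (string, string, error) {
	ca, err := newCA()
	if err != nil {
		return "", "", err
	}
	leaf, err := ca.issueFor(host)
	if err != nil {
		return "", "", err
	}
	managedRoots := x509.NewCertPool()
	managedRoots.AddCert(ca.cert)
	guestRoots := x509.NewCertPool() // guests never imported the firewall CA
	return verdict(leaf, host, managedRoots), verdict(leaf, host, guestRoots), nil
}

func main() {
	managed, guest, err := compareClients("facebook.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("managed client:", managed) // trusted
	fmt.Println("guest client:  ", guest)   // unknown-issuer
}
```

The only difference between the two verdicts is the trust store, which is exactly why the same firewall configuration "works" for some customers and not for others: it depends on whether the client has the CA, not on anything the firewall does. A public certificate cannot change the guest result, because no public CA will issue for a hostname the customer does not own.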