Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ERR_SSL_PROTOCOL_ERROR

We installed a Sophos virtual appliance in bridge mode in front of a pfsense firewall in order to intercept all traffic within the LAN infrastructure of our network for reporting purposes.

This is what our current topology looks like:
LAN --> sophos xg --> pfsense --> ISP.

- The pfsense being the existing firewall which filters web access for all users.

- Sophos only acts as a gateway with a bridge interface for traffic coming from the LAN to the WAN. All filtering and SSL Description are disabled at the Sophos level.

Our problem is that with this topology, no page opens with the error "ERR_SSL_PROTOCOL_ERROR". Whereas when we remove the sophos in the current topology all the pages open fine.



This thread was automatically locked due to age.
Parents
  • Hello  ,

    Thanks for reaching out to Sophos Community. 

    Was this setup previously worked before? what SFOS version are you currently running? And are all users in the network affected or only isolated cases? 

    When this issue is happening are all websites affected? Could you please also share the LogViewer result when you are reproducing the traffic?

    Could you also share your FW rule for the traffic and Web Filter rule? 

    Thanks for your time and patience and thank you for choosing Sophos. 

    Regards,

    Raphael Alganes
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • It's a virtual appliance that we just installed and it hasn't worked since. And all users are impacted. I'm using SFVUNL version (SFOS 19.5.3 MR-3-Build652).

    The problem occurs on any site. On Sophos I put no filtering since we just use it to intercept incoming and outgoing traffic in order to report on it. I even disabled all the decryption rules but it still causes the same problem. 

    you can see attached the rule that I put in the sophosfirewall rules

  • Not sure, but could it be that since your are bridging and the pfsense is at the perimeter that you need both interfaces in the Sophos in LAN and in the firewall rule LAN zone for both source and dest?


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I only have one LAN and WAN interface member of the bridge interface on the Sophos with the same IP address range as the pfSense as shown in the capture. With this configuration, all LAN traffic to the Internet passes without problem except that we cannot open any https pages.bridge interface

  • You would need to disable ssl/tls scanning which is not recommended, but only for testing.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • in fact, while investigating in pfsense, I found that the SSL MITM (man in the middle) functionality was also enabled in its setting. So, I deactivated it and the page opening problem was resolved.

    This means that even if I disabled TLS/SSL decryption on Sophos, it continued to modify the certificate on https traffic which causes the error on the client browser.

    So my question, how to configure Sophos transparently so that it no longer modifies SSL traffic and so that we can reactivate the SSL MITM functionality on the pfsense.

Reply
  • in fact, while investigating in pfsense, I found that the SSL MITM (man in the middle) functionality was also enabled in its setting. So, I deactivated it and the page opening problem was resolved.

    This means that even if I disabled TLS/SSL decryption on Sophos, it continued to modify the certificate on https traffic which causes the error on the client browser.

    So my question, how to configure Sophos transparently so that it no longer modifies SSL traffic and so that we can reactivate the SSL MITM functionality on the pfsense.

Children
  • You would need to add the MITM certificate from pfsense to the trusted certificates from Sophos.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I already did it by modifying all the related parameters but that did not resolve the problem. The only solution is to deactivate the SSL MITM on the pfsense, a solution which is not adequate given that the web proxy is activated on the pfsense.