
Blocked page certificate behavior (iOS vs Windows)

Returned to Sophos after coming from Untangle and have a question regarding the Block page that is shown to clients where content is restricted by the Web Filter, i.e. adult content, etc.

- I have a LetsEncrypt certificate correctly set up and use that internally resolvable FQDN to access the firewall web console. Tested working fine and trusted on all devices.

- Administration -> Admin and user settings: "When redirecting users...." is set to "different hostname" and is set to the same FQDN I use above, as per the LetsEncrypt certificate.

On my Windows PCs, when I browse to a website that is blocked by a web category, I'm redirected to the FQDN above and correctly see the blocked page without any certificate warnings.

On my iOS devices, when attempting the same as above via the same firewall rule and web filter policy, they are blocked; however, they receive a certificate warning, and the certificate that is presented is the firewall's original SecurityAppliance certificate, not the LetsEncrypt certificate?

I am trying to understand why the difference in behavior when using the same rules/filters? My goal is to have iOS devices redirected to the block page but with the LetsEncrypt certificate used instead, because that is trusted by all devices without me having to push it to devices manually. When visitors etc. come to my house and use my WiFi, I know they will most likely natively trust the LetsEncrypt cert, so I'd rather that be used so they see the blocked page without manual intervention.

I hope I've explained that ok and maybe I'm missing something obvious?

Thanks!

  • Read Sophos Firewall: HTTPS Decrypt and Scan FAQ


    I assume you are using DPI mode.

    There are two issues:

    Lets say you want to block poker.com

    Browser goes to HTTP poker.com. Sophos redirects you to HTTPS myxg, which presents the LetsEncrypt certificate for myxg.

    Browser goes to HTTPS poker.com. In order for Sophos to redirect you, it needs to decrypt the HTTPS so that it can insert its own content. It uses the configured Scanning Certificate Authority to create a fake certificate for poker.com on the fly. If the browser trusts certificates created by that CA, then it accepts the connection. It gets the redirection and is sent to HTTPS myxg, which presents the LetsEncrypt certificate for myxg.

    Most likely your Windows computers have the CA installed and iOS does not. Or your test on Windows is HTTP and the test on iOS is HTTPS.

    You can configure that blocks should drop rather than decrypt in Web > General Settings.






  • Thanks Michael, I'm familiar with HTTPS decryption as I work in this industry; however, I'm not using DPI, at least not to my knowledge on the Sophos.

    On the firewall rule, I do have "Scan HTTP and decrypted HTTPS" which I believe shouldn't be altering any HTTPS packets.

    On the SSL/TLS inspection rules page, I have not added any new rules and the default rule set to Don't Decrypt is still there.

    I was just puzzled as to why the different behavior on Windows devices vs iOS devices. To be clear, I've not installed any certificates on any machines, Windows or iOS, including the firewall's self-signed cert. I'm relying on the built-in browsers on both platforms, which already trust LetsEncrypt certificates as they have that trust built in.

    Why, on Windows devices using the exact same rules and policies as the iOS devices, does the block page use the LetsEncrypt certificate, whereas when I attempt to browse to the same page on an iOS device it tries to show the blocked page but uses the firewall's self-signed cert, not the LetsEncrypt cert like it did with Windows?

    Thanks again!

  • In the firewall rule, is "use proxy instead of DPI mode" selected?

    What appears in the address bar on the Windows computer vs the iOS device?

    Is the website you are visiting HTTP or HTTPS?

    Here is an example why things COULD be different, not saying this is the reason.

    Browser 1 (Windows):
    Type in "example.com" in the address bar. The browser makes a request to HTTP example.com which immediately does a redirect to HTTPS example.com.  The user sees an HTTPS page.

    Browser 2 (iOS):
    Type in "example.com" in the address bar. The browser makes a request to HTTPS example.com. The user sees an HTTPS page.

    Now if Sophos Firewall were to block, in Browser 1 it is actually blocking HTTP while in Browser 2 it is blocking HTTPS. Different behaviour. The devil is in the details. If you really want to know, you need to be looking at debug log files, or F12 Network requests, or tcpdump. Find out what the actual requests are.

    Sophos Firewall is not changing behaviour based on Windows or iOS. It is that different clients behave differently.
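A small diagnostic in the spirit of "find out what the actual requests are", added here as an example and not code from this thread or from Sophos: it issues a plain-HTTP request to the site without following redirects (to see whether the HTTP leg is answered by a redirect to the block page), then opens a verified TLS connection to the block-page FQDN to see which certificate it carries. Host names are placeholders; the classification helpers work on the dict shape that Python's `ssl` module returns from `getpeercert()`.

```python
"""Diagnose which leg a block page was served on and who issued its cert.
Added example, not code from the thread; host names are placeholders."""
import http.client
import socket
import ssl
from urllib.parse import urlsplit


def http_probe(host, path="/", timeout=5):
    """Plain-HTTP GET without following redirects -> (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def tls_probe(host, port=443, timeout=5):
    """Leaf certificate of host as a getpeercert() dict, validated against the
    system trust store; an untrusted self-signed cert raises here instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _name(rdn_seq):
    # getpeercert() names are a tuple of RDNs, each a tuple of (key, value)
    return {k: v for rdn in rdn_seq for k, v in rdn}


def classify_cert(cert):
    """Label a getpeercert()-style dict: self-signed, letsencrypt or other-ca."""
    subject, issuer = _name(cert.get("subject", ())), _name(cert.get("issuer", ()))
    if subject == issuer:
        return "self-signed"          # e.g. an appliance default certificate
    if "Let's Encrypt" in issuer.get("organizationName", ""):
        return "letsencrypt"
    return "other-ca"


def classify_redirect(status, location, block_host):
    """Was the HTTP leg answered by a 3xx pointing at the block-page host?"""
    if not (300 <= status < 400) or not location:
        return "no-redirect"
    target = urlsplit(location)
    return "block-page-" + target.scheme if target.hostname == block_host else "other-redirect"


def diagnose(site, block_host):
    status, location = http_probe(site)
    report = {"http_leg": classify_redirect(status, location, block_host)}
    try:
        report["block_page_cert"] = classify_cert(tls_probe(block_host))
    except ssl.SSLCertVerificationError:
        report["block_page_cert"] = "untrusted"  # what the iOS warning means
    return report
```

Run `diagnose("example.com", "fw.home.example")` from each client's network segment; a "no-redirect" HTTP leg with a trusted block-page cert points at the HTTPS-first behaviour described above rather than at a firewall difference.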