

Remote Web Admin/Portal access problem by "FQDN" not "IP"

I have an XG box with issues accessing web admin/portal pages externally by domain name.  It works by IP, however browsers seem to complain about the certificate and will NOT allow you to bypass.  IE is the only one that will, however Chrome and Firefox will not allow an exception.  I find it unusual because usually you can bypass self-signed certificate issues.

Firefox

site.com:4443 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. The certificate is only valid for SophosApplianceCertificate_"SerialNumber"(Error code: sec_error_unknown_issuer)


Chrome

Attackers might be trying to steal your information from site.com (for example, passwords, messages, or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID


Any ideas?



  • It is possible to change the certificate used for the Admin Portal; the default certificate is issued by the internal self-signed authority on the appliance and will not match the external domain name. Certificate selection can be made via "System > Administration > Settings". This is effectively the same discussion you might have around SSL VPN configuration.

    Via "Objects > Identity > Certificate", You can either

    1. Upload a certificate from an already trusted certificate provider that matches your external domain name

    2. In some cases you may be able to "Generate a Self Signed Certificate" that matches the external domain name (as this is not issued by an authority you trust you may get an error in the browser, but you should be able to click through)

    Please note the certificate used for the Admin portal is the same for internal and external connections.

    As mentioned in earlier comments on the topic, best practice would be not to allow remote access to the Admin Portal or SSH directly on the WAN but to place access behind a VPN session. If you are allowing direct access please ensure you use strong passwords and consider additional controls such as those that only allow external access via certain IP Addresses.

    Finally, check your Certificate Store; on occasion I have seen various iterations of certificates for the same server name on a PC. This could account for it being OK with one browser and not another. You might benefit from deleting the Appliance Certificates from the various certificate stores and trying again. This will force you to re-accept the exception, but it might clear old certificates that are causing you issues.

    Leon Friend

    Sophos Sales Engineer

    Sophos XG Firewall - Certified Architect, Sophos Certified Engineer, Cyberoam CCNSE, Cyberoam CCNSP
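As an added example (not code from the thread or from Sophos), the openssl session below reproduces both browser complaints offline: it generates an appliance-style self-signed certificate whose name does not match the FQDN and a self-signed certificate that does, then runs the two checks a browser applies (known issuer, name match). The host name site.com and the SophosApplianceCertificate_PLACEHOLDER subject are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the two browser errors offline with
# openssl. "site.com" and SophosApplianceCertificate_PLACEHOLDER are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
FQDN="site.com"   # assumed external name typed into the browser

# Appliance-style default certificate: the subject names the box, not the FQDN.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/appliance.key" -out "$WORK/appliance.pem" \
  -subj "/CN=SophosApplianceCertificate_PLACEHOLDER" >/dev/null 2>&1
# Option 2 from the reply: a self-signed certificate that does carry the FQDN (SAN).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/site.key" -out "$WORK/site.pem" \
  -subj "/CN=$FQDN" -addext "subjectAltName=DNS:$FQDN" >/dev/null 2>&1

# cert_names CERT: print the subject and SAN, i.e. the names the cert is valid for.
cert_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# verify_as_browser CERT HOST [TRUST_ANCHOR]
# Exit 0 only if CERT chains to a trusted issuer AND is valid for HOST, the pair of
# checks Firefox/Chrome apply. Without TRUST_ANCHOR no issuer is trusted at all.
verify_as_browser() {
  cert="$1"; host="$2"; anchor="${3:-}"
  if [ -n "$anchor" ]; then
    openssl verify -CAfile "$anchor" -verify_hostname "$host" "$cert" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$cert" >/dev/null 2>&1
  fi
}

# Walk the three situations from the thread.
demo() {
  # Default appliance cert, even after importing it: name mismatch (Firefox
  # "certificate is only valid for SophosApplianceCertificate_...").
  verify_as_browser "$WORK/appliance.pem" "$FQDN" "$WORK/appliance.pem" \
    && echo "appliance cert: OK" || echo "appliance cert: hostname mismatch"
  # Self-signed cert for the FQDN, issuer not imported: Chrome
  # NET::ERR_CERT_AUTHORITY_INVALID / Firefox sec_error_unknown_issuer.
  verify_as_browser "$WORK/site.pem" "$FQDN" \
    && echo "site cert, untrusted: OK" || echo "site cert, untrusted: unknown issuer"
  # Same cert once it is in the client trust store: passes both checks.
  verify_as_browser "$WORK/site.pem" "$FQDN" "$WORK/site.pem" \
    && echo "site cert, trusted: OK" || echo "site cert, trusted: FAILED"
}
demo
```

Run `cert_names "$WORK/appliance.pem"` against the real appliance certificate (fetched with `openssl s_client`) to see exactly which names it is valid for before deciding between the two options in the reply.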
