
Sophos Firewall: SSL/TLS Inspection on Mobile Devices

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended read describes how TLS/SSL inspection behaves on smart devices (smartphones and tablets) and what the practical alternatives are.

What is TLS/SSL Inspection?

SSL inspection intercepts and reviews SSL-encrypted internet communication between clients and servers.

How it works

When a connection is made over HTTPS, SSL/TLS inspection intercepts the traffic and decrypts it. After decrypting and scanning the web content, Sophos Firewall re-encrypts it using a certificate signed by the firewall's CA, so the client must trust that CA for the connection to succeed.

Configuration

Applying SSL/TLS Inspection on Mobile Devices

So, the question is, does it work for mobile devices? It can work. However, there are more cons than pros to using it.

Smartphones don’t work well with decryption for several reasons. Even if you install the proxy CA on the phones, many system components and third-party applications won’t trust certificates held in the user certificate store, so even more applications stop working properly.

Also, you can’t add your own CA to the system certificate store, so system services such as the app stores (Google Play / Apple App Store) won’t accept it for TLS/SSL.

You may install a custom certificate for applications such as Firefox and Chrome, but many applications won’t accept it and offer no option to do so.

It’ll work if you set the decryption profile in the TLS inspection rule to “do not decrypt”. However, the firewall can then only inspect the SNI (Server Name Indication) sent in the client’s TLS handshake, not the content.

With the TLS profile set to “do not decrypt”, the “scan for malware” option has no effect, but the firewall can still allow or deny website categories based on the SNI. To scan all traffic with decryption, you must manually add exceptions for every application that breaks.
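To make concrete what a “do not decrypt” rule can act on, here is an added Python example (not Sophos code): it builds a constructed ClientHello, pulls the SNI out of it without decrypting anything, and applies a constructed deny-list the way a category or custom URL group rule would. The domain names used are assumptions.

```python
import struct

# Constructed for this example: build a minimal TLS ClientHello record; host=None omits SNI.
def build_client_hello(host):
    extensions = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                      # client_version, random
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent."""
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]] if len(record) >= 5 else b""
    if record[:1] != b"\x16" or hs[:1] != b"\x01":
        return None                                       # not a handshake/ClientHello
    pos = 4 + 2 + 32                                      # skip header, version, random
    pos += 1 + hs[pos]                                    # session_id
    pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")     # cipher_suites
    pos += 1 + hs[pos]                                    # compression_methods
    ext_end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")  # 0 if no extensions
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                            # server_name extension
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += ext_len
    return None

# Constructed deny-list standing in for a web category or custom URL group.
BLOCKED_SUFFIXES = ("gambling.example", "ads.example")

def decide(record):
    """Policy decision using only what a non-decrypting rule can see: the SNI."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"                                   # only IP and port remain
    host = sni.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in BLOCKED_SUFFIXES):
        return "deny"
    return "allow"
```

A handshake without SNI leaves the rule nothing but IP and port to match on, which is why category filtering alone cannot replace scanning.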

Certificate Pinning

This is another reason why SSL/TLS inspection won’t work well with mobile devices. Some websites and applications use certificate pinning to prevent man-in-the-middle attacks: the application only trusts a specific certificate or public key, so it rejects the certificate presented by the firewall when it decrypts and scans the connection. Because of this, SSL/TLS inspection won’t work properly, resulting in broken connections, garbled website output, inconsistent application behavior, and so on.

Web Proxy

When using the DPI engine, you will need to maintain a local SSL/TLS exception list manually, and that list is overwritten on update. To avoid this, use a custom URL group in the SSL/TLS inspection rule, as custom groups are not overwritten.

One workaround is to use the web proxy instead of the DPI engine.

Set the web proxy mode to “Transparent with direct mode (hybrid).”

Then, in the LAN to WAN firewall rule, under Security Features, turn on the option "Use web proxy instead of DPI engine". Ensure a web policy is applied before enabling this option, and also turn on "Scan HTTP and decrypted HTTPS."

Then install the firewall CA on the mobile devices:

Installing the Firewall Certificate into Mobile Devices using Sophos Mobile (Optional)

Using Sophos Mobile, our MDM solution, you can install certificates and CAs on groups of Android and iOS mobile devices instead of manually installing them on individual devices.

Application Control

Configuring application control policies is another simple way to control websites and mobile applications.

Suppose your use case is to control unwanted traffic from mobile devices and guest/mobile networks. In that case, you can configure application control, since it can allow or deny specified applications on the network without decrypting the traffic or installing the firewall's certificate on the mobile devices. Again, note that application control does not perform decryption, so it can’t scan for viruses; it only controls which applications are allowed on the network.




Revamped
[edited by: Erick Jan at 3:02 AM (GMT -8) on 24 Dec 2024]