Hi,when using the DPI engine instead of proxy mode, my browser displays a NOT SECURE icon at the top. This happens even when the site is in the exclusion list for DPI like the sophos community page:
The certificate used is not from the appliance:
On Instagram for example the icon is normal, even when it uses the appliance certificate:
But most sites like Youtube and others got the same NOT SECURE icon.
Does this happen in all browsers?
If in Chrome, can you hit F12, go to Security tab and reload page.
This happens on all devices using Google Chrome.With other browsers I can not reproduce this issue. But I remember there is another open problem with firefox when using DPI mode. Maybe this is caused by the same problem?
Since yesterday I updated my Smartphone chrome browser and now there is the same NOT SECURE icon with my phone. The phone is in DPI rule group with no decryption enabled but the SSL error occurs the same way like on my other client with decryption rule enabled.
Without knowing what specifically Chrome is complaining about, there is not more I can do. F12, Security tab.
Hi,
here are some screenshots. Maybe you can identify the problem:
The second image show that it is trying to load things that are blocked due to category. The DPI mode cannot directly do a 403 with a block page. Instead is does a redirect to the XG and uses that to display the block page.
Googling "chrome active content with certificate errors" suggests that this can come from two causes. One is that the page you are loading in turn loads other resources from other domains and those have certificate problems, the other is that there is a problem with the Chrome certificate cache. The latter is more likely if you have switched from accessing the site directly to now accessing it with decryption.
Try the steps here:stackoverflow.com/.../chrome-active-content-with-certificate-errors
I tried the steps but it didn't help in my case:
The cache was already empty.
Maybe the DPI mode mess up the cross-site-scripting?
Try changing to an Allow All web policy so that you should not be getting any category blocks. Does that help?
Yes that worked. But when I switched back and looked closer in my firewall rule, I saw the following warning:
I think my web policy is responsible for the error because I defined categories being blocked and warned. I guess when you enable DPI mode it can’t display warn pages anymore. Is that correct?
EDIT:
The warning in my firewall rule was just a hint that google safe search was enabled in my web policy.
This error seems to be corrected with EAP3 refresh 1.[H]
EDIT: Now it's back again... [:(]
Now i really solved the problem. [H]
It occured because in DPI mode the browser classified the canceled connection originated from the user portal as insecure. This was caused by the local default certificate (ApplianceCertificate). But when you install the certificate in the local root certificate store the error is gone: