• SafeGuard on Mac SSL Verification and SSL certs in keychain

    EricWoelfel
    From my understanding, when you update a certificate for SSL communication on the SafeGuard Management Center then you have to update it on each of the MAC clients. We get our certificates from an official authority (not self-signed) but they are only…
    • Answered
    • over 6 years ago
    • Encryption
    • Discussions
  • Certificate could not be updated as it is already used by HTTP Based Policy

    Julius Perkins
    One of my certificates expired that's in use in several places. When I go to edit the certificate and upload the new, it fails with the following error at the top center of the screen: Certificate could not be updated as it is already used by HTTP…
    • Answered
    • over 6 years ago
    • Sophos Firewall
    • Discussions
  • #7779325 - SSL Certificates for User Portal

    Desmond Besa
    Hi All, Hope all of you are doing well. I am just trying to secure my user portal by assigning a url and applying a SSL Wildcard Certificate on the Sophos XG 330. I was able to convert the PFX and private key that the RAPID SSL gave me and applied…
    • Answered
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • Is it possible to adjust the SSL VPN configuration within the Sophos XG Firewall?

    Ronald Buys
    Dear All, I am looking for the possibility to adjust the SSL VPN configuration on the Sophos XG Firewall. I do know it is possible to adjust it on the local machine (for instance Windows). Is this something already in-place or is this something…
    • Answered
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • SSL VPN not working

    EricNilsson
    Hi! I can't get my SSL-VPN to work, I followed Sophos' own guide for setting this up, only changing the port. See below for settings. The log outputs the following: 2017:11:10-14:47:05 openvpn[25581]: TCP connection established with [AF_INET…
    • Answered
    • over 7 years ago
    • UTM Firewall
    • VPN: Site to Site and Remote Access
  • Inbound SSL Decryption

    Steve Shaw
    I guess Sophos UTM can do inbound SSL decryption, not able to find in the configuration guide. Can someone please advise how to configure this? Thanks, Steve
    • over 7 years ago
    • UTM Firewall
    • General Discussion
  • Sophos XG home Web GUI access - SSL/certificate issues under OS X 10.13

    Patric Beuthen
    Dear All I recently upgraded my MacBooks to OS X 10.13. Since I do not connect to my XG every day (or even week), I am not absolutely sure, if the issues at hand are related to OS X 10.13. Safari now reports: This connection is not private The Sophos_CA_…
    • Answered
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • 8094/tcp open on WAN port reveals SF-OS

    Mokaz
    Hi there, Just been nmap'in the WAN port of an XG, with pretty much the default configuration and no DNAT/SNAT or any services in the protected zone opened at all. The scan reveals the port 8094/tcp and further reveals that the service SSL certificate…
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • IPS alerts - Have I to be concerned?

    FormerMember
    Hi, since I am using XG, I'm always getting IPS alerts, and I am concerned about it, because I don't know the reason for these alerts. Are IPS alerts an alert about accessing websites with vulnerabilities or outdated software, or means an IPS alert…
    • Answered
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • iDrive Backup

    kyushu2002
    How does one best set up firewall rules for iDrive backup solution? Problem: A network I am working on uses iDrive backup solution. iDrive connections are prevented when using the XG Firewall inline. I've likely narrowed down the issue to when "Prevent…
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • Question on SSL cert renewal for Mac clients

    AWilson
    I assume I have to install the SSL cert (new, purchased, not self signed) into IIS (duh) and presumably into the keychains into system on the Mac OS client. I don't really recall this from my Architect so apologies if this has been covered. Does anyone…
    • Answered
    • over 7 years ago
    • Encryption
    • Discussions
  • SSL-VPN: Authentication fails with OTP because prefetching doesn't consider case sensitivity any more -> BUG?

    JanboNörskau
    Hi Guys We recognized an anomaly after updating the UTM to 9.412-2 from 9.405-5 (I don't know when this came up - at least in 9.412-2): SSL-VPN usage with AD-Group auth + OTP auth. -> Worked fine for 150 users in the past. Now: Users created and…
    • over 7 years ago
    • UTM Firewall
    • Management, Networking, Logging and Reporting
  • XG Firewall Default CA

    Edwin Jewell
    I am having issues which consist of an inability to save SSL VPN settings (They always revert to default) and downloading the SSL client for windows. After doing some research it seems my Default CA may be the issue, and when I check the Default CA it…
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • [Workaround] Quarantine Digest Email IP instead of hostname

    Information Systems1
    The Quarantine Digest Email settings only let you select an IP address based on Port/Alias, instead of allowing you to specify a hostname. This causes a certificate error when clicking the "My Account" or "Release" links in the email. The admin console…
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • RED 50 Dropping Connection

    Mark Moore1
    Hello, This has been going on for a little over a month now and seems to be getting worse. We have a RED 50 connected to our UTM 220 and following recent firmware upgrades (I think) it has become unstable. I see lots of other similar cases out there…
    • over 7 years ago
    • UTM Firewall
    • Remote Ethernet Device (RED)
  • XG Best Practice, Firewall, IPS, VPN etc.

    AnthonyChallis
    Hi All, We have a new XG + Sophos central/interceptX. I have the firewall setup with a copy of LAN-WAN IPS with all but windows clients/servers removed, SSL decrypt+scan and yellow or above heartbeat policy setup. Is this how we should go or does…
    • Answered
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • SSL vpn with activedirectory and full upn

    mjpmotw
    We are using the regular SSL VPN client for our home office users. The users can use their regular windows username and password to use the SSL VPN because we are syncing some groups to the backend. Since we are using full UPN as c norris@roundhouse…
    • Answered
    • over 7 years ago
    • UTM Firewall
    • Management, Networking, Logging and Reporting
  • New CA certificates ...

    dirkkotte
    Hi, Thawte created a new CA. Now I get a "B" within SSL-Server-test. Problem message is "This server's certificate chain is incomplete. Grade capped to B." Must I import the new CA certificate only or the SUB-CA certificate too?
    • Answered
    • over 7 years ago
    • UTM Firewall
    • Web Server Security
  • SMC behind Apache reverse proxy with Let's Encrypt certificates

    ThomasKriener
    Hello, we are currently using SMC with a StartSSL-Certificate which is expiring soon, so we need to have an alternative. One option would be to put SMC behind an Apache reverse proxy which is using Let's Encrypt certificates. The exchange of the certificate…
    • over 7 years ago
    • Sophos Mobile
    • Discussions
  • SSL Client won't install on windows 10

    Gil Gross
    I just installed a new (my first) Sophos XG. Installed on Azure using market place image. After setup I configured SSL-VPN client and clientless. I logged into the site and downloaded the client and configuration for windows. However when I try…
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • Website Protection and External SSL Certs

    MichaelSomerville
    Hello Sophos Community; I have spent the better part of a day trying to find a definitive guide/answer on the use of External SSL Certificates from Commercial CA's when you have 1 or more internal web servers running HTTPS behind an XG, and no luck…
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • Sophos SSL VPN and SSL Scanning

    Pedulla
    I'm sitting behind a UTM 9.4 firewall(1) with HTTPS Decrypt and scan enabled. I'm trying to SSL VPN into another UTM 9.4 firewall(2) using a publicly addressable FQDN via OpenVPN on a Linux Mint 18.3 laptop. Firewall1 will not allow the SSL VPN to…
    • over 7 years ago
    • UTM Firewall
    • Web Protection: Web Filtering & Application Visibility/Control
  • SNI Support

    Timothy Stewart
    Is SNI supported by XG Firewall? I have multiple SSL certs for multiple domains and one IP and I would like to be able to route traffic to virtual web servers based on this host name inspection. Web servers like Apache, nginx, and IIS as well as every…
    • over 7 years ago
    • Sophos Firewall
    • Discussions
  • IPS Inspection of SSL traffic

    Greg G
    After looking through the UTM 9 features it looks like Web Filtering and Web Application Firewall offer a SSL inspection. It's my (potentially flawed) understanding that WAF and Web Filtering do not equal IPS. Is IPS blind to SSL traffic or is there…
    • over 7 years ago
    • UTM Firewall
    • Network Protection: Firewall, NAT, QoS, & IPS
  • SSL Certificate error Outlook 2013

    Hans PetterJacobsen
    We are starting to get Certificate alerts in Outlook for users that are accessing Office 365 or Google Calendar directly in Outlook 2016/2013. Under Web Protection - Web Filtering - HTTPS we have URL filtering only marked. Any suggestions on how to…
    • Answered
    • over 7 years ago
    • UTM Firewall
    • Web Protection: Web Filtering & Application Visibility/Control