
Android based mobile phones and Sophos UTM

Hi all,

after a long and happy time using Windows Phone I decided to go back to Android because there are no more updates for Windows Phone. Windows Phone worked fine with Sophos UTM and SSL inspection.

Now I'm thinking about using the Android phone with the web proxy of the Sophos UTM including SSL inspection. But I know from the past with older Android versions there were exceptions for the proxy rules and the installation of the proxy certificate didn't help to get access to TLS saved web sites. Actually the Android phone is completely excepted from using the proxy, but this isn't a really good solution.

Can someone help me with getting the Sophos UTM proxy with SSL inspection to work for Android based mobile phones? Actually I'm running Sophos UTM 9.509-3 and Android Oreo (8.0) with the newest patches (Android One).



This thread was automatically locked due to age.
  • Hi "TheExpert",
    hi all!

    I have the same issue with Sophos UTM 9.509-3 and Android Oreo (8.0).
    I generated a 'ca-flag:true'-certificate with openssl, but it doesn't work. CAdroid always says that the ca-flag is false. Does anyone have any hints how to get Android running with the UTM proxy certificate and SSL inspection (Web Protection)?
    It would be really nice.

    Best regards
    Manfred

  • No problem with today's versions of Android: https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/45042/android-phone-ssl-traffic-filtering/161451#161451

    That worked with one I have.

    EDIT 2018-04-29: This did not work.  See below.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    thank you for this hint. This doesn't seem to work as expected:

    1. The certificate isn't trusted by Google Chrome and Microsoft Edge because of the error "NET::ERR_CERT_AUTHORITY_INVALID". And Chrome shows that the cipher suite is old.
    2. The Android phone checks the WLAN connection for internet access. And it looks like it can't trust the proxy certificate when checking the internet connection and so the WLAN connection isn't working correctly. It looks like the mobile phone is calling https://www.google.com for checking the internet access. So you have to make an exception rule for SSL interception for this URL.
    3. Google Play Store isn't working any more. What are the exceptions for it to get it working?
    4. Google Maps isn't working.
    5. ...

    It looks like all the Google apps can't use the certificate. So there are a lot of exceptions needed. Is there a documentation for this from Sophos available?

    Kind Regards

    TheExpert

  • Hi all,

    I tried with a new proxy certificate but this doesn't change the behavior of not trusting the certificate. Maybe this is because of saving the certificate in the user and not in the trusted certificate store on the Android device.

    With some further investigations I found out that there are some more proxy exceptions needed for the Google Services (Play, Maps etc.). I configured these exceptions for not doing SSL related checks:

    and Matching these URLs:
    ^https?://([A-Za-z0-9.-]*\.)?googleapis\.com/
    ^https?://([A-Za-z0-9.-]*\.)?google\.com/
    ^https?://play\.googlezip\.net/
    ^https?://([A-Za-z0-9.-]*\.)?gvt1\.com/[A-Za-z0-9.-]*
    ^https?://app-measurement\.com/

    But I don't get all content: In YouTube the preview pictures aren't visible. The same is for Play Store. For some apps I see the icons for others not. I didn't find out yet which URLs are accessed for showing all of the content. At the moment I only see one of the URLs above.

    UPDATE: To import self signed certificates as trusted CA Android seems to need a special basic constraint extension. See https://stackoverflow.com/questions/37281958/how-to-trust-self-signed-certificate-on-android. Can you confirm this? And how do I add this to the existing proxy certificate?

    Kind Regards

    TheExpert
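
An added example, not part of the original post: a quick way to see which URLs the exception patterns quoted above exempt from SSL scanning and which they leave in scope. The patterns are copied from the post; every sample URL is constructed for illustration, and the function name `is_exempt` is an assumption of this example.

```shell
#!/bin/sh
# SSL-scanning exception patterns as quoted in the post (one ERE per line).
EXCEPTIONS='^https?://([A-Za-z0-9.-]*\.)?googleapis\.com/
^https?://([A-Za-z0-9.-]*\.)?google\.com/
^https?://play\.googlezip\.net/
^https?://([A-Za-z0-9.-]*\.)?gvt1\.com/[A-Za-z0-9.-]*
^https?://app-measurement\.com/'

# is_exempt URL: exit 0 if any exception pattern matches the URL.
# grep treats a newline-separated pattern argument as a list of alternatives.
is_exempt() {
    printf '%s\n' "$1" | grep -Eq -e "$EXCEPTIONS"
}

# Constructed sample URLs: expected matches, hosts on other domains,
# and lookalike hosts that must stay subject to SSL scanning.
SAMPLES='https://www.google.com/
https://play.googleapis.com/x
https://redirector.gvt1.com/x
http://app-measurement.com/
https://i.ytimg.com/x.jpg
https://google.com.example.net/
https://notgoogle.com/
https://example.net/?u=https://www.google.com/'

printf '%s\n' "$SAMPLES" | while IFS= read -r url; do
    if is_exempt "$url"; then
        echo "EXEMPT   $url"
    else
        echo "SCANNED  $url"
    fi
done
```

The leading `^` and the `\.` in front of each domain are what keep the lookalike hosts and the URL-in-query-string case out of the exception; a host on a domain that is not listed stays in scope for SSL scanning.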

  • I noted in my post above that this didn't work for me.  For some reason, my tests from Chrome were going out over the LTE connection.  Sorry, I don't have time to play with this now.

    Cheers - Bob

     
  • Hi The expert,

    This special basic constraint extension is already present in the proxy CA certificate. Android 8 doesn't accept private root CAs. That's a big problem with all Android 8 devices.

    I've also not found a solution for this behavior.

    Regards mod

  • Hi mod2402,

    that's very interesting. But why is there a user section within the trusted CA certificate store on Android 8? Is this for future use? How can I check if this special basic constraint extension is already present in the proxy CA certificate?

    So the only two options are

    1. skipping transparent proxy for Android devices or
    2. disabling the SSL related checks of the proxy for these devices?

    That's not really good :-( I know that these devices don't have the security of a proxy when they are outside of my network. But I want to see the traffic when they are inside my network. When SSL inspection is disabled, most of the traffic won't be visible.

    Kind Regards

    TheExpert
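
An added example, not part of the thread: one way to check a PEM certificate for the basic constraints CA flag with the `openssl` command-line tool. The two certificates are throwaway test certificates generated by the script itself; the function names and file names are assumptions of this example.

```shell
#!/bin/sh
# make_cert OUT TRUE|FALSE: create a throwaway self-signed certificate
# (constructed test data) with basicConstraints CA:TRUE or CA:FALSE.
make_cert() {
    out=$1
    ca=$2
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed Test Certificate
[ext]
basicConstraints = critical,CA:$ca
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$out.key" -out "$out" 2>/dev/null
    rm -f "$cfg" "$out.key"
}

# is_ca PEMFILE: exit 0 only if the certificate carries an
# X509v3 Basic Constraints extension with CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Demonstration on the two constructed certificates.
dir=$(mktemp -d)
make_cert "$dir/with-ca-flag.pem" TRUE
make_cert "$dir/without-ca-flag.pem" FALSE
for f in "$dir/with-ca-flag.pem" "$dir/without-ca-flag.pem"; do
    if is_ca "$f"; then
        echo "$f: basicConstraints CA:TRUE present"
    else
        echo "$f: no CA:TRUE basic constraint"
    fi
done
rm -rf "$dir"
```

Pointing `is_ca` at an exported copy of the proxy CA certificate in PEM format answers the question for that certificate; a certificate without the extension at all is reported the same way as one with CA:FALSE.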

  • So is there basically no way of filtering Android phones with Android 8 through UTM 9? No matter what I try, my Android phone just gets right past all filters. Even when my desktop browsers complain about untrusted certificates the Android phone isn't filtered at all.

  • Did you try the link above in the post where I said it works on mine?  Show a line from the Web Filtering log where your phone was able to reach something where it should have been blocked.

    Cheers - Bob

     
  • Ok found it. I had the device listed under "Skip Transparent Mode". Fixed now. Thanks.