This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Outlook and certificate "issue".

Hello all,

As the UTM 9.705-7 we are using was setup by an MSP and at that time we had Exchange 2010, on premise as well. We've since moved to Exchange online and I handle all the Sophos items now.

Lately we have random users receiving the following pop up when connecting to Exchange through Outlook:

If I view the certificate it pops ups with:

Both the email address that is obscured is from the MSP that no longer exists (they were the original providers before the present MSP), and the CN is [redacted] Proxy CA, which is as far as I can find a cert generated by the UTM.

If I go into the cert manager and browse the users/device I find the same email address and almost the same issuer:

So my questions are:

1 - where should I be able to find the initial cert(s) showing the equivalent CN, supposedly issued by the UTM?


2 - Can I safely update the certificates for all my users and existing certs by recreating them with a "proper" email address?
          2a - If I update any/all the certs do my users and their devices need to re-download the cert?
          2b - Since we SSL VPN would users need to re-download their configurations?
          2c - how if at all, does this effect our RED and IPSec VPNs between UTMS and partners?


3 - We have have valid wildcard certs for our external domains, but our internal domain is a .local with a completely different name. If (and where can I) we add our   domain cert to the UTM so that the exceptions for users connecting to the portal aren't needed (external public IP address), will that break anything else?

Thanks all in advance,

Dave

( Sophos and Cert noob )



This thread was automatically locked due to age.
  • You have to enrol the "Proxy CA certificate" within trusted root CA-Store.

    You can get this certificate from SG or you MSP ... or directly from certificate message.

    I use GPO to import this CA Cert within trusted root at computer-level.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks Dirk. I understand I can import the existing certificate (and I have a copy of it), however, I'm trying to find out where it originated from, where on the SG I can locate this certificate and regenerate it if required, and more importantly what the ramifications are of creating a new certificate and deploying it will have on all the systems/users mentioned in #2?

    Cheers,

    Dave

  • this certificate is a selfsigned CA-certificate ... build by the SG itself.

    At  Webprotection / Filteringoptions / HTTPs CAs you can recreate and download this Cert.

    With regenerating (or Upload) the new cert is used to resign the opened HTTPS connection immediately.

    So all clients at the network will get Certificate errors for scanned SSL-Connections.

    I download the cert and distribute this via GPO (to computer/trustet CA list)

    Next Morning all users are able to work without messages.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks Dirk. How does this impact SSL VPN users if at all? We have some users who won't be in the office to get this via GPO.

  • GPO is refreshed multiple times a day. Should work with VPN too.

    ... or you search for another way to distribute the certificate.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.