Hi guys, since some days I'm getting this error on a Sophos UTM:
This thread was automatically locked due to age.
Hi guys, since some days I'm getting this error on a Sophos UTM:
Marco, the Proxy CA is created automatically when you first install the UTM. You can download that on the 'Proxy CAs' tab of 'Web Protection >> Filtering Options'. It's strange that it would be within 30 days of expiration, so I bet that's a bug in 9.501 and that there's really nothing wrong.
Cheers - Bob
Hello!
Are you familiar if this is really a bug and if it is present in 9.502 because:
1 certificate(s) will expire within the next 30 days:
Proxy CA
--
System Uptime : 0 days 8 hours 8 minutes
System Load : 0.37
System Version : Sophos UTM 9.502-4
Please refer to the manual for detailed instructions.
Regards, Miha
BAlfson said:This appears to be a design change, Miha, and it wasn't very well publicized. If you're getting this message, you do need to go to the 'HTTPS CAs' tab of 'Filtering Options', [Regenerate], [Download] and then distribute to all users. See section 5A/B of Configuring HTTP/S proxy access with AD SSO.
Cheers - Bob
Sorry for bringing up an old thread, but I'm getting mail from an SG115 and an SG230. The license for Web Protection was never purchased by this client, so there's no obvious way for me to see how to generate a new cert. Can these mails be safely ignored until such time as the certs expire and, I hope, the mails stop coming?
Cheers,
trane
Please let us know if the messages do stop.
I've sent you a PM with a way to regenerate the Proxy CA if the messages don't stop.
Cheers - Bob
Bob,
I'd also like to have instructions on handling this.
Our SG230 started sending this come 10 days ago. As usual, unfortunately, our service provider/distributer does not react on the info by the UTM, nor on my e-mail requests.
We're already looking for a new service provider, along with extending our modules. Currently we have gear from other producers still active, but wanted to replace that gear by all-Sophos and obviously just had back luck with the service provider, but have to stick to this one for some months coming.
/ rant.
(sorry, but not getting reactions from fully maintenanced (and paid up) services is frustrating)
Nothing coming from one of the firewalls should be treated lightly, or else why would I need security gear anyway?
I never received documentation. Can you please provide a link explaining what the proxy CA is, why it is expiring, confirm that this is probably harmless and instruct on how to stop the informations? From reading this thread, the problem is all but new and also it is obviously not limited to a current update.
thanks,
André
Hallo André and welcome to the UTM Community!
The Proxy CA is used for Web Filtering. Without distributing it to all browsers, you will receive certificate warnings if you browse to an HTTPS web site. You can see where to download or regenerate it on the 'HTTPS CAs' tab of 'Web Protection >> Filtering Options'. If you aren't filtering HTTPS browsing, you can just regenerate and it will last another three years. If you already have distributed it to your users, you will want to repeat that process.
You might want to read Configuring HTTP/S proxy access with AD SSO. Although the article is aimed at Standard mode, 98% of it applies to Transparent mode, too.
My private message referred to above only had to do with a way to overcome the fact that he didn't have a Web Protection subscription.
Cheers - Bob
Thanks for the quick reply, Bob.
And sorry for not being clear enough from the beginning, but that's exactly my case as well. We do not have WebProtection as of yet.
Web protection so far is still done using a comparative solution on an inner firewall; so far we're only using the SG230 for protecting the outer DMZ by some minor packet filtering and to administrate the guest WLAN, which we have in the same zone as DMZ; switching more/all services to Sophos products is scheduled for this year.
So, I don't have web protection, but get the warnings about the certificate running out via administrative e-mail.
Thanks for further help in advance,
André
Trane, how do you know that? Did you open a Support case about this issue?
Cheers - Bob
Bob,
For me it was a simple matter of waiting and seeing. I had 2 boxes sending these mails starting on April 9. The last notification was received on May 7 and then glorious silence ensued. Operation of the boxes proceeded as normal. So, ultimately, regenerating these certs is only an issue for which the actual feature is being used, IMO.
Cheers,
trane