
SPX Encryption

Hello,

I've read through many posts on this topic so I apologize if I'm simply overlooking something...

I'm trying to enable SPX encryption on our UTM 9 firmware 9.503-4 and I've performed the following steps:

  1. I've added our exchange server as the upstream host
  2. Our internal network for Host-Based Relay
  3. Enabled SPX Encryption Status to Enabled
  4. I've enabled a DLP phrase to trigger the encryption
  5. I've set up a send connector in our Exchange Server

Then I tried to send an e-mail using the trigger and I got an email back from the firewall: "a potentially confidential email has been blackholed and not delivered."

What am I missing in the configuration that's prompting this reply?

Thanks.

  • The Exchange server should not be in 'Upstream Hosts', rather, it should be in 'Host-based Relay'.  Does that resolve your issue?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the reply.  That did not change the result. 


    What *should* be the address for the hostname?  

  • In the SPX configuration, the Hostname should be an FQDN that resolves to your public IP.

    Cheers - Bob

  • Thanks, Bob... when I put an FQDN in as the hostname, I am able to set a password and open it.  However, the site shows as unsecure... even though I have a wildcard certificate uploaded; what am I missing?

    Thanks!

  • Show a picture of the warning you get, tell us what FQDN you're browsing to and tell us the 'Hostname' defined in 'Management >> System Settings'.

    Cheers - Bob

  • It's not so much an error as a warning:

    The hostname in 'Management-->System Settings' is NOT resolvable in public DNS and doesn't match the FQDN hostname I used for the SPX settings.

  • A screenshot of the body of the browser with the cause of the warning would be more suitable for us to help you. Have you uploaded a certificate signed by a public CA in Webserver Protection > Certificate Management and selected this certificate to be used for HTTPS communication in Management > WebAdmin Settings >HTTPS Certificate? SPX portal will use the same certificate as WebAdmin/User Portal, and that certificate CN needs to match the FQDN you provided in "SPX Portal Settings". You said you are using a wildcard certificate, so as long as the domain matches and the certificate is publicly trusted, you should not see a warning anymore. 

    Regards,

    Giovani

  • Ah... so the certificate in use there is the hostname used in Management-->Hostname.  It's the hostname that isn't available in public DNS.  If I change the HTTPS cert to be used to the wildcard cert, when someone visits using the other hostname (for management purposes), will they receive the cert error?  So for example, let's say the Hostname is listed as internal.domain.com but I entered the SPX hostname as external.domain.com because that actually resolves from public DNS.  If I change the HTTPS cert to wildcard, it shouldn't result in a bad cert error when visiting internal.domain.com (which resolves internally).

    The browser warning : 


  • You see, you have two warnings:

    - Certificate CN mismatch, meaning the SSL certificate CN does not match the URL. 

    - Untrusted CA, meaning you are probably using the auto-generated self-signed certificate 

    So, let's take some practical examples. Let's suppose you configured your UTM with an internal FQDN like utm.domain.local. The default for the UTM is to create a self-signed certificate for utm.domain.local and use it for encrypting WebAdmin sessions. That same certificate will be used for WebAdmin, UserPortal and SPX.

    So let's say you configured the SPX hostname as spx.domain.com, which is publicly resolvable. When clients access that URL, the certificate presented is that auto-created self-signed certificate for utm.domain.local. That explains the warning: CN mismatch and untrusted CA, since the CN is utm.internal.local and no browser has the UTM's internal CA in their trusted CA list.

    The only way to resolve this is to buy an SSL certificate for a single domain signed by a public CA (they come as cheap as 5 bucks nowadays) with, for the sake of my example, spx.domain.com as the CN, or to buy a wildcard certificate for *.domain.com (more expensive, but recommended).

    If you buy a wildcard certificate (and I believe you already have one) and bind it to WebAdmin, you can access WebAdmin, UserPortal and SPX using any URL as *.domain.com (as long as the FQDN resolves to your external interface) without any warning. But for management purposes, if you access the UTM by its internal FQDN (utm.domain.local in my example), you will receive a warning because now the CN for the wildcard certificate (*.domain.com) does not match the internal URL (utm.domain.local).

    You can circumvent that by accessing WebAdmin, which should by now be protected by your wildcard certificate, by its public interface and FQDN.

    I'd still follow Bob's suggestion to replace your UTM's hostname with an FQDN that's publicly resolvable. As stated in the zeroeth Rulz, that's the shortest way to a happy UTM.

    Regards,

    Giovani
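The two browser checks Giovani describes (does a name on the certificate cover the URL's host, and is the issuer in the browser's trust store) can be modelled in a few lines. The block below is an added illustration, not Sophos code; the certificate records, the issuer names and the "trust store" set are constructed stand-ins. Name matching follows the usual wildcard rule that `*.` covers exactly one leftmost label, which is why `*.domain.com` covers `spx.domain.com` but not `utm.domain.local`.

```python
"""Model of the browser checks behind 'CN mismatch' and 'untrusted CA'.

Added example (not from the Sophos UTM code base). Certificates, issuer
names and the trust store are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject_cn: str                      # CN in the certificate subject
    issuer_cn: str                       # CN of the CA that signed it
    san_dns: list = field(default_factory=list)  # subjectAltName dNSName entries


# Constructed stand-in for the browser/OS trust store.
PUBLIC_CAS = {"Example Public CA"}


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match; a wildcard covers one leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*.domain.com' needs a host of exactly three labels ending in domain.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: Cert) -> list:
    """Browsers prefer SAN entries; fall back to the subject CN when there are none."""
    return cert.san_dns if cert.san_dns else [cert.subject_cn]


def browser_warnings(cert: Cert, url_host: str, trusted_cas=PUBLIC_CAS) -> list:
    """Return the warnings a browser would raise for this cert at this URL host."""
    warnings = []
    if not any(name_matches(n, url_host) for n in cert_names(cert)):
        warnings.append("CN mismatch")
    if cert.issuer_cn not in trusted_cas:
        warnings.append("untrusted CA")
    return warnings


# Scenario 1 (constructed): the auto-generated certificate for the internal name,
# signed by the UTM's own CA, which no browser trusts.
SELF_SIGNED = Cert(subject_cn="utm.domain.local", issuer_cn="UTM Internal CA")

# Scenario 2 (constructed): a wildcard certificate from a public CA.
WILDCARD = Cert(subject_cn="*.domain.com", issuer_cn="Example Public CA",
                san_dns=["*.domain.com", "domain.com"])


if __name__ == "__main__":
    for cert, host in [(SELF_SIGNED, "spx.domain.com"),
                       (WILDCARD, "spx.domain.com"),
                       (WILDCARD, "utm.domain.local")]:
        print(f"{cert.subject_cn:18} at https://{host:18} -> "
              f"{browser_warnings(cert, host) or 'no warning'}")
```

Running it reproduces the thread's three outcomes in order: the default certificate at the public SPX name gives both warnings, the wildcard at the public name gives none, and the wildcard at the internal management name gives only the mismatch.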

  • Thank you for all the replies.  I understand what needs to be adjusted... unfortunately, there's some politics at work that are currently preventing the necessary changes.

    I do have one more question... I currently have the trigger set as 'Encrypt' using ^Encrypt... is there a way to set it to [Encrypt]?  When I entered ^[Encrypt], it never works.

    Thanks.
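The `^` anchor in the working trigger suggests the DLP phrase is evaluated as a regular expression, and in regex syntax square brackets define a character class rather than literal brackets. The block below is an added demonstration (not Sophos code, and it assumes the UTM applies ordinary regex semantics to the trigger) that runs both spellings of the pattern over a few constructed subject lines, so the surprising matches of `^[Encrypt]` and the escaped form that matches a literal `[Encrypt]` tag are both visible.

```python
"""Why '^[Encrypt]' does not match a subject tag of '[Encrypt]'.

Added example. Assumes the DLP trigger is an ordinary regular expression;
the subject lines below are constructed sample data.
"""
import re

# Constructed sample subject lines a mail gateway might see.
SUBJECTS = [
    "[Encrypt] Q3 payroll",   # the tag the thread wants to trigger on
    "Encrypt: Q3 payroll",    # the pattern that currently works
    "Re: lunch",
    "testing 123",            # starts with 't', which is inside the class [Encrypt]
]

PATTERNS = {
    # A character class: matches any subject whose FIRST character is one of
    # E, n, c, r, y, p, t. It cannot match a leading '[' at all.
    "char_class": r"^[Encrypt]",
    # Escaped brackets: matches the literal text '[Encrypt]' at the start.
    "literal_tag": r"^\[Encrypt\]",
}


def triggered(pattern: str, subjects=SUBJECTS) -> list:
    """Return the subjects that the regex trigger would fire on."""
    compiled = re.compile(pattern)
    return [s for s in subjects if compiled.search(s)]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name:12} {pattern!r:16} -> {triggered(pattern)}")
```

The character-class form never fires on the tagged subject but does fire on an unrelated one beginning with a lowercase `t`; the escaped form fires only on the `[Encrypt]` tag. If the trigger field were a plain-text match instead of a regex, the brackets would need no escaping, so checking which mode the field uses is the first thing to confirm.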