
Deactivate proxy block page

We have the following situation:

  • transparent proxy active
  • proxy CA not rolled out to clients
  • several applications blocked (i.e., unsanctioned cloud services)

Now, whenever a user attempts a connection to a blocked https site, the UTM acts as a MITM and generates an ad-hoc certificate for the blocked https site to display its warning message. Since we have not rolled out the proxy CA, this ad-hoc certificate is not trusted by our clients, which then leads to certificate warnings.

Rolling out the proxy CA to our clients is not an option (in the near term), due to user privacy concerns, works council involvement, German labor laws, ...

Is there any way to configure the UTM to stop acting as MITM and to simply interrupt the https connection (FIN/RST?) instead?

  • Hello terrzfor,

    Thank you for contacting the Sophos Community!

    You can configure the UTM not to do Decrypt & Scan for specific networks and only do URL Filtering.

    Or bypass specific networks from the Web Filter in transparent mode, under Web Protection >> Filtering Options >> Misc >> Skip transparent mode Source.

    Or are you looking for a way to prevent users without the certificate from navigating to any HTTPS web site?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • We do not use decrypt and scan, we only use URL filtering. But whenever a URL is blocked, the UTM tries to inform the user via a notification web site. The problem with that notification web site is that it needs to impersonate the client's desired destination, thus acting as a man-in-the-middle "attacker".

    I'd like to replace the "display proxy block notification web site" with "RST client's tcp connection" (or something similar).

    If our users cannot navigate to legitimate sites (required for their job functions), they'll let us know anyway (regardless of whether or not they saw the proxy notification web site).

  • Hello terrzfor,

    I see. No, unfortunately this is not possible in the UTM at the moment. The XG has an option to drop connections without user notification.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Would BDSG prevent you from emailing the clients to tell them how to install the Proxy CA themselves?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • From a technical perspective, we could roll out the Proxy CA via GPO and be done with it. The problem is that installing it would enable our IT department to snoop on all encrypted traffic -- which is a can of worms that I'm not willing to open (yet).

    Of course, users could individually install the CA certificate to get rid of the warnings. But I prefer not to have our users mess with security settings, especially without understanding the full implications of modifying those settings (allow IT to snoop on encrypted traffic). Further, our users do not have (or at least: should not have) the necessary level of privilege to adjust those settings.

  • How would installing the Proxy CA and enabling decrypt and scan allow the IT department to snoop encrypted traffic? There's no facility in UTM that would enable that.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That's just how PKIs work. If you trust a CA, you trust certificates issued by it. And that opens up our clients to MITM. Btw, even the hover text of "decrypt & scan" explicitly mentions MITM and doesn't attempt to conceal that fact.

    I understand that you're saying there is no dedicated feature that allows reading encrypted traffic. Granted. But control over the UTM means control over Internet connectivity, control over (non-intranet) DNS, control over the Proxy CA. Those three combined enable snooping encrypted traffic.

    I'm perfectly good with the answer from emmosophos, who stated that this simply is not possible with UTM. I consider my question closed with that.

    I appreciate your effort, but at this point I believe you're attempting to solve a problem that I do not mean to solve ;-)
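Added example, not from this thread or from Sophos: a small openssl script that reproduces the trust situation described in the original question (an ad-hoc block-page certificate rejected by clients without the proxy CA) and in the last reply (once the proxy CA is trusted, every certificate it issues is trusted). A throwaway "proxy CA" stands in for the UTM's proxy CA and a second throwaway root stands in for the client's trust store; all names and files are constructed here. It assumes openssl is installed and on PATH.

```shell
#!/bin/sh
# Constructed demo: why an untrusted proxy CA produces certificate warnings on
# the block page, and why trusting it covers every site the proxy intercepts.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root: used both for the "proxy CA" (the UTM's, never rolled out
# to clients in this scenario) and for an unrelated "system root" that stands
# in for the client's existing trust store.
make_ca() {  # make_ca NAME  -> $WORK/NAME.crt, $WORK/NAME.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Ad-hoc leaf certificate the proxy generates for a site it intercepts.
issue_leaf() {  # issue_leaf SITE CA  -> $WORK/SITE.crt
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.crt" 2>/dev/null
}

# What a client does on connect: validate the leaf against its trust store.
# Prints "trusted" or "untrusted".
verify_leaf() {  # verify_leaf SITE TRUSTED_CA
  if openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca proxy-ca
make_ca system-root
issue_leaf blocked.example proxy-ca   # block page for an unsanctioned service
issue_leaf mail.example proxy-ca      # any other site the proxy decides to intercept

# Client without the proxy CA: warning on the block page (the thread's situation).
echo "no proxy CA, block page:      $(verify_leaf blocked.example system-root)"
# Client with the proxy CA rolled out: the block page is accepted ...
echo "proxy CA trusted, block page: $(verify_leaf blocked.example proxy-ca)"
# ... and so is every other ad-hoc certificate the same CA issues.
echo "proxy CA trusted, other site: $(verify_leaf mail.example proxy-ca)"
```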