This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Deactivate proxy block page

We have the situation:

  • transparent proxy active
  • proxy CA not rolled out to clients
  • several applications blocked (i.e., unsanctioned cloud services)

Now, whenever a user attempts a connection to a blocked https site, the UTM acts as a MITM and generates an ad-hoc certificate for the blocked https site to display its warning message. Since we have not rolled out the proxy CA, this ad-hoc certificate is not trusted by our clients which then leads to certificate warnings.

Rolling out the proxy CA to our clients is not an option (in the near term), due to user privacy concerns, works council involvement, German labor laws, ...

Is there any way to configure the UTM to stop acting as MITM and to simply interrupt the https connection (FIN/RST?) instead?



This thread was automatically locked due to age.
Parents
  • Hello terrzfor,

    Thank you for contacting the Sophos Community!

    You can configure the UTM not to do Decrypt & Scan for specific networks and only do URL Filtering.

    Or bypass specific networks from the Web Filter for Transparent mode. Under the Web Protection >> Filtering Options >> Misc >> Skip transparent mode Source.

    Or you are looking for a way to avoid users without the certificate to be able to navigate any HTTPS web site?

    Regards,

     


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Reply
  • Hello terrzfor,

    Thank you for contacting the Sophos Community!

    You can configure the UTM not to do Decrypt & Scan for specific networks and only do URL Filtering.

    Or bypass specific networks from the Web Filter for Transparent mode. Under the Web Protection >> Filtering Options >> Misc >> Skip transparent mode Source.

    Or you are looking for a way to avoid users without the certificate to be able to navigate any HTTPS web site?

    Regards,

     


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Children
  • We do not use decrypt and scan, we only use URL filtering. But whenever an URL is blocked, the UTM tries to inform the user via a notification web site. The problem with that notification web site is that it needs to impersonate the client's desired destination, thus acting as a man-in-the-middle "attacker".

    I'd like to replace the "display proxy block notification web site" with "RST client's tcp connection" (or something similar).

    If our users cannot navigate to legitimate sites (required for their job functions), they'll let us know anyways (regardless of whether or not they saw the proxy notification web site).

  • Hello terrzfor,

    I see, no unfortunately this is not possible in the UTM at the moment. The XG has this option to Drop connections without user notification. 

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.