
Deactivate proxy block page

We have the situation:

  • transparent proxy active
  • proxy CA not rolled out to clients
  • several applications blocked (i.e., unsanctioned cloud services)

Now, whenever a user attempts a connection to a blocked https site, the UTM acts as a MITM and generates an ad-hoc certificate for the blocked https site to display its warning message. Since we have not rolled out the proxy CA, this ad-hoc certificate is not trusted by our clients which then leads to certificate warnings.

Rolling out the proxy CA to our clients is not an option (in the near term), due to user privacy concerns, works council involvement, German labor laws, ...

Is there any way to configure the UTM to stop acting as MITM and to simply interrupt the https connection (FIN/RST?) instead?



This thread was automatically locked due to age.
  • Would BDSG prevent you from emailing the clients to tell them how to install the Proxy CA themselves?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • From a technical perspective, we could roll out the Proxy CA via GPO and be done with it. The problem is that installing it would enable our IT department to snoop on all encrypted traffic -- which is a can of worms that I'm not willing to open (yet).

    Of course, users could individually install the CA certificate to get rid of the warnings. But I prefer not to have our users mess with security settings, especially without understanding the full implications of modifying those settings (allow IT to snoop on encrypted traffic). Further, our users do not have (or at least: should not have) the necessary level of privilege to adjust those settings.

  • How would installing the Proxy CA and enabling decrypt and scan allow the IT department to snoop encrypted traffic?  There's no facility in UTM that would enable that.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That's just how PKIs work. If you trust a CA, you trust certificates issued by it. And that opens up our clients to MITM. Btw, even the hover text of "decrypt & scan" explicitly mentions MITM and doesn't attempt to conceal that fact.

    I understand that you're saying there is no dedicated feature that allows reading encrypted traffic. Granted. But control over the UTM means control over Internet connectivity, control over (non-intranet) DNS, control over the Proxy CA. Those three combined enable snooping encrypted traffic.

    I'm perfectly good with emmosophos' answer, who stated that this simply is not possible with UTM. I consider my question closed with that.

    I appreciate your effort, but at this point I believe you're attempting to solve a problem that I do not mean to solve ;-)