
Web Protection - Filtering - SSL decryption and scan without certificate? + A few more questions.

Hello everybody,

I'm currently trying the Web Protection. I understood how it works, transparent/standard mode, etc.

However, I noticed that lots of things don't work when HTTPS is configured as "URL filtering" only (download scanning, download checks for blocking, etc.). This is logical, since nearly everything now works over HTTPS.

Our company has a lot of testing/development computers which must have Internet access, and they are not in a domain and not well secured. Since they are on WORKGROUP, it is annoying to need a certificate to allow the "Decrypt & Scan" feature on HTTPS.

1. Is there a way to have HTTPS configured in "Decrypt & Scan" mode without needing to push the CA certificate to the client computers?

I read the following KB: support.sophos.com/.../KB-000034334

What about this: "In 9.2, SNI-based HTTPS filtering is possible, which allows you to filter HTTPS content without installing a certificate, but does not allow in-stream antivirus scanning of web traffic."

2. Is it a solution? What must be done?

So far, I'm testing the Web Protection in a lab environment with a few machines. I'm a little bit afraid of the resource consumption in a production environment. We have two SG 210 in active-passive HA with around 150 computers.

3. Will it be OK with Web Protection for this company/computer size?

4. Eventually, about transparent mode and SSO, is there a way to allow authentication immediately when a computer is booting? Any workaround? For the moment I have to do an HTTP request to make it work (as said in the documentation). I tried with a PowerShell script (Invoke-WebRequest) but it didn't work.

Thank you for your time & help!

DeltaSM



  • Hey,

    1. Never tried without pushing the certificate to the clients.  It sounds like you could do blocking of HTTPS traffic, but no scanning for antivirus.  Let us know if Snort can "see" the unencrypted traffic.

    2. You don't say what things you have active in the UTM, but 150 computers sounds like the 210 is undersized - depending on what those computers are doing, 330s would be recommended if doing much more than firewalling and routing.

    3. Maybe, but I wouldn't have recommended the 210s to any of my customers with that many computers.

    4. I wonder if the Client Authentication Program couldn't be used for this.

    Please post your results.  Good luck!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I totally agree with Bob... Some additional hints:

    1. Scanning (needs decryption) is not possible without pushing the UTM CA certificate.
    But simple URL filtering on HTTPS without decryption will create block/warn pages on HTTPS too ... and you will get the certificate error there.

    2. 150 users/PCs may be a lot with AV scanning ... if many of them are active at the same time. Compare:


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003