
Certificate for End-User pages problem

I've got a problem with the end-user pages.  I'm talking about the settings at Web Protection -> Filtering Options -> Misc -> Certificate for End-User pages.

From what I remember, it worked fine when I was using the UTM as the DNS/DHCP server.  However, I've moved DNS off to another machine in the network and now this doesn't work correctly.

So if I turn off the "use custom certificate" box, then regular HTTP sites that get blocked give a correct content-blocked page using passthrough.fw-notify.net.  However, HTTPS sites give a broken blocked page without formatting or graphics.

If I turn on the "use custom certificate" box and put my domain (carpenter.cx) there, and select a certificate made for passthrough.carpenter.cx, both HTTP and HTTPS break, although the page source shows it is using the correct hostname that I set.

I have a CNAME in my DNS server from passthrough.carpenter.cx to the hostname of the UTM, which does resolve.  The only other bit of info that may make a difference is that I run the WebAdmin interface on a different port than the default.

What am I missing on the DNS side?  Is there something else I need to be setting in the firewall or somewhere that allows this to work correctly?

Thanks



  • The passthrough does not resolve to the same hostname address of the UTM. It resolves to an IP address which can be found in network definitions for passthrough.carpenter.cx. This is a magic IP that Sophos owns, and the UTM knows that data with this destination IP are for the UTM. You need to update your internal DNS with that IP as an A record and not the hostname of the UTM in a CNAME.

    This won't fix your problem with the broken HTTP pages however, not sure what that could be. Are you using a custom passthrough page?
  • Thanks! I found the necessary IP in the host definitions and it fixed the regular HTTP case, but I haven't been able to verify the HTTPS case yet. I notice that when I try to access one of the graphical elements directly, I get an ERR_CONNECTION_CLOSED error in Chrome (I did clear cache), and I see a number of connections open on the special IP, port 443, when I try to connect, but they are in TIME_WAIT state. It's possible it's something with my laptop because I was able to use wget to the same URL and it downloaded the PNG file (albeit with a certificate warning).
  • Just a follow-up. I was able to test on a laptop behind the UTM. It is working for content, but the https pages are still giving cert errors, even though I've installed the UTM CA into the Windows certificate store. There's plenty of help around for me to try and figure that one out. This is for a website that was blocked due to categorization.

    However, the root of my original question has been answered.

  • Glad to have helped!

    Hmm, still a little bit odd, but are you using browser based authentication for transparent web filtering?
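
A check script for the two things the thread settles on: the passthrough hostname must be a direct A record to the special IP listed in the UTM's network definitions (not a CNAME to the UTM host), and the certificate served on that IP's port 443 must chain to a CA the client trusts and name the passthrough hostname. This is an added example, not code from the thread or from Sophos. It assumes `dig` is on PATH, uses the documentation address 198.51.100.7 as a placeholder for the special IP (substitute the one shown in Network Definitions), and takes the exported UTM CA as a PEM file. Chain failures and name mismatches are reported separately, which is the distinction the OP's "cert errors" leave open.

```python
"""Sanity checks for a UTM end-user (passthrough) hostname.

Added example; assumptions are marked in comments. Offline-testable logic is
kept in pure functions; live_check() does the actual dig + TLS handshake.
"""
import re
import socket
import ssl
import subprocess

# Placeholders (assumptions): your passthrough hostname and the special IP
# from the UTM's network definitions. 198.51.100.7 is documentation space.
PASSTHROUGH_HOST = "passthrough.carpenter.cx"
EXPECTED_IP = "198.51.100.7"

_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)$")


def parse_dig_answers(dig_output):
    """Parse `dig +noall +answer` output into (owner, type, rdata) tuples."""
    out = []
    for line in dig_output.splitlines():
        m = _RR.match(line.strip())
        if m:
            out.append((m.group(1).rstrip("."), m.group(2), m.group(3).rstrip(".")))
    return out


def check_dns(records, host=PASSTHROUGH_HOST, expected_ip=EXPECTED_IP):
    """Return (ok, reason). Passes only for a direct A record to expected_ip;
    a CNAME at the passthrough name is the misconfiguration from the thread."""
    host = host.rstrip(".")
    for owner, rtype, rdata in records:
        if owner == host and rtype == "CNAME":
            return False, f"{host} is a CNAME to {rdata}; use an A record to {expected_ip}"
    a = [rdata for owner, rtype, rdata in records if owner == host and rtype == "A"]
    if not a:
        return False, f"no A record for {host}"
    if expected_ip not in a:
        return False, f"{host} resolves to {a}, expected {expected_ip}"
    return True, f"{host} -> {expected_ip} (direct A record)"


def cert_covers_host(cert, host):
    """True if a ssl.getpeercert() dict names host in its DNS SANs (exact or
    single-label wildcard); falls back to the subject CN only when no SAN."""
    host = host.lower()
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = sans or [
        v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"
    ]
    for n in names:
        if n == host:
            return True
        if n.startswith("*.") and "." in host and host.split(".", 1)[1] == n[2:]:
            return True
    return False


def live_check(cafile=None, timeout=5.0):
    """Run dig, then a TLS handshake to EXPECTED_IP:443 with SNI set to the
    passthrough host. cafile: the UTM CA exported as PEM (assumption)."""
    dig = subprocess.run(["dig", "+noall", "+answer", PASSTHROUGH_HOST],
                         capture_output=True, text=True, check=False)
    dns_ok, dns_msg = check_dns(parse_dig_answers(dig.stdout))
    print("DNS :", dns_msg)

    # Verify the chain ourselves but do the name check separately, so the two
    # failure modes (untrusted CA vs. wrong name in the cert) are told apart.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((EXPECTED_IP, 443), timeout=timeout) as s:
            with ctx.wrap_socket(s, server_hostname=PASSTHROUGH_HOST) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        print("TLS : chain does not verify against the given CA:", e.verify_message)
        return False
    name_ok = cert_covers_host(cert, PASSTHROUGH_HOST)
    print("TLS : chain OK;", "name matches" if name_ok else "name NOT in cert",
          cert.get("subjectAltName"))
    return dns_ok and name_ok


if __name__ == "__main__":
    import sys
    ok = live_check(cafile=sys.argv[1] if len(sys.argv) > 1 else None)
    sys.exit(0 if ok else 1)
```

Run it from a client behind the UTM as `python3 check_passthrough.py utm-ca.pem`; if the chain verifies here but the browser still complains, the CA is in the wrong store (Firefox keeps its own) rather than the certificate being wrong.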