This discussion has been locked.

SSL scanning implementation / Best practice (error handling...)

I'm interested in your experiences with activating the SSL scanning feature. I implemented and activated it in an environment serving about 4000 users. Just to give you an idea, there are (per day) 11820 unique domains and 2300 unique users.

Many different webpages are visited, and my experience is that many sites are broken or not visible after activation. I have to create a lot of exceptions for SSL scanning and some for the certificate check. Sometimes I face problems with certificates that seem to be OK (no problems with a direct internet connection, works well with the same browser). What can cause this? Could it be that the UTM doesn't know all public trusted root CAs?

So I'm interested in your experience with how to handle all this... Do you completely disable the certificate checks (because you might think the end user would skip all the security warnings anyway)? Or do you also prefer to create exceptions?

Ciao

Sebastian



  • Sebastian, I like to roll out SSL scanning gradually, applying it to different groups selectively. You can accomplish this with GPOs applied to different Active Directory groups so that only a few have their Internet Settings configured to use the UTM Standard mode. The trick is that a Standard-mode Profile can capture traffic before a Transparent one can.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
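
One way to script the staged rollout described in the reply above, as an added example that is not part of the original thread. It assumes the GroupPolicy RSAT module is available; the GPO name, AD group, OU and proxy host are hypothetical placeholders, and port 8080 is an assumption to be checked against the UTM's Web Filtering configuration.

```powershell
# Added example: pilot GPO that points one AD group at the UTM proxy (Standard mode).
# Every name below is a hypothetical placeholder; adjust to your environment.
Import-Module GroupPolicy

$GpoName    = 'UTM-SSL-Scan-Pilot'            # hypothetical GPO name
$PilotGroup = 'SSL-Scan-Pilot-Users'          # hypothetical AD security group
$TargetOU   = 'OU=Staff,DC=example,DC=com'    # placeholder OU containing the users
$Proxy      = 'utm.example.com:8080'          # placeholder host; port is an assumption
$Key        = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

New-GPO -Name $GpoName -Comment 'Explicit proxy for SSL scanning pilot' | Out-Null

# Per-user Internet Settings: enable the proxy, set its address, bypass local names.
# These values are not under a Policies key, so they are not reverted automatically
# when the GPO stops applying; set ProxyEnable to 0 to roll a user back.
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'ProxyEnable' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'ProxyServer' `
    -Type String -Value $Proxy | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName 'ProxyOverride' `
    -Type String -Value '<local>' | Out-Null

# Security filtering: only the pilot group applies the GPO.
# Authenticated Users keeps read access so the GPO can still be processed.
Set-GPPermission -Name $GpoName -TargetName $PilotGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Link the GPO where the pilot users' accounts live.
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null

# Review the resulting filtering before adding more users to the pilot group.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Widening the rollout then means adding members to the pilot group rather than editing the GPO, and each batch of new SSL scanning exceptions can be worked through before the next group is added.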