
Passthrough SSL Certificate Warning With Browser Authentication

We have some BYOD devices, that I have set up to use browser authentication. They are working OK, except that we are getting a certificate warning, to say that the certificate is not trusted, when non-domain devices authenticate. I realise that I can distribute the certificate for the passthrough.fw-notify splash page via group policy for domain joined devices but how do I resolve it for BYOD/non domain devices? Can I just purchase a 3rd party certificate?

Thanks in advance,

Michael



This thread was automatically locked due to age.
  • Hi Michael,

    The certificate error will splash up until the devices have UTM's CA installed. Even if you buy a third party certificate you must have the CA in the trusted roots.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • What Sachin is saying is that you need to obtain a certificate for which all Androids, iPhones and laptops will all already have the related CA already in their cert store.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • So there's no way around the warning, other than having all devices manually install the CA? It's not a seamless approach for BYOD devices which is a bit disappointing.

  • There is not really any way to avoid this.  You cannot get a public CA record that is globally trusted that can act on behalf of every domain you visit.  If you think about it a little bit, you can see why this would be a bad idea.  Every SSL scanning product I have used requires you to install a trusted CA of their own device in order to accomplish it.

  • Resurrecting this from a few months ago. I've recently purchased a wildcard ssl cert and uploaded this to the UTM. It's working well for some of my web apps with WAF. I've been looking at the Customer Certificate for End User Pages option in Web Protection --> Filtering Options --> Misc and I've changed the default ssl to my wildcard one, then created forward lookup zones in my DNS for passthrough.basedomain and passthrough6.basedomain so they point to 213.144.15.19, as suggested in the help. I now seem to be able to have BYOD devices that can authenticate, via the splash page, without any trust issues/insecure certificates.
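The three outcomes this thread turns on (Sachin's point that the warning stays until the UTM's CA is in the device's root store, and Michael's fix of a publicly issued wildcard certificate plus matching DNS names) can be reproduced offline with nothing but openssl. The script below is an added example, not code from the thread or from Sophos; the CA subjects, `*.example.com`, `passthrough.example.com` and `passthrough.lab.example.com` are all constructed names, and the two PEM bundles stand in for a device's root store.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: reproduce offline, with
# openssl only, the trust outcomes discussed above. Every name here (the CA
# subjects, *.example.com, the passthrough hostnames) is constructed.
#
#   store without the proxy CA  -> "untrusted"  (the BYOD warning)
#   store containing that CA    -> "trusted"    (what installing the CA achieves)
#   right CA, wrong hostname    -> "untrusted"  (why the DNS names created for the
#                                               portal must match the cert's SAN)

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the self-signed roots carry CA:TRUE regardless of
# which system openssl.cnf is installed.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_root NAME CN : self-signed root certificate NAME.crt / NAME.key
make_root() {
    openssl req -x509 -config "$WORK/ca.cnf" -subj "/CN=$2" \
        -newkey rsa:2048 -nodes -sha256 -days 2 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_portal_cert ISSUER : wildcard portal certificate signed by ISSUER.crt
issue_portal_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=*.example.com" \
        -keyout "$WORK/portal.key" -out "$WORK/portal.csr" >/dev/null 2>&1
    # Browsers match the hostname against subjectAltName, not the CN.
    printf 'subjectAltName=DNS:*.example.com\n' > "$WORK/san.cnf"
    openssl x509 -req -days 2 -sha256 -in "$WORK/portal.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/san.cnf" -out "$WORK/portal.crt" >/dev/null 2>&1
}

# verify_portal STORE HOSTNAME : prints "trusted" or "untrusted".
# STORE is a PEM bundle standing in for the device's root store. The check is
# the one a browser performs: build a chain to a root in STORE, then match
# HOSTNAME against the certificate's SAN.
verify_portal() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" \
            "$WORK/portal.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_root utm "Constructed UTM Proxy CA"        # the UTM's own CA
make_root public "Constructed Public Root CA"   # a root devices already ship with
issue_portal_cert utm

# Two candidate device stores: a BYOD device that only has the public root,
# and a managed device where the UTM CA was installed as well.
cp "$WORK/public.crt" "$WORK/store-byod.pem"
cat "$WORK/public.crt" "$WORK/utm.crt" > "$WORK/store-managed.pem"

echo "BYOD store, passthrough.example.com:        $(verify_portal "$WORK/store-byod.pem" passthrough.example.com)"
echo "managed store, passthrough.example.com:     $(verify_portal "$WORK/store-managed.pem" passthrough.example.com)"
echo "managed store, passthrough.lab.example.com: $(verify_portal "$WORK/store-managed.pem" passthrough.lab.example.com)"
```

The third line is the caveat worth keeping in mind when following Michael's approach: a wildcard in the SAN covers exactly one label, so the DNS records created for the portal have to sit directly under the wildcard's domain (as `passthrough.basedomain` and `passthrough6.basedomain` do), or the hostname check fails even though the chain is trusted. Michael's fix corresponds to the second line with the issuer being a CA the devices already ship with, which is what removes the need to push a CA to BYOD devices.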

  • Even though both Sachin and I said it would work, it's nice that you confirmed that for others here, Michael.  I marked your post as the answer - thanks!

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA