Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 4484 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos SSL VPN and SSL Scanning

Pedulla

I'm sitting behind a UTM 9.4 firewall(1) with HTTPS Decrypt and scan enabled.

I'm trying to SSL VPN into another UTM 9.4 firewall(2) using a publicly addressable FQDN via OpenVPN on a Linux Mint 18.3 laptop.

Firewall1 will not allow the SSL VPN to establish a connection to Firewall2 with the following error:

2017:02:04-16:08:31 lerrnet httpproxy[5817]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.126" dstip="xxx.xxx.xxx.xxx" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdc047200" url="https://xxx.xxx.xxx.xxx/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="1" cattime="452" avscantime="0" fullreqtime="1165094" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States"

I've imported every certificate (bypass, WebAdmin, Local, User, VPN Signing, Proxy Signing CA) into Firewall1 but still get the above block from Web Protection.  If I set to URL Only filtering on Firewall1, connection si established and works fine.

I noticed in the log the URL is reported and an https://ip address rather than the FQDN.  Oh, BTW, I did follow Rulez#0.

So a couple of questions:

  1. Am I on the right path with importing Firewall2 certificates?
  2. If so, which one?  
  3. It appears that since the URL in the log is not the same as the FQDN  URL being used to address the site, none of the certificates would match, is this a correct conclusion?
  4. Do you suppose the OpenVPN client is resolving the name first, then using the IP to attempt to connect the VPN? (wrong forum, I know...)

 

Thanks in advance for any help.

 

 



This thread was automatically locked due to age.
  • 0

    I'm just about as confused as you are about whether this is a Remote Access SSL VPN issue or a Web Protection issue.  An OpenVPN access should not be going via the Web Proxy - I've never seen that!

    What happens if you disable the Transparent Proxy?

    Does #1 in Rulz provide a clue?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi BAlfson,

    Sorry for the delayed response; I'm a weekend warrior when it comes to this stuff...

    With Transparent Proxy disabled on Firewall1 allows the SSL VPN connection to Firewall2.

    Yes, I did check Firewall, Intrusion.., and App Control logs, nothing.

    I think it has something to do with the fact that the "URL=" in the log line identifies an IP address rather than an actual URL.  When Firewall1 goes to verify the certificate of Firewall2, there is no FQDN match because Firewall1 is seeing an IP address rather than an FQDN.  Just my theory.

    I think this is coming from the OpenVPN client I'll have to wireshark it I guess to know for sure, or find another SSL VPN client.

    Any other trouble shooting suggestions or theory's?

Unfiltered HTML