I'm sitting behind a UTM 9.4 firewall(1) with HTTPS Decrypt and scan enabled.
I'm trying to SSL VPN into another UTM 9.4 firewall(2) using a publicly addressable FQDN via OpenVPN on a Linux Mint 18.3 laptop.
Firewall1 will not allow the SSL VPN to establish a connection to Firewall2 with the following error:
2017:02:04-16:08:31 lerrnet httpproxy[5817]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.126" dstip="xxx.xxx.xxx.xxx" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdc047200" url="https://xxx.xxx.xxx.xxx/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="1" cattime="452" avscantime="0" fullreqtime="1165094" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States"
I've imported every certificate (bypass, WebAdmin, Local, User, VPN Signing, Proxy Signing CA) into Firewall1 but still get the above block from Web Protection. If I set to URL Only filtering on Firewall1, connection si established and works fine.
I noticed in the log the URL is reported and an https://ip address rather than the FQDN. Oh, BTW, I did follow Rulez#0.
So a couple of questions:
- Am I on the right path with importing Firewall2 certificates?
- If so, which one?
- It appears that since the URL in the log is not the same as the FQDN URL being used to address the site, none of the certificates would match, is this a correct conclusion?
- Do you suppose the OpenVPN client is resolving the name first, then using the IP to attempt to connect the VPN? (wrong forum, I know...)
Thanks in advance for any help.
This thread was automatically locked due to age.
