This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 vs Autodiscover - strange certificate popup

Hello forum,

I have a working UTM9 cluster with no (relevant) issues. I created the exactly same configuration on a "test" UTM9 cluster (same exceptions, same configuration, same everything). I use my valid account and my test account on the test environment. Everything works like on the production one except one thing. If my valid user starts his Outlook client (mailbox in Office365) I receive a security warning about untrusted certificate. Which is odd due some settings: 1: there is an exception list regarding O365, 2: no HTTPS scanning is enabled, 3: the domain certificate added to the UTM (Web Protection -> HTTPS CAs -> Local verification CAs - my domain wide CA is added and enabled)

If I log in with my test account the popup never appear. I checked (I think) everything on the AD level and the two account are the same (same OU, same GPO settings, same AD group membership, etc).

If I click on the Yes or on No on the security popup, the popup disappear and Outlook client works like a charm with no issues. BUT that's not the expected way of working.

I checked back and forth but didn't found the root cause. found no differences between the production and the test environment.

And as an addendum the "problematic" site is not exists so see no reason why UTM want to apply a certificate for this (there is a companyname.mail.onmicrosoft.com site which not exists and an autodiscover.companyname.mail.onmicrosoft.com which is working)

2017:03:03-11:14:33 dubproxy02 httpproxy[6888]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.64.242.16" dstip="" user="" group="" ad_domain="" statuscode="502" cached="0" profile="REF_HttProContaInterNetwo (DUBPROXY.users)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2512" request="0x1459a600" url="comapnyname.mail.onmicrosoft.com/" referer="" error="Host not found" authtime="0" dnstime="975" cattime="0" avscantime="0" fullreqtime="210213" device="0" auth="2" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size" 



This thread was automatically locked due to age.
Parents
  • Hi Tamas,

    I moved your post from the UTM Manager forum to this one because your question involves the HTTP Proxy.

    Since you have an Exception for AV but you still got statuscode="502"and assuming that the Proxy is configured in Transparent mode, you must add a DNS Group based on this FQDN to the Destination Skiplist on the 'Misc' tab in 'Filtering Options'.

    Since you have AD, you might be interested in Configuring HTTP/S proxy access with AD SSO.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    No, the server is configured with Standard mode / Default authentication: Active Directory SSO and HTTPS scan settings is URL filtering only

Reply Children
  • AD-SSO - why was the user not identified?  You might want to check your configuration against the link I gave above.

    I should have read the complete log line instead of stopping at the "502" statuscode.   error="Host not found" makes it look like you might have a DNS problem.  Check your configuration against DNS best practice.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA