This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL Scanning Exception

I having issues with SSL Scan and Decrypt.  I would like to create an SSL Scanning exception for a number of sites but I can’t seem to get it working correctly.

I have created for example purposes the following exception for www.google.de

 

However when I activate it, I receive  a Content Blocked message from my UTM.  When I deactivate the exception rule I can access www.google.de without any problems.

 

Exception Activated

2017:05:24-17:48:16 astaro-1 httpproxy[6953]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.0.140.165" dstip="" user="kcronin" group="ITB_Internet" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffPvsEdv (ITB Internet)" size="3202" request="0xb4485e00" url="https://www.google.de/" referer="" error="" authtime="4" dnstime="0" cattime="92" avscantime="0" fullreqtime="205530" device="0" auth="3" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" exceptions="ssl,certcheck,certdate,cache"

 

Exception Deactivated

2017:05:24-17:49:41 astaro-1 httpproxy[6953]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.140.165" dstip="172.217.22.35" user="kcronin" group="ITB_Internet" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffPvsEdv (ITB Internet)" size="61917" request="0xb4866400" url="www.google.de/ referer="" error="" authtime="8" dnstime="5" cattime="218" avscantime="42696" fullreqtime="214161" device="0" auth="3" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0" exceptions="" category="145" reputation="neutral" categoryname="Search Engines" content-type="text/html" application="google" app-id="182" sandbox="-"

 

Any ideas what I'm missing here



This thread was automatically locked due to age.
  • Sounds like you ha e a firewall rule which is blocking the connecton when UTM is not involved.  If Web Proxy was blocking you, the error="" clause would not be empty.  

  • As far as I can tell UTM is involved as otherwise I wouldn't be seeing entries in the http logs for the SSL connection/blocking.  With my exception I only tried to deactivate SSL scanning  but not Category filtering, so I would expect the Web Proxy to still be involved in the establishment of the connection.

    Having said that I will run a few tests later and check for any unexpected drops due to firewall rules.

  • Hi, Kenneth, and welcome to the UTM Community!

    The first access is a CONNECT that wasn't allowed ("403"), but I don't see why.  How was user="kcronin" authenticated?  Is Google SafeSearch activated?

    The second access is a successful GET, which makes me wonder why you want to skip 'Decrypt and scan' for this FQDN.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    The user kcronin is an eDirectory user and is Authenticated using eDirectory SSO. Google SafeSearch is not activated. I actually don’t want to skip 'Decrypt and Scan' for FQDN www.google.de, but am using it in order to test my rules.  I need the exception for a few Applications (Elster, UPS Worldship etc.) which have not being working properly since we activated Decrypt and Scan.  I have also tested the exception using other Domains but have had the same results.

    Regards, Ken

  • Hi Douglas,

    I ran a few test but have not detected any unexpected drops due to firewall rules. I even went as far as allowing my test client to directly access the internet.  This however made no change, as I still could not access the https pages when I manually activated the proxy in my web client.

     

    Regards, Ken

  • Hi Kenneth,

    The issue might be caused due to proxy as the first method to connect to the web proxy will be a connect request. What happens when you delete the conntrack for the source IP address and clear cache from the web browser?

    Finally, give a restart to httpproxy. Take SSH to the UTM and execute, /var/mdw/scripts/httpproxy restart

    Any help?

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi Sachingurung

    Unfortunately this didn't help. I'm still seeing the blocked web requests after following your advice.

    Thanks, Ken

  • You certainly have a curious problem.   I have had no surprises with SSL exceptions.

    I note that the URLs are not identical in your initial post.   One is explicitly connecting to https:, the other omits a protocol, which should mean that it tries to connect on http, after which Google will redirect it to https.  Do you have another rule which blocks uncenrypted HTTP traffic under certain circumstances?

    It does not seem to be an authentication problem, because it has your userid and auth method in both entries, and the error code would be 407 (authentication required) instead of 403 (forbidden).

    The other anomaly is that the destination IP is not in the log entry for the Connect.   A successful Connect is logged with ID=0003 and very little useful information, but I think the IP is included.  Could there be a DNS issue being exposed by this?  I think at this point you need a Sophos Support call.

  • I just spent the last hour or so troubleshooting this problem with our Sophos Reseller.  They couldn't find the cause of the problem but are going to open a Sophos Support Call for us.

    I will post the results here.

  • Provide us some information about the network setup and which is the firmware version on the UTM. 

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.