
Calls to HTTPS sites falling under filter action 'warn' always open the user portal

Hi all,

I opened a support ticket for this as well. However, as my last ticket is still open after 6 months with no reply at all, I am trying my chances here.

It's not easy to describe the issue in a single sentence as subject line but the problem I experience is the following:

We have set up web filter action 'warn' for some categories (e.g. games). Whenever a user tries to access such a website with http there is no problem. The warning page is shown, the user clicks 'proceed', the UTM forwards to the requested website, all are happy. However, if one tries to open such a website with https (e.g. https://games.de), the warning message lacks the images (broken images) and a click on the 'proceed' button always opens the user portal site of the UTM.

I already figured out that the error possibly lies in the generated link behind the proceed button: the UTM seems to use the same protocol for the passthrough URL as the initially requested site. Meaning, that a call of http://games.de leads to

http://passthrough.myutm.domain.local/proceed?category=116&categoryname=Games&return=http://games.de/ (both http)

whereas a call of https://games.de leads to

https://passthrough.myutm.domain.local/proceed?category=116&categoryname=Games&return=https://games.de/ (both https). The second URL always opens the user portal, which is configured for https, ignoring all parameters in the linked URL.

Switching the https to http in the UTM-URL link opens the requested https site as desired.

I hope I have made myself clear and you can help me to figure out if it's some misconfiguration on my side (maybe DNS or similar) or if it's something Sophos needs to explain.

Regards

Andreas



  • Transparent or Standard proxy?

    Do you have https decrypt-and-scan on or off?

    Do you have a self-signed or CA certificate for the User Portal?

    Which browser?

    I think your browser is blocking links to the https site because the certificate chain is unverifiable, which may persist across all variations of the above options.  Different browsers do respond to this in different ways.

    Standard proxy consistently provides the best functionality, because browser and proxy cooperate.  I recommend standard proxy as your primary defense, with transparent proxy only to protect and detect the ones that escape standard proxy setup.

  • Hi Douglas,

    Thank you for your thoughts. It happens in transparent mode with no https decrypt-and-scan (but only https url filter). We use a self-signed certificate and it happens in IE, Edge, Chrome and Firefox - so basically across all browsers.

    Indeed, I get a certificate warning but this doesn't block anything so far (certificate is locally installed meanwhile).

    Your hint that the certificate could be the root cause would possibly explain why there are broken images on the warning page. However, the link created by the UTM for the proceed button seems to depend on the target link clicked and I wouldn't understand why it is one time https and another time http.

    I will definitely switch to standard mode as soon as we have no mixed OS landscape anymore (currently Win7, Win8.1, and Win10) and common GPOs can be used. I surely have to figure out how to implement the home-use scenario when no proxy is used/available.

    Best regards

    Andreas

  • I remember now, but I cannot tell you where I read it (somewhere in this forum...). I think you will have the same problem in both transparent and standard proxy.

    You need to export the UTM Proxy CA certificate and distribute it to your client devices, to handle the situation that caused your question.

    Some intuition behind the requirement:

    • Because the web request was https, the reply has to be https.  And it cannot be mixed http/https content because browsers are smart enough to raise alarms about mixed content.
    • UTM needs to point back to itself for the images, the proceed button, and the "create exception" link, so these need a special name and need to be https references.
    • It uses a made-up name, something like fw.passthru-notify.net, which it always intercepts.   (This name is actually used whether the device has a CA certificate or not)
    • The references to the special name can only be signed by its own CA certificate.
    • So the clients need the CA certificate to validate the links.

    It is actually surprisingly easy to distribute the CA root using group policies.   You do NOT want the private key included in the distribution, because the client devices are going to be validating certificates with the root certificate, not issuing certificates.   Distributing the private key would actually be a security risk.   If you disable the proxy, the certificate should disappear from the client, because it is an Administrative Template policy, not a Preference, so it is not "tattooed".

    As I said earlier, you can transition to standard proxy incrementally.   Create a Filter Profile for Standard Proxy, define a source IP range (which can fully overlap with the Transparent Proxy range.)   Then deploy standard proxy settings to whatever devices that you can (or whatever you dare) via GPO.   Those that acquire the GPO setting will connect to UTM on port 8080 (or whatever port you choose) and use standard proxy, those that do not have the GPO setting will be processed by Transparent Proxy on ports 80 and 443.   No packets will get processed twice because the target ports are different.
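A pre-distribution check for the advice above that only the CA root certificate, never its private key, goes out through group policy. This is an added example, not part of the thread and not Sophos code; it assumes the export is a PEM or DER file, the function names are hypothetical, and the samples are constructed headers rather than real keys or certificates.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)

def _header(buf: bytes, pos: int):
    """Return (tag, offset of the value) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        return None, pos
    length = buf[pos + 1]
    # Short-form length uses 1 byte; long form uses 1 + (low 7 bits) bytes.
    return buf[pos], pos + (2 if length < 0x80 else 2 + (length & 0x7F))

def der_kind(der: bytes) -> str:
    """Classify a DER blob from the first elements inside its outer SEQUENCE."""
    tag, pos = _header(der, 0)
    if tag != 0x30:
        return "unknown"
    if der[pos:pos + 3] == b"\x02\x01\x03":   # INTEGER 3: PKCS#12 (.p12/.pfx) version
        return "pkcs12"
    tag, pos = _header(der, pos)
    # X.509: the tbsCertificate SEQUENCE begins with [0] version or INTEGER serial.
    if tag == 0x30 and der[pos:pos + 1] in (b"\xa0", b"\x02"):
        return "certificate"
    return "unknown"

def audit_export(data: bytes) -> dict:
    """Say what an exported file contains and whether it is fit to push to clients."""
    labels = PEM_BLOCK.findall(data.decode("ascii", errors="ignore"))
    if labels:
        # Any block that is not a plain certificate (e.g. "PRIVATE KEY") fails the file.
        ok = all(label == "CERTIFICATE" for label in labels)
        return {"format": "pem", "blocks": labels, "distributable": ok}
    kind = der_kind(data)
    return {"format": kind, "blocks": [], "distributable": kind == "certificate"}

# Constructed samples: placeholder bodies and structural headers only.
PEM_CERT_ONLY = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
PEM_WITH_KEY = PEM_CERT_ONLY + (
    b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n")
CERT_DER = bytes.fromhex("308201003081e8a003020102")     # X.509-shaped header
PFX_DER = bytes.fromhex("30820100020103308200f0")        # PKCS#12-shaped header
ENC_KEY_DER = bytes.fromhex("30820100301c060a2a864886")  # encrypted-key-shaped header

if __name__ == "__main__":
    for name in ("PEM_CERT_ONLY", "PEM_WITH_KEY", "CERT_DER", "PFX_DER", "ENC_KEY_DER"):
        print(name, audit_export(globals()[name]))
```

The check looks only at container structure, so it treats any PKCS#12 bundle as unfit even if it happens to hold no key, and it does not validate signatures or expiry.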

  • One more thing.  The special name needs to resolve to UTM in DNS, at least for transparent mode clients where DNS is performed by the browser.  This means that internal DNS should forward to UTM, as recommended in the DNS best practices post from the wiki section of this forum.

  • Hi Douglas,

    Thank you so much for your input - I will work through it and will get back with the results. It may take this week as there's a lot of other stuff on my plate these days.

    Best regards

    Andreas