Sophos UTM – SSL Web Proxy Scanning Configuration and GPO Deployment
Post date: Jul 20, 2018 3:38:51 PM
This article comes from TCPTechs. Copied here for my own reference.
This document will provide instructions on how to implement SSL Scanning to filter websites that use HTTPS on a Sophos UTM firewall.
– Access to manage the Sophos UTM
– A test computer on the network subnet that SSL Scanning is being enabled for.
– Access to the Active Directory Server and GPO management.
Log into the client's Sophos UTM web admin interface at https://SophosIPAddr:4444 (replace SophosIPAddr with the UTM's address).
Use your credentials to log in
Go to Web Protection, Web Filtering, HTTPS CAs and click on Download under Signing CA
DO NOT CLICK REGENERATE. If you do then the existing certificate deployment will fail and you will have to do this all over again.
Use export type PEM. Click Download.
Now that we have the SSL certificate that is needed to enable HTTPS scanning, we need to import it into Group Policy. Open Group Policy Management and edit the Default Domain Policy if you want it to apply to the entire domain, or create a new GPO and link it to whatever OU you want it to apply to.
Go to Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities
Here you can see I already have a Proxy CA certificate. Yours might be called something else, but it will have the word Proxy in it. Since I need to re-import it, I will go ahead and update this. If you need to update it, first delete the existing Proxy CA, then right-click and select Import.
Click Next and browse for the certificate you just downloaded. When you browse you may have to select All Files to see the certificate. Sort by Date Modified, because you may have multiple certificates show up.
Make sure Trusted Root Certification Authorities is selected and click next.
Now we have the Proxy CA
Verify all the Domain Controllers replicate this.
Now we need to check and make sure no OUs that contain computers have Block Inheritance enabled. Typically people don't use this, but you need to double-check. Here you can see the blue exclamation marks, which mean Block Inheritance is on; these OUs will not get the Default Domain Policy. DO NOT CHANGE ANY OU settings. Do not use Enforced. Just make the changes explained in this document that are needed to get the certificate installed. Do not make any changes that can impact users.
So in this example, Netbooks, Student, Tablets and Windows 8 need to have the newly created group policy linked. For each OU, link the new Install Proxy Certificate GPO. Remember this certificate is installed at the computer level, not the user level, so the Students OU wouldn't matter since it only contains student accounts.
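The OU check above done from PowerShell, as an added example (not from the TCPTechs article): it lists every OU that contains computer objects, reports whether it blocks inheritance and whether the certificate GPO is linked directly to it, and can optionally add the missing link. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the GPO is named "Install Proxy Certificate" as in the article.

```powershell
# Added example, not part of the original article. Assumes RSAT modules and a GPO
# named 'Install Proxy Certificate'; adjust $GpoName if yours differs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName     = 'Install Proxy Certificate'
$LinkMissing = $false   # set to $true to link the GPO to OUs that block inheritance and lack it

foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $dn = $ou.DistinguishedName

    # The certificate is a Computer Configuration setting, so only OUs that hold
    # computer objects matter (an OU of student user accounts does not).
    $computers = @(Get-ADComputer -Filter * -SearchBase $dn -SearchScope Subtree)
    if ($computers.Count -eq 0) { continue }

    $inh    = Get-GPInheritance -Target $dn
    $linked = $inh.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

    [pscustomobject]@{
        OU                 = $ou.Name
        Computers          = $computers.Count
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        GpoLinkedHere      = [bool]$linked
    }

    # An OU that blocks inheritance and has no direct link never receives the
    # Default Domain Policy, so the certificate will not reach its computers.
    if ($inh.GpoInheritanceBlocked -and -not $linked -and $LinkMissing) {
        New-GPLink -Name $GpoName -Target $dn -LinkEnabled Yes | Out-Null
        Write-Host "Linked '$GpoName' to $dn"
    }
}
```

Run it as a user who can read Group Policy; it only reports unless $LinkMissing is set, and it never changes Block Inheritance or Enforced on any OU.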
Now that we have the certificate deployed in Active Directory, all computers need to be restarted; when they restart they will install the certificate. Restart your test computer. Alternatively you can run gpupdate /force from a command line.
Now we need to enable SSL scanning. In the Sophos UTM, go to Web Protection, Web Filtering Profiles, Filter Profiles.
Edit all of the profiles, select the HTTPS tab, select Decrypt and Scan, and click Save.
Make sure you enabled Scan HTTPS for all of the profiles. Now on the test computer open Internet Explorer and go to https://www.bankofamerica.com. If you get a certificate-not-trusted warning, then you need to restart.
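The browser test above, as an added PowerShell check (not from the TCPTechs article) to run on the test computer: it confirms the Proxy CA downloaded from the UTM is in the machine's Trusted Root store, then opens a TLS connection to the test site and checks that the certificate presented was issued by that CA, which is what Decrypt and Scan produces. It assumes the PEM was saved to the placeholder path C:\Temp\proxy-ca.pem and that the client is behind the UTM in transparent mode (a standard-proxy client would have to send its request through the proxy instead).

```powershell
# Added example, not part of the original article. Assumed placeholder path for the
# PEM downloaded from Web Protection > Web Filtering > HTTPS CAs > Signing CA.
$PemPath  = 'C:\Temp\proxy-ca.pem'
$TestHost = 'www.bankofamerica.com'   # the site the article uses for its test

# X509Certificate2 accepts the PEM (Base64) export as well as DER.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PemPath
Write-Host "UTM Proxy CA: $($ca.Subject) thumbprint $($ca.Thumbprint)"

# The GPO places the CA in the machine store (LocalMachine\Root), not the user store.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
if (-not $installed) {
    Write-Warning "Proxy CA not in LocalMachine\Root yet. Run 'gpupdate /force' or reboot, then re-run."
    return
}
Write-Host "Proxy CA present in LocalMachine\Root."

# With Decrypt and Scan enabled, the certificate the client sees for the test site
# is issued by the UTM Proxy CA rather than by the site's real CA.
$tcp = New-Object System.Net.Sockets.TcpClient($TestHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($TestHost)   # default validation: throws if the chain is untrusted
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    Write-Host "Leaf issuer: $($leaf.Issuer)"
    if ($leaf.Issuer -eq $ca.Subject) {
        Write-Host "HTTPS scanning is active: leaf was issued by the UTM Proxy CA."
    } else {
        Write-Warning "Leaf not issued by the Proxy CA; check Decrypt and Scan on the filter profile."
    }
} catch {
    # Same condition that produces the browser's certificate warning.
    Write-Warning "TLS handshake failed (untrusted chain?): $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```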
If you are using a Standard proxy instead of Transparent, you need to make sure you have a "Fallback" filter profile. This profile ensures that anyone without proxy settings at least gets filtered transparently. Under Web Filtering Proxy Profiles in this screenshot you can see that there is a proxy fallback profile.
If you don't have one, then follow these steps:
Click New Proxy Profile.
The name should be fallback. The position should be bottom; we want this to be the very last profile. The network should be the internal LAN network.
Make sure Fallback action is set to the most restrictive filter. This is important! Then make sure the operation mode is Transparent, the authentication type is None, and Full transparent is UNCHECKED. Make sure Decrypt and Scan is checked on the HTTPS tab.
So now if you go to a device that does not have proxy settings in Internet Explorer and view the Sophos Live Log, you should see that device's profile listed as fallback.
Now if you need to install the certificate on iPads, go to http://passthrough.fw-notify.net/cacert.pem. When the iPad tries to access that site from behind the Sophos, it will pop up with an option to install the certificate. Note an iPad may require the PKCS cert exported from step 2.
The client should do some extensive testing to ensure the sites they need to access work.
Importing the Certificate on Mac OS X
Follow the steps below to manually import the certificate on Mac OS X.
Open the Keychain Access application (use Spotlight search to find this app easily).
Click the lock symbol to unlock the keychain for changes.
Open the File menu and select Import Items.
Select the CA certificate exported from the UTM. (At this point you should see the certificate in the keychain with the message "This root certificate is not trusted")
Double-click the certificate and expand the Trust section of the dialog box. In the first dropdown box, called "When using this certificate", select Always Trust.
Close the dialog boxes and exit the keychain access application.
Importing the Certificate Manually on a Windows Computer
Open Certificates (Local Computer).
Go to Trusted Root Certification Authorities.
Right-click, select Import Certificate, browse to the cert and accept the defaults.