Problems getting SSL Inspection working

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Problems getting SSL Inspection working

    I followed this guide: https://support.untangle.com/hc/en-u...s/360034431274

    [Image: ssl no errors.png]

    ...so far so good... generated the cert and imported it into my browser, but I can't reach Google (or some other sites):


    [Image: ssl error.png]

    Was searching the forum and saw similar posts about SSL inspection/cert problems and unless I'm wrong, lots of sites (Google in particular) just won't load when it detects any kind of tampering with the connection. In which case, go ahead and enable SSL Inspection and just create rules to bypass any and all sites that refuse to load? Or save myself some headaches and give up on this app?


  • #2
    The self generated certs will never be trusted by the browser since the Certificate Authority (CA) is not recognized by the browser. If you want to avoid this screen, the CA needs to be installed on each PC behind the NGFW.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email [email protected]
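
The trust behaviour described in post #2, as an added example that is not part of the thread and is not Untangle's own tooling: a throwaway root CA signs a certificate for a hostname, and `openssl verify` rejects that certificate until the CA is supplied as a trusted root. The CA name, hostname and file names are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every name, key and file here is made up for this example.

# Build a throwaway root CA (stand-in for the firewall's inspection CA) and a
# leaf certificate it signs for a hostname, as an inspecting proxy does per site.
make_demo_chain() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Inspection Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 1 -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
}

# Succeeds only if the leaf ($1) chains to a root in the bundle ($2).
# With no bundle, no root is trusted at all (system store is ignored too).
trusted_with() {
    if [ -n "$2" ]; then
        openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
    fi
}

# Print the issuer line: on an inspected connection this names the
# firewall's CA rather than a public CA.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

work=$(mktemp -d)
make_demo_chain "$work" || { echo "openssl failed" >&2; exit 1; }
issuer_of "$work/leaf.crt"
trusted_with "$work/leaf.crt" && echo "no CA installed: trusted" \
    || echo "no CA installed: rejected"
trusted_with "$work/leaf.crt" "$work/ca.crt" && echo "CA installed: trusted" \
    || echo "CA installed: rejected"
```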



    • #3
      This is the missing step. https://support.untangle.com/hc/en-u...-certificates-


      • #4
        Originally posted by jcoffin
        I'm -almost- positive I did that but I'll re-do it here in a minute and let you know, thanks!

        EDIT: Yup, user error. Maybe I put it in Personal last time?! In any case, SSL Inspection is active and Google is working. Unfortunately, I think my SSL inspection journey is over as soon as it started. Looks like you can't enable this on Android devices and if I turn on SSL Inspection, my Android phones start having connection problems. I guess I could exclude them and still use it for the other devices? Now I'm starting to wonder if it's even worth it. Anyone else using it at home? Getting extra benefit from it?
        Last edited by road hazard; 02-07-2023, 05:33 PM.



        • #5
          Originally posted by road hazard
          Looks like you can't enable this on Android devices and if I turn on SSL Inspection, my Android phones start having connection problems.
          Yup. For a long time, the Android OS was hard-coded never to trust a self-signed certificate, so installing the root CA wouldn't have any effect. I don't think that's still the case, but Android and SSL Inspector still don't play nicely together. I think it's also very difficult or impossible to do this with iOS devices as well.

          Originally posted by road hazard also
          Now I'm starting to wonder if it's even worth it. Anyone else using it at home? Getting extra benefit from it?
          In short: it's not, and you're not. SSLI only really improves a few things:
          • Spam Blocker & Phish Blocker: enables scanning of TLS-encrypted email. Unless you have an on-premise email server, you're not using these apps anyway.
          • Virus Blocker & VB Lite: enables scanning of TLS-encrypted traffic. This is slightly more beneficial, but virus blocking at the gateway is at best a complement to more specialized endpoint protection.
          • Web Filter: enables URI-based filtering (everything after the .com/ part of a URL). SSLI absolutely isn't necessary for Web Filter to do its thing; if I had to guess, I'd say upwards of 90% of NG Firewall installations run Web Filter without SSLI and do just fine.
          Given that using SSL Inspector requires a lot of additional criteria and effort, I often steer people away from it. It doesn't do very much any more, and what you get isn't (in my not-especially-humble-opinion) worth the significant extra hassle.
          Græme Ravenscroft • Technical Marketing Engineer
          ('gram', like the unit of measurement)
          he/him
          How can we make Arista ETM products better?



          • #6
            Originally posted by gravenscroft
            Yup. For a long time, the Android OS was hard-coded never to trust a self-signed certificate, so installing the root CA wouldn't have any effect. I don't think that's still the case, but Android and SSL Inspector still don't play nicely together. I think it's also very difficult or impossible to do this with iOS devices as well.


            In short: it's not, and you're not. SSLI only really improves a few things:
            • Spam Blocker & Phish Blocker: enables scanning of TLS-encrypted email. Unless you have an on-premise email server, you're not using these apps anyway.
            • Virus Blocker & VB Lite: enables scanning of TLS-encrypted traffic. This is slightly more beneficial, but virus blocking at the gateway is at best a complement to more specialized endpoint protection.
            • Web Filter: enables URI-based filtering (everything after the .com/ part of a URL). SSLI absolutely isn't necessary for Web Filter to do its thing; if I had to guess, I'd say upwards of 90% of NG Firewall installations run Web Filter without SSLI and do just fine.
            Given that using SSL Inspector requires a lot of additional criteria and effort, I often steer people away from it. It doesn't do very much any more, and what you get isn't (in my not-especially-humble-opinion) worth the significant extra hassle.
            Well, I guess it was a fun experiment while it lasted but those are great points. I guess I'll go ahead and disable it and won't bother. Thanks for the info!
