My small Sophos UTM filters HTTP traffic (Web Filter) and scans it for viruses and malware, which works quite reliably, unless the websites are encrypted (HTTPS). By default, the UTM cannot scan encrypted traffic and therefore cannot filter out viruses/malware.
However, this can be easily changed. In the Web Protection feature of the UTM, there is the option "Scan HTTPS (SSL) traffic" which can simply be ticked:
This is what happens:
When a user accesses an encrypted website, the UTM terminates the SSL connection, scans the data stream, re-encrypts the page and presents it to the client. To re-encrypt the website, the UTM requires a CA, which it conveniently provides itself.
This example shows how the whole thing works:
First, the request to Google without "SSL Traffic Scan":
The certificate comes from Google, is valid, no problem. Now with "SSL Traffic Scan" switched on:
Nothing works anymore. The background is as follows. The certificate of the Sophos UTM certification authority is not trusted by the client. The browser even recognizes that something is very wrong and reports a man-in-the-middle attack:
The security certificate problems may indicate an attempt to trick you or intercept data that you have sent to the server.
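The browser warning above boils down to one question: who actually signed the certificate the client received? The following PowerShell check, added here as an example and not part of the original post, performs the TLS handshake itself and reports the issuer, so an administrator can tell whether a given site is reaching the client untouched or is being re-signed by the UTM. The host name and the expected issuer name `CN=UTM Sub-CA` are placeholders.

```powershell
# Added example (not from the original post): report which CA signed the
# certificate a client receives for an HTTPS site. Behind a UTM with
# "Scan HTTPS (SSL) traffic" enabled, the issuer is the UTM's CA instead of the
# site's public CA. Host name and expected issuer are assumptions/placeholders.
function Get-ObservedIssuer {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate in the callback: we want to inspect it, not trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $HostName
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
    finally {
        $tcp.Close()
    }
}

# Compare the observed issuer with the sub-CA we expect to see on inspected traffic.
# 'CN=UTM Sub-CA' is a placeholder; use the subject of your own UTM sub-CA here.
$expectedIssuer = 'CN=UTM Sub-CA'
$r = Get-ObservedIssuer -HostName 'www.google.com'
if ($r.Issuer -like "*$expectedIssuer*") {
    "HTTPS to $($r.Host) is being inspected by the UTM (issuer: $($r.Issuer))"
}
else {
    "HTTPS to $($r.Host) reaches the origin untouched (issuer: $($r.Issuer))"
}
```

Run it from a client behind the UTM before and after ticking "Scan HTTPS (SSL) traffic": the issuer should switch from the public CA to the UTM's CA. An unexpected issuer that matches neither is exactly the situation the browser warning is meant to catch.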
Now you could of course simply import the certificate of the Sophos CA on each client so that it is recognized as valid and no error message appears (see the next picture), but that would be only half as nice, given that I have already written so much about certificates and CAs in Microsoft environments.
Since I have a CA on a Windows server anyway, I can also set up an intermediate certification authority directly on the UTM that is signed by the Windows CA (my root CA). This gives me the advantage that I can revoke the UTM's certificate if there is a security problem, which would not be possible if I imported the certificate of the default UTM CA on the clients. Since the UTM apparently cannot generate a certificate request for its CA (at least I have not found it), I generate the certificate on another server. More on this in a moment. First, prepare the Windows CA.
Duplicate the "Subordinate certification authority" template in the certificate templates
Give the new template a nice name and check the "Publish certificate in AD" box
On the Security tab, give the Domain Admins group and the computer account of the CA itself full access to the template
Publish the new template now
The CA is now ready to issue a sub-CA certificate. Obtain the certificate for the subordinate CA by requesting a new certificate in the Certificates MMC on the CA.
Then select the new template.
Once the template is ticked, click on the text below it and add the values:
- Common name
- Country
- Location
- Organization
- Organizational unit
- DNS (the external name of the UTM can be entered here)
Assign a display name on the "General" tab and click OK.
Now enroll the certificate; it should look like this:
The certificate for the sub-CA can now be found in the MMC.
The certificate must now be exported.
Important! The certificate must be exported twice, once with a private key, and once without. Here is the example with a private key:
In the next dialog, also export the extended properties.
Then enter a password and save the certificate. Once the certificate has been exported, it can be deleted from the MMC. The certificate with the private key (PFX) is now imported into the Sophos UTM.
If the import was successful, it looks like this:
You must now import the certificate _WITHOUT THE PRIVATE KEY_ (.CER) on the clients, ideally via GPO, into the "Intermediate Certification Authorities" store.
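The export-twice-then-distribute procedure from the last few steps, as an added PowerShell example that is not from the original post. It assumes the sub-CA certificate was enrolled into the local machine store on the Windows CA, that its subject contains the placeholder name `UTM Sub-CA`, and that `C:\temp` exists; the output paths are placeholders too. The final step checks what the whole exercise is for: that the sub-CA chains to the Windows root CA and that revocation is actually checkable, because otherwise revoking the UTM's certificate later would have no effect on the clients.

```powershell
# Added example (not from the original post). Subject name and file paths are
# placeholders; adjust them to your own environment.
$subject = 'CN=UTM Sub-CA'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$subject*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No enrolled sub-CA certificate with private key found for $subject" }

# 1) Export WITH the private key (PFX). This copy goes to the Sophos UTM only.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath 'C:\temp\utm-subca.pfx' `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# 2) Export WITHOUT the private key (DER-encoded .cer). This copy is safe for clients.
Export-Certificate -Cert $cert -FilePath 'C:\temp\utm-subca.cer' -Type CERT | Out-Null

# 3) On a client, place the .cer in the Intermediate Certification Authorities store
#    (Cert:\LocalMachine\CA). In a domain, distribute the same file via GPO instead:
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Public Key Policies > Intermediate Certification Authorities.
Import-Certificate -FilePath 'C:\temp\utm-subca.cer' -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# 4) Check: the sub-CA must chain up to the Windows root CA, and revocation
#    information for the whole chain must be reachable from the client.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('C:\temp\utm-subca.cer')
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
if ($chain.Build($public)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
}
else {
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
```

The PFX never leaves the CA host except for the upload to the UTM; delete the local copy once the import there has succeeded. If step 4 reports a revocation status error on a client, fix the CRL distribution point before enabling HTTPS scanning, since a sub-CA whose revocation cannot be checked gives back the very advantage this setup was chosen for.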
As soon as this is done, you can check the "Scan HTTPS (SSL) Traffic" box and Google will look like this:
That's how I like it.