  1. #1
    Newbie
    Join Date
    Dec 2016
    Posts
    12

    SSL Inspector w/ Internal web e-mail server

    Guys/Gals,
    I have NGINX running my email web server. My certs and configs are all verified and good to go. However, when I turn on SSL Inspector with "Enable HTTPS Traffic Processing" on, it utilizes my internal Untangle web cert. When I visit my page I get HTTPS errors due to the intermediary not appearing because of the SSL Inspector repackaging the request with the internal cert. When I turn "Enable HTTPS Traffic Processing" off I see the proper Comodo intermediary and the cert is seen. I've attempted to make ignore rules in SSL Inspector for that server ONLY but to no avail. Question: are any of these a better way?
    1. Should I purchase another cert using the Untangle CSR to get a valid cert?
    2. Should/could I take the cert from my email server and reissue it to Untangle (I have 2 domains within my NGINX config, so this may be an entirely separate issue all along since I can only use one config to process HTTPS traffic) to be able to process the web server traffic to the e-mail server as well as use that cert for my outbound SSL repackaging of traffic?

    If none of those are valid options, I would just like to have a rule to allow all traffic coming to and from my email server to happen without it being repackaged with the Untangle locally generated cert.

    Hopefully I explained this properly and any help would be greatly appreciated.
    -Jay

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,989

    SSL Inspector only inspects specific things by default.

    My question to you is, what do you hope to gain by inspecting your own SSL service? I'd just exempt the thing and move on.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,352

    You need a rule in SSL Inspector to ignore web traffic from your server, otherwise users going to the site will need to accept the MITM certificate from the Untangle.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Newbie
    Join Date
    Dec 2016
    Posts
    12

    I do agree! This is what I am saying: I wanted to exempt the server and move on. However, when I attempt to do that, the server still seems to be going through SSL Inspector. In this case, HTTPS traffic to the email web server.

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,352

    Post your rule.

  6. #6
    Newbie
    Join Date
    Dec 2016
    Posts
    12

    Here (minus my public IP) is my rule that I have set that does not work. Believe me, I started simple and worked my way up to this rule.
    [Attachment: bypass.png]

  7. #7
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,352

    The more conditions, the more chances of the rule not matching, as all the conditions in a rule are logical AND operations.

    Remove the Destination and Source Interface conditions. The source is not the web server, as the session is initiated by outside PCs, so change Destination Address to the IP of the LAN address of the web server. Remove the Source Address condition also.

  8. #8
    Newbie
    Join Date
    Dec 2016
    Posts
    12

    Originally posted by jcoffin:
    The more conditions, the more chances of the rule not matching, as all the conditions in a rule are logical AND operations.

    Remove the Destination and Source Interface conditions. The source is not the web server, as the session is initiated by outside PCs, so change Destination Address to the IP of the LAN address of the web server. Remove the Source Address condition also.

    Simple Definitely came out! I swore I did set it like this to begin with. Frustration began to set in as more rules got set. Thank you, it's working exactly like I wanted it to. What I do believe I did was put my public IP for this email server instead of the internal IP as the destination.
    [Attachment: simplesetup.png]
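
A simplified model of the rule matching discussed in posts #7 and #8, added here as an illustration; it is not part of the thread and not Untangle's code. Field names, addresses, the first-match ordering and the default action are assumptions made for the example.

```python
import ipaddress

# Constructed session: an outside PC opening HTTPS to the mail server.
# Per the thread, the rule must match the server's LAN address as destination.
SESSION = {
    "src_addr": "198.51.100.25",  # outside client (documentation range)
    "dst_addr": "192.168.1.10",   # LAN address of the web server (constructed)
    "src_intf": "external",
    "dst_intf": "internal",
}

def cond_matches(field, wanted, session):
    """Address fields accept an IP or CIDR; other fields compare exactly."""
    if field.endswith("_addr"):
        net = ipaddress.ip_network(wanted, strict=False)
        return ipaddress.ip_address(session[field]) in net
    return session[field] == wanted

def failed_conditions(rule, session):
    """List the conditions that do not match, for troubleshooting a rule."""
    return [f for f, w in rule["conditions"].items()
            if not cond_matches(f, w, session)]

def rule_matches(rule, session):
    """Conditions are ANDed: one failing condition means no match."""
    return not failed_conditions(rule, session)

def first_action(rules, session, default="inspect"):
    """First matching rule wins; otherwise the session is inspected (assumed)."""
    for rule in rules:
        if rule_matches(rule, session):
            return rule["action"]
    return default

# Over-built rule in the spirit of post #6 (values constructed): the server as
# source and the public IP as destination both fail for an inbound session.
OVERBUILT = {"action": "ignore", "conditions": {
    "src_addr": "192.168.1.10",
    "dst_addr": "203.0.113.7",    # public IP placeholder (documentation range)
    "src_intf": "external",
    "dst_intf": "internal",
}}
# Simplified rule from post #7: destination is the server's LAN address only.
SIMPLE = {"action": "ignore", "conditions": {"dst_addr": "192.168.1.10"}}

if __name__ == "__main__":
    print("overbuilt fails on:", failed_conditions(OVERBUILT, SESSION))
    print("overbuilt only:", first_action([OVERBUILT], SESSION))
    print("with simple rule:", first_action([OVERBUILT, SIMPLE], SESSION))
```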

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    23,989

    I was going to say your problem was that source address condition, you need destination. The rest would have likely been fine.

  10. #10
    Newbie
    Join Date
    Dec 2016
    Posts
    12

    Super Appreciate it guys! Thanks again!
