  1. #1
    Newbie
    Join Date
    Jan 2022
    Posts
    4

    Force Untangle web filter to use hostname instead of IP

    Hello, my Untangle FW is configured in bridge mode with multi-VLAN interfaces.

    ex:
    WAN1v60 gateway > 192.168.60.254
    WAN1v61 gateway > 192.168.61.254

    The SSL certificate is already signed by a 3rd party CA to avoid the security warning page appearing in the user's browser. Currently, Untangle is using the gateway IP address of each VLAN (WAN interface) to show the block page, which causes a mismatch with the certificate SAN hostname.

    I need to force Untangle to only use the hostname when redirecting the user to the web filter block page.

    Thank you,
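
Added example (not part of the original post and not Untangle code): a sketch of the name check a browser applies to the block-page URL, showing why a redirect to a gateway IP fails against a certificate whose SAN lists only a hostname. The hostname `filter.example.com` and the `/blockpage` path are placeholders; the two IPs are the gateways given in the post.

```python
import ipaddress
from urllib.parse import urlsplit

def _dns_match(pattern, host):
    """Match a dNSName SAN against a host; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def url_matches_cert(url, dns_sans, ip_sans=()):
    """Return True if the host in `url` is covered by the certificate's SAN entries.

    An IP-literal host is compared only with iPAddress SANs and a name only
    with dNSName SANs, so a hostname-only certificate never covers an IP URL.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return any(_dns_match(s, host) for s in dns_sans)
    return any(addr == ipaddress.ip_address(s) for s in ip_sans)

# Constructed sample data: placeholder hostname and path, gateway IPs from the post.
CERT_DNS_SANS = ["filter.example.com"]
BLOCK_URLS = [
    "https://192.168.60.254/blockpage",
    "https://192.168.61.254/blockpage",
    "https://filter.example.com/blockpage",
]

def audit(urls, dns_sans, ip_sans=()):
    """Map each redirect URL to whether the certificate would be accepted for it."""
    return {u: url_matches_cert(u, dns_sans, ip_sans) for u in urls}

if __name__ == "__main__":
    for url, ok in audit(BLOCK_URLS, CERT_DNS_SANS).items():
        print("match   " if ok else "MISMATCH", url)
```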

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,488

    Waste of time, the only thing a real certificate does on Untangle is stop certificate warnings when you're connecting to the admin interface.

    Given that you've posted this in the Web Filter forum, I'm assuming that you're trying to stop the TLS warnings that happen when Web Filter blocks something. This will NEVER HAPPEN, because your users are connecting to a TLS-protected web asset, and being forcibly redirected elsewhere. TLS will notice this and complain. Your Untangle certificate will never be authoritative for every single website in existence, so you will always have that warning.

    Welcome to TLS.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Newbie
    Join Date
    Jan 2022
    Posts
    4

    You're right, but in my case, I'm using SSL Inspector (CA certificate is installed on the client PC) so the firewall will be the initiator for all TLS sessions.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,488

    Quote, originally posted by mosawi:
        You're right, but in my case, I'm using SSL Inspector (CA certificate is installed on the client PC) so the firewall will be the initiator for all TLS sessions.

    Then you have to manually install the CA certificate Untangle generates into all of the machines that are behind Untangle. You cannot have a "valid" certificate for this process.

    And smart web browsers will still see it, and still complain because HSTS. I repeat, welcome to TLS.

  5. #5
    Newbie
    Join Date
    Jan 2022
    Posts
    4

    I'm using the same feature with FortiGate and Cisco with no issues.
    When both SSL Inspector and Web Filter are on, I assume that Untangle will pass the HSTS header as is to the client browser, and since the firewall decrypts the HTTPS request with SSL Inspector, it should use the same HTTPS session to display the web filter warning page instead of redirecting to an HTTP page.

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,488

    Then you've installed the CA certificates from those platforms into your browser, and neglected to do the same for Untangle. There is no other way for this to work.

  7. #7
    Master Untangler
    Join Date
    Jul 2010
    Location
    Nanaimo B.C
    Posts
    708

    Quote, originally posted by mosawi:
        I'm using the same feature with FortiGate and Cisco with no issues.
        When both SSL Inspector and Web Filter are on, I assume that Untangle will pass the HSTS header as is to the client browser, and since the firewall decrypts the HTTPS request with SSL Inspector, it should use the same HTTPS session to display the web filter warning page instead of redirecting to an HTTP page.

    When I tried this, my issue was I put the cert in the wrong folder. Is yours in the correct folder?
    Started Youtube Channel, Have a question about Untangle Ask me : jason @ jasonslab.ca
    https://www.youtube.com/c/jasonslabvideos << Please like and subscribe, helps me out !!

  8. #8
    Newbie
    Join Date
    Jan 2022
    Posts
    4

    I uploaded the trusted certificate from admin console > config > Certificate > Import signing request Certificate. For SSL Inspector, the CA certificate was installed manually to the trusted root certificate folder (on Windows).

    Attachments: 3rd party Certificate.PNG, secure portal.PNG, SSLInspector Config.PNG, SSL-Inspector.PNG, multiVlan Interface.PNG

  9. #9
    Master Untangler
    Join Date
    Jul 2010
    Location
    Nanaimo B.C
    Posts
    708

    Quote, originally posted by mosawi:
        I uploaded the trusted certificate from admin console > config > Certificate > Import signing request Certificate. For SSL Inspector, the CA certificate was installed manually to the trusted root certificate folder (on Windows).

    What in the heck are you doing with all those ports? Why not just use a simple switch and VLANs or something?
