Use Sophos Mobile to enable mobile devices to trust CA for HTTPS decryption

Mobile devices show a warning message or block traffic if the Certificate Authority (CA) for the certificate used in HTTPS traffic decryption by XG Firewall is not known to them.

Introduction

You must import the CA into mobile devices to make sure they trust XG Firewall during HTTPS decryption. This applies to decryption using the web proxy and the DPI engine.

XG Firewall is shipped with a CA certificate used in HTTPS inspection. You can install the CA in groups of mobile devices using a Mobile Device Management (MDM) solution, such as Sophos Mobile.

Apple recommends using an MDM solution or Apple Configurator to install the CA. If you do this, the CA is automatically trusted.

If you use Apple Configurator, you must create a configuration profile on a Mac. You can then connect one or more iOS devices and install the CA on them.

In this example, we show how to install the CA in iOS mobile devices enrolled with Sophos Mobile, our MDM solution. Using Sophos Mobile, you can install certificates and CAs on groups of Android and iOS mobile devices.

The configuration steps are as follows:

  • Download the CA.
  • Specify the CA for SSL/TLS inspection and decryption when using the DPI engine.
  • Specify the CA for HTTPS decryption and scanning when using XG Firewall as a web proxy.
  • Go to Sophos Mobile, and add the CA to your device policy. For details, see root certificate configuration for Android or iOS device policies in Sophos Mobile administrator help.
  • Confirm that the root CA is added to a registered mobile device.

Apply root CA for HTTPS decryption and download CA

Use the CA shipped with XG Firewall for HTTPS decryption.

You must download the CA and select it both for SSL/TLS inspection, which uses the DPI engine, and for HTTPS decryption, which uses web proxy filtering.

  1. Go to Certificates > Certificate authorities and click the download button next to SecurityAppliance_SSL_CA.

    Alternatively, you can specify the settings of the Default CA, which is the self-signed CA shipped with XG Firewall, and download it. You can also import an external CA.

    Here's an example:

    Download Security Appliance CA
  2. Optional: If you want users to add the CA manually, email the CA certificate to them.

    Alternatively, upload the CA to a server from which users can download the certificate to their mobile devices.

  3. To configure the CA for SSL/TLS inspection, which uses the DPI engine, do as follows:
    1. Go to Rules and policies > SSL/TLS inspection rules and select SSL/TLS inspection settings.
    2. Under Re-signing certificate authorities, select SecurityAppliance_SSL_CA (RSA) for Re-sign RSA with.

      Here's an example:

      Apply CA to SSL/TLS inspection settings
    3. Click Apply.
  4. To configure the CA for HTTPS decryption, which uses web proxy, go to Web > General settings. Under HTTPS decryption and scanning, select SecurityAppliance_SSL_CA for HTTPS scanning certificate authority (CA).

    Here's an example:

    Apply CA to HTTPS decryption with web proxy filtering

Install the root CA in mobile devices using Sophos Mobile

In Sophos Mobile, add the root CA to the policy that you've assigned to your mobile devices.

In this example, we add the root CA to an iOS and iPadOS device policy. Similarly, you can add the root certificate to an Android policy.

  1. In Sophos Mobile, go to Policies > iOS & iPadOS.
    iOS and iPadOS in the Policies menu
  2. Click the policy that you've assigned to the devices on which you want to install the root CA.
  3. On the Edit policy page, click Add > Root certificate.
    Root certificate option in the list of policy configurations
  4. On the Root certificate page, click Upload a file and select the certificate file.
    Upload a file option
  5. Click Apply to save the configuration.
  6. Click Save to save the policy.
    Save button
  7. In the policy list, click the Down arrow next to the policy and click Update devices.

    If the policy has no Update devices option, devices update automatically the next time they sync with Sophos Mobile.

    Update devices option for a policy
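To confirm from a client that decryption is active and that the downloaded CA validates the re-signed chain, the following script is an added example and not part of the Sophos documentation. It assumes the openssl CLI is installed, that the CA downloaded from Certificates > Certificate authorities is saved as a PEM file, and that the host name and file names are placeholders.

```shell
#!/bin/sh
# check_resign_ca.sh - verify that HTTPS traffic seen by a client is re-signed by the
# XG Firewall CA and that the downloaded CA file validates the presented certificate.
# Assumptions (not from the Sophos page): openssl CLI is installed, the CA downloaded
# from Certificates > Certificate authorities is saved in PEM format, and the host
# name passed on the command line is a placeholder chosen by the operator.

# Fetch the leaf certificate a client receives for host:port (uses the network).
fetch_leaf() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Print the subject of a certificate file with the "subject=" prefix removed.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# Print the issuer of a certificate file with the "issuer=" prefix removed.
cert_issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }

# Succeeds if the leaf's issuer equals the CA's subject: the firewall re-signed it.
issued_by_ca() {
  [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ]
}

# Succeeds if the leaf chains to the CA file; this is the check a device performs
# once the root certificate has been pushed to it by the Sophos Mobile policy.
verify_leaf_against_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: sh check_resign_ca.sh <host> <SecurityAppliance_SSL_CA.pem>
if [ $# -eq 2 ]; then
  leaf="$(mktemp)"
  fetch_leaf "$1" >"$leaf"
  if issued_by_ca "$leaf" "$2"; then
    echo "decryption active: issuer is $(cert_issuer "$leaf")"
  else
    echo "not re-signed by the firewall CA (issuer: $(cert_issuer "$leaf"))"
  fi
  if verify_leaf_against_ca "$leaf" "$2"; then
    echo "chain validates against $2: devices trust it once the CA is installed"
  else
    echo "chain does NOT validate against $2: check which CA is selected on XG Firewall"
  fi
  rm -f "$leaf"
fi
```

If the first check reports the site's public CA as issuer, the traffic is not passing through a decryption rule for that host; if the second check fails, the CA selected on XG Firewall differs from the file pushed to the devices.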