Enable Android devices to connect to the internet
Some Android devices don't connect to the internet over wireless networks when SSL/TLS inspection is on.
Mobile devices on some Android versions are unable to connect to the internet when SSL/TLS inspection is on. They're also unable to download or update Google Play Store apps.
These Android clients use certificate pinning, which associates the host server with its public key and stores the certificate in the client. When clients check for internet connectivity, they try to establish a test connection. This connection requires the certificate to connect to Google servers.
When Sophos Firewall intercepts traffic for SSL/TLS inspection, it acts as a man-in-the-middle and negotiates with the destination server. Once the handshake is complete, Sophos Firewall uses a different certificate to negotiate with the Android client. The Android client can’t verify the pinned certificate directly with Google servers to complete its connectivity check.
This is a known issue with SSL/TLS inspection for mobile devices on Android.
To allow these devices to connect to the internet, you need to bypass SSL/TLS inspection when they try to access Google domains. To do so, you can use the following method:
- Create a VLAN or wireless network containing mobile devices. To ensure security, limit the allow list to a VLAN or wireless network and isolate these network segments from access to sensitive resources.
- Create an SSL/TLS inspection rule for not decrypting traffic between the VLAN or wireless network you created and Google domains. Alternatively, you can use a firewall rule with the web proxy selected.
The following example shows how to configure your wireless network and an SSL/TLS inspection to allow these domains.
Add the Google URLs
Create FQDN hosts for the URLs that the Android system contacts to test internet connectivity.
- Go to Hosts and services > FQDN host group, and click Add.
Create a new group definition to add Google URLs to.
If you want to add URLs to an existing Google group, go to the next step.
Go to Hosts and services > FQDN host, and click Add.
Create a host for each of the following FQDNs:
- Your local Google domain, for example
Make sure you select the FQDN host group you created in the earlier steps for the URLs to be added directly to the group.
Create a Wi-Fi network for mobile devices
Create a wireless network just for your mobile devices.
If you wish to allow mobile devices access on your corporate Wi-Fi network, you can skip the network creation, create the SSL/TLS inspection rule, and apply that to your corporate Wi-Fi.
- Go to Wireless > Wireless networks and click Add.
Enter the details of the Wi-Fi network you want to use for mobile devices to connect to. An example configuration is shown in the below image:
- Go to Hosts and services > IP host and click Add.
- Enter a name.
- Set IP version to IPv4.
- Set Type to Network.
Enter the network IP address and subnet mask for the wireless network you created earlier.
An example of the IP host settings is shown in the below screenshot:
Create an SSL/TLS inspection rule
Create an SSL/TLS inspection rule specifying no decryption for the Google domains.
- Go to Rules and policies > SSL/TLS inspection rules, and click Add.
- Select Don't decrypt for Action.
- Set Decryption profile to Maximum compatibility.
- Select Wi-Fi as Source zones.
- Select the wireless network IP host definition you created earlier for Source networks and devices.
- Select WAN for Destination zones.
- Select the Google IP host groups for Destination networks.
An example of the SSL/TLS inspection rule is shown in the below screenshot: