Matlu
Advisor

Connection Flow.

Hello,

I have a question.
I have a FW in version R81.10 with JHF Take 110.

In my LAN I have a Mail Server (On Premise) published to the Internet.

The Server Certificate has been updated.

When the users from the LAN try to access the Mail Server, everything flows fine (they don't get the alert in the browser that "The connection is not secure").

On the other hand, when we try to access the mail server from the Internet, pointing to the domain, the result is "THE CONNECTION IS NOT SECURE".

In this kind of scenario, is it necessary and mandatory to "import" the certificate into the Firewall from SmartDashboard Legacy, referring to HTTPS Inspection?

[attachment: CA1.png]

Greetings.

0 Kudos
8 Replies
Lesley
Leader

Sounds like a public DNS record issue. Do an nslookup of the domain; the output should match the public IP that you use on the firewall for this server. If the DNS record IP does not match, you get the warning.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
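The check suggested in this reply, written out as a small diagnostic script. This is an added example, not code from the poster or from Check Point: it resolves the published hostname and compares the result with the public IP configured on the firewall, and, going one step further than the reply, it also performs the same validation a browser does on the served certificate (trust chain via the default context, name match against the subject alternative names, expiry), so a DNS mismatch can be told apart from a certificate-side cause. The hostname, IP and certificate values are constructed placeholders; the thread gives neither the domain nor the address.

```python
import socket
import ssl
import sys
import time

# Constructed placeholders (assumption, not from the thread): the post only
# refers to "the domain" and "the public IP used on the firewall".
SAMPLE_HOST = "mail.example.com"
SAMPLE_PUBLIC_IP = "203.0.113.10"

# Constructed certificate in the dict layout that ssl.SSLSocket.getpeercert()
# returns, so the name and expiry checks can be exercised offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "autodiscover.example.com")),
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def resolve_ipv4(hostname, resolver=socket.getaddrinfo):
    """Return the set of IPv4 addresses the resolver returns for hostname.

    `resolver` has socket.getaddrinfo's signature; a fake can be passed for
    offline use (its result rows are (family, type, proto, canonname, sockaddr)).
    """
    rows = resolver(hostname, 443, socket.AF_INET)
    return {sockaddr[0] for _fam, _typ, _proto, _canon, sockaddr in rows}


def check_dns(hostname, firewall_public_ip, resolver=socket.getaddrinfo):
    """The nslookup check: does the public A record point at the firewall IP?"""
    ips = resolve_ipv4(hostname, resolver)
    return {"resolved": sorted(ips), "matches_firewall": firewall_public_ip in ips}


def cert_dns_names(cert):
    """DNS names a browser will accept for this cert: the SAN entries, falling
    back to the subject CN only when no SAN extension is present."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(hostname, pattern):
    """RFC 6125-style comparison: exact match, or a wildcard in the leftmost
    label only (so *.example.com covers mail.example.com but not a.b.example.com)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if pat[0] != "*":
        return host == pat
    return len(host) == len(pat) and host[1:] == pat[1:]


def check_cert_name(hostname, cert):
    """Would the browser consider this certificate issued for hostname?"""
    names = cert_dns_names(cert)
    return {"names": names, "matches": any(name_matches(hostname, n) for n in names)}


def cert_not_expired(cert, now=None):
    """True while the certificate's notAfter lies in the future."""
    now = time.time() if now is None else now
    return now < ssl.cert_time_to_seconds(cert["notAfter"])


def fetch_live_cert(hostname, port=443, timeout=5.0):
    """Handshake with browser-like defaults (system trust store, hostname check).

    Returns (cert_dict, None) on success or (None, reason) when verification or
    the connection fails; `reason` is the OpenSSL verify message where available.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Usage: python check_published_host.py mail.example.com 203.0.113.10
    host, fw_ip = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else (SAMPLE_HOST, SAMPLE_PUBLIC_IP)
    print("DNS:", check_dns(host, fw_ip))
    cert, problem = fetch_live_cert(host)
    if cert is None:
        print("TLS verification failed:", problem)
    else:
        print("name check:", check_cert_name(host, cert))
        print("not expired:", cert_not_expired(cert))
```

Run it from a host outside the LAN so the lookup hits the public resolver path the Internet users take; a mismatch in the DNS line points at the record, while a verify failure with a matching DNS line points at the certificate or chain the server presents.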
Matlu
Advisor

Hello,

In my case, it does match.

[attachment: CA2.png]

When I do an NSLOOKUP of the domain from the Internet, it does resolve to the Public IP that has been designated in the Firewall for the connection to the mail server.

Is it necessary to import the certificate of the mail server into the Firewall to avoid these "alerts" on the Internet connections?

Greetings.

0 Kudos
the_rock
Legend

Hey bro, the cert is only needed if you are doing INBOUND HTTPS inspection; otherwise, no need to import it into SmartConsole. Same as if you were doing outbound SSL inspection: the cert has to be uploaded to users so those warnings don't show up.

Andy

0 Kudos
the_rock
Legend

Hello bro,

Happy New Year :-)

I don't think importing that cert has anything to do with it; that's simply related to inbound HTTPS inspection.

What @Lesley said makes sense to me as well.

Andy

0 Kudos
Matlu
Advisor

Buddy,

This type of scenario is when the FIREWALL acts as a "WAF", isn't it?

Most of my client's rules are based only on "OUTBOUND" traffic.

They have HTTPS Inspection enabled, but only for LAN -> WAN traffic, not the other way around.

The problem I get in the browser from the Internet, the message "The connection is not secure" when I try to access the published mail server, would be an issue to check with the client's DNS provider, right?

Cheers. 🙂

0 Kudos
the_rock
Legend

I got ya. You can try that, it won't make it worse; see if it makes any difference.

Andy

0 Kudos
Matlu
Advisor

I have done some research.

Apparently it's a "registration" problem at the "DNS service" level.

I understand that to prevent Internet users from getting the certificate error "The connection is not secure", you have to publish the domain in an MX record of my DNS service ... at least something like that is what I have understood.

Does this make sense?


0 Kudos
the_rock
Legend

100% makes sense

0 Kudos