
Issue with Client DPI-SSL configuration.

I'm attempting to slowly enable Client DPI-SSL on my NSA2700, running the latest FW as of 5/24. I've pushed out the Cert to all computers, via GPO, and enabled DPI SSL Client on my 2 "Trusted" LAN Zones. I created an Address Group with 3 IPs and added it to the DPI-SSL > Client SSL > Object > ADDRESS OBJECT/GROUP "Include" field; all other fields are default. I then "Enable SSL Client Inspection", Intrusion Prevention, Gateway AV/Anti-Spyware, and App FW. Finally setting "Audit new default exclusion domain names prior to being added for exclusion". The 3 servers seem to work fine; I can see in Chrome/Edge the Cert is replaced by the SonicWall cert as expected and all other apps on those computers function perfectly. The issue I can't seem to figure out is… all other computers, not in that Address Group, can no longer send emails with attachments, via Outlook, or upload files to websites. I've tried multiple setting changes, including adding specific servers to the ADDRESS OBJECT/GROUP "Exclude" field. Nothing seems to fix it. Once I turn off Client DPI-SSL, I can attach and send or upload the files. I'm sure I'm missing a configuration setting, but I can't seem to figure it out… any assistance would be appreciated.

Category: Firewall Security Services

Answers

  • TKWITS Community Legend ✭✭✭✭✭
    edited 8:49PM

    "I've tried multiple setting changes, including adding specific servers to the ADDRESS OBJECT/GROUP "Exclude" field."

    I would try flipping your configuration:

    Include set to all. Exclude set to an address group that includes everything except the 3 servers you are testing with.

    Hint: exclude your DHCP range, static set printers and non-Windows devices.

    Start there, see what happens.
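
One way to work out the contents of the Exclude group the answer above describes (everything except the 3 test servers), as an added example that is not part of the original thread. The subnets and server IPs are constructed sample values, `exclusion_ranges` is a hypothetical helper name, and entering the results as Range-type address objects is an assumption about how the group would be populated.

```python
import ipaddress

def exclusion_ranges(zone_subnets, inspected_hosts):
    """Ranges covering every address in zone_subnets except inspected_hosts.

    Returns a list of (first, last) address tuples, one per address object
    that would go into the DPI-SSL Exclude group.
    """
    # Merge overlapping or adjacent subnets so no address is listed twice.
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in zone_subnets))
    hosts = sorted({ipaddress.ip_address(h) for h in inspected_hosts})

    # A test host outside every zone subnet is almost certainly a typo; stop
    # rather than build a group that silently excludes the whole LAN.
    stray = [str(h) for h in hosts if not any(h in n for n in nets)]
    if stray:
        raise ValueError(f"not in any zone subnet: {stray}")

    ranges = []
    for net in nets:
        addr = type(net.network_address)   # IPv4Address or IPv6Address
        cursor = int(net.network_address)
        last = int(net.broadcast_address)
        for h in (int(h) for h in hosts if h in net):
            if h > cursor:                 # gap before this inspected host
                ranges.append((addr(cursor), addr(h - 1)))
            cursor = h + 1                 # skip the inspected host itself
        if cursor <= last:                 # tail of the subnet
            ranges.append((addr(cursor), addr(last)))
    return ranges

if __name__ == "__main__":
    # Constructed sample values: two "Trusted" LAN subnets, three test servers.
    subnets = ["192.168.10.0/24", "192.168.20.0/24"]
    servers = ["192.168.10.11", "192.168.10.12", "192.168.10.50"]
    for first, last in exclusion_ranges(subnets, servers):
        print(f"{first} - {last}")
```
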
