
Issue with Client DPI-SSL configuration.

I'm attempting to slowly enable Client DPI-SSL on my NSA2700, running the latest FW as of 5/24. I've pushed out the Cert to all computers via GPO and enabled DPI SSL Client on my 2 "Trusted" LAN Zones. I created an Address Group with 3 IPs and added it to the DPI-SSL > Client SSL > Object > ADDRESS OBJECT/GROUP "Include" field; all other fields are default. I then enabled "Enable SSL Client Inspection", Intrusion Prevention, Gateway AV/Anti-Spyware, and App FW, and finally set "Audit new default exclusion domain names prior to being added for exclusion". The 3 servers seem to work fine; I can see in Chrome/Edge that the Cert is replaced by the SonicWall cert as expected, and all other apps on those computers function perfectly. The issue I can't seem to figure out is that all other computers, not in that Address Group, can no longer send emails with attachments via Outlook or upload files to websites. I've tried multiple setting changes, including adding specific servers to the ADDRESS OBJECT/GROUP "Exclude" field. Nothing seems to fix it. Once I turn off Client DPI-SSL, I can attach and send or upload the files. I'm sure I'm missing a configuration setting, but I can't seem to figure it out…any assistance would be appreciated.

Category: Firewall Security Services

Best Answer

  • CORRECT ANSWER
    TKWITS Community Legend ✭✭✭✭✭
    edited May 28 Answer ✓

    "I've tried multiple setting changes, including adding specific servers to the ADDRESS OBJECT/GROUP "Exclude" field."

    I would try flipping your configuration:

    Include set to all. Exclude set to an address group that includes everything except the 3 servers you are testing with.

    Hint: exclude your DHCP range, static set printers and non-windows devices.

    Start there, see what happens.
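    The "flipped" layout above (Include = all, Exclude = everything except the test hosts) is easy to get wrong by hand, so here is an added example (not code from the thread or from SonicWall) that computes the exclusion set and checks which hosts end up inspected. The LAN range 192.168.10.0/24 and the three test servers .10, .11 and .12 are constructed sample values; the entries it prints are the network address objects you would put in the Exclude group.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample values, not taken from the thread: one trusted LAN and the
# three test servers that should remain under Client DPI-SSL inspection.
LAN = ipaddress.ip_network("192.168.10.0/24")
TEST_SERVERS = ["192.168.10.10", "192.168.10.11", "192.168.10.12"]
INCLUDE_ALL = [ipaddress.ip_network("0.0.0.0/0")]   # "Include set to all"


def exclusion_blocks(lan: ipaddress.IPv4Network,
                     keep_inspected: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return CIDR blocks covering every host in `lan` except `keep_inspected`.

    Each test host is carved out of whatever block currently contains it; the
    leftovers are then collapsed into the smallest set of network objects.
    """
    remaining = [lan]
    for host in keep_inspected:
        host_net = ipaddress.ip_network(f"{host}/32")
        carved = []
        for block in remaining:
            if host_net.subnet_of(block):
                carved.extend(block.address_exclude(host_net))
            else:
                carved.append(block)
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def is_inspected(ip: str, include: List[ipaddress.IPv4Network],
                 exclude: List[ipaddress.IPv4Network]) -> bool:
    """Model the Include/Exclude evaluation: a host is inspected only when it
    matches an Include entry and is not covered by any Exclude entry."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in block for block in include):
        return False
    return not any(addr in block for block in exclude)


EXCLUDE = exclusion_blocks(LAN, TEST_SERVERS)

if __name__ == "__main__":
    for block in EXCLUDE:
        print("Exclude address object:", block)
    for host in ("192.168.10.10", "192.168.10.57"):
        print(host, "inspected:", is_inspected(host, INCLUDE_ALL, EXCLUDE))
```

    Running it lists eight network objects that together cover the 253 non-test hosts, so only the three servers stay inspected.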

Answers

  • Simon_Weel Enthusiast ✭✭
    edited June 6

    I'm not sure exactly how certificates work, but I think it's either one-way or two-way. Correct me if I'm wrong.

    With the one-way method, the client checks if the certificate is valid. If ok, then connect. With the two-way method, the client checks if the certificate is valid and then the remote site checks the client's certificate information.

    With DPI-SSL, for the two-way method, the client certificate information (the injected Sonicwall certificate) differs from the certificate the server issued, so the connection will be blocked.

  • SteveBodoczy Newbie ✭

    As recommended, I flipped the configuration (included all and excluded selected IPs); after some testing, that does seem to be working better. Additionally, I opened a support ticket with SonicWall on this issue. They confirmed that my original configuration was set up as documented, and the SonicWall was not performing as it should. They mentioned additional DPI fixes coming with the next OS release…so we'll see. Thank you for the suggestions.
