Options

Certificate für incoming proxies

MBockMBock
in Firebox - Certificates

Hello,
I have two domains in www with a wildcard certificate. *.mycompany.net and *.mycompany.de.
I have webservers which are accessible from www with the .mycompany.de domain. The https-proxy is working and the certificate is correct.
And I have a smtp-proxy which is reachable ober .mycompany.net. The wildcard certificate is on the firebox the same as the *.mycompany.de certificate.
Where can I configure which proxy should use which certificate? Becaus the starttls check says that the smtp-proxy is using the *.mycompany.de certificate which is the wrong one.

Thanks

Comments

  • Options
    Bruce_BriggsBruce_Briggs

    From Ralph's (WG) comments:
    "For SMTP, the proxy uses the Proxy Server certificate for TLS. This can be the default Proxy Server certificate or one from the SMTP server (recommended)."
    "Whatever the Proxy Server certificate is, that's what the SMTP proxy will use for TLS."

    For incoming HTTPS:
    "Via Content / Proxy actions...you can now select which Proxy Server certificate you want to use."

    both from:
    SMTP with TLS
    https://community.watchguard.com/watchguard-community/discussion/comment/3500

    My best guess is that the 1st Proxy Server certificate imported becomes the default one.

  • Options
    MBockMBock
    edited September 2020

    That's true. The 1st Proxy-Server certificate is the default certificate which one the stmp-proxy uses.
    But when I import a new Proxy Server Cert and delete the Watchguard self-signed cert, internet communication is not working.
    I have distributed the Wachguard Fireware certificate to the clients for SSL DPI.

  • Options
    Bruce_BriggsBruce_Briggs

    The cert used for client HTTPS Inspect needs to be able to re-sign packets.
    Standard commercial certs can't do this.
    You need a cert from your own Certificate Authority or the one from the firewall - either of which can re-sign.

    "A public CA certificate does not support the re-signing actions the HTTPS-proxy must perform when content inspection is enabled on your Firebox. We recommend that you use a certificate signed by your own internal CA."

    However, the client HTTPS Inspect cert is a "Proxy Authority" cert, not a "Proxy Server" cert.
    "When you enable content inspection in the HTTPS proxy, the Firebox uses the default self-signed Proxy Authority CA certificate to re-encrypt the traffic."
    Make sure that you are replacing the correct one.

    from here:
    Use Certificates with HTTPS Proxy Content Inspection
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_https_proxy_resign_c.html

Sign In to comment.