Disable HTTPS redirect

Did some playing today . . . .

. … turns out merely BLOCKING the OS/5 machine from WAN access was insufficient to stop the redirect function.

. . .turns out I also had to change the STATIC IP of the device as well. (I suppose this makes sense; the “redirect” from 3rd party DDNS servers was still pointing to a valid address)

Edit: in changing IP address of the device, I suppose I momentarily unblocked the device to the internet. . . . .in under two minutes, there were 17 web access entries in the log. Things like time update, and a few related to Plex.

Edit: Hmmm. . . the static IP change worked for about an hour. Now the redirect “works” again. I want to know how to stop all internet communication from this device. . .short of unplugging it (which is my next step)

@WesternDigital-PSIRT,
Thank you for the post. Much appreciated. I have a couple of requests:

  1. Could you please provide some guidance on how to re-enroll for the certificate. In my case, I believe the certificate enrollment happened automatically when I upgraded to OS 5. Since then, I have moved the device behind another router and factory reset it. However, it has not “auto-enrolled” for the certificate again.
  2. Any chance WD is looking into allowing admins to use their own certificates (e.g., from an Enterprise CA)? If not, could this be considered in a future firmware update?

Thank you

@StrongWing419 Sounds like you may have network related issues, IE: name resolution, routing or port filtering or blocking.

  • Do you get “no internet connection” when you click the Apps tab?
  • Can you install 3rd party apps?
  • Do you get “no internet connection” on the Network screen under the Settings tab?
  • Do you get an error if you try to enable Cloud Access on the Cloud tab?

The following articles will help.

https://support-en.wd.com/app/answers/detail/a_id/29956
https://support-en.wd.com/app/answers/detail/a_id/30011
https://support-en.wd.com/app/answers/detail/a_id/30052

@SBrown,

Thanks for the reply. Yes, it has internet connectivity and I can enable/disable cloud access without any issues. I can also access it from the cloud. I think this answers all of the questions you listed, but I am answering each question below for any additional clarity:

  • I do not get “no internet connection” in the Apps tab, instead I see apps listed.

  • I do not have a use case for any of the 3rd party apps at this time but I am confident that I can install them if needed.

  • Settings → network → status = “Internet access”

  • I can enable/disable Cloud Access without any issues.

Do you know the process for getting it re-enrolled for a new certificate? It doesn’t seem to be documented in the places that I have looked so far. If you find any resources, please share. Thanks again.

@StrongWing419 chances are the NAS actually has a cert from Let’s Encrypt. You can check at https://NAS_IP:8543

If yes, chances are the computer running the web browser cannot resolve the Common Name listed at the top, so the HTTPS redirect fails.

IE nslookup device-local-xxxxx-xxx-xxx-xxxx-xxxxxxxxxx.remotewd.com

1 Like
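The check described in the post above, scripted as an added example (not part of the original thread and not WD tooling): read the Common Name from the certificate served on port 8543, resolve it with nslookup, and compare the answer with the NAS address. The function names are hypothetical, and comparing against the NAS's LAN IP is an assumption based on the thread's statement that the certificate is used for the device's internal IP address.

```shell
#!/bin/sh
# Added example: function names are hypothetical; sample inputs in the
# test are constructed. Needs openssl, nslookup, sed and awk.

# Read an `openssl x509 -subject` line on stdin, print the Common Name.
# Handles both "subject=CN = name" and the older "subject= /CN=name".
extract_cn() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*$/\1/p' | head -n 1
}

# Read nslookup output on stdin, print the first answer address
# (the Address line after "Name:", not the resolver's own address).
parse_nslookup() {
    awk '/^Name:/ {seen = 1; next} seen && /^Address/ {print $NF; exit}'
}

# classify RESOLVED_IP NAS_IP -> unresolved | ok | mismatch
classify() {
    if [ -z "$1" ]; then echo unresolved
    elif [ "$1" = "$2" ]; then echo ok
    else echo mismatch
    fi
}

# check_redirect_name NAS_IP [PORT]: live check against the NAS.
check_redirect_name() {
    nas_ip=$1
    port=${2:-8543}
    cn=$(openssl s_client -connect "$nas_ip:$port" </dev/null 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null | extract_cn)
    if [ -z "$cn" ]; then
        echo "no certificate CN read from $nas_ip:$port"
        return 2
    fi
    resolved=$(nslookup "$cn" 2>/dev/null | parse_nslookup)
    echo "CN=$cn resolved=${resolved:-none} -> $(classify "$resolved" "$nas_ip")"
}

# Usage (NAS_IP is a placeholder): check_redirect_name 192.0.2.10
```

A result of `unresolved` corresponds to the failure the post describes: the client cannot resolve the certificate's name, so the HTTPS redirect has nowhere to go.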

@SBrown @WDStaff and whoever else is supporting this unsupported monstrosity, do disable this functionality and let the user either enroll himself to Let’s Encrypt or provide self-signed certificates. There is no reason for WD to know the private IP of these boxes, revealing in the process part of my network topology.

Coupled with the inability to connect from another segment (we used our boxes in DMZ to be connected from LAN just fine in the previous OS), this is creating a user hell. If you were going to do it your way, you should have made sure that they work just fine in all possible scenarios (i.e. interfaces behind WPAD proxy, one on DMZ/one on LAN, etc.) and not just having the boxes in a house LAN doing active failover!

I have a multitude of issues, some of them critical on one of our 4 EX4100 boxes on which I have received no actual support/solution or pat on the shoulder (see the EX forum), even after opening a support ticket. Part of these problems stem from exactly this extremely bad implementation of this secure access idea.

Seriously now, get rid of this junk altogether, or for heaven’s sake provide an option to disable this thing altogether.

I took the plunge to OS5 now and not months ago, considering that it would be past its infancy. I was dead wrong!

@SBrown
First, I apologize for the delay. I received your first reply via email but never received your second reply, so I assumed that there was no follow up. Just discovered your answer today when I logged on to WD Community.

Second, a BIG THANK YOU!!! You got me back on the right track. I was able to discover the common name using your instructions. Once I got that, it was just a matter of fixing name resolution for it. Again, thank you! I appreciate your assistance.

The link you provided explicitly states about localhost and publicly distributed private key.
Seems like both statements are not true in this case:

  • Assuming WD’s explanation in this topic is true: certificate is requested right from the device and never leaves it
  • Certificate is used for the device’s internal IP address, not localhost/127.0.0.1

Am I missing something? Can you outline the attack vector?

Dear PM for PR4100 and @WesternDigital-PSIRT
TLS being accepted by the browser has a thousand methods. Not having an option in how I handle TLS is less than ideal. I manage my own CA and sign all of my devices with it, so now I cannot trust your device because it does whatever it wants to protect my end to end encryption on my LAN.

Most users won’t care about this “feature”, however I do. I even created this account so I could write this single post. Considering this device has access to critical data and it shares any information about my network with a third party it’s going to the shredder. What a blunder.

Hello.

So - - - I heard a rumor that the latest version of firmware allows us to make our systems more secure by disabling the HTTPS redirect “feature”.

Does anyone have any observations about this latest improvement in the firmware?

I am a bit reluctant to update the firmware of my OS/5 machine. . . or even power it up at the moment. (I am waiting to understand the implications of EdgeRover to become apparent before I go to a more permanent solution (i.e. Update OS/5; Reload OS/3; Replace w/ other NAS))