Intercept x with EDR VPN Issue

Hey there,

We have a problem with the VPN clients and Sophos.

The VPN client is the Juniper Pulse Secure Client. We also have the NCP Secure Entry Client, but this case only occurred with the Pulse client, which is why we had to uninstall Sophos again.

Problem description: if the VPN client is switched on, the Internet is cut off on the PC with Sophos. We did a cross test by turning off Sophos, after which the Internet was back, and also the other way round. Unfortunately, switching off various individual options did not bring the Internet back.

Could you please help us with this? 

Has anyone ever had problems with VPN connections?
Which settings do I have to make?

Thanks for your help

Vicky
  • Hi Vicky,

    Does the VPN error out, or do you just not get any data when requesting a website? Is it a split tunnel? Does all network traffic stop, or just traffic to the other end of the VPN?

    RichardP

    Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • Hi Richard,

    I'm the user of the affected PC. Let me try to explain: everything is working well with the Sophos client installed as long as I don't open and connect the Pulse Secure Client. After launching and connecting the Pulse Secure Client, I can ping other network resources, e.g. our internal router or a web service, but I'm not able to open any website, including internal ones like the router or Jira, Confluence, etc. The requests simply time out. I can only access websites if I then disable all services of the Sophos client. I was not able to test which one causes the problem or whether it is related to a single component. What I'm not really happy with is that the Sophos client seems to block something, but doesn't log anything anywhere. I would expect to see something related to that at least in the Central alerts, for example. So for now I worked around this issue by uninstalling the Sophos client. The good thing is: this seems to be a very special issue related to Pulse Secure VPN, so none of our customers should be affected.

    Thank you for your support!

    Best,

    Markus

  • In the Threat protection policy that is applied to the computer/user, if you disable:

    • Scan downloads in progress
    • Block access to malicious websites

    Then in the Web Control policy if enabled, disable that.

    I assume everything then works. You will need to close all browser processes down.

    Another option might be: does Pulse Secure give you the option to use a legacy non-WFP driver?

    I suspect this is a WFP conflict.

  • https://docs.pulsesecure.net/WebHelp/PDC/9.1R5/pdc-admin-guide/Overview/Overview.htm

    It details that you might be able to configure it to use TDI rather than WFP. You could possibly try this mode with the above 3 Sophos features re-enabled to see whether that works in combination.

  • If it was blocking, it would be noting a detection. It is more likely that the web filter element of our product is interacting with the VPN element and there is a data interference or something that is causing the VPN to drop the packet. A Wireshark capture would be good here to see what is happening. I assume that it will show the packet not even leaving the box. So, to test this, turn off the web protection elements in the threat protection policy. If that doesn't resolve the issue - turn off the Sophos NTP service and see if that stops the issue. Once we know if it is policy or a direct driver conflict - we can look at a proper solution for you.

    RichardP

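    An added diagnostic script (written for this thread, not from Sophos or Pulse Secure) that records what Richard's procedure needs to distinguish: whether ICMP still works while TCP 443 and a real HTTP request fail, which Sophos services are running, and the Windows Filtering Platform state at that moment. Run it as Administrator with the VPN connected, once per change (web protection off, then the NTP service off), and diff the output files; the host name is a placeholder to replace with an internal web server.

```powershell
# Added example, not from the thread. Run elevated, once per configuration
# change suggested above, then compare the files in $OutDir between runs.
param(
    [string]$InternalHost = "intranet.example.internal",   # placeholder, replace
    [string]$OutDir = "$env:TEMP\vpn-diag"
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"

# 1. Separate ICMP from TCP reachability: the thread reports that ping works
#    while web requests time out, which points at a filter on TCP flows rather
#    than at routing through the tunnel.
$icmp = Test-Connection -ComputerName $InternalHost -Count 2 -Quiet
$tcp  = (Test-NetConnection -ComputerName $InternalHost -Port 443 `
            -WarningAction SilentlyContinue).TcpTestSucceeded

# 2. A real HTTP request with a short timeout, so a silent drop shows up as a
#    timeout rather than hanging the script.
try {
    $http = (Invoke-WebRequest -Uri "https://$InternalHost/" -UseBasicParsing `
                -TimeoutSec 10).StatusCode
} catch { $http = "failed: $($_.Exception.Message)" }

# 3. Record which Sophos services are running, so a run with the NTP service
#    stopped can be told apart from a run where only the policy changed.
$services = Get-Service -DisplayName "*Sophos*" | Select-Object Name, Status

# 4. Export the WFP state and filters. netsh writes XML; comparing the
#    provider and filter sections between runs shows which vendor callouts
#    are registered while the VPN adapter is up.
netsh wfp show state   file="$OutDir\wfpstate-$stamp.xml" | Out-Null
netsh wfp show filters file="$OutDir\filters-$stamp.xml"  | Out-Null

[pscustomobject]@{
    Time           = $stamp
    Host           = $InternalHost
    IcmpOk         = $icmp
    Tcp443Ok       = $tcp
    Http           = $http
    SophosServices = ($services | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join "; "
} | Format-List
```

    A packet capture on the VPN adapter taken during the same run tells you whether the dropped request ever reaches the wire, which is the point Richard's Wireshark suggestion is after.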

  • "What I'm not really happy with is that the Sophos client seems to block something, but doesn't log anything anywhere. I would expect to see something related to that at least in the Central alerts, for example."

    I can confirm this. The Sophos client can log a lot, but it is all stored locally in some text files, only accessible after disabling protection and/or enabling debugging. In the Windows Event Logs or in Central you will only find malware detections or loss-of-connectivity events.

    About the VPN issue - we've recently had a computer where the user installed another secure VPN client (Forcepoint) because one remote organization required it. That VPN software had something similar to Sophos Heartbeat integrated. So the VPN client communicated some health data of the client computer to cloud servers, where the VPN gateway of the organization checked the health status of a client, and a VPN to this client can - in theory - only be established if it's reported as healthy. In the end this VPN software killed all other VPN clients on the computer, so it could not connect to any other VPN with any VPN client anymore until the Forcepoint software had been uninstalled. This computer also had Intercept X installed. So maybe there are side effects when using secure VPN clients with Intercept X and its HTTPS interception.