Intercept X for server install fails - trying to connect to api-cloudstation-eu-central-1.prod.hydra.sophos.com

The Intercept X Thin Installer for Server is trying to download from api-cloudstation-eu-central-1.prod.hydra.sophos.com and fails because the firewall blocks this request.

api-cloudstation-eu-central-1.prod.hydra.sophos.com resolves to api-spinnaker-2098312200.eu-central-1.elb.amazonaws.com [18.157.100.246]

I found it in the installer logs here:

%ProgramData%\Sophos\CloudInstaller\Logs\

Sending HTTP 'POST' request to: api/download/stage2-details/df6f4312-eda5-43e8-ac02-6207693632ab
2021-11-18T13:50:44.3309692Z INFO : Did not discover an URL for a PAC file
2021-11-18T13:50:44.3309692Z INFO : Attempting to connect using proxy '' of type 'Empty Proxy'.
2021-11-18T13:50:44.3309692Z INFO : Set security protocol: 00000800
2021-11-18T13:50:44.3309692Z INFO : Opening connection to api-cloudstation-eu-central-1.prod.hydra.sophos.com
2021-11-18T13:50:44.3309692Z INFO : Request content size: 31
2021-11-18T13:51:47.4005030Z ERROR : WinHttpSendRequest failed with error 12002
2021-11-18T13:51:47.4005030Z INFO : Failed to connect using proxy '' with error: WinHttpSendRequest failed
2021-11-18T13:51:47.4005030Z INFO : Cleaning up extracted files

We only allow access to the FQDNs listed here:

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DomainsPorts.html

This FQDN is not listed in the KB.

As a test I allowed this FQDN, and as a result the installer succeeds.

Is this URL request intended for the Intercept X installer? If yes, could you please update the documentation and explain the new URL?

typo
[edited by: LHerzog at 2:17 PM (GMT -8) on 18 Nov 2021]
  • Hello LHerzog,

    Thank you for reaching out to the Sophos Community.

    Regarding your question, I can see an explanation present in the link you provided. For situations where you can't use wildcards for exclusions:

    If your proxy or firewall doesn't support wildcards, you must identify the exact Sophos domains you need, then enter them manually.
    You need to identify the server address that Sophos Management Communication System uses to communicate with Sophos Central Admin securely.

    On Windows devices, do as follows:

    1. Open SophosCloudInstaller.log. You can find it in C:\ProgramData\Sophos\CloudInstaller\Logs.
    2. Look for the following lines:
      • line starting Model::server value changed to:
      • line starting Opening connection to

      They should have a value that looks like one of the following:

      • dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
      • mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
      • mcs.stn100yul.ctr.sophos.com
      • mcs2.stn100yul.ctr.sophos.com

    Let me know if this helps.

    Kushal Lakhan
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
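The two log lines named in the steps above ("Model::server value changed to:" and "Opening connection to") can be pulled out of SophosCloudInstaller.log and checked against an allowlist automatically. The script below is an added example, not Sophos code or documentation; the sample log lines are constructed (the exact "Model::server" line layout is an assumption), and the `one_level` flag models a firewall whose `*.` wildcard only covers a single label, which is one way `*.sophos.com` can fail to cover a deeper hostname like the one in the original post.

```python
import re

# Constructed sample lines modelled on SophosCloudInstaller.log (not a real capture).
SAMPLE_LOG = """\
2021-11-18T13:50:44.3309692Z INFO : Model::server value changed to: mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
2021-11-18T13:50:44.3309692Z INFO : Opening connection to api-cloudstation-eu-central-1.prod.hydra.sophos.com
2021-11-18T13:51:47.4005030Z ERROR : WinHttpSendRequest failed with error 12002
"""

# The two line prefixes the Sophos doc tells you to look for; an optional scheme is tolerated.
HOST_RE = re.compile(
    r"(?:Model::server value changed to:|Opening connection to)\s*(?:https?://)?([A-Za-z0-9.-]+)"
)


def hosts_from_log(text):
    """Return the distinct hostnames the installer reports contacting, in order of first appearance."""
    seen = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m and m.group(1).lower() not in seen:
            seen.append(m.group(1).lower())
    return seen


def matches(host, pattern, one_level=False):
    """True if host is covered by one allowlist entry.

    A plain entry must match exactly. A '*.' entry covers any subdomain when
    one_level is False; with one_level=True it covers exactly one extra label,
    so '*.sophos.com' would not cover 'x.prod.hydra.sophos.com'.
    """
    host, pattern = host.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]  # e.g. ".sophos.com"
    if not host.endswith(suffix) or host == suffix[1:]:
        return False  # bare apex is not covered by the wildcard
    return "." not in host[:-len(suffix)] if one_level else True


def uncovered(hosts, allowlist, one_level=False):
    """Hosts from the log that no allowlist entry covers under the chosen wildcard semantics."""
    return [h for h in hosts if not any(matches(h, p, one_level) for p in allowlist)]


if __name__ == "__main__":
    found = hosts_from_log(SAMPLE_LOG)
    for semantics in (False, True):
        print("one_level=%s -> uncovered: %s" % (semantics, uncovered(found, ["*.sophos.com"], semantics)))
```

Run it against the real log path from the post (`%ProgramData%\Sophos\CloudInstaller\Logs\`) by reading that file instead of `SAMPLE_LOG`; any host listed as uncovered is a candidate for an explicit allowlist entry.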
  • Thanks for your reply. We have these exclusions already on XG which is supposed to support wildcards.

    As you can see, there is a *.sophos.com at the top. In fact this is not working as needed all the time. At the bottom you find the API host I entered yesterday.

    In some support cases, I have been advised to use wildcards at a more specific URL level. They were aware of issues with wildcards at the root or second-level domain.


  • Thank you for clarifying.

    Do you know if there’s a support case opened regarding the wildcards not working? If so, please send me a DM with the case ID so that I may follow up on it.

    Kushal Lakhan
    Global Community Support Engineer
  • This has been discussed here: https://community.sophos.com/sophos-xg-firewall/f/discussions/128737/https-mcs2-cloudstation-eu-central-1-prod-hydra-sophos-com-response-code-502

    Found nothing more in my mails. Helped there. And here again:

    We have *.sophos.com in our exclusions, so it should cover the FQDN api-cloudstation-eu-central-1.prod.hydra.sophos.com.

    But it didn't until adding the full hostname.

    Today by chance I found in your documentation:

    https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DownloadInstallers.html

    There you write:

    For help with setting up your firewall or proxy to communicate between Sophos Central Admin and your managed devices, see Domains and ports to allow.

    The address shows the geographical location of the data center:

    ...

    https://api-cloudstation-eu-central-1-prod.hydra.sophos.com

    Frankfurt, Germany

    But in https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DomainsPorts.html

    there is nothing written about the new API hosts.

    Probably something for the DocTeam.

  • Do you know if either of the following two options is turned on on your XG device?
    - Select "Web" in the left-hand panel listed under "Protect."
    - Select "General settings," the right-most tab at the top of the page

    This may also be playing a part in things. I want to rule this out first, if possible. Let me know once you get a chance to check on this.

    Cheers,

    Kushal Lakhan
    Global Community Support Engineer
  • Thanks.

    These options are both disabled.

  • By the way, the error

    ERROR : WinHttpSendRequest failed with error 12002

    has been discussed here a few times, but I have not found useful information in those threads.

  • I appreciate the feedback!

    I have raised a request with our KBA team to have the "Domains and ports to allow" DOC updated with the "Regional Datacenter locations".

    Thank you for bringing this to our attention.

    Kushal Lakhan
    Global Community Support Engineer