The Intercept X Thin Installer for Server is trying to download from api-cloudstation-eu-central-1.prod.hydra.sophos.com and fails due to the firewall blocking this request.
Found it in the installer logs here:
Sending HTTP 'POST' request to: api/download/stage2-details/df6f4312-eda5-43e8-ac02-6207693632ab
2021-11-18T13:50:44.3309692Z INFO : Did not discover an URL for a PAC file
2021-11-18T13:50:44.3309692Z INFO : Attempting to connect using proxy '' of type 'Empty Proxy'.
2021-11-18T13:50:44.3309692Z INFO : Set security protocol: 00000800
2021-11-18T13:50:44.3309692Z INFO : Opening connection to api-cloudstation-eu-central-1.prod.hydra.sophos.com
2021-11-18T13:50:44.3309692Z INFO : Request content size: 31
2021-11-18T13:51:47.4005030Z ERROR : WinHttpSendRequest failed with error 12002
2021-11-18T13:51:47.4005030Z INFO : Failed to connect using proxy '' with error: WinHttpSendRequest failed
2021-11-18T13:51:47.4005030Z INFO : Cleaning up extracted files
We only allow access to the FQDN allowed here.
This FQDN is not listed on the KB.
For a test I allowed this FQDN and as a result the installer succeeds.
Is this URL request intended for the Intercept X installer? If yes, could you please update the documentation and explain the new URL?
Thank you for clarifying.
Do you know if there’s a support case opened regarding the wildcards not working? If so, please send me a DM with the case ID so that I may follow up on it.
Thank you for reaching out to the Sophos Community.
Regarding your question, I can see an explanation present in the link you provided. For situations where you can't use wild-cards for exclusions:
If your proxy or firewall doesn't support wildcards, you must identify the exact Sophos domains you need, then enter them manually. You need to identify the server address that Sophos Management Communication System uses to communicate with Sophos Central Admin securely.
On Windows devices, do as follows:
Model::server value changed to:
Opening connection to
They should have a value that looks like one of the following:
Let me know if this helps.
Thanks for your reply. We have these exclusions already on XG which is supposed to support wildcards.
As you can see, there is a *.sophos.com at the top. In fact this is not working as needed all the time. At the bottom you find the api host, I entered yesterday.
In some support cases, I have been suggested to use wild cards at a more specific URL level. They were aware of issues with wildcards at the root or second level domain.
Select host *.sophos.com *.sophosupd.com *.sophosupd.net *.sophosxl.net ocsp.globalsign.com ocsp2.globalsign.com crl.globalsign.com crl.globalsign.net ocsp.digicert.com crl3.digicert.com crl4.digicert.com tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws. tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com kinesis.us-west-2.amazonaws.com prod.endpointintel.darkbytes.io mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com mcs2-cloudstation-us-east-2.prod.hydra.sophos.com mcs2-cloudstation-us-west-2.prod.hydra.sophos.com dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com mcs-cloudstation-eu-central-1.prod.hydra.sophos.com mcs-cloudstation-eu-west-1.prod.hydra.sophos.com mcs-cloudstation-us-east-2.prod.hydra.sophos.com mcs-cloudstation-us-west-2.prod.hydra.sophos.com mcs.stn100syd.ctr.sophos.com mcs.stn100yul.ctr.sophos.com mcs.stn100hnd.ctr.sophos.com mcs2.stn100syd.ctr.sophos.com mcs2.stn100yul.ctr.sophos.com mcs2.stn100hnd.ctr.sophos.com live-terminal-eu-west-1.prod.hydra.sophos.com live-terminal-eu-central-1.prod.hydra.sophos.com live-terminal-us-west-2.prod.hydra.sophos.com live-terminal-us-east-2.prod.hydra.sophos.com live-terminal.stn100yul.ctr.sophos.com live-terminal.stn100syd.ctr.sophos.com live-terminal.stn100hnd.ctr.sophos.com *.mcs-push-server-eu-west-1.prod.hydra.sophos.com *.mcs-push-server-eu-central-1.prod.hydra.sophos.com *.mcs-push-server-us-west-2.prod.hydra.sophos.com *.mcs-push-server-us-east-2.prod.hydra.sophos.com *.mcs-push-server.stn100yul.ctr.sophos.com *.mcs-push-server.stn100syd.ctr.sophos.com *.mcs-push-server.stn100hnd.ctr.sophos.com dci.sophosupd.com d1.sophosupd.com d2.sophosupd.com d3.sophosupd.com d1.sophosupd.net d2.sophosupd.net d3.sophosupd.net t1.sophosupd.com sus.sophosupd.com sus.sophosupd.net 
sdds3.sophosupd.com sdds3.sophosupd.net sdu-feedback.sophos.com sophosxl.net 4.sophosxl.net samples.sophosxl.net cloud.sophos.com id.sophos.com central.sophos.com downloads.sophos.com api-cloudstation-eu-central-1.prod.hydra.sophos.com
This has been discussed here: https://community.sophos.com/sophos-xg-firewall/f/discussions/128737/https-mcs2-cloudstation-eu-central-1-prod-hydra-sophos-com-response-code-502
Found nothing more in my mails. Helped there. And here again:
We have *.sophos.com in our exclusion, so it should cover the FQDN api-cloudstation-eu-central-1.prod.hydra.sophos.com
But it didn't until adding the full hostname.
Today by chance I found in your documentation:
There you write:
For help with setting up your firewall or proxy to communicate between Sophos Central Admin and your managed devices, see Domains and ports to allow.
The address shows the geographical location of the data center:
But in https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DomainsPorts.html
there is nothing written about the new api hosts.
Something probably for DominicRemigio from the DocTeam.
Do you know if either of the following two options are turned on, on your XG device?
- Select "Web" in the left-hand panel listed under "Protect."
- Select "General settings," the right-most tab at the top of the page
This may also be playing a part in things. I want to rule this out first, if possible. Let me know once you get a chance to check on this.
These options are both disabled.
Btw, the error
ERROR : WinHttpSendRequest failed with error 12002
has been discussed here a few times but I have not found useful information from those threads.
I appreciate the feedback!
I have raised a request with our KBA team to have the "Domains and ports to allow" DOC updated with the "Regional Datacenter locations".
Thank you for bringing this to our attention.
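
Added example (not part of the thread and not Sophos code): a way to audit an installer log against an allow list, pairing each "Opening connection to" host with a following WinHttpSendRequest failure and checking which entries cover it. The two wildcard readings (`*` spanning any number of DNS labels, or exactly one) are assumptions for illustration, not a statement of how XG evaluates exceptions; the log sample is constructed in the format quoted above.

```python
import re

# Constructed sample, in the format of the installer log quoted in the thread.
SAMPLE_LOG = """\
2021-11-18T13:50:44.3309692Z INFO : Opening connection to api-cloudstation-eu-central-1.prod.hydra.sophos.com
2021-11-18T13:51:47.4005030Z ERROR : WinHttpSendRequest failed with error 12002
"""

# Entries that appear in the allow list discussed in the thread (api host not yet added).
ALLOW_LIST = ["*.sophos.com", "*.sophosupd.com",
              "mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com"]

CONNECT_RE = re.compile(r"Opening connection to\s+(\S+)")
ERROR_RE = re.compile(r"WinHttpSendRequest failed with error (\d+)")

def failed_connections(log_text):
    """Return (host, winhttp_error) for each connection followed by a send failure."""
    failures, current = [], None
    for line in log_text.splitlines():
        opened = CONNECT_RE.search(line)
        if opened:
            current = opened.group(1).lower().rstrip(".")
            continue
        failed = ERROR_RE.search(line)
        if failed and current:
            failures.append((current, int(failed.group(1))))  # 12002 = WinHTTP timeout
            current = None
    return failures

def matches(host, pattern, single_label):
    """Match host against an exact name or a '*.suffix' wildcard entry."""
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                      # "*.sophos.com" -> ".sophos.com"
    if not host.endswith(suffix) or host == suffix:
        return False
    prefix = host[: -len(suffix)]             # the labels consumed by "*"
    return "." not in prefix if single_label else True

def coverage(log_text, allow_list):
    """Allow-list entries covering each failed host, under both wildcard readings."""
    return {host: {"error": code,
                   "multi_label": [p for p in allow_list if matches(host, p, False)],
                   "single_label": [p for p in allow_list if matches(host, p, True)]}
            for host, code in failed_connections(log_text)}

if __name__ == "__main__":
    print(coverage(SAMPLE_LOG, ALLOW_LIST))
```

A host that is covered under the multi-label reading but not the single-label one is a candidate for an explicit FQDN entry, which is the change that made the installer succeed in this thread.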