Intercept X for server install fails - trying to connect to api-cloudstation-eu-central-1.prod.hydra.sophos.com

The Intercept X Thin Installer for Server tries to download from api-cloudstation-eu-central-1.prod.hydra.sophos.com and fails because the firewall blocks this request.

api-cloudstation-eu-central-1.prod.hydra.sophos.com resolves to api-spinnaker-2098312200.eu-central-1.elb.amazonaws.com [18.157.100.246]

I found it in the installer logs here:

%ProgramData%\Sophos\CloudInstaller\Logs\

Sending HTTP 'POST' request to: api/download/stage2-details/df6f4312-eda5-43e8-ac02-6207693632ab
2021-11-18T13:50:44.3309692Z INFO : Did not discover an URL for a PAC file
2021-11-18T13:50:44.3309692Z INFO : Attempting to connect using proxy '' of type 'Empty Proxy'.
2021-11-18T13:50:44.3309692Z INFO : Set security protocol: 00000800
2021-11-18T13:50:44.3309692Z INFO : Opening connection to api-cloudstation-eu-central-1.prod.hydra.sophos.com
2021-11-18T13:50:44.3309692Z INFO : Request content size: 31
2021-11-18T13:51:47.4005030Z ERROR : WinHttpSendRequest failed with error 12002
2021-11-18T13:51:47.4005030Z INFO : Failed to connect using proxy '' with error: WinHttpSendRequest failed
2021-11-18T13:51:47.4005030Z INFO : Cleaning up extracted files

We only allow access to the FQDNs listed here:

https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DomainsPorts.html

This FQDN is not listed in the KB.

For a test I allowed this FQDN, and as a result the installer succeeds.

Is this URL request intended for the Intercept X installer? If yes, could you please update the documentation and explain the new URL?

  • Hello LHerzog,

    Thank you for reaching out to the Sophos Community.

    Regarding your question, I can see an explanation present in the link you provided. For situations where you can't use wildcards for exclusions:

    If your proxy or firewall doesn't support wildcards, you must identify the exact Sophos domains you need, then enter them manually.
    You need to identify the server address that Sophos Management Communication System uses to communicate with Sophos Central Admin securely.

    On Windows devices, do as follows:

    1. Open SophosCloudInstaller.log. You can find it in C:\ProgramData\Sophos\CloudInstaller\Logs.
    2. Look for the following lines:
      • line starting Model::server value changed to:
      • line starting Opening connection to

      They should have a value that looks like one of the following:

      • dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
      • mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
      • mcs.stn100yul.ctr.sophos.com
      • mcs2.stn100yul.ctr.sophos.com

    Let me know if this helps.

    Kushal Lakhan
    Team Lead, Global Community Support
  • Thanks for your reply. We have these exclusions already on XG, which is supposed to support wildcards.

    As you can see, there is a *.sophos.com at the top. In fact this is not working as needed all the time. At the bottom you find the API host I entered yesterday.

    In some support cases I have been advised to use wildcards at a more specific URL level. They were aware of issues with wildcards at the root or second-level domain.

    Host list:
        *.sophos.com
        *.sophosupd.com
        *.sophosupd.net
        *.sophosxl.net
        ocsp.globalsign.com
        ocsp2.globalsign.com
        crl.globalsign.com
        crl.globalsign.net
        ocsp.digicert.com
        crl3.digicert.com
        crl4.digicert.com
        tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.
        tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
        tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
        tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
        kinesis.us-west-2.amazonaws.com
        prod.endpointintel.darkbytes.io
        mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
        mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
        mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
        mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
        dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
        dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
        mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
        mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
        mcs-cloudstation-us-east-2.prod.hydra.sophos.com
        mcs-cloudstation-us-west-2.prod.hydra.sophos.com
        mcs.stn100syd.ctr.sophos.com
        mcs.stn100yul.ctr.sophos.com
        mcs.stn100hnd.ctr.sophos.com
        mcs2.stn100syd.ctr.sophos.com
        mcs2.stn100yul.ctr.sophos.com
        mcs2.stn100hnd.ctr.sophos.com
        live-terminal-eu-west-1.prod.hydra.sophos.com
        live-terminal-eu-central-1.prod.hydra.sophos.com
        live-terminal-us-west-2.prod.hydra.sophos.com
        live-terminal-us-east-2.prod.hydra.sophos.com
        live-terminal.stn100yul.ctr.sophos.com
        live-terminal.stn100syd.ctr.sophos.com
        live-terminal.stn100hnd.ctr.sophos.com
        *.mcs-push-server-eu-west-1.prod.hydra.sophos.com
        *.mcs-push-server-eu-central-1.prod.hydra.sophos.com
        *.mcs-push-server-us-west-2.prod.hydra.sophos.com
        *.mcs-push-server-us-east-2.prod.hydra.sophos.com
        *.mcs-push-server.stn100yul.ctr.sophos.com
        *.mcs-push-server.stn100syd.ctr.sophos.com
        *.mcs-push-server.stn100hnd.ctr.sophos.com
        dci.sophosupd.com
        d1.sophosupd.com
        d2.sophosupd.com
        d3.sophosupd.com
        d1.sophosupd.net
        d2.sophosupd.net
        d3.sophosupd.net
        t1.sophosupd.com
        sus.sophosupd.com
        sus.sophosupd.net
        sdds3.sophosupd.com
        sdds3.sophosupd.net
        sdu-feedback.sophos.com
        sophosxl.net
        4.sophosxl.net
        samples.sophosxl.net
        cloud.sophos.com
        id.sophos.com
        central.sophos.com
        downloads.sophos.com
        api-cloudstation-eu-central-1.prod.hydra.sophos.com

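The Sophos reply above describes pulling the contact hostnames out of SophosCloudInstaller.log, and the follow-up shows an XG host list where a root-level wildcard did not cover a host that an explicit entry did. The script below is an added example written for this thread, not Sophos or XG code: it extracts the hosts from the two log-line prefixes the reply names and checks each against an allowlist. The log text and the allowlist are constructed samples modelled on what is quoted in the thread. The `single_label_wildcard` switch is an assumption used to show one way a wildcard entry can fail to cover a deep hostname (a `*` that spans only one DNS label); the thread does not state why XG's `*.sophos.com` entry was unreliable, so treat that mode as an illustration, not a description of XG's matching.

```python
import fnmatch
import re

# Constructed sample in the format of the installer log quoted in the thread
# (not a real log file; the hostnames are the ones the thread discusses).
SAMPLE_LOG = """\
2021-11-18T13:50:44.3309692Z INFO : Model::server value changed to: mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
2021-11-18T13:50:44.3309692Z INFO : Attempting to connect using proxy '' of type 'Empty Proxy'.
2021-11-18T13:50:44.3309692Z INFO : Opening connection to api-cloudstation-eu-central-1.prod.hydra.sophos.com
2021-11-18T13:51:47.4005030Z ERROR : WinHttpSendRequest failed with error 12002
"""

# Constructed allowlist: a root wildcard plus one explicit MCS host, as in the
# XG list above, but without the api-cloudstation entry that was added later.
SAMPLE_ALLOWLIST = [
    "*.sophos.com",
    "mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com",
]

# The two line prefixes the Sophos reply says to look for in SophosCloudInstaller.log.
HOST_PATTERNS = [
    re.compile(r"Model::server value changed to:\s*(\S+)"),
    re.compile(r"Opening connection to\s+(\S+)"),
]


def extract_hosts(log_text):
    """Return the distinct hostnames the installer reports, in order of first appearance."""
    found = []
    for line in log_text.splitlines():
        for pat in HOST_PATTERNS:
            m = pat.search(line)
            if m:
                host = m.group(1).strip().rstrip(".").lower()
                if host not in found:
                    found.append(host)
    return found


def host_matches(pattern, host, single_label_wildcard=False):
    """True if `host` is covered by the allowlist entry `pattern`.

    single_label_wildcard=False: '*' spans any number of labels (fnmatch semantics),
    so '*.sophos.com' covers 'a.b.c.sophos.com'.
    single_label_wildcard=True: '*' covers exactly one DNS label (assumed behaviour,
    modelled here only to show why a root wildcard can miss deep hostnames).
    """
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    if not single_label_wildcard:
        return fnmatch.fnmatchcase(host, pattern)
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def missing_hosts(hosts, allowlist, single_label_wildcard=False):
    """Hosts from the log that no allowlist entry covers; these are the ones to add."""
    return [
        h for h in hosts
        if not any(host_matches(a, h, single_label_wildcard) for a in allowlist)
    ]


if __name__ == "__main__":
    hosts = extract_hosts(SAMPLE_LOG)
    print("hosts contacted by the installer:", hosts)
    print("missing (wildcard spans labels):", missing_hosts(hosts, SAMPLE_ALLOWLIST))
    print("missing (wildcard = one label): ",
          missing_hosts(hosts, SAMPLE_ALLOWLIST, single_label_wildcard=True))
```

Run against a real log by replacing SAMPLE_LOG with the contents of C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller.log and SAMPLE_ALLOWLIST with your firewall's host list; any hostname the second report lists is a candidate for an explicit entry, which is the workaround the thread settled on.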