Sophos Intercept X (Endpoint), Sophos XG and iBoss Web Filtering

* Posting here as it touches multiple Sophos products *

We currently have a client that has been experiencing significant issues since early last week whereby users of the VPN are being intermittently disconnected, with a 'cypher' error detailed within the Sophos Connect client log.

For clarity, they have Sophos Intercept X deployed on all endpoints, and use Sophos Connect to access the corporate network via VPN. The VPN has a split tunnel configuration, with all traffic not destined for corporate internal IP addresses 'sent out' via their local internet breakout, with the traffic protected by iBoss Web Filtering.

Within the local network there have been no changes, and up until this point both Sophos and iBoss have been unable to identify a root cause. From initial testing, disabling the iBoss Service appears to 'resolve' the issue. This has been fed back to iBoss, and in turn they said that 'there is an outstanding issue with iBoss and Sophos AV that we are waiting on Sophos to resolve'. Now I don't know how true this is, but is anyone else using this, or a similar, configuration and experiencing similar issues?

  • Tom,

    We are experiencing similar issues, but we use the FortiClient VPN client.  It seems to have started mid-week last week.  Other things have also been affected, though, including:


    Getting "Failed - Network error" when attempting to download large files from SharePoint Online/OneDrive (also accompanied by "Windows Defender SmartScreen is downloading from OneDrive" notification in Windows).

    Getting errors when trying to open synced files in a user's OneDrive.  One of the errors we've seen is "The cloud operation was not completed before the time-out period expired."

    Getting a "Security Certificate was revoked" for outlook.office365.com message when opening Outlook

    All these issues seem to be temporarily resolved by stopping the IBSA service, but only occur if Sophos is installed and updated.  The versions we have observed are:

    IBSA Version: 5.3.120
    Sophos Core Agent: 2022.2.1.9
    Sophos Intercept X: 2022.1.1.11
    Sophos Endpoint Protection: 10.8.11.4
    Sophos Device Encryption: 2022.1.0.58
    Sophos XDR: 2022.2.1.9

  • Thank you Ian, this is very interesting. Have Sophos and/or iBoss been able to identify any root cause or provide guidance for further investigation?

    I am awaiting contact from our Sophos Technical Account Manager to clarify the (unverified) claim from iBoss that there is a ‘known issue’ between the two pieces of software.

  • Not yet.  I just now put in the ticket, because we've only just narrowed the issue down to Sophos (a machine running ONLY iBoss functions correctly).  I did run across this similar known issue that made me suspect Sophos in the first place, however:  support.sophos.com/.../KB-000044388

  • That’s an interesting find, thanks for sharing. If you wouldn’t mind could you please update the thread with any breakthroughs from Sophos support and I’ll do likewise. 

  • For sure!  We just got this from our ticket with iBoss:

    "Thank you for contacting iboss support. At this time our solution is to place the ibsa (iboss Windows connector service name) onto the Sophos global exclusion list. Additionally we recommend bypassing your iboss cloud gateway public IP addresses in Sophos as well. The devices will most likely need to be restarted for them to pull the latest update(s) from Sophos. Please let us know if you have any questions or concerns."
