Sophos Intercept X (Endpoint), Sophos XG and iBoss Web Filtering

* Posting here as it touches multiple Sophos products *

We currently have a client that are experiencing significant issues since early last week whereby users of the VPN are being intermittently disconnected and a 'cypher' error is detailed within the Sophos Connect client log.

For clarity, they have Sophos Intercept X deployed on all endpoints, and use Sophos Connect to access the corporate network via VPN. The VPN has a split tunnel configuration, with all traffic not destined for corporate internal IP addresses 'sent out' via their local internet breakout, with the traffic protected by iBoss Web Filtering.

Within the local network there have been no changes, and up until this point both Sophos and iBoss have been unable to identify the root cause. From initial testing, disabling the iBoss Service appears to 'resolve' the issue. This has been fed back to iBoss, and in turn they said that 'there is an outstanding issue with iBoss and Sophos AV that we are waiting on Sophos to resolve'. Now I don't know how true this is, but is anyone else using this, or a similar, configuration and experiencing similar issues?

  • Ian, I've had confirmation from our Technical Account Manager that there is a known issue between iBoss and Sophos. Sophos' development team are currently working on a resolution, but there are apparently two workarounds available. One has been shared higher in this chain, the other I am waiting on details for. As soon as I have these I'll share them with you.

  • Yes, they escalated our case to the development team.  The only things I've found that have solved the issues so far, though, are uninstalling Sophos (disabling services doesn't seem to do anything), or stopping the IBSA service.  I've temporarily deployed a script to all our machines disabling the IBSA service and scheduling a task to set it back to Automatic in two weeks while we wait for a resolution from Sophos.

  • Hi Ian,

    Out of interest, are you still experiencing the issue? If so, does disabling Network Threat Protection within Sophos ‘resolve’ the issue? We’ve been doing some testing and this doesn’t temporarily resolve it, so wondering if there is a further Sophos issue that feeds into their wider iBoss compatibility issue. 

  • Tom,

    Yes, we are still experiencing the issue, and no, disabling network threat protection doesn't appear to resolve the issue.  We have had to temporarily disable the iBoss service on all our machines, which is obviously not ideal.  In my testing, even if I disabled all Sophos services via the endpoint client on a test machine, the issue persisted.  The only thing I could do on the Sophos end of things that would temporarily resolve the issue was uninstall it from the test machine.

    Thanks,

    Ian

  • Actually, just discovered something that makes me feel a little silly.  If you turn off the service via the endpoint agent (after turning off tamper protection), it doesn't do anything; HOWEVER, if you then go and stop the Sophos Network Protection Service via services.mmc (or CLI), that DOES temporarily resolve the issue.  Not sure why I never thought to test that way.