
Sophos MCS Client connection problems

We are getting this error on a laptop that has not checked in for 3 days. This is from the mcsclient.log. We are also running the iboss client.

2016-08-01T12:14:42.888Z [ 2304] INFO [connect] trying server dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com/.../ep
2016-08-01T12:14:42.888Z [ 2304] INFO [connect: system proxy] trying direct connection without a proxy
2016-08-01T12:14:42.888Z [ 2304] INFO GET dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com:443/.../ep
2016-08-01T12:14:43.108Z [ 2304] ERROR 2014: server certificate failed validation [subject GB, Oxfordshire, Sophos Ltd, SaaS, *.prod.hydra.sophos.com ]
2016-08-01T12:14:43.108Z [ 2304] ERROR 2014: server certificate failed validation [issuer EN, iBossSecurity 2 ]
2016-08-01T12:14:43.108Z [ 2304] ERROR Request: WinHttpSendRequest failed: 12017 (dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com:443)
2016-08-01T12:14:43.124Z [ 2304] INFO [connect: autodiscovered proxy] discovering proxy autoconfig url
2016-08-01T12:14:43.124Z [ 2304] INFO [connect: direct] trying direct connection without a proxy
2016-08-01T12:14:43.124Z [ 2304] INFO GET dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com:443/.../ep
2016-08-01T12:14:43.331Z [ 2304] ERROR 2014: server certificate failed validation [subject GB, Oxfordshire, Sophos Ltd, SaaS, *.prod.hydra.sophos.com ]
2016-08-01T12:14:43.331Z [ 2304] ERROR 2014: server certificate failed validation [issuer EN, iBossSecurity 2 ]
2016-08-01T12:14:43.331Z [ 2304] ERROR Request: WinHttpSendRequest failed: 12017 (dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com:443)
2016-08-01T12:14:43.331Z [ 2304] WARN [connect] no configured servers working; falling back to last known good server
2016-08-01T12:14:43.331Z [ 2304] INFO [connect] trying server dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com/.../ep
2016-08-01T12:14:43.331Z [ 2304] INFO [connect: direct] trying direct connection without a proxy
2016-08-01T12:14:43.331Z [ 2304] INFO GET dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com:443/.../ep
2016-08-01T12:14:43.535Z [ 2304] ERROR 2014: server certificate failed validation [subject GB, Oxfordshire, Sophos Ltd, SaaS, *.prod.hydra.sophos.com ]
2016-08-01T12:14:43.535Z [ 2304] ERROR 2014: server certificate failed validation [issuer EN, iBossSecurity 2 ]
2016-08-01T12:14:43.535Z [ 2304] ERROR Request: WinHttpSendRequest failed: 12017 (dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com:443)
2016-08-01T12:14:43.535Z [ 2304] WARN [connect] no working servers
2016-08-01T12:14:43.535Z [ 2304] INFO [backoff] waiting 1800s after failures: 119

I get this when going to the website listed, on that computer.

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<ns:server xmlns:ns="www.sophos.com/.../>


  • Is the traffic going through this iBoss device being decrypted? i.e. man-in-the-middled for inspection? It looks like it if the MCS client is getting back [issuer EN, iBossSecurity 2 ].

    If so, can you bypass the decryption for *.hmr.sophos.com or *.sophos.com?  

    If it's IP only for exclusions, if you nslookup dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com a few times, clearing the resolver cache, to get a few IPs, does it work? This would at least prove that iBoss is the cause.

    Regards,

    Jak

  • Thanks for the info. Yes, I found the iboss was doing gateway SSL decryption. Hopefully I have figured out how to allow the Sophos MCS client to talk properly.

    Info from the iboss manual:

    The following steps are taken by the iboss decryption engine to perform an SSL interception:

    1. Client computer requests SSL site (i.e. https://www.facebook.com)

    2. iboss intercepts request. iboss then connects to the destination the SSL connection was intended for and fetches the SSL certificate.

    3. iboss creates a spoofed SSL certificate and presents it to the client computer based on the original SSL certificate that was sent by the destination server.

    4. Client communicates with iboss over the encrypted connection established, and iboss forwards requests and responses over the newly established connection between the iboss and the server.
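The interception steps above explain the log in the original post: step 3 is why the MCS client sees a certificate whose subject is Sophos but whose issuer is iBossSecurity, and WinHTTP then refuses the connection with 12017. The script below is an added example, not code from Sophos, iboss or anyone in this thread. It parses mcsclient.log lines (a constructed sample modelled on the post), pairs the subject and issuer halves of each error 2014, and flags any issuer not on an allowlist as a sign that something between the endpoint and the MCS server is re-signing the certificate. The allowlist, the regexes and all function names are assumptions; the real expected issuer should be copied from a known-good client's log.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the mcsclient.log excerpt in the original post.
SAMPLE_LOG = """\
2016-08-01T12:14:42.888Z [ 2304] INFO [connect] trying server dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com/.../ep
2016-08-01T12:14:42.888Z [ 2304] INFO GET dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com:443/.../ep
2016-08-01T12:14:43.108Z [ 2304] ERROR 2014: server certificate failed validation [subject GB, Oxfordshire, Sophos Ltd, SaaS, *.prod.hydra.sophos.com ]
2016-08-01T12:14:43.108Z [ 2304] ERROR 2014: server certificate failed validation [issuer EN, iBossSecurity 2 ]
2016-08-01T12:14:43.108Z [ 2304] ERROR Request: WinHttpSendRequest failed: 12017 (dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com:443)
2016-08-01T12:14:43.535Z [ 2304] WARN [connect] no working servers
2016-08-01T12:14:43.535Z [ 2304] INFO [backoff] waiting 1800s after failures: 119
"""

# Line layout: "<timestamp> [ <pid>] <LEVEL> <message>" (assumed from the excerpt).
LINE_RE = re.compile(r"^(?P<ts>\S+) \[\s*(?P<pid>\d+)\] (?P<level>[A-Z]+) (?P<msg>.*)$")
CERT_RE = re.compile(r"^2014: server certificate failed validation \[(?P<field>subject|issuer) (?P<dn>.*?)\s*\]$")
SEND_RE = re.compile(r"^Request: WinHttpSendRequest failed: (?P<code>\d+) \((?P<host>[^:)]+):(?P<port>\d+)\)$")
BACKOFF_RE = re.compile(r"^\[backoff\] waiting (?P<secs>\d+)s after failures: (?P<count>\d+)$")

# Assumption / placeholder: substrings of the issuer DN a healthy endpoint should see for
# the MCS servers. The thread never names the legitimate CA, so fill this from a client
# that connects correctly. Any issuer matching none of these is treated as interception.
EXPECTED_ISSUER_SUBSTRINGS = ("EXPECTED-CA-PLACEHOLDER",)


def parse_log(text):
    """Split each mcsclient.log line into timestamp, pid, level and message."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def certificate_failures(records):
    """Pair the 'subject' and 'issuer' halves of each error 2014; both halves share a timestamp."""
    pairs = defaultdict(dict)
    for rec in records:
        m = CERT_RE.match(rec["msg"])
        if m:
            pairs[rec["ts"]][m["field"]] = m["dn"]
    return [dict(ts=ts, **dn) for ts, dn in pairs.items() if "subject" in dn and "issuer" in dn]


def interception_suspected(failure, expected_issuers):
    """True when the presented certificate's issuer matches none of the expected issuers."""
    issuer = failure["issuer"].lower()
    return not any(s.lower() in issuer for s in expected_issuers)


def triage(text, expected_issuers=EXPECTED_ISSUER_SUBSTRINGS):
    """Summarise one log excerpt: cert failures, suspected interception, hosts and backoff."""
    records = parse_log(text)
    failures = certificate_failures(records)
    hosts, backoff = set(), None
    for rec in records:
        m = SEND_RE.match(rec["msg"])
        # 12017 is ERROR_WINHTTP_OPERATION_CANCELLED, what WinHTTP reports after cert validation fails.
        if m and m["code"] == "12017":
            hosts.add(m["host"])
        b = BACKOFF_RE.match(rec["msg"])
        if b:
            backoff = int(b["secs"])
    suspects = [f for f in failures if interception_suspected(f, expected_issuers)]
    return {
        "failures": failures,
        "suspected_interception": suspects,
        "unexpected_issuers": sorted({f["issuer"] for f in suspects}),
        "failed_hosts": sorted(hosts),
        "backoff_seconds": backoff,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["suspected_interception"]:
        print(f"{f['ts']} cert for [{f['subject']}] issued by [{f['issuer']}] -> TLS interception suspected")
    print("hosts affected:", result["failed_hosts"], "| client backs off for", result["backoff_seconds"], "s")
```

Run it against a real mcsclient.log with `triage(open(path).read())`. Because the 1800 s backoff means a single wrong issuer keeps the endpoint silent for half an hour between retries, the `failed_hosts` list is what goes into the gateway's decryption bypass (the `*.hmr.sophos.com` exclusion suggested earlier in the thread), and the `unexpected_issuers` value tells you which device is re-signing.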