Allow Sophos Central Installation & Update through Sophos UTM

Question

Hi All, 
 We are having a difficulty both installing and updating Cloud Endpoints that are on our LAN, behind a Sophos UTM. 
 Currently we dont have Firewall ports open to an ANY destination, all browsing is through the Sophos UTM Proxy. We have exceptions as per https://community.sophos.com/kb/en-us/121936 set up in both Web Protection > Filtering Options > Exceptions (All exceptions selected). Domains appear like this in Sophos UTM: 
 ^https?://[A-Za-z0-9.-]*\.sophosupd\.com/ ^https?://[A-Za-z0-9.-]*\.sophosupd\.net/ ^https?://[A-Za-z0-9.-]*\.sophosxl\.net/ ^https?://[A-Za-z0-9.-]*\.sophos\.com/ ^https?://[A-Za-z0-9.-]*\.globalsign\.com/ 
 I have also added a Firewall rule, LAN > HTTP & HTTPS > [DNS Groups with above domains] 
 But still not working. 
 The systems have the proxy configured OK, when running netsh winhttp show proxy the correct proxy does come up... but still no installation...

RStokes · Accepted Answer

Thanks, the above is step 1, then you have another 1 or 2 steps, depending on network config: 
 
 2nd after the above: Exactly as above, but you also have to skip caching too in addition to HTTPS scanning. With caching on (ie that box untcked ) new installs will fail 
 Additionally, if you have proxy auto discover by DNS & WPAD in Windows Server 2003 or newer, you will need to remove WPAD from this entry: 
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters 
 See support.microsoft.com/.../2003485 for info re above. 
 Then you need to do (or wait for) IPconfig /release and then ipconfig /renew 
 Once this is done, all solved. 
 Remember: Fixed IP machines (fixed from server or from windows client), they will need refreashing too.

Aditya Patel · Answer

HI RStrokes, 
 I have tested the scenario and found that the Update would fail if there HTTPS Decryption/Scanning Enabled on the Firewall rule and Tested with ALLOW ALL policy . The update would require unaltered Communication using Certificate installed on Sophos Endpoint, not Sophos XG appliance . I would recommend you to create Category "Sophos Central" and add the keywords "sophosupd","sophosxl","sophos" and "globalsign". The next step is to Bypass the category under HTTPS scanning exceptions . 
 To Bypass the category please refer the Article 123360 https://community.sophos.com/kb/en-us/123360 . If i does not work out then you may check the log Viewer for any website/signature blocked by Policy . 
 Thanks and Regards 
 Aditya Patel | Network and Security Engineer.