
Allow Sophos Central Installation & Update through Sophos UTM

Hi All,

We are having difficulty both installing and updating Cloud Endpoints that are on our LAN, behind a Sophos UTM.

Currently we don't have firewall ports open to an ANY destination; all browsing is through the Sophos UTM Proxy. We have exceptions as per https://community.sophos.com/kb/en-us/121936 set up in both Web Protection > Filtering Options > Exceptions (All exceptions selected). Domains appear like this in Sophos UTM:

^https?://[A-Za-z0-9.-]*\.sophosupd\.com/
^https?://[A-Za-z0-9.-]*\.sophosupd\.net/
^https?://[A-Za-z0-9.-]*\.sophosxl\.net/
^https?://[A-Za-z0-9.-]*\.sophos\.com/
^https?://[A-Za-z0-9.-]*\.globalsign\.com/

I have also added a Firewall rule, LAN > HTTP & HTTPS > [DNS Groups with above domains]

But still not working.

The systems have the proxy configured OK, when running netsh winhttp show proxy the correct proxy does come up... but still no installation...
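
An offline check of what the five exception patterns quoted in the post above actually cover, as an added example that is not part of the original post or any Sophos tooling. It assumes Python's re module in place of the UTM's own regex engine, and every sample URL is constructed for the test.

```python
import re

# Exception patterns exactly as quoted in the post.
PATTERNS = [
    r"^https?://[A-Za-z0-9.-]*\.sophosupd\.com/",
    r"^https?://[A-Za-z0-9.-]*\.sophosupd\.net/",
    r"^https?://[A-Za-z0-9.-]*\.sophosxl\.net/",
    r"^https?://[A-Za-z0-9.-]*\.sophos\.com/",
    r"^https?://[A-Za-z0-9.-]*\.globalsign\.com/",
]
COMPILED = [re.compile(p) for p in PATTERNS]


def matching_pattern(url):
    """Return the first exception pattern that matches url, or None."""
    for rx in COMPILED:
        if rx.search(url):
            return rx.pattern
    return None


# Constructed sample URLs (hostnames and paths are made up for this check).
SAMPLES = [
    "https://d1.sophosupd.com/update/catalogue",  # subdomain: covered
    "http://a.b.sophosxl.net/lookup",             # nested subdomain: covered
    "https://sophos.com/",                  # bare domain: "\." needs a label first
    "https://d1.sophosupd.com:443/update",  # explicit port: ":" precedes the "/"
    "https://d1.sophosupd.com",             # no trailing slash
    "https://sophosupd.com.example.net/",   # vendor name used as a prefix label
    "https://example.net/.sophos.com/",     # vendor name placed in the path
    "https://notsophos.com/",               # no dot in front of "sophos"
]


def report(urls=SAMPLES):
    """Map each URL to True if an exception pattern exempts it from filtering."""
    return {u: matching_pattern(u) is not None for u in urls}


if __name__ == "__main__":
    for url, hit in report().items():
        print(f"{'EXEMPT  ' if hit else 'FILTERED'}  {url}")
```

Only true subdomains followed directly by a slash are exempted; the bare domain, an explicit port and the lookalike forms all stay subject to normal filtering.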



  • Hi RStrokes,

    I have tested the scenario and found that the update would fail if there is HTTPS Decryption/Scanning enabled on the firewall rule, and tested with an ALLOW ALL policy. The update would require unaltered communication using the certificate installed on the Sophos Endpoint, not the Sophos XG appliance. I would recommend that you create a category "Sophos Central" and add the keywords "sophosupd", "sophosxl", "sophos" and "globalsign". The next step is to bypass the category under HTTPS scanning exceptions.

    To bypass the category, please refer to Article 123360: https://community.sophos.com/kb/en-us/123360. If it does not work out, then you may check the Log Viewer for any website/signature blocked by policy.

    Thanks and Regards 

    Aditya Patel | Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Thanks, the above is step 1, then you have another 1 or 2 steps, depending on network config:

    2nd after the above: Exactly as above, but you also have to skip caching too in addition to HTTPS scanning. With caching on (i.e. that box unticked) new installs will fail.


    Additionally, if you have proxy auto discover by DNS & WPAD in Windows Server 2003 or newer, you will need to remove WPAD from this entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters

    See support.microsoft.com/.../2003485 for info re above.

    Then you need to do (or wait for) ipconfig /release and then ipconfig /renew

    Once this is done, all solved.

    Remember: Fixed IP machines (fixed from server or from Windows client) will need refreshing too.
