
Can no longer log into central.sophos.com from Migration Tool.

I'm in the middle of migrating all of our endpoints to Sophos Cloud using the Migration Tool with 1000+ machines left to migrate. Yesterday around 1pm EST I was kicked out of the tool and now it will no longer allow me to log in. What changed in yesterday's update to the website that is preventing login? I cannot get into the Migration Tool, or into the Sophos Cloud website. The server running SEC is 2003 R2 SP2 and we cannot seem to hit the website from any server running that flavor of OS now.



  • Hi RoSt,

    It seems there was an issue with the authentication on Sophos Central and we apologize for such inconvenience. I would advise you to raise a Service Request and please private message me the SR ID.

    Thanks and Regards 

    Aditya Patel  | Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • After running Wireshark and looking at the logs I found the issue.  When Sophos updated their cloud site they disabled support for TLS 1.0 which is the only version 2003 R2 and XP support with IE8 installed.  They said they are supporting XP through Dec, and 2003 R2 until Feb, so I guess someone dropped the ball. Until they fix it on their end there isn't much you can do.  

    Our on-premise license expired today, so rather than wait for them I'm going to stand up a new 2008 R2 VM, migrate the db and certificates to that, and install SEC. Once that is done I should be able to resume the migration.

    All this work will probably take less time than them getting around to enabling TLS 1.0 again.

    • Another solution... which is what we are doing now instead of dealing with the hassle of moving SEC to a new server, is to go into IE and adjust the proxy to point to a proxy server that can handle the TLS ciphers for the 2003 server.  My network guy installed Fiddler Proxy on a 2008 R2 server and as soon as I adjusted the settings in IE and added a cert to trust the proxy server I was up and running again.  Took about 15-20 minutes.

      • I tried this but the Migration Tool came up saying that it does not trust the Sophos certificate presented to it...

        I did trust it through the browser and checked the cert stores locally.

      • For anyone else that has this issue, follow the steps below to resolve it. This only applies to Server 2003 environments at this stage.

        1. Apply all available recommended Windows Updates.
        2. Get the updated root certificate of GlobalSign by downloading and installing the R2 GlobalSign Root Certificate:

          https://support.globalsign.com/customer/portal/articles/1426602-globalsign-root-certificates

          Note: Thumbprint: 75:e0:ab:b6:13:85:12:27:1c:04:f8:5f:dd:de:38:e4:b7:24:2e:fe
        3. Download the Microsoft SHA256 support hotfix https://support.microsoft.com/en-us/kb/938397 and install it.
        4. Download the Microsoft AES support hotfix https://support.microsoft.com/en-gb/kb/948963 and install it.
        5. If this still does not work, please visit https://support.globalsign.com/customer/portal/articles/1434478-update-globalsign-root-certificate---windows-xp-windows-2000 and follow the Manual fix directions (It does not state 2003, but it is impacted and the instructions are the same).
        6. Visit https://www.digicert.com/digicert-root-certificates.htm and download and install the DigiCert Assured ID Root CA as a Root Certification Authority.
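
Steps 2 and 6 add new roots to the machine's trust store, so the downloaded file should be compared against the published thumbprint before it is installed. The Python check below is an added example, not part of the original posts; the function names and the stand-in sample bytes are constructed here, and only the thumbprint value comes from step 2.

```python
import base64
import hashlib
import hmac
import re
import sys

# SHA-1 thumbprint of the GlobalSign R2 root, as quoted in step 2 of the post.
GLOBALSIGN_R2_THUMBPRINT = "75:e0:ab:b6:13:85:12:27:1c:04:f8:5f:dd:de:38:e4:b7:24:2e:fe"

# Constructed stand-in input (a tiny DER SEQUENCE, not a real certificate).
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a certificate file that is either PEM or raw DER."""
    match = _PEM_RE.search(data)
    if match:
        return base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if not data.startswith(b"\x30"):  # every DER certificate starts with SEQUENCE
        raise ValueError("not a PEM or DER certificate")
    return data


def normalize_thumbprint(text: str) -> str:
    """Accept 'AA:BB', 'aa bb' or 'AABB' forms; return 40 lowercase hex digits."""
    # U+200E is an invisible mark that can ride along when copying from a GUI.
    digits = re.sub(r"[\s:\u200e]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("a SHA-1 thumbprint is exactly 40 hex digits")
    return digits


def sha1_thumbprint(cert_bytes: bytes) -> str:
    """The thumbprint is the SHA-1 digest of the DER encoding, not of the PEM text."""
    return hashlib.sha1(to_der(cert_bytes)).hexdigest()


def matches_published(cert_bytes: bytes, published: str) -> bool:
    return hmac.compare_digest(sha1_thumbprint(cert_bytes), normalize_thumbprint(published))


if __name__ == "__main__":
    # Usage: python check_root.py downloaded_root.cer
    with open(sys.argv[1], "rb") as fh:
        ok = matches_published(fh.read(), GLOBALSIGN_R2_THUMBPRINT)
    print("thumbprint matches" if ok else "MISMATCH: do not install")
    sys.exit(0 if ok else 1)
```

Run it on the downloaded file before importing it; the same check applies to any proxy or root certificate that is about to be trusted, provided the publisher's thumbprint was obtained separately from the file.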