Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 28256 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos EndPoint & Barracuda Web Filter

mrcjc

I am attempting a post before contacting technical support directly to see if anyone else is having this issue or might know a fix. Currently we run about 400 AV's in our enviorment and use a front end web filter from Barracuda. I created a specifc account for sophos to manage/install updates for all the clients, I am running an update client at every physical location, with a updating policy pointing to the apporpiate update nodes per site.

Everything works great, our issue is this. When Sophos client reaches out for updates "Assuming that is what this is" in our barracuda we see "SUM" this is the user I made in AD for accessing the update node per out AV clients "PC's". At first this didnt seem like an issue. However after further use, it appeared that once Sophos EndPoint used this account via Active Directoy, it gave our users wide open access to the internet "By passing our barracuda" In fact the traffic still goes through the Barracuda it just shows the user as "SUM" when in reality we know it is an actual user based on the clients IP from any specifc location with in our company.

My question is, why does my AV client reach out to Sophos online if I have it configured to only talk to the Update node on site?

Here is an address it reaches out too:

http://http.00.s.sophosxl.net/V3/01/86.37.194.173.ip/

What is this and how can I stop the clients from trying to talk to sophos directly. I only want them to get their updates via our specifed nodes.

Here is another example:

I have a user blocked from facebook but the computer reaches out that ‘‘‘‘sophos proxy above’’’’ and then it finds the IP.  Which pretty much renders our web barracuda useless.  It doesn’’’’t do it all the time though. So it almost uses Sophos as a proxy and then redirects to the web address.

Any help on this would be greatly appricated! As of right now some of our users have figured out there is some sort of loop hole in our web filter and are abusing the heck out of the internet! Even with managers warning them it doesnt appear to be enough, we need to get a solution for this and quickly.

Thank you,

Chris

:51458


This thread was automatically locked due to age.
Parents
  • 0

    Hello mrcjc,

    you're using a flowery language rather than giving a technical description (no offence meant) so I'm not sure I understand you correctly. Maybe you can rephrase and restructure your presentation of the issue.

    In the hope it is of some help I'll try to explain what the software on the endpoint does (and does not):

    • Updating: Assuming the endpoints update from a Web CID they make a connection to port 80 on the specified server, if necessary (when requested by the server) authenticating with the username and password in the policy. If a(n explicit) proxy is required it has to be configured in the policy, the Internet Options proxy setting is ignored.

    Now to this SXL stuff, to quote from the GlossaryClient machines will performed (sic!) SXL lookups to Sophos hosted SXL servers. The servers contain an expanded data set that may be checked by clients for different reasons. Live protection uses SXL lookups to check if there is any additional information about a file SAV is scanning. SXL lookups are also used for Web Protection (to determine if a high risk website is being requested), Web Control (to determined (sic!) the web category of the requested website) and SAV Whitelisting.

    Live Protection (part of AV-scanning) uses DNS for queries and optionally (and if required) HTTP for uploads. There is no authentication involved.

    Web Protection makes HTTP requests (as the one you've quoted) to asses the potential risk of a site (name or IP) or URI requested by the browser. AFAIK it uses (on Windows) the Internet Options proxy settings. Depending on the response received It either allows the browser to proceed or blocks the request (presenting an appropriate error page when applicable). Note that it just intercepts the browser request, it neither performs a lookup on behalf of the browser nor does it redirect (or proxy) the traffic. 

    Can't see what should enable the user to bypass the Barracuda. I'd rather suspect an inappropriate configuration of the Barracuda - but then, I have no knowledge of these (and in addition I might have misread you).

    Christian   

    :51522
Reply
  • 0

    Hello mrcjc,

    you're using a flowery language rather than giving a technical description (no offence meant) so I'm not sure I understand you correctly. Maybe you can rephrase and restructure your presentation of the issue.

    In the hope it is of some help I'll try to explain what the software on the endpoint does (and does not):

    • Updating: Assuming the endpoints update from a Web CID they make a connection to port 80 on the specified server, if necessary (when requested by the server) authenticating with the username and password in the policy. If a(n explicit) proxy is required it has to be configured in the policy, the Internet Options proxy setting is ignored.

    Now to this SXL stuff, to quote from the GlossaryClient machines will performed (sic!) SXL lookups to Sophos hosted SXL servers. The servers contain an expanded data set that may be checked by clients for different reasons. Live protection uses SXL lookups to check if there is any additional information about a file SAV is scanning. SXL lookups are also used for Web Protection (to determine if a high risk website is being requested), Web Control (to determined (sic!) the web category of the requested website) and SAV Whitelisting.

    Live Protection (part of AV-scanning) uses DNS for queries and optionally (and if required) HTTP for uploads. There is no authentication involved.

    Web Protection makes HTTP requests (as the one you've quoted) to asses the potential risk of a site (name or IP) or URI requested by the browser. AFAIK it uses (on Windows) the Internet Options proxy settings. Depending on the response received It either allows the browser to proceed or blocks the request (presenting an appropriate error page when applicable). Note that it just intercepts the browser request, it neither performs a lookup on behalf of the browser nor does it redirect (or proxy) the traffic. 

    Can't see what should enable the user to bypass the Barracuda. I'd rather suspect an inappropriate configuration of the Barracuda - but then, I have no knowledge of these (and in addition I might have misread you).

    Christian   

    :51522
Children
No Data
Unfiltered HTML