Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 3 subscribers
  • Views 28260 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos EndPoint & Barracuda Web Filter

mrcjc

I am attempting a post before contacting technical support directly to see if anyone else is having this issue or might know a fix. Currently we run about 400 AV's in our enviorment and use a front end web filter from Barracuda. I created a specifc account for sophos to manage/install updates for all the clients, I am running an update client at every physical location, with a updating policy pointing to the apporpiate update nodes per site.

Everything works great, our issue is this. When Sophos client reaches out for updates "Assuming that is what this is" in our barracuda we see "SUM" this is the user I made in AD for accessing the update node per out AV clients "PC's". At first this didnt seem like an issue. However after further use, it appeared that once Sophos EndPoint used this account via Active Directoy, it gave our users wide open access to the internet "By passing our barracuda" In fact the traffic still goes through the Barracuda it just shows the user as "SUM" when in reality we know it is an actual user based on the clients IP from any specifc location with in our company.

My question is, why does my AV client reach out to Sophos online if I have it configured to only talk to the Update node on site?

Here is an address it reaches out too:

http://http.00.s.sophosxl.net/V3/01/86.37.194.173.ip/

What is this and how can I stop the clients from trying to talk to sophos directly. I only want them to get their updates via our specifed nodes.

Here is another example:

I have a user blocked from facebook but the computer reaches out that ‘‘‘‘sophos proxy above’’’’ and then it finds the IP.  Which pretty much renders our web barracuda useless.  It doesn’’’’t do it all the time though. So it almost uses Sophos as a proxy and then redirects to the web address.

Any help on this would be greatly appricated! As of right now some of our users have figured out there is some sort of loop hole in our web filter and are abusing the heck out of the internet! Even with managers warning them it doesnt appear to be enough, we need to get a solution for this and quickly.

Thank you,

Chris

:51458


This thread was automatically locked due to age.
Parents
  • 0

    I appricate the reply, Allow me to explain in further detail.

    We have 2 different scenarios here

    Scenario 1:

    We have a web proxy in place (barracuda) and blocks users based on websites, categories, etc.  So while ‘‘‘‘facebook.com’’’’ is blocked a user is not allowed access into that website.  With the install of Sophos AV, we noticed that users are randomly allowed access into the facebook website.  After looking at the proxy web logs, it shows the user going to this website

    http://http.00.s.sophosxl.net/V3/01/79.208.201.54.ip/ (just grabbed a random example but same concept).  If that were the facebook IP at the end, our AV has essentially ‘‘‘‘bypassed’’’’ our web proxy and allowed them through to the website.  Basically our web proxy doesn’’’’t see anything wrong with a sophosxl.net web request and just allows the site through after it passes any spyware/virus checks.  It pretty much deems our web proxy useless.  There doesn’’’’t seem to be a fix for this but is there an option to turn this off this live checking in the console?

    Scenario 2:  We set up a username in our AD environment called ‘‘‘‘SUM’’’’.  In our updating we set the computers to update every 10 hours to an appropriate Update Manager (Local).  So as a computer checks in, it uses the username ‘‘‘‘SUM’’’’ to download updates from the Update Manager.  Which is all fine and dandy but it essentially opens up the window for 10-20 minutes while the SUM username is active.  Once it is finished doing what it needs to do, the web proxy sees the computer switch back to the original AD username.  At the end of the day, we see this SUM username rack up about 2-4GB of internet download as a cumulative across the board.  If we set the computers to update every 2 hours, the total internet download comes out to 15-20GB a day.  It’’’’s not like a user knows when that window opens up but if they happen to ‘‘‘‘catch’’’’ the window then it is a free for all again.  Because it has to switch to this special username to update, it wreaks havoc for us behind the scenes using a proxy.  A typically user with no access shows like this:

    Rharris:  facebook.com blocked

    Rharris:  msn.com blocked

    SUM:  youtube.com allowed

    SUM:  espn.com allowed

    Rharris:  youtube.com blocked

    I hope this is more clear cut than my previeous explenation.

    Thank you,

    :51568
Reply
  • 0

    I appricate the reply, Allow me to explain in further detail.

    We have 2 different scenarios here

    Scenario 1:

    We have a web proxy in place (barracuda) and blocks users based on websites, categories, etc.  So while ‘‘‘‘facebook.com’’’’ is blocked a user is not allowed access into that website.  With the install of Sophos AV, we noticed that users are randomly allowed access into the facebook website.  After looking at the proxy web logs, it shows the user going to this website

    http://http.00.s.sophosxl.net/V3/01/79.208.201.54.ip/ (just grabbed a random example but same concept).  If that were the facebook IP at the end, our AV has essentially ‘‘‘‘bypassed’’’’ our web proxy and allowed them through to the website.  Basically our web proxy doesn’’’’t see anything wrong with a sophosxl.net web request and just allows the site through after it passes any spyware/virus checks.  It pretty much deems our web proxy useless.  There doesn’’’’t seem to be a fix for this but is there an option to turn this off this live checking in the console?

    Scenario 2:  We set up a username in our AD environment called ‘‘‘‘SUM’’’’.  In our updating we set the computers to update every 10 hours to an appropriate Update Manager (Local).  So as a computer checks in, it uses the username ‘‘‘‘SUM’’’’ to download updates from the Update Manager.  Which is all fine and dandy but it essentially opens up the window for 10-20 minutes while the SUM username is active.  Once it is finished doing what it needs to do, the web proxy sees the computer switch back to the original AD username.  At the end of the day, we see this SUM username rack up about 2-4GB of internet download as a cumulative across the board.  If we set the computers to update every 2 hours, the total internet download comes out to 15-20GB a day.  It’’’’s not like a user knows when that window opens up but if they happen to ‘‘‘‘catch’’’’ the window then it is a free for all again.  Because it has to switch to this special username to update, it wreaks havoc for us behind the scenes using a proxy.  A typically user with no access shows like this:

    Rharris:  facebook.com blocked

    Rharris:  msn.com blocked

    SUM:  youtube.com allowed

    SUM:  espn.com allowed

    Rharris:  youtube.com blocked

    I hope this is more clear cut than my previeous explenation.

    Thank you,

    :51568
Children
No Data
Unfiltered HTML