
Sophos EndPoint & Barracuda Web Filter

I am attempting a post before contacting technical support directly to see if anyone else is having this issue or might know a fix. Currently we run about 400 AVs in our environment and use a front end web filter from Barracuda. I created a specific account for Sophos to manage/install updates for all the clients. I am running an update client at every physical location, with an updating policy pointing to the appropriate update nodes per site.

Everything works great; our issue is this. When the Sophos client reaches out for updates (assuming that is what this is), in our Barracuda we see "SUM". This is the user I made in AD for accessing the update node for our AV clients (PCs). At first this didn't seem like an issue. However, after further use, it appeared that once Sophos Endpoint used this account via Active Directory, it gave our users wide open access to the internet, bypassing our Barracuda. In fact the traffic still goes through the Barracuda; it just shows the user as "SUM", when in reality we know it is an actual user based on the client's IP from any specific location within our company.

My question is, why does my AV client reach out to Sophos online if I have it configured to only talk to the Update node on site?

Here is an address it reaches out to:

http://http.00.s.sophosxl.net/V3/01/86.37.194.173.ip/

What is this, and how can I stop the clients from trying to talk to Sophos directly? I only want them to get their updates via our specified nodes.

Here is another example:

I have a user blocked from Facebook, but the computer reaches out to that "Sophos proxy" above and then it finds the IP, which pretty much renders our Barracuda web filter useless. It doesn't do it all the time, though. So it almost uses Sophos as a proxy and then redirects to the web address.

Any help on this would be greatly appreciated! As of right now some of our users have figured out there is some sort of loophole in our web filter and are abusing the heck out of the internet! Even with managers warning them it doesn't appear to be enough; we need to get a solution for this, and quickly.

Thank you,

Chris



  • There may actually be a super simple answer to this... We ran into the exact issue but with Meraki content filtering... The SophosUpdateMgr service account kept triggering logon events that were then causing end user PCs to show SophosUpdateMgr as the logged in user.

    We just created a local account on the Sophos server, which is not a DC in our case, and changed the update policy to use servername\SophosUpdateMgr instead of domain\SophosUpdateMgr. Now updates still happen, but the stupid service no longer interferes with 3rd party web filtering.

    Also make sure to update the share and NTFS permissions on the UpdateManager directory to match.

    Hopefully this continues to work in the long term, but it seems good for now.

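To illustrate the mechanism behind the reply above, here is an added example (not code from this thread, nor from Sophos, Barracuda or Meraki) that models how an identity-aware web filter builds its IP-to-user table from logon events, why a domain service account used for AV updates ends up overwriting the real user on every workstation, and how the two fixes discussed (a local account on the update server, or excluding the service account from the mapping) change the result. The filter logic, the CORP domain, the SOPHOSSRV host name and the sample events are assumptions; it also includes a small check a defender can run over exported logon events to find which workstations were relabelled.

```python
from collections import namedtuple

# A logon event as an identity-aware filter sees it (constructed model):
# ip = workstation the logon was attributed to, user = account name,
# domain = authenticating domain or, for a local account, the host holding it.
LogonEvent = namedtuple("LogonEvent", "ip user domain")

def map_ip_to_user(events, tracked_domain, excluded_users=()):
    """Naive 'last domain logon wins' IP-to-user table (assumed filter logic).
    Logons from other domains/hosts (local accounts) never enter the table,
    and accounts listed in excluded_users are ignored."""
    excluded = {u.lower() for u in excluded_users}
    table = {}
    for ev in events:
        if ev.domain.lower() != tracked_domain.lower():
            continue
        if ev.user.lower() in excluded:
            continue
        table[ev.ip] = ev.user
    return table

def clobbered_workstations(events, tracked_domain, service_accounts):
    """Detection aid: (ip, real_user, service_account) for every workstation
    where a service-account logon overwrote a real user's mapping."""
    svc = {u.lower() for u in service_accounts}
    last_user, hits = {}, []
    for ev in events:
        if ev.domain.lower() != tracked_domain.lower():
            continue
        if ev.user.lower() in svc:
            if ev.ip in last_user:
                hits.append((ev.ip, last_user[ev.ip], ev.user))
        else:
            last_user[ev.ip] = ev.user
    return hits

# Constructed sample: two users log on, then the AV update account
# authenticates from both workstations as a domain account (original setup).
DOMAIN_EVENTS = [
    LogonEvent("10.1.5.20", "alice", "CORP"),
    LogonEvent("10.1.5.21", "bob", "CORP"),
    LogonEvent("10.1.5.20", "SophosUpdateMgr", "CORP"),
    LogonEvent("10.1.5.21", "SophosUpdateMgr", "CORP"),
]
# Same traffic after the fix: the update account is local to the Sophos server.
LOCAL_EVENTS = [ev if ev.user != "SophosUpdateMgr" else ev._replace(domain="SOPHOSSRV")
                for ev in DOMAIN_EVENTS]

if __name__ == "__main__":
    print(map_ip_to_user(DOMAIN_EVENTS, "CORP"))                       # both IPs -> SophosUpdateMgr
    print(map_ip_to_user(DOMAIN_EVENTS, "CORP", ["SophosUpdateMgr"]))  # alice / bob kept
    print(map_ip_to_user(LOCAL_EVENTS, "CORP"))                        # alice / bob kept
    print(clobbered_workstations(DOMAIN_EVENTS, "CORP", ["SophosUpdateMgr"]))
```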

  • Hello Steve Congdon,

    I'd not call the service stupid - if you don't want the share to be public a common ("service") account has to be used as the endpoint has to be able to update without a user being logged on. "Smart" web filtering came much later and arguably it's a shortcoming of the guess-who's-logged-on logic.

    Christian