This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web Protection appears to be causing certain web requests to time out

Hello.

I have a computer used as a network monitor, which displays a web page console with health statistics on web and SQL servers.  Since deploying Sophos, one of the computers is experiencing repeated timeout errors when it tries to load this console.  Rebooting the computer will temporarily resolve the problem, but it invariably returns in about 90 minutes.  I see this status in Firefox several times while the console is loading.

The problem occurs in Chrome as well.  With similar hardware, the other computer is not experiencing the problem. The computer where the console works correctly also reports in Sophos Enterprise Console that Web Protection is not working.  Here is what the Sophos Enterprise Console shows.

I believe what is happening is Sophos web protection is causing a delay during the loading of the web console, which intermittently causes the browser to time out before the console can completely load.  I have created a policy to remove Web Protection from these computers, and that did not seem to help.

How can I configure Sophos to allow this web console to load without problems?



This thread was automatically locked due to age.
  • HI,

    For the computer that is failing to refresh the page, what OS is it?

    If you're interested in troubleshooting the errors about web protection no longer being functional, what OS is that computer?

    The reason for asking is web protection on Windows 7 is very different to say Windows 10 for example.

    Regards,

    Jak

     

     

  • Hi Jak.

    Both computers have Windows 10 64-bit, Creators 1703 update. 

    For the error about web protection being no longer functional, it seems about 20% of the computers I have deployed Sophos to are reporting this error.  There does not seem to be any rhyme or reason to which ones have the error and which ones don't - the group policies for all the computers are identical.

     

    Thanks.

    Bryan

  • Thank you for the reply, one thing I would try is to exclude the remote address by IP.  

    You can authorise the IP of the remote site in the AV part of the policy.

    I assume noc.eccoviasolutions.com is the domain your connecting to.  As a test, if you determine the IP of this, maybe they have a range but I assume it's fixed at least for a test.  Does it work without issue?

    Regards,

    Jak

  • Thanks for the suggestion.  I made the change this morning.  I will monitor for a while and report the results.

  • I've configured exceptions for the web site first by the IP address, and the problem returned after a couple hours.  I configured another exception for noc.eccoviasolutions.com and rebooted the computer, and the problem returned after a couple hours.

    It appears this had no effect on the problem.

  • The reason I suggested the IP exclusion is that with web protection enabled you get this scenario:

    chrome.exe -> swi_fc.exe -> webserver

    I.e. the traffic is proxied locally by Sophos.  With an IP exclusions the traffic is sent as before, i.e. totally bypassed:

    chrome.exe -> webserver

    I guess as long as all traffic for this site has taken this route, IP addresses haven't changed then that is surprising.

    Can you confirm with Process Explorer (TCP tab of the browser process, e.g. Chrome.exe), that the traffic in question is going direct to the webserver rather than to swi_fc.exe and then out?

    Regards,

    Jak

  • I see.  Here is the data from Process Explorer.  This seems to suggest that the browser is still using some local process as a proxy (please correct me if I am reading this incorrectly).

  • If you bring up the TCP tab of the swi_fc.exe process I assume you can pair up the connections from Firefox.exe.

    I assume that you would see swi_fc.exe listening on port 49685 and then connecting out to the internet.

    If this is the case, then the IP exclusion isn't having any effect.  You should see the IP excluded connections go straight from the browser process to the upstream server.

    Regards,

    Jak

  • Ok, I checked the same info for the swi_fc.exe process.  I can see the connections for the NOC monitor passing through this.

     

    Here is the configuration for the exceptions.

  • That is a web control exclusion, you need to authorize the site in the AV part of the policy.  

    Regards,

    Jak