Web filtering issues using Microsoft Edge

Have run into a weird issue and wonder if anyone has seen this.

On our domain joined machines (only domain joined, issue does not present if not domain joined), we have been having issues accessing corporate URLs when using Edge.

The pages fail to load with the generic "Hmmm...can't reach this page" error from Edge.

After a long search, it was discovered that the sites would load if the Sophos Web Filter service was stopped.  If you stopped this service and loaded any of the sites, you could then start the service and all would be well, even following a reboot.

This led us to the discovery that stopping the service allowed for the writing of this reg key:

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabProcConfig]

"corporatedomain.com"=dword:00000179

This works within Windows 10, but not Windows 7.

Any ideas how to resolve this issue?

  • In reply to Lori Linehan:

    Hi Everyone,

    The reported issue in this thread is being actively investigated internally and I currently do not have any major update on it. If you are facing the similar issue, please raise a case with the support and DM me the case details so that I can have it tagged to the current Investigation.

    Reference ID: WINEP-14780

  • Is anyone able to test if running the following command from an admin prompt:

    CheckNetIsolation LoopbackExempt -a -n="Microsoft.MicrosoftEdge_8wekyb3d8bbwe"

    helps, where the "MicrosoftEdge_8wekyb3d8bbwe" comes from the path to Edge, e.g.

    C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

    Regards,
    Jak

  • We're also seeing this issue on our domain machines but only those that have 1709+ installed. Had a 2 hour webex with a developer last week in order to try and move things forward. Whitelisting the IP address of one site seems to mean that users can visit any site after visiting that one site. 

  • In reply to MrSoapsud:

    Does it help to add the URLs in IE to the trusted site list?


    Also, given the information here:
    https://blogs.msdn.microsoft.com/ieinternals/2012/06/05/the-intranet-zone/

    about how IE classifies the intranet zone.  If the problematic site is a.b.c.com for example, which resolves to 10.1.1.1, then you might expect that both
    http://a.b.c.com and http://10.1.1.1 would fail.  However, to resolve the site without any '.' (dot), a hosts file mapping of, say:

    10.1.1.1 test

    would http://test then work, if it is then classified as local intranet?

    Regards,
    Jak

  • In reply to jak:

    I've been experiencing the same issues.  Randomly thought it was a TLS Edge issue since it was all fine in Chrome/IE.  However, I did notice that the Edge DevTools showed the connection as Pending.  This suggested to me that the connection was blocked before it even got going and wireshark seemed to agree.  I didn't realise at that point that Web Control installed a local proxy.

    Having disabled Web Control, Edge starts working again fine.  One of my developers also noted that when she moved to the guest WiFi instead of our domain network, any website she was having a problem with magically started working.

  • In reply to MrSoapsud:

    Hi,

    if you disable the webfilter for a minute, or whitelist the IP, then have the machine visit the blocked site, Sophos will write a registry key here:

    [HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabProcConfig]

    With an entry of <your domain> and a value of dword:00000179

    Once that registry key is in place, removing the whitelist, or re-enabling the web filter will not affect the machine ... it can view the formerly blocked sites without issue.

    Although this represents a workaround (you can push out the reg key, or whitelist as needed), a workaround is not a solution.
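As an added example (not posted by anyone in this thread), the PowerShell below lets an admin check whether the TabProcConfig entry described above is present for the logged-on user and add it for a given domain. It assumes only the key path and the dword value 0x179 reported in the thread; the domain name is a hypothetical placeholder and the meaning of the value inside Edge is not documented here.

```powershell
# Added example, not from the thread: inspect or add the Edge TabProcConfig entry
# described above. Run as the affected user, since the key lives under HKCU.
$TabProcConfig = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabProcConfig'
$WorkaroundValue = 0x179   # dword:00000179, the value observed in the thread

function Get-EdgeTabProcConfig {
    # Returns the (domain -> value) pairs currently stored, or nothing if the key is missing.
    if (-not (Test-Path -LiteralPath $TabProcConfig)) { return }
    $item = Get-Item -LiteralPath $TabProcConfig
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Domain = $name
            Value  = ('0x{0:X}' -f $item.GetValue($name))
        }
    }
}

function Test-EdgeTabProcConfig {
    param([Parameter(Mandatory)][string]$Domain)
    # True only when an entry for $Domain exists with the expected value.
    $entry = Get-EdgeTabProcConfig | Where-Object Domain -eq $Domain
    return ($null -ne $entry -and $entry.Value -eq ('0x{0:X}' -f $WorkaroundValue))
}

function Set-EdgeTabProcConfig {
    param([Parameter(Mandatory)][string]$Domain)
    # Creates the key if needed and writes the DWORD entry the thread reports Edge writing itself.
    if (-not (Test-Path -LiteralPath $TabProcConfig)) {
        New-Item -Path $TabProcConfig -Force | Out-Null
    }
    New-ItemProperty -LiteralPath $TabProcConfig -Name $Domain -PropertyType DWord `
        -Value $WorkaroundValue -Force | Out-Null
}

# Hypothetical domain: add the entry only if it is not already there, then list the key.
if (-not (Test-EdgeTabProcConfig -Domain 'corporatedomain.com')) {
    Set-EdgeTabProcConfig -Domain 'corporatedomain.com'
}
Get-EdgeTabProcConfig
```

Because the key is per-user, pushing it out fleet-wide means running this in the user context (for example as a logon script) rather than as a machine-level policy.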

  • In reply to MatthewEllis:

    I don't think that Sophos controls that key in any way.  If you look who writes it, it's MicrosoftEdge.exe and it's read by MicrosoftEdgeCP.exe and MicrosoftEdge.exe.

    Did adding the site to the trusted or intranet zone help as it did in my test?

    Regards,
    Jak

  • In reply to jak:

    What I found I had to do was under AV & HIPS -> Web Protection set the first two options to off.  With that done, websites started working again in Edge.

    This means I may have had a slightly different issue.

  • In reply to Mark Brugnoli-Vinten:

    With those 2 "web protection" options disabled AND if you're not using Web Control, then the browser traffic goes back to being direct to the upstream device/server, rather than proxied locally by swi_fc.exe so that makes sense.

  • In reply to jak:

    jak

    Does it help to add the URLs in IE to the trusted site list?

    That does indeed help. However we have sites for research groups etc being added by the day and the list would be unmanageable.

    The developer I was webex'ing with has now replicated the problem in his environment which is a start...

    Creating the reg key seems the best "workaround" for the time being...

    Thanks

    Martin

  • In reply to MrSoapsud:

    What about using a wildcard for the parent domain, e.g. *.domain.com?

    Regards,
    Jak

  • In reply to jak:

    This is still an ongoing case for us as well. We have tried to make exclusions to our affected sites, but that does not work. RawCap or disabling the web control service is the only thing that allows the connection. Our case has been open for over a month now and our users are still unable to use Edge with internal resources. This is occurring for us on all versions of Windows 10 (1607, 1709, 1803).

  • In reply to Mackenzie Meier:

    Does it not help to add the sites to the intranet or trusted zone in IE settings?