
Sophos Endpoint with Enterprise Console couldn't control internet traffic on Firewall with LDAP integration

I have an on-prem Enterprise Console and am not using Web Filter. After integrating my firewall (FortiGate) with LDAP for user internet traffic filtering, to log the users' traffic activities, what I currently see on my firewall is not the actual username from each individual computer; instead, all the traffic going through shows as the Sophos Update Manager service account that I use to install Sophos Endpoint. I was investigating why the user traffic is not shown correctly and found that there are two services running in the background, "Sophos Web Control" and "Sophos Web Intelligence". After stopping those two services, the firewall starts showing the user traffic correctly, according to the username logged in to that particular computer. I don't use these two services and have already disabled/turned off those features in Enterprise Console. I tried to disable these two services, but they always return to the enabled state after updates are installed.

  • Hello Chan NyeinKo Ko,

    the two services run as Local System and have no knowledge of or relation to the update manager account. The SUM account is used by AutoUpdate to access a UNC update share: it impersonates the local SophosSAUcomputernameaaa account, then makes the SMB connection with the SUM account credentials. Do you update via UNC or HTTP?

    I assume there's a Fortigate agent on the endpoints?

    Christian

  • "I assume there's a Fortigate agent on the endpoints?" Nope, the FortiGate agent is not installed and I don't use it. I feel Sophos Endpoint alone is good enough.


    The update is via UNC \\Server\SophosUpdate and SMB is selected. I don't use a Secondary Server either. Is there any way to disable the two services permanently?

  • Hello Chan NyeinKo Ko,

    "any way to disable the two services"
    None that I'm aware of, but as said I don't see how these two services could be associated with the SUM user; they don't authenticate.

    I assume the Fortigate monitors AD logons - is your SUM user a domain user? It's AutoUpdate that knows and uses this account - no other component.

    Christian

  • My SUM user is a domain user, and I found that it authenticates using Kerberos every time it accesses the shared folder \\server\SophosUpdate.

    Event ID 4624 on the Console server and Event ID 4768 on the DC.

    Event ID 4768 is also monitored by the FortiGate agent, and it unintentionally assumes that the computer is logged in under the SUM user account.

    Is it advisable not to use a domain account for the SUM user and to change to an alternative method to access the shared folder?
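The misattribution described in this post, worked through as an added example that is not from the thread, Sophos or Fortinet: a Python check over constructed 4768-style records that flags an account requesting TGTs from many endpoints in a short window, and shows how a simplified last-logon-wins IP-to-user map pins those workstations to that account until it is excluded. The account name SophosUpdateMgr, the addresses and the last-logon-wins model are assumptions, not FortiGate's actual algorithm.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of DC Kerberos TGT request events (Event ID 4768):
# (account name, client address, timestamp). Not real log data.
SAMPLE_4768 = [
    ("jsmith",          "10.0.1.21", "2024-03-01T07:55:00"),
    ("ahmed",           "10.0.1.22", "2024-03-01T07:58:30"),
    ("SophosUpdateMgr", "10.0.1.21", "2024-03-01T08:00:05"),
    ("SophosUpdateMgr", "10.0.1.22", "2024-03-01T08:00:09"),
    ("SophosUpdateMgr", "10.0.1.23", "2024-03-01T08:00:12"),
    ("SophosUpdateMgr", "10.0.1.24", "2024-03-01T08:01:40"),
    ("ahmed",           "10.0.1.22", "2024-03-01T09:10:00"),
]


def _parse(events):
    """Sort records chronologically as (timestamp, account, client address)."""
    return sorted((datetime.fromisoformat(ts), user, ip) for user, ip, ts in events)


def ip_to_user_latest(events, exclude=frozenset()):
    """Simplified 'last TGT request wins' IP-to-user map, the kind an AD logon
    monitor builds (an assumed model, not FortiGate's own algorithm).
    Accounts in `exclude` are ignored, as a service-account exclusion would."""
    mapping = {}
    for _, user, ip in _parse(events):
        if user not in exclude:
            mapping[ip] = user
    return mapping


def find_shared_accounts(events, window=timedelta(minutes=10), min_hosts=3):
    """Flag accounts that requested TGTs from >= min_hosts distinct client
    addresses within `window`: the signature of one credential used on many
    endpoints. Returns {account: sorted list of client addresses}."""
    by_user = defaultdict(list)
    for ts, user, ip in _parse(events):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        start = 0
        for end in range(len(hits)):          # sliding window over this user's requests
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {ip for _, ip in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged.setdefault(user, set()).update(hosts)
    return {user: sorted(hosts) for user, hosts in flagged.items()}


if __name__ == "__main__":
    noisy = find_shared_accounts(SAMPLE_4768)
    print("accounts seen from many endpoints:", noisy)
    print("naive map:", ip_to_user_latest(SAMPLE_4768))
    print("with exclusion:", ip_to_user_latest(SAMPLE_4768, exclude=noisy))
```

Running it shows 10.0.1.21 attributed to SophosUpdateMgr rather than jsmith until the flagged account is excluded, which is the same effect the thread observed on the firewall.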

  • Hello Chan NyeinKo Ko,

    if your management server isn't a DC you can use a local account.

    Christian

  • I changed my SUM account to a local account and now my 200 endpoints are updating well.

    The firewall is also showing the user traffic properly now.