How to connect to Sophos Central via proxy that requires authentication

Hi

We have just moved to a new Proxy system that requires authentication and our servers stopped communicating with Sophos Central and stopped downloading updates.

I have already checked https://community.sophos.com/kb/en-us/119263 and it will not work for us as we dont have an option to exclude particular sites from the proxy (or rather we cannot open our firewall for particular sites). I have noticed though an option for proxy credentials in config.xml file so I am wandering if we can use that to authenticate an endpoint to our proxy so it can communicate with Sophos Central and download updates.

Thanks

   

  • Hi Roman,

    In your Sophos Central account, you should have an option to configure proxies in the Global Settings area:

    Proxy Configuration

    Enable devices to connect to Sophos Central or download Sophos software updates through a proxy server
     
    This will allow you to input the proxy details, as well as any credentials that are required for authentication
     
    Stephen
  • In reply to StephenMcKay:

    Thanks for the reply Stephen

    And how can I apply it to the endpoint if it cannot get proxy settings from the Sophos Central as it needs proxy to communicate?

    Thanks 

  • In reply to Roman Korchak:

    Hi Roman,

    You can use the installer with command line arguments to specify the proxy and authentication: https://community.sophos.com/kb/en-us/127045 

    Once the endpoint has registered it will then pull down the proxy settings that you have specified in the account.

    Stephen

  • In reply to StephenMcKay:

    StephenMcKay

    Hi Roman,

    You can use the installer with command line arguments to specify the proxy and authentication: https://community.sophos.com/kb/en-us/127045 

    Once the endpoint has registered it will then pull down the proxy settings that you have specified in the account.

    Stephen

     

    Does that mean I will have to uninstall it on all endpoints?

  • In reply to Roman Korchak:

    Sorry, I overlooked the detail; you installed pre proxy. 

    I think you have a couple of options:

    1) bypass the proxy so that you can pick up the proxy information from Sophos Central

    2) re-install the agent using the command line arguments so that endpoints are able to reach Sophos Central via the authenticated proxy 

    It would be worth testing the installation option with one device and if that is successful continue to re-install devices

    Stephen

  • In reply to StephenMcKay:

    Not sure if I am doing it right - would that be a command:

    SophosSetup.exe --proxyaddress=proxyaddress.co.uk:8080 --proxyusername=domain\username --proxypassword=Mypassword

    ?

    Thanks

  • In reply to Roman Korchak:

    Hi Roman,

    I'll be honest, i've not tested with an authenticated proxy, but yes, that looks correct.

    Stephen

  • In reply to Roman Korchak:

    Roman Korchak

    Not sure if I am doing it right - would that be a command:

    SophosSetup.exe --proxyaddress=proxyaddress.co.uk:8080 --proxyusername=domain\username --proxypassword=Mypassword

    ?

    Thanks

     

    Did this command with running TCPView and noticed that Setup is still trying to talk directly to the internet ( https-172-79-251-10.lcy.llnw.net:https) rather than via proxy

  • In reply to Roman Korchak:

    What does your install log show?

    Testing this mine shows:

     

    2018-04-04T12:55:06.7462315Z INFO : Attempting to connect using proxy 'proxyserver:8080' of type 'Proxy'.

    2018-04-04T12:55:06.7462315Z INFO : Set security protocol: 00000800

    2018-04-04T12:55:06.7462315Z INFO : Opening connection to downloads.sophos.com

    2018-04-04T12:55:06.7462315Z INFO : Opened connection to downloads.sophos.com

    2018-04-04T12:55:06.7462315Z INFO : Request content size: 0

    2018-04-04T12:55:06.8719892Z INFO : Sending request

    2018-04-04T12:55:06.8868942Z INFO : Request sent

    2018-04-04T12:55:07.2618615Z INFO : Response status code: 200

    2018-04-04T12:55:07.2618615Z INFO : Response data size: 1674811

  • In reply to StephenMcKay:

    I checked the install log and found the following error:

    Failed to connect using proxy 'ourproxyserveraddress:8080' with error: Bad response from new connection: status code=407

    which, I believe, means "Proxy authentication required" although I am definitely providing a correct user name and password in a command.

     

  • In reply to Roman Korchak:

    I have the same problem:

    2018-04-17T19:43:32.6584701Z WARNING : WinHttpGetProxyForUrl returned: 12180
    2018-04-17T19:43:32.6584701Z INFO : Attempting to connect using proxy 'proxyserver:3128' of type 'Customer'.
    2018-04-17T19:43:32.6584701Z INFO : Set security protocol: 00000800
    2018-04-17T19:43:32.6584701Z INFO : Opening connection to downloads.sophos.com
    2018-04-17T19:43:32.6584701Z INFO : Opened connection to downloads.sophos.com
    2018-04-17T19:43:32.6584701Z INFO : Request content size: 0
    2018-04-17T19:43:32.7208702Z INFO : Request sent
    2018-04-17T19:43:32.7988703Z INFO : Response status code: 407
    2018-04-17T19:43:32.7988703Z INFO : Response data size: 0
    2018-04-17T19:43:32.7988703Z WARNING : Basic authentication was offered by the proxy server.
    2018-04-17T19:43:32.7988703Z INFO : Failed to connect using proxy 'proxyserver:3128' with error: No supported proxy authentication schemes.

  • In reply to benny4982:

    Please can I ask that you log a support ticket (bottom right of this page) and then send me the case ID?

    It looks like you are sending the correct commands to the installer, but there is something not quite right. I can pass the logs to the development team for review.

    Stephen

  • In reply to StephenMcKay:

    Hi Stephen,

    i send you a private message with the case id.

    Benjamin

  • In reply to benny4982:

    Hi Benjamin,

    I have your case, i will escalate this.

    Many thanks.

    Stephen

  • In reply to StephenMcKay:

    There is a good chance that Basic auth is not supported due to being insecure.

    Regards,

    Jak