How to configure the AD Sync Util to use a proxy server

Hi,

We have a standard proxy that also handles the DNS requests for connections to the internet.
After configuration the AD Sync Utility tries to contact https://cloud.sophos.com but cannot get a DNS resolution for this URL.

I have not found any option to configure a proxy server inside the utility and it apparently does not use the one set as system default.

Can somebody please give me a hint how to solve the problem and get the AD Sync working?

  • Hi,

    As it's a .Net application, and running Process Explorer reveals that it's the service (C:\Program Files (x86)\Sophos\Cloud\AD Sync\SophosADSyncService.exe) that contacts the internet, I assume you can just create a .config file, e.g. "SophosADSyncService.exe.config", in the same directory as the exe to configure it. The following content should configure the proxy:

    <configuration>
      <system.net>
        <defaultProxy>
          <proxy
            usesystemdefault="true"
            proxyaddress="http://proxy:8080"
            bypassonlocal="true"
          />
          <bypasslist/>
        </defaultProxy>
      </system.net>
    </configuration>

    as per: https://msdn.microsoft.com/en-us/library/kd3cf2ex(v=vs.110).aspx, adjust as needed.

    I would suggest checking with Support though as this seems a little hacky and an update might blow it away.

    Regards,

    Jak

  • Hi,

    The problem could also be that the Active Directory Sync tool runs as a service account and not a user account. I had a customer with a similar problem.

    I ran this command - netsh winhttp import proxy source=ie. This is the same command that an Endpoint may require. This still didn't fix the problem until I changed the service account to run as a user. If you use a standard domain user then the account will need these permissions.

    The domain user account will need the following permissions. Test with an admin account first. The configuration will be reset when you change accounts.

    • On the system where AD Sync is installed
      • Rights to log on as a service
      • Rights to interactive logon
      • Rights to log on as a batch
      • NTFS full permissions on c:\programdata\sophos\sophos cloud ad sync

    As a quick test you could use a Domain Admin account. Every time you change the service account the Active Directory Sync tool will need to be reconfigured.

    Best wishes

    Michael

     

  • In reply to jak:

    Hi,

    that solved the problem. I didn't even know it was possible to use config files for .Net applications.
    We will use this as a temporary workaround and get back to this when I get a reply from the Sophos support.

     

    Thank you very much for the great workaround!

    Kai

  • Hello,

    I have an answer from the Sophos support team.

    Apparently there are a few workarounds for this problem:

    • Changing the log on account from System to a user account (as suggested by Michael)
    • The solution that Jak pointed out. Note that we would suggest they keep a backup of that .config file, in the event the next AD Sync version update removes it.
    • Adding *.sophos.com/* as an authentication exception to the proxy itself for that system running the AD sync utility. (which I don't think would work in our case because we cannot get a DNS resolution)

    The Support also pointed out that they addressed the problem to development but could not say if or when this may result in changes to the application.
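
Support's advice above to keep a backup of the .config file can be scripted so that a removed file is noticed and restored. This is an added example, not part of the original posts and not Sophos code; the backup folder is a hypothetical path, and the script must run elevated to write next to the service executable.

```powershell
# Added example (not Sophos tooling): back up the proxy .config, restore it if an update removed it.
param(
    # Service path as given in the thread
    [string]$ExePath   = 'C:\Program Files (x86)\Sophos\Cloud\AD Sync\SophosADSyncService.exe',
    # Assumption: hypothetical admin-only folder, change to suit
    [string]$BackupDir = 'C:\AdminBackups\SophosADSync'
)

$ErrorActionPreference = 'Stop'
$configPath = "$ExePath.config"
$backupPath = Join-Path $BackupDir (Split-Path $configPath -Leaf)

function Test-ProxyConfig([string]$Path) {
    # True only if the file is well-formed XML and contains a <proxy> element
    # at the location the .NET runtime reads it from.
    try { $xml = [xml](Get-Content -LiteralPath $Path -Raw) } catch { return $false }
    return $null -ne $xml.SelectSingleNode('/configuration/system.net/defaultProxy/proxy')
}

if (Test-Path -LiteralPath $configPath) {
    if (Test-ProxyConfig $configPath) {
        # Current file is usable: refresh the backup copy
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        Copy-Item -LiteralPath $configPath -Destination $backupPath -Force
        Write-Output "Proxy config is valid; backup refreshed at $backupPath."
    } else {
        # Do not overwrite a good backup with a broken or emptied file
        Write-Warning "$configPath has no usable <proxy> element; backup left untouched."
    }
} elseif (Test-Path -LiteralPath $backupPath) {
    # Config is gone (for example after an AD Sync update): put the saved copy back
    Copy-Item -LiteralPath $backupPath -Destination $configPath
    Write-Warning "Restored $configPath from backup. Restart the AD Sync service to apply it."
} else {
    Write-Warning "No config and no backup found; create $configPath first."
}
```

Run it as a scheduled task after maintenance windows; a restore warning indicates that an update replaced the installation directory contents.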

  • In reply to KaiHofmann:

    Do we have an update on when this may happen? I see that this post was almost a year ago, but there is still nothing in the tool to enter Auth:Proxy details.