
IE Slow Behind Sophos

Hi everyone,

I have had an issue with IE on all computers behind our Sophos UTM box for over 2 years now. We simply accepted the issue and moved on. The issue is, when browsing to a webpage, IE takes forever to load! This issue doesn't affect any other browser but our tools require Active X's to work so we are forced to use IE. I have tried:

Turning off IPS

Turning off Web Protection

Turning off Application Control

Creating QOS Rules

Resetting winsock on our PCs

And many more things!

 

I've looked at every log possible and I can't seem to figure it out. Sophos has a lot of great features, a lot of which we use, but this issue is starting to get worse and is going to force us to go with another vendor. The workstations we use vary from Win7 to Win8. Sometimes they have the issue, sometimes they don't.

We currently run IPS, Web Protection, Application Control. 

IPS has never been messed with besides adding our networks

Web Protection has never been messed with. Runs in Transparent mode with no authentication and doesn't block on authentication fail

Application Control has been turned on and blocks Windows updates (Windows updates break our tools)

We also use the Sophos AV included with the UTM. We keep the UTM up to date, 9.411-3 running right now. 

 

I'm begging for help! I can't seem to find the issue!

 

Thanks

Brandon



  • I can appreciate your frustration.   For the sake of those who might read your post and panic, I can say that I have not seen this problem during our two years running UTM, and we have used it with a mix of IE versions (and other browsers) during that time.

    I assume that you have checked the dashboard and do not see a CPU, memory, or disk space problem.   If you had a CPU issue, it would seem that disabling those items would have resolved the problem by now.

    You probably need to explain how your proxy is configured:   proxy script in browser, proxy redirect in browser, or in-line transparent proxy.  

    • If you have transparent proxy enabled, you probably want to ensure that the browser is not also connecting directly using automatic configuration, proxy script, or proxy redirection (Internet Options... Connections... LAN Settings).   I don't know that redundant settings are a problem, but I can imagine that they might be.

    • If your most important sites are also highly trusted, you could try bypassing the proxy for only those sites.  The problem may be specific to your target sites.
      • If you use a proxy script, put the exception sites into the script.
      • If you use transparent modes, put the exception sites into Web Protection... Misc... Transparent Mode (Destination) Skip List.

    Then test to see if the less important sites behave comparably between IE and Chrome.

    Hope that helps some.

  • Hello,

    Thanks for the quick reply. 

    I have tried running IE with auto config on/off - no difference. 

    We don't run a proxy script. We try to keep things very simple here.

    It occurs with all websites. Sometimes it even shows "Page cannot be displayed". I've tried the Windows "Fix connection issues" tool but it's never able to see an issue. 

    I can ping google just fine with quick responses but if I try to browse to google, IE hangs. 

     

    Brandon

  • Hi Brandon,

    Some ideas to identify which component the problem comes from:

    - Disable WebProtection and allow one or all clients in the firewall to access the web. If it's fast then, the problem has to do with the WebProtection. Check the WebProtection log for a request which takes a long time to load, and post it here.

    - Start IE and press F12 to open the DevTools. Try to open a page and take a look at the "Network" tab, which contains all requests and the time each needed to load. Is there a request with an abnormally long time?

    - Start IE without AddOns.

    - Reset settings of IE

    Jas

  • Hello,

     

    I tried doing that. Turned off web filtering and application control - no difference. 

    I did the test with IE. It holds on "Waiting for 'Title of Webpage'". The connection times that appear below don't show anything abnormal. IE just hangs for a while like it's waiting to connect, then once it connects the page appears very quickly!

    Tried resetting the settings and running without addons. No difference.

     

    Thanks

    Brandon

  • What is your mechanism for authentication? Perhaps the authentication process is failing with IE. Start Live Log and look for user="value" and addomain="value", to see whether both browsers are successfully identifying you. If the fields are blank, then you are getting through anonymously, and you need to investigate why.

    If that does not show a smoking gun, then I suggest downloading Wireshark (from wireshark.org) and capturing the actual packets. See what is different between the two browser sessions. Then, turn off web filtering and capture test logs as well. See if IE has significantly different traffic with and without UTM. If HTTPS inspection is disabled and you are not telling it to block stuff, the logs should be pretty similar with UTM on or off. (Others can correct me if I am wrong here.)

    One possibility is that IE is having trouble with completing the connections needed to perform certificate validation.

    If you are using unqualified names with default search suffixes, IE might be attempting WINS lookups before using DNS.

    You also have not mentioned which version(s) of IE have been tested.   Each one seems to be unique.   I think of the recent editions (8 to 11), version 9 is hardest to love.   I have not tested Edge with UTM.

     

  • Web Protection -> Web Filtering: Operation Mode is Transparent and Default Authentication is NONE. Block access on authentication failure is unchecked and greyed out. 

    HTTPS: URL Filtering Only

    We have no unique policies. Only the Base Policy with Default Content Filter Action. 

    IE 11

  • If the problem also occurs when you disabled WebProtection, authentication or URL filtering could not be the problem. With WebProtection disabled, the traffic goes straight through the firewall.
    BTW: How did you disable WebProtection? With the "big" switch, or with an exception? If you use an exception, please be sure that it matched!

    My first thought was DNS, but as you wrote other browsers on the same client are working, and they are using the same DNS settings.

    I also thought about the proxy settings in IE, but you wrote that everything is disabled like here (but maybe in another language :) )

     

    Does your tool, which needs IE, change something in the settings of IE? What happens when you try to open the web page by IP address (like IBM's site: http://129.42.38.1 )? Is there a function in IE which analyzes the URL in the cloud before loading it? Maybe this cloud service is blocked by your UTM. Then you should see blocked requests in the firewall log.

    Another blind shot: try to reset the websocket of your client. Open an administrative command line and execute

    netsh winsock reset

    Jas

     

  • To be clear, you will be your own hero here, and learn a lot in the process.   We are giving hints, but you will be doing the detective work.

    You may find my post in this other thread useful for the section about using Live Log. Your interest will be different, because you need to focus on the target URLs that are different between the two browsers, and especially on the URLs that had HTTP errors. Look for log entries where ' status="code" ' has a value of 400 and higher, representing errors. A web search can give you the text for each code. There are also four time fields, which have never been very useful to me, but might be useful in your situation.

    https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/89746/setting-up-policy-from-block-all-to-allow-specific-sites-but-filter-them/326458#326458

    The critical issue for your situation is: "What happens differently between IE and Chrome".   The logs should tell you that.  Are both browsers going through UTM?   Are both browsers authenticating to the same user?   Are both browsers resolving to the same Profile, FilterAction, and Exceptions?  Are both browsers going to the same list of URLs and obtaining the same status code?  Somewhere in this list, the answer is almost certainly no.

    Also, it may be useful to note, as the logs will indicate, that when suggested sites are turned on, every keystroke creates a round-trip packet exchange to request and receive the current suggestion list.
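
Added example (not part of the thread and not Sophos code): one way to do the IE-versus-Chrome log comparison suggested above, in Python. The log lines are constructed, and the field names user, addomain, status and url follow the wording in this thread; adjust them to what your Live Log actually shows.

```python
import re

FIELD = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample captures, one per browser session (not real UTM output).
IE_LOG = [
    'httpproxy[4321]: user="" addomain="" status="200" url="http://www.example.test/"',
    'httpproxy[4321]: user="" addomain="" status="502" url="http://www.example.test/app.js"',
    'httpproxy[4321]: user="" addomain="" status="504" url="http://crl.example.test/root.crl"',
]
CHROME_LOG = [
    'httpproxy[4321]: user="" addomain="" status="200" url="http://www.example.test/"',
    'httpproxy[4321]: user="" addomain="" status="200" url="http://www.example.test/app.js"',
    'httpproxy[4321]: user="" addomain="" status="200" url="http://update.example.test/check"',
]

def summarize(lines):
    """Map each URL to its set of status codes and collect the identities seen."""
    statuses, identities = {}, set()
    for line in lines:
        f = dict(FIELD.findall(line))
        if "url" not in f:
            continue  # not a request entry
        code = int(f["status"]) if f.get("status", "").isdigit() else 0
        statuses.setdefault(f["url"], set()).add(code)
        identities.add((f.get("user", ""), f.get("addomain", "")))
    return statuses, identities

def compare(log_a, log_b):
    """Report where two browser sessions differ in URLs, status codes and identity."""
    (sa, ia), (sb, ib) = summarize(log_a), summarize(log_b)
    is_err = lambda codes: any(c >= 400 for c in codes)
    return {
        "only_a": sorted(set(sa) - set(sb)),
        "only_b": sorted(set(sb) - set(sa)),
        "status_differs": {u: (sorted(sa[u]), sorted(sb[u]))
                           for u in sorted(set(sa) & set(sb)) if sa[u] != sb[u]},
        "errors_a": sorted(u for u in sa if is_err(sa[u])),
        "errors_b": sorted(u for u in sb if is_err(sb[u])),
        "anonymous_a": ("", "") in ia,
        "anonymous_b": ("", "") in ib,
    }

if __name__ == "__main__":
    for key, value in compare(IE_LOG, CHROME_LOG).items():
        print(f"{key}: {value}")
```

Capture each log while reproducing the slow page load in one browser only, so that every entry in a capture belongs to that browser.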

     

  • Douglas,

    he wrote that the issue also occurs when he disables WebProtection. Therefore I think he will not find any problem in the logs. It seems that the URL request is held back by IE, or IE is waiting for something. And it must be something which is the same on all clients, like a local AV scanner with HTTP scanning functions or another program.

    Your idea to capture the traffic with Wireshark was good. I guess this can bring light into the darkness :)

    Jas

  • Hello,

     

    So I've tinkered with even more complex settings and reviewed additional logs on the UTM and it appears IPS was blocking some DNS requests from and to our local AD DNS servers. So I disabled IPS and it seems like the issue went away, but now instead of IE displaying "Waiting for 'Web Page Title'", we receive a Sophos UTM page with the error message "Host cannot be found". It doesn't happen as often as the IE issue did but it is frequent. This is happening on ALL machines and ALL web browsers.

    Below is a snapshot of what's currently turned on on the UTM.

     

     

    At least now I'm getting an error message as compared to nothing! Any thoughts?