I am having trouble diagnosing this particular issue with Microsoft Teams. The messaging function isn't working as messages aren't sent ("Failed to send" error message). After checking the web filtering logs, I found this out:
2019:03:13-09:12:20 utm-bomare-2 httpproxy: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block"
method="CONNECT" srcip="192.168.1.168" dstip="22.214.171.124" user="" group="" ad_domain="" statuscode="500" cached="0"
profile="REF_HttProContaInterNetwo (VIP_Profile)" filteraction="REF_HttCffVipwhfilte (VIP_WHFilterAction)"
size="517" request="0x1b020c00" url="emea.ng.msg.teams.microsoft.com/" referer="" error="Connection timed out" authtime="0" dnstime="2"
cattime="128" avscantime="0" fullreqtime="127255911" device="0" auth="0" ua="" exceptions="application" category="122" reputation="neutral"
categoryname="Instant Messaging" application="micrsoft" app-id="1151"
Apparently, the request was blocked because of a connection time out error. I don't have AV scanning enabled on any of my filter actions. I tried skipping the proxy, same thing. I even disabled web filtering and application control, still same problem. Could it be a DNS issue? (we don't have an internal DNS server, we're using the UTM as gateway and DNS).
Check the Intrusion Protection log. A blocked reply will cause a browser timeout. The IPS entry can be two minutes earlier than the web log entry.
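Added example (not part of any post in this thread): a Python sketch that parses the web filtering log line quoted above and, for each blocked request that timed out, subtracts fullreqtime from the log timestamp to get the time to search for in the Intrusion Protection log. It assumes fullreqtime is in microseconds, which the thread does not state; the second sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# First line: the excerpt quoted in the thread, joined onto one line.
# Second line: constructed "pass" entry, only there to show the filter working.
SAMPLE_LINES = [
    '2019:03:13-09:12:20 utm-bomare-2 httpproxy: id="0002" severity="info" '
    'sys="SecureWeb" sub="http" name="web request blocked" action="block" '
    'method="CONNECT" srcip="192.168.1.168" dstip="22.214.171.124" '
    'statuscode="500" url="emea.ng.msg.teams.microsoft.com/" '
    'error="Connection timed out" dnstime="2" fullreqtime="127255911" '
    'categoryname="Instant Messaging" app-id="1151"',
    '2019:03:13-09:12:25 utm-bomare-2 httpproxy: id="0001" severity="info" '
    'sys="SecureWeb" sub="http" name="http access" action="pass" '
    'method="GET" srcip="192.168.1.168" url="http://example.test/" '
    'error="" fullreqtime="41230"',
]

HEADER = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\S+?)(?:\[\d+\])?: ')
PAIR = re.compile(r'([\w-]+)="([^"]*)"')

def parse_line(line):
    """Split one log line into its timestamp and key="value" fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = dict(PAIR.findall(line[m.end():]))
    rec["_time"] = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
    return rec

def timed_out_blocks(lines):
    """Return blocked requests whose error is a timeout, with their start time."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("action") != "block":
            continue
        if "timed out" not in rec.get("error", "").lower():
            continue
        # Assumption: fullreqtime is reported in microseconds.
        elapsed = timedelta(microseconds=int(rec.get("fullreqtime", "0")))
        hits.append({"url": rec.get("url"), "srcip": rec.get("srcip"),
                     "logged": rec["_time"], "started": rec["_time"] - elapsed,
                     "elapsed_s": round(elapsed.total_seconds())})
    return hits

if __name__ == "__main__":
    for h in timed_out_blocks(SAMPLE_LINES):
        print(f'{h["srcip"]} -> {h["url"]}: started {h["started"]:%H:%M:%S}, '
              f'logged {h["logged"]:%H:%M:%S} ({h["elapsed_s"]} s)')
```
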
If you can get away with it, when I have Microsoft Issues I typically come in when no one is here and disable web filtering, then country blocking, then application filtering, then IPS to determine which is the culprit. Another trick is run a test with nothing else running on the target workstation and do a TCP DUMP to see what is happening, might fill in the blanks.
In reply to badrobot:
This is one approach to debugging, but it should not be necessary. Any blocked packet should appear in a log, unless the administrator has created an exception that includes the option to disable logging of qualifying traffic. You are correct that there are multiple places to look.
In reply to DouglasFoster:
Nothing in there, I just checked.
Okay so I know I said on my post that I tried skipping the transparent proxy but it didn't work but somehow someway, this morning when I tried that again it worked, I was able to send and receive messages.
Do websites that I visit still get proxied and appear in the web filtering live log even when I'm on the Skip transparent proxy list? I'm saying this because it's still showing all of my traffic, and one thing I noticed is, that Microsoft Teams URL that gets blocked for a connection timeout does not appear on the log. Is it sort of an implicit "pass" action? I only see this line related to Microsoft Teams:
I went all over my Web Filtering configs but couldn't find what's really causing the issue. Keep in mind that as soon as I skip the proxy, Teams works fine.
In reply to Zak_B18 DZ:
Could this be a certificate issue?
Or maybe not the certificate but it did get me thinking, what is teams using for proxy/certificate settings, I found this with a quick search - docs.microsoft.com/.../connectivity-issues
If an access appears in the Web Filtering log, it did not qualify for the Skiplist. Since you weren't doing AV scanning, the only thing left was to skip the Proxy for the access to emea.ng.msg.teams.microsoft.com. I note that that FQDN has multiple DNS A-records, so you will want to use it in a DNS Group definition in the Skiplist instead of a DNS Host definition.
Cheers - Bob
In reply to BAlfson:
Hello and sorry for the late response,
I just tried adding that DNS Group definition to the Transparent Mode Skiplist... and it didn't work, still getting that same line on the web filtering log. MS Teams seems to be only working when my source IP is on that skiplist. Confusing.
OK, Zak, it sounds like you're using the Proxy in the Standard mode, so you'll need to add *.teams.microsoft.com to the Exceptions in [Advanced] after selecting to use the proxy explicitly in Internet Options > [Lan Settings]. Instead of the numeric IP of the UTM, you should use an FQDN that resolves to that IP - refer to Configuring HTTP/S proxy access with AD SSO.
I'm actually using the Proxy in Transparent mode, and have already tried adding MS Teams on the exceptions tab... still nothing.
If you're running in Transparent and the traffic still is handled by the Proxy, show us the Edit of the DNS Host/Group that you have in the Skiplist.
Cheers - Bob
Here it is:
That's perfect, Zak, so the issue is that the DNS Group is [unresolved] and your DNS configuration must need some attention. Does DNS best practice give you any help?