This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Slow Outlook start when using proxy

Hi, there,

on a customer's site I have a SG 210 running 9.605 (current). I used to use the webfilter proxy (running in standard mode) to control outgoing web traffic, worked fine for over a year. The customer also uses an internaly hosted Exchange server, there's a split DNS set up, so autodiscover.domain.tld and all the other domains resolve to internal IP addresses.

A few weeks ago I had to add another network for a sister company that moved in, they now also use the same UTM. This also worked fine ...but... since then, starting Outlook takes ages. On some PCs, it also takes 5 minutes to start Outlook. After that, everything is fine, and web surfing generally is not affected.

The problem disappears as soon as I open the relevant ports in Network Protection and switch off the proxy (via removing the WPAD hostname in the internal DNS).

I added several exceptions to Microsoft sites in the Web Protection exceptions, to no avail. As soon as I use the proxy Outlook slows down.

Has anyone here met the same problems? Any advice would be welcome

Thanks in advance

Dirk

This thread was automatically locked due to age.

Parents

0 ThorstenSult over 4 years ago

Hi,

you have to skip these URLS in the Internetsettings on the clients!
Cancel
Vote Up 0 Vote Down

Cancel
0 Dirk Bonengel1 over 4 years ago in reply to ThorstenSult

Thorsten,

I did that - even twice, once as exception on the UTM itself, and then also within the wpad.dat, to no avail.

I'll add the wpad.dat to this post. According to https://app.thorsen.pm/proxyforurl it's syntactically correct.

If I use the wpad.dat, Outlook requires about 1:30 to start Outlook. Without proxy, it's less than 5 seconds
Cancel
Vote Up 0 Vote Down

Cancel
0 Alexander Busch over 4 years ago in reply to Dirk Bonengel1

Hi Dirk

does the delay occur if you specify the proxy on the client machine manually (with exception for your exchange server) too?

Maybe you could tell us what url your exclusion was? Autodiscover.xyz.com should be one I guess.

Best regards

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Alexander Busch over 4 years ago in reply to Dirk Bonengel1

Hi Dirk

does the delay occur if you specify the proxy on the client machine manually (with exception for your exchange server) too?

Maybe you could tell us what url your exclusion was? Autodiscover.xyz.com should be one I guess.

Best regards

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Dirk Bonengel1 over 4 years ago in reply to Alexander Busch

Hi Alexander,

ist does occur then as well. Below I added my wpad.dat. autodiscover.domain.tld does locally resolve to a 192.168.100.x/24 address. I don't see any requests for that (or for the Exchange server generally) on the proxy log.

function FindProxyForURL(url, host)
{
   myip = myIpAddress();
   // Convert everything to lower case.
   var lhost = host.toLowerCase();
   host = lhost;
   // Erstmal entscheiden, wann ich _nicht_ über den Proxy gehe
   // Allgemeine Ausnahmen
   //hier werden alle Hosts ohne DNS Suffix ohne Proxy angesprochen: z.B. http://Nagios/
   if (isPlainHostName(host))
       return "DIRECT";

   //lokale Domäne. Beispiel: nagios.domain.local
   else if (shExpMatch(host, "*.local"))
       return "DIRECT";

   // lokale IPs / private Netzwerke
   else if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))
       return "DIRECT";

   //localhost
   else if (localHostOrDomainIs(host, "127.0.0.1"))
       return "DIRECT";

   // If IP of the requested host falls within any of the ranges specified, send direct.

   if (isInNet(dnsResolve(host), "10.0.0.0", "255.0.0.0") ||
       isInNet(dnsResolve(host), "172.16.0.0", "255.240.0.0") ||
       isInNet(dnsResolve(host), "192.168.0.0", "255.255.0.0") ||
       isInNet(dnsResolve(host), "127.0.0.0", "255.255.255.0"))
    return "DIRECT";

if (shExpMatch(url, "*.office365.com"))
        return "DIRECT";
if (shExpMatch(url, "*.outlook.com"))
        return "DIRECT";
if (shExpMatch(url, "*.microsoft.com"))
        return "DIRECT";
if (dnsDomainIs(url, "*.live.com"))
        return "DIRECT";
if (shExpMatch(url, "*.microsoftonline.com"))
        return "DIRECT";
if (shExpMatch(url, "*.bing.com"))
        return "DIRECT";
if (shExpMatch(url, "*.office.net"))
        return "DIRECT";

   return "PROXY 192.168.100.254:8080";
//       return "DIRECT";
}
Cancel
Vote Up 0 Vote Down

Cancel
0 Alexander Busch over 4 years ago in reply to Dirk Bonengel1

Okay, other way around. Does the UTM resolve autodiscover.domain.tld to the internal or external IP?

You can test this on the UTM, in the support menu.

Best regards

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel
0 Dirk Bonengel1 over 4 years ago in reply to Alexander Busch

Alex,

all DNS requests to domain.tld resolve to the internal IP address. Just checked.

Also, the client should contact the internal DC (DNS) first, that one also has the internal IP set up
Cancel
Vote Up 0 Vote Down

Cancel
0 Alexander Busch over 4 years ago in reply to Dirk Bonengel1

If a proxy is set, the name resolution is done at the proxy not at the client. That was my concern.

Sorry if you checked that already, I am out of ideas.

Best regards

Alex

-
Cancel
Vote Up 0 Vote Down

Cancel
0 ThorstenSult over 4 years ago in reply to Dirk Bonengel1

Whats about the URL of the Clientaccesserver?

Get-ClientAccessServer | fl autodiscover*

Is this URL in the exceptions configured?
Cancel
Vote Up 0 Vote Down

Cancel
0 Dirk Bonengel1 over 4 years ago in reply to Alexander Busch

Danke, Axel!
Cancel
Vote Up 0 Vote Down

Cancel
0 Dirk Bonengel1 over 4 years ago in reply to ThorstenSult

Thorsten, Axel,

what strike me that although I have configured exceptions / rules in my wpad.dat, I still see requests going through the proxy server:

2019:09:19-15:06:46 hi-fw01-2 httpproxy[21737]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.100.146" dstip="52.109.28.22" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo2 (Customer)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="0" request="0xdc8f0e00" url="odc.officeapps.live.com/.../federationProvider referer="" error="" authtime="0" dnstime="483" aptptime="0" cattime="235" avscantime="0" fullreqtime="60092283" device="0" auth="0" ua="Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.11929; Pro)" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension"

I assume this has to do with a federated sharing we have set up with another company. Still according to the wpad.dat dat those request should never hit the proxy.

Same goes for login.microsoftonline.com/.../

I have now placed a call with Microsoft
Cancel
Vote Up 0 Vote Down

Cancel
0 ThorstenSult over 4 years ago in reply to Dirk Bonengel1

Set the proxy settings on a client manually including the exceptions. What happens then?
Cancel
Vote Up 0 Vote Down

Cancel
0 Alexander Busch over 4 years ago in reply to Dirk Bonengel1

Dirk Bonengel1 said:

...

I have now placed a call with Microsoft

It would be nice if you tell us what’s the outcome. I am very keen on that.

BTW which Outlook version are you using? And which OS version?

-
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 4 years ago in reply to Dirk Bonengel1

Should .100.146 have traffic processed by profile="REF_HttProContaInterNetwo2 (Customer)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" ?

Please show us the content of 'Exceptions' in 'LAN Settings' 'Advanced' in that PC.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel