Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 18 replies
  • Answers 3 answers
  • Subscribers 9 subscribers
  • Views 47104 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Online Grammar Checker - Issue

isoffice

Hi all,

We have a pair of SG450 UTM Appliances (Firmware version 9.405-5) running in Hot Standby Mode.

We have several users attempting to access a site (https://www.grammarly.com). This site allows the upload of passages of text to be checked for grammar etc. However, after logging on to the site an error message is shown which states:

"Your network configuration blocks Grammarly services on this computer. To troubleshoot this issue, click here"

Clicking 'here' opens a link to a diagnostic test between the user PC and the site itself.

A screenshot of the result is shown below:

I cannot see anything in the logs to indicate what the issue may be here and was wondering if anyone has encountered something like this.

Many thanks for your time and assistance in this matter.

John P



This thread was automatically locked due to age.
  • 0

    Hi all,

    Just a quick update. I referred this issue to Sophos who advised me to bypass the UTM for the site concerned to ensure that it was indeed the UTM that was the problem here.

    Not surprisingly, when I reverted to our old Microsoft TMG 2010 to access the site, everything worked OK.

    I believe it to be websocket issue and have seen on several posts in this forum that other users have had issues similar to this (I won't expose my ignorance on the topic of websockets at this particular time though). Also I have seen a Feature Request with 700+ votes to get the UTM to handle websockets. As of yet Sophos haven't indicated if they are going to address this particular problem.

    In the end I had to disable SSL Scanning for the site in question and all appears to be working fine now. Not my ideal solution, but in the absence of anything from Sophos, will have to do.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • 0

    Hi John,

    Check #1 in the guide here. Any catch with that?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • 0 in reply to isoffice

    HI isoffice ,

    Seems that with SSL encryption the issue occurs with the connection on HTTPS (TCP:443.), These are apps that would associate with Google Chrome / Mozilla and in some cases when SSL Scanning is Enabled , issue occurs when the server (remote end ) does not comply with UTM certificate .  At this point,  your only option would need to Bypass the sites from SSL scanning exceptions . 

    To work reliably, Grammarly needs a stable Internet connection. Either message can indicate a problem with your local network, your ISP, or your computer settings.

    • Your network or system administrator must ensure that your antivirus and (or) firewall software allows access to the following Internet addresses by adding exception rules for the following addresses to your firewall and/or antivirus software:
      1. capi.grammarly.com (ports 80 and 443)
      2. api.mixpanel.com (ports 80 and 443)
      3. api.parse.com (ports 80 and 443)
      4. auth.grammarly.com (ports 80 and 443)

    Taken from the website https://support.grammarly.com/hc/en-us/articles/206120167-Error-Connecting-to-the-Grammarly-server-message-or-Not-connected-notification-pop-up-What-should-I-do-

    Thanks and Regards 

    Aditya Patel | Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • 0 in reply to Aditya Patel

    Hi Guys,

    Thank you for the additional information, it has proved quite useful.

    Sachingurung, I have checked the logs specified in #1 of Rulz and cannot see anything untoward there.

    Aditya, I have created an exception (for SSL Scanning) based on the addresses mentioned in your post. All appears to be working now.

    However, the article to which you referred to also states, "If you use a proxy, please verify that it supports WebSocket protocol."

    Am I wrong in thinking that the UTM does not support the WebSocket Protocol?

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • 0 in reply to isoffice

    Hi all,

    I had raised a call with Sophos Support on this and they have confirmed:

    "Unfortunately right now Sophos UTM is unable to handle web socket traffic for web application firewall. So for the mean time you may add exemption for the the destination domain from SSL inspection".

    They go on to say that I should add my vote (already done) to the feature request that might resolve this issue (http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/4849021-websocket-support-for-waf).

    However, given that the initial feature request was made almost 3 years ago, it looks like my exemption will be in place for the foreseeable future. 

    Thank you for your kind assistance.

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • 0 in reply to isoffice

    Hi John 

    Could you share your Service Request so I may look into it  ? , Kindly Message me and do not post it for Public viewing. 

    Thanks and Regards 

    Aditya Patel 

    Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • 0 in reply to Aditya Patel

    Hi Aditya,

    I have forwarded those details that you requested.

    Best regards,

    John Perry

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • 0

    Hi,

    I have the similar problem with grammarly add-in users with using Sophos antivirus

    How can i get SSL exception for the sophos AV users?

     

     

     

     

     

  • 0 in reply to Rasli Ramlan

    Hi Rasli,

    To exempt the Grammarly website from SSL checking, I simply created a new Exception in Web Protection > Filtering Options > Exceptions. I skipped SSL Scanning/Certificate Trust Check and Certificate Date Check for all requests Matching these URLs: Target Domain^https?://([A-Za-z0-9.-]*\.)?grammarly\.com/

    This seems to work for me.

    Best regards,

    John P.

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • 0 in reply to isoffice

    That the web application firewall cannot do web socket traffic doesn't mean that the Web Filtering Proxy cannot.

    The solution is skipping SSL scanning, as Aditya mentions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Unfiltered HTML