StatusCode 407 Errors on 9.502-4 and 9.503-4

This is similar to, or the same as, a previous thread from 2015, but something I just noticed on our firewalls. The logs are full of 407 errors, almost one for every 200 code when I crunch the numbers.

Standard Proxy with AD SSO

DHCP autoproxy configuration option 252 = http://sophos.internal.com:8080/wpad.dat

Group created in Definitions and Users for domain users.

Authentication configured and tested.

We get the same result with all browsers (IE, Edge, Chrome, Firefox) whether they are configured with "Automatic Discovery" (DHCP, except Firefox, which doesn't support DHCP discovery), "Automatic Proxy Configuration" (http://sophos.internal.com:8080/wpad.dat) or "Manual Proxy" (http://sophos.internal.com:8080).

  • Your browsers are configured to use "standard mode" proxy via WPAD. I don't think that your problem is related to this. If you really want to, manually configure a browser to use the proxy (rather than auto discover) and see if the problem continues to occur.

    407 indicates that something is asking to authenticate. There are times that the proxy will send a 407 back to the client browser. But if I recall correctly we don't log it when we are generating the 407.

    Is it possible you have another device (such as an upstream proxy) that is trying to authenticate?

    Can you post a sample log line?

  • The Sophos is internet facing, so no upstream proxies. I have tried manual proxy configuration and still get the 407s.

    2017:09:22-13:45:49 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.50.1.34" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2540" request="0xd9192400" url="ocsp.godaddy.com/.../MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQw+RaCaUs=" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="168" device="1" auth="2" ua="Microsoft-CryptoAPI/10.0" exceptions=""
    2017:09:22-13:45:49 sophostn-2 httpproxy[25718]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.50.1.34" dstip="50.63.243.230" user="user.name" group="" ad_domain="CORP" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffTcsDefault (TCS Default)" size="1775" request="0xd9192400" url="ocsp.godaddy.com/.../MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQw+RaCaUs=" referer="" error="" authtime="594" dnstime="65896" cattime="30519" avscantime="983" fullreqtime="145170" device="1" auth="2" ua="Microsoft-CryptoAPI/10.0" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" country="United States" application="ocsp" app-id="835" sandbox="-" content-type="application/x-x509-ca-cert"
     
    A lot of them seem to be service related:
     
    2017:09:22-13:50:51 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.50.1.34" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2548" request="0xd905e000" url="bn3sch020020841.wns.windows.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="134" device="1" auth="2" ua="" exceptions=""
    2017:09:22-13:50:51 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.50.1.38" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2548" request="0xd8ef8600" url="yqlmailapps.query.yahoo.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="180" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" exceptions=""
    2017:09:22-13:50:52 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.50.1.38" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2548" request="0xc21de00" url="https://www.yahoo.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="126" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" exceptions=""
    2017:09:22-13:50:53 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.50.1.38" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2548" request="0xbb8ac00" url="scontent-mia3-1.xx.fbcdn.net/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="140" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" exceptions=""
     
    But there are also a lot where you will see it fail first, then authenticate the second time with the same URL, like the first example. This is happening on two of our UTMs: one is the default route out of the company at a remote site, and the other, at the main site, is not set as the default route. Our third UTM is in transparent mode at a colocation facility without any users.
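One way to crunch these numbers, as an added example that is not from the thread or from Sophos: a small parser for the httpproxy key="value" lines that pairs each 407 with a later 200 from the same client for the same request id and URL (the normal challenge-then-authenticate round trip) and lists the challenges that never completed, which is where a service account or agent that cannot do SSO would show up. The sample log is constructed and trimmed to the fields the script uses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the UTM httpproxy key="value" format shown in the
# thread, trimmed to the fields used below; values are illustrative.
SAMPLE_LOG = """\
2017:09:22-13:45:49 sophostn-2 httpproxy[25718]: id="0003" method="GET" srcip="10.50.1.34" user="" statuscode="407" request="0xd9192400" url="ocsp.godaddy.com/x" authtime="1" ua="Microsoft-CryptoAPI/10.0"
2017:09:22-13:45:49 sophostn-2 httpproxy[25718]: id="0001" method="GET" srcip="10.50.1.34" user="user.name" statuscode="200" request="0xd9192400" url="ocsp.godaddy.com/x" authtime="594" ua="Microsoft-CryptoAPI/10.0"
2017:09:22-13:50:51 sophostn-2 httpproxy[25718]: id="0003" method="CONNECT" srcip="10.50.1.34" user="" statuscode="407" request="0xd905e000" url="bn3sch020020841.wns.windows.com/" authtime="1" ua=""
2017:09:22-13:50:51 sophostn-2 httpproxy[25718]: id="0003" method="CONNECT" srcip="10.50.1.38" user="" statuscode="407" request="0xd8ef8600" url="yqlmailapps.query.yahoo.com/" authtime="1" ua="Mozilla/5.0"
2017:09:22-13:50:52 sophostn-2 httpproxy[25718]: id="0001" method="CONNECT" srcip="10.50.1.38" user="user.name" statuscode="200" request="0xd8ef8600" url="yqlmailapps.query.yahoo.com/" authtime="412" ua="Mozilla/5.0"
"""

# key="value" pairs; keys may contain hyphens (e.g. app-id)
KV_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')

def parse_line(line):
    """Turn one httpproxy line into a dict of its key="value" fields."""
    return dict(KV_RE.findall(line))

def classify_407s(log_text):
    """Pair 407s with a later authenticated 200 for the same client,
    request id and URL; anything left over is an unanswered challenge."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    counts = Counter(e["statuscode"] for e in events)
    # Authenticated 200s indexed by the key a matching 407 would carry.
    # The thread's first example shows the 407 and 200 sharing request=...
    ok = defaultdict(int)
    for e in events:
        if e["statuscode"] == "200" and e.get("user"):
            ok[(e["srcip"], e["request"], e["url"])] += 1
    paired, orphans = 0, []
    for e in events:
        if e["statuscode"] != "407":
            continue
        key = (e["srcip"], e["request"], e["url"])
        if ok[key] > 0:
            ok[key] -= 1          # consume one 200 per 407
            paired += 1
        else:
            orphans.append({"srcip": e["srcip"], "url": e["url"],
                            "method": e["method"], "ua": e["ua"]})
    return {"total_407": counts["407"], "total_200": counts["200"],
            "paired": paired, "orphans": orphans}

if __name__ == "__main__":
    r = classify_407s(SAMPLE_LOG)
    print(f"407s={r['total_407']} 200s={r['total_200']} paired={r['paired']}")
    for o in r["orphans"]:
        print("unanswered challenge:", o)
```

Run it against a real /var/log/http.log extract to see which srcip/ua pairs never complete authentication; those are the clients worth exempting or fixing rather than the paired 407s, which are just the expected first leg of SSO.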