A colleague reported a strange issue with our internal DevOps (old TFS) server. One of the links appears to malfunction. My testing indicates that this link only malfunctions when the UTM is used as the middle-man for accessing the server (i.e. if I create a HOSTS file entry and attempt to connect to the target server directly using the same URL the issue is gone).
The link in question looks similar to this (note that the example has been "anonymized"; I've also replaced https with hxxps to prevent this community forum from formatting the text as links):
Note the %2F in the link, which is a URL-encoded dash symbol. Why it's encoded in this way, I have no idea. Perhaps unsurprisingly the same page can be accessed via:
So in other words, DevOps IIS can handle both versions of the dash - unencoded as well as encoded.
Unfortunately, this seems to be UTM-related since the target server itself can handle its own weird link fine, and I have no idea how to potentially tackle this one (outside of not using the Webserver Protection feature at all, and just giving direct access to the server via a NAT rule).
EDIT: I've managed to resolve the issue using URL Rewrite on the DevOps IIS server. But I would still like to know if there's a potential fix on the UTM side of things...?
Note that the error message when attempting to access the link without URL Rewrite seems to be from UTM (I think?) and already formats the %2F into a dash. In other words, accessing the initial link would result in a "The requested URL /ARP/ProjectXYZ/_build/results was not found on this server." error message.
Also, I found that any dash after the host name can be replaced with %2F and IIS will treat it correctly, while UTM's proxy will fail.
EDIT 3: Apparently I'm not the first person to discover this issue, and the above is likely similar to the following:
Unfortunately I'm not 100% sold on the suggested "fix" described in that thread. I would feel a lot better if the setting was available from the UI itself.
Hi Mateusz Bender
I guess this is a known issue with the UTM 9 WAF. The known bug ID is NUTM-4996, and it is published under the KIL (Known Issues List), which you can find in this KBA: Known Issues List for Sophos Products. Download the Excel file, go to the UTM 9 sheet and search for the bug ID NUTM-4996.
In reply to Jaydeep:
Well... at least I know it's a known bug and I was able to work around it (or at least this one, very specific instance) using URL Rewrite on IIS...
In reply to Mateusz Bender:
I'm glad that you were able to find a workaround.
I spoke too soon. I guess I was too hasty in my tests, but apparently the URL Rewrite didn't help at all. Perhaps I was testing this from the wrong server somehow. :(
Hi Mateusz Bender
Is it possible for you to speak to Sophos Support for this issue? Maybe they can provide a workaround I'm not aware of.