Sophos Web Appliance SMBv1 Dependency.

Hi,

I would like to ask:

Would there be any development in Sophos Web Appliance that supports SMBv2 or above?

A friend of mine disabled SMBv1 (in response to the WannaCry ransomware), which makes the Active Directory integration no longer work.

They are also aware of this KB.

https://community.sophos.com/kb/en-us/126757


Thanks,

tech

  • We are in the process of upgrading the SMB/AD integration components on the Web Appliance and will be publishing an update to the product as soon as that work is complete and fully tested. This will allow the SWA to connect to AD services that have disabled SMBv1.

    We hope to do this before the end of July.

  • This SMBv1 dependency is puzzling me.

    We disabled SMBv1 the very moment SMBv2 appeared (hear me cough), more than 10 years ago ... It was not because of WannaCry. It was because everyone already knew back then that SMBv1 was a security nonsense. Heck, we knew it was well before 2000 ... And on top of that, SMBv2 was overdue, very late, and already outdated when it was released ...

    Does Sophos know that SMB v3 (knowing 3.0 is actually 2.2) is at its fourth iteration?

    Jesus help us !!!

    Paul Jr Robitaille

  • In reply to RichBaldry:

    Ok ...

    No Sophos fix on the horizon.

    Would it be possible to at least publish a guide to harden networks (assuming a hypothetical basic and simple network) as much as possible in such a regrettable situation?

    What needs to have SMBv1 re-enabled?
         Domain controllers?
         File servers?
         Database servers?
         Desktops?
         Anything that accesses the Sophos Firewall?
         Anything that accesses the Sophos Web Gateway proxies?
         Exchange servers with or without PureMessage?

    What Windows Firewall rules can we push (via GPO or otherwise) to limit such nonsense as much as possible?
         Inbound rules?
              On which machines?
                   DCs, desktops, anything else?
         Outbound rules?
              On which machines?
                   DCs, desktops, anything else?

    A starting point here. Scroll down to the third post, from M. Andy Pan.
    https://social.technet.microsoft.com/Forums/en-US/6cdee681-7f92-4562-be36-539f458fda58/firewall-rules-to-allow-smb1-to-specific-ip-addresses?forum=winserverNIS
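The post above asks which firewall rules to push and where. The following is an added example (not from the thread, not Sophos's or Microsoft's guidance) of how a practitioner would scope SMB on a domain controller to a known list of peers and audit remaining SMBv1 use before deciding what must keep it. The appliance addresses, the management subnet and the rule name are assumptions; replace them with your own. The `Set-SmbServerConfiguration -AuditSmb1Access` switch exists on Windows Server 2016 and later, and the feature-removal cmdlet differs between client (`Disable-WindowsOptionalFeature`) and server (`Remove-WindowsFeature FS-SMB1`).

```powershell
# Added example: scope inbound SMB (TCP 445) on a domain controller to the
# appliances and the admin subnet, audit who still negotiates SMB1, and turn
# SMB1 off on members that never need to serve it.
# Run elevated on the DC. Addresses and names below are assumptions.

$SwaAddresses = @('192.0.2.10', '192.0.2.11')   # Sophos Web Appliances (assumed)
$AdminSubnet  = '192.0.2.0/24'                   # management subnet (assumed)

# 1. Disable the broad built-in inbound SMB rules so the scoped rule below is the
#    only path to TCP 445 on this host.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Disable-NetFirewallRule

# 2. Allow SMB inbound only from the appliances and the admin subnet, domain
#    profile only. The same rule can be authored in a GPO under
#    "Windows Defender Firewall with Advanced Security" to push it to all DCs.
New-NetFirewallRule -DisplayName 'SMB-In from SWA and admin subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress ($SwaAddresses + $AdminSubnet) `
    -Profile Domain -Action Allow

# 3. Audit SMB1 sessions before (or instead of) re-enabling SMB1 more widely.
#    Events land in the Microsoft-Windows-SMBServer/Audit log, event ID 3000,
#    with the client address that negotiated SMB1.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 4. Show which dialect current client sessions actually negotiated:
#    a Dialect of 1.x means that peer still depends on SMB1.
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, Dialect

# 5. On members that never need to serve SMB1 (desktops, database servers),
#    switch the protocol off and remove the feature.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
# On Windows Server use instead:  Remove-WindowsFeature FS-SMB1
```

The audit log (step 3) answers the "what needs SMBv1 re-enabled?" question with data rather than guesswork: leave SMB1 enabled only on the hosts that show up there with a peer you cannot upgrade, and keep the scoped 445 rule in front of them.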

  • In reply to RichBaldry:

    Rollout of v4.3.3, with SMB v2 support, started this week. We are rolling it out gradually to customers over the next few weeks.

  • In reply to RichBaldry:

    I've noted that already, 2 days ago.

    Gradually meaning randomly, or meaning Sophos targets particular hardware or OVA first?

  • In reply to Big_Buck:

    All our SWA releases are published to appliances in stages, with each stage making the release available to larger groups of customers. Group selection is pretty much random, although we generally use the same groupings across a number of releases.

  • In reply to RichBaldry:

    4.3.3 installed on both of our Web Gateways. Authentication to the domain still fails.

    Same errors, including "No Netlogon share found". Worry not, the share is there ...

    Any firewall rules to set up on DCs and desktops to make 4.3.3 work?

  • In reply to Big_Buck:

    I have just shut down the firewall on all of my DCs to test the connection. Same errors.

  • In reply to Big_Buck:

    Can you please enable Remote Assistance and we'll connect to your SWA to investigate.

  • In reply to RichBaldry:

    Done. Both appliances are enabled for support. Case open. Support can reach me by phone anytime tonight and tomorrow.

  • In reply to Big_Buck:

    OK. Here's our status as of Friday night. It may help someone ... Sophos support called to help. We tried the same procedure as on 2017-9-7 6:28 PM. Same error as in both screenshots we posted then.

    We subsequently unchecked "Auto-detect advanced settings". Even though "Verify Settings" failed, the fields were filled in correctly. Then we changed port 3268 to port 389. "Verify Settings" finally succeeded.

    We put 3268 back afterward. "Verify Settings" failed at first, but succeeded at the second attempt. Our other SWG (we have more than one) succeeded in returning to port 3268 immediately. Which means it succeeded at joining the domain.

    Observations:  

    1- Maybe returning to 3268 on the first SWG failed because we didn't leave enough time to the appliance before we clicked "Apply".

    2- In my Windows domain controller logs, not a single 389 or 3268 request was dropped. We even tried to join the SWG to AD with all firewalls deactivated on all domain controllers. It is clearly not a question of firewalls.

    3- Sophos requirements say UDP 3268 should be activated. We were not able to catch any such request on any of our firewalls for as far back as we can read logs. Furthermore, UDP 3268 is barely mentioned on Google, and I haven't found docs on Microsoft's web site yet. This requirement seems to be an error. TCP 3268, as it should be, is frequently requested (by other devices as well).

    4- Why Sophos does not use LDAPS, port 3269, instead of unsecured LDAP, port 3268, is beyond me.

    I understand 4.3.3 is a beta version.
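The status report above narrows the problem to which AD ports the appliance can actually reach and whether the Netlogon share is visible. The following is an added example (not from the thread, not Sophos support's procedure) of a check a practitioner would run from a domain-joined Windows host against a DC before opening a support case. `$Dc` is an assumed name; the Global Catalog ports 3268 and 3269 answer only on DCs that hold the GC role, and the final `Get-ADDomainController` call needs the RSAT ActiveDirectory module. For the record, the LDAP ports Active Directory listens on are TCP 389, TCP 636, TCP 3268 and TCP 3269, plus UDP 389 for CLDAP; `Test-NetConnection` tests TCP only, so UDP is not covered here.

```powershell
# Added example: probe the AD ports a DC answers on, confirm the NETLOGON and
# SYSVOL shares are reachable, and show which SMB dialect this host negotiated.
# $Dc is an assumption; substitute the DC the appliance is pointed at.

$Dc = 'dc1.example.com'   # assumed DC / Global Catalog name

# Service -> TCP port. 3268/3269 exist only on Global Catalog servers.
$Ports = [ordered]@{
    'Kerberos' = 88
    'LDAP'     = 389
    'SMB'      = 445
    'LDAPS'    = 636
    'GC'       = 3268
    'GC-SSL'   = 3269
}

# 1. TCP reachability of each port (no UDP: Test-NetConnection is TCP only).
$portResults = foreach ($name in $Ports.Keys) {
    $open = Test-NetConnection -ComputerName $Dc -Port $Ports[$name] `
                -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $name; Port = $Ports[$name]; TcpOpen = $open }
}
$portResults | Format-Table -AutoSize

# 2. The shares the appliance complains about. Test-Path over UNC exercises the
#    same SMB negotiation the appliance has to complete.
foreach ($share in 'NETLOGON', 'SYSVOL') {
    [pscustomobject]@{ Share = "\\$Dc\$share"; Reachable = Test-Path "\\$Dc\$share" }
}

# 3. Which SMB dialect did this host negotiate with the DC? 1.x means SMB1 is
#    still being used; 2.x or 3.x means the DC serves the shares without SMB1.
Get-SmbConnection -ServerName $Dc | Select-Object ServerName, ShareName, Dialect

# 4. Confirm the DC actually holds the Global Catalog role; if it does not,
#    3268/3269 will never answer and only 389/636 can work.
Get-ADDomainController -Identity $Dc | Select-Object HostName, IsGlobalCatalog
```

If 3268 shows closed in step 1 while 389 is open, point the appliance at a DC that reports `IsGlobalCatalog` true rather than falling back to 389, so that searches still cover the whole forest.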

  • In reply to Big_Buck:

    So how exactly was this issue fixed??

    We have the exact same issue - saying no Netlogon share was found. I don't get it....

  • In reply to LeeWilloughby:

    It is not fixed. Still cannot connect to Windows 2016 Active Directory.

  • I have the same problem, and I just removed the last "." character in the fields "Primary Domain Controller", "Active Directory Kerberos Server" and "Active Directory LDAP Server"; then it worked, strange, heh.

  • In reply to Wiwin Adriansyah:

    ... and you will do the same later on and it will fail that time???