Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Internal traffic blocked by authentication ntlmauth

New XG deployment running SFOS 18.0.4

I have my primary internal network 192.168.10.x

I have a production VLAN 192.168.50.x

I have a firewall rule that allows ALL traffic between these 2 private networks. No user authentication. No web filtering. Plain vanilla firewall rule.

From a computer on the primary network I open a web browser and browse to a web page on the production network. Example:  http://192.168.50.14

Using Google Chrome or Firefox. Immediately I get redirected to this URL > sophosxg.mydomain.com:8091/ntlmauth.html

First question is why is the xg trying to apply ANY sort of authentication between internal networks? (Both networks are in the LAN zone)

Interestingly: If I open Microsoft Edge browser and go to 192.168.50.14 immediately the page loads as expected.  If I jump back to Chrome or Firefox and try to browse to that same site, now it works.   Maybe 20 minutes later I try again on Chrome or Firefox, and it fails again.  Hop over to Edge, page loads fine.

I have an active support ticket with Sophos and have demonstrated this to 3 or 4 techs and after lengthy remote sessions they all agree on the same thing:  This should not be happening.

Anyone else experiencing this? Any suggestions?

I am using Active Directory SSO using Kerberos and NTLM. But isn't this ONLY supposed to come into play when going to the Internet? Plus, as I mentioned, my firewall rule that allows traffic between internal LAN has the "Match known users" option unchecked.



This thread was automatically locked due to age.
Parents
  • Its a issue with NTLM in your setup.

    The browser is using HSTS to open this page as HTTPS of NTLM of XG. Hence XG will drop it, as NTLM requires HTTP. 

    See this discussion for more reference: https://community.sophos.com/xg-firewall/f/discussions/118573/set-up-kerberos-in-v18/451140#451140

    XGs goal is to have the NTLM/Kerberos all the time. It will store the information after the first succesful auth. So basically it should work if you first go to the internet. 

    You cannot disable Kerberos for particular requests. 

    Fix the HSTS Issue and it should not be a problem. 

    __________________________________________________________________________________________________________________

  • It's a bit difficult to understand that post because part of it looks like it was written in another language and then translated. But ... it appears what you are describing in that post is EXACTLY what is happening to me. I have literally spent HOURS with Sophos support and so far no one knows why this is happening. Are you available to assist with my case? Case number is 03532264. This is having a major impact on my network.

    I do not want to disable Kerberos (I actually prefer it wherever it can be used). But I don't know what you mean by 'fix the HSTS issue'.

Reply
  • It's a bit difficult to understand that post because part of it looks like it was written in another language and then translated. But ... it appears what you are describing in that post is EXACTLY what is happening to me. I have literally spent HOURS with Sophos support and so far no one knows why this is happening. Are you available to assist with my case? Case number is 03532264. This is having a major impact on my network.

    I do not want to disable Kerberos (I actually prefer it wherever it can be used). But I don't know what you mean by 'fix the HSTS issue'.

Children
  • Its not translated at all... It simply from the top of my head. If a translation tool write bad english like mine, that would be sad... 

    Lets recap: HSTS is a tool of the browser to "always use HTTPS, if possible". 

    As your hostname is sophosxg.mydomain.com, there could be a use case, where you open this page with HTTPS (User Portal? Webadmin? etc.). This will be stored into the local HSTS Cache. 

    Now you open a browser and try to access a website (internally). XG notice, your client is not authenticated, hence sends you a redirect to NTLM page. The client notice the redirect on http, but HSTS in the browser forces the client to use HTTPS://  This will lead into a page unload as the NTLM redirect has to be HTTP://

    How to solve this? You should figure out, which URL also uses the hostname and try to change to another FQDN/DNS. Essentially this is one of the easiest ways to fix this. Sophos is still investigating, how to fix this "for every customer". As this is a HSTS issue within the client, we need to figure out, what we can do about this. 

    __________________________________________________________________________________________________________________

  • By the way: For those here in this Thread: The HSTS Situation with Port 8091 and HTTPS is addressed in V20.0 MR2. 

    __________________________________________________________________________________________________________________