
SPX Portal Not Working

Trying to get SPX email encryption working. Sophos XG Home v 18.0.4-MR4

The email protection is set up as MTA mode. Normal email routing and delivery is working fine.

I've created the SPX template and when I try to send an email with the SPX header set to yes, the firewall holds the emails in quarantine as it should since the user has not created a password yet, and sends the SPX registration email, which is received by the end user. The link in the email is correct. The link properly resolves to the firewall's WAN interface IP.

However, clicking on the link results in a 'This Site cannot be reached' page.  Reason:  Connection Refused.

When I do a packet capture on the firewall, I see the request coming in on the correct port, and the status for the packet is 'Consumed'.

Nothing is logged on the firewall report indicating anything is dropping or rejecting the request.

I'm stumped here.  Tried rebooting the firewall, recreating the SPX template, re-configuring the encryption settings.  

Any help would be appreciated.



This thread was automatically locked due to age.
  • Can anyone confirm if this is a bug or if it's a limitation on the XG Home license? 

    Basically, I'm still stuck where the SPX portal is only available if I use the template to have ALL emails I send be encrypted, but the portal doesn't appear to work if you want emails to be conditionally encrypted (i.e. via Outlook plug-in or via setting the SPX-X Header to 'Yes').

    It seems to me that without the template telling the device to encrypt all emails, it never starts the portal service.

    At this point I'd just like to know if it's a known bug or a known limitation with the current firmware(s) or home license.

  • Hi. This functionality of having SPX encryption working with the Outlook Add-in (setting a value on the SPX-X header) on the XG has been reduced.

    To apply this SPX template in MTA mode, you must select the template in the SMTP route and scan policy under Domains and routing target or Data control list.

    Help section updated with reference to same:

    docs.sophos.com/.../EmailEncryptionMTA.html

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.

  • Hi: Please verify the settings on your XG as per the last comment above and confirm the status of the SPX portal.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • I'll try this later today. Looking through the updated online documentation, I think using a DP policy will work for me if the Outlook plugin functionality has been reduced. But I will let you know.

  • I can confirm that using a Data Control Policy does work.  I tested with a custom Data Control Policy with just the 'Sensitive Content Marker  (Global)' CC selected in it.  This triggers an encrypted email anytime I place the string 'CTRL:XX' in the subject or body.  The Portal is available and all seems to be working.  Emails without that string in them are sent unencrypted.

    Thank you very much.

  • Hi: Thanks for sharing this latest update, and I am glad you managed to fix the issue based on the shared information.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Hi Vishal_R,

    I can confirm that the information helps and that the portal is now available. While this block is only for incoming mail, I cannot see why this setting then ensures that the portal is accessible. Unfortunately, the configuration is not very intuitive at this point.

    I have an additional question: Is it possible that the URL to the portal in the mail and the PDF point to the FQDN as selected in the configuration? It is very difficult to get an SSL SAN CA with IP support unless you are the owner of the ASN block. In most cases the IP subnet is provided by your internet provider. Meanwhile, some clients reported that their spam filter matches against the IP and port in this URL, so the mail ends up in spam or is marked as spam, which is not an advantage for secure and trustworthy communication.

    Thanks, Tobias

  • Hi. As per current working, setting up the Hostname in SPX portal settings, which usually points to the external IP of the Sophos XG Firewall, will not change the IP to Hostname for the SPX Portal link sent to recipients.

    Please find the related feature request here. You may add your vote and keep this thread in your watch list.

    You may also raise this request with your Sophos Partner/Account Manager for higher priority.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • Ok, I already thought so. I've already seen the feature request and voted for it. Another forum thread mentioned "There is an existing feature request to support FQDN for the Captive Portal and it is already currently under review. We should see host names/FQDN's for portals supported soon!" but this was over 3 years ago. Disappointed
