
DPI / TLS scanning exception issue with d1/d2/d3.sophosupd.com when installing Intercept X for Mac

Hi,

Today we're facing something new: issues when rolling out the Sophos Endpoint to MacBooks. Windows endpoints: no problem.

They fail to install. Workarounds like https://support.sophos.com/support/s/article/KB-000044045?language=en_US were unsuccessful.

When we put them into the Guest WiFi with no XG TLS decryption, they install immediately.

We could not find anything helpful in the install logs; there is nothing logged by the Mac installer in /var/log/install.log or /var/log/system.log.

When working in the Guest WiFi, we can see in the firewall log that they are downloading a bunch of stuff, all over unencrypted HTTP connections:

184.30.25.172,Software Updates,d3.sophosupd.com/.../sdds.ixdata.xml

184.30.25.172,Software Updates,d2.sophosupd.com/.../e7ab79122d4ed04125ffa2d788fad371x000.xml

184.30.25.172,Software Updates,d1.sophosupd.com/.../9e6f799da98647181e68ffd70c4c50e9x000.xml

184.30.25.172,Software Updates,dci.sophosupd.com/.../c593902213ad9c5e6c22aa72ae213505.dat

All from the same IP, with different SNI.

When they fail to install while in the corporate LAN, I can see no blocked firewall packets, but in the TLS log I see errors due to

"Server did not respond to client hello"

I can simulate this. I can browse to those websites and get the Akamai website content without error, but the XG TLS logs show the same TLS error.

Manual test opening in browser:

Of course those websites are all excluded from TLS / DPI scanning - with the default rule and also the matching firewall rule has no https decryption enabled.


Exception group:

TLS exception:



  • Likely this could be an issue with your connection as well. That is the reason to check the tcpdump. If we see a reply, the firewall is doing the blocking. If we see no replies at all, this could potentially mean your ISP or the service is blocked. But as nobody right now is reporting this issue, this could mean your ISP does something with those packets, or potentially the packets get corrupted by the DPI.

    There are a lot of IFs right now. I would not say, this is a general issue. 

