Reflexion will be End-of-life on March 31,2023. See Sophos Reflexion EoL FAQs to learn more.
We try to register an AP55 to Sophos Wireless - works like a charm when working without the XGS
When connection the AP55 behind the XGS we always receive a Timeout and the log entry (SSL/TLS inspection):
sophos.com and all necessary other sites and ports are open and excluded from SSL/TLS inspection, equally sophos.com and all other necessary sites are allowed (i can see the log entry in the firewall log that access to wifi.cloud.sophos.com is allowed) but registration times out.
As we tried to connect without the XGS the AP has the actual updated firmware.
Any ideas which rules/exclusions to build and get the registration running?
Do you have Wireless Protection enabled on that XGS-system? You should disable XGS-Wireless when using Sophos Central Wireless, both won't work togehter in the same network.
Mit freundlichem Gruß, best regards from Germany,
New Vision GmbH, GermanySophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Wireless Protection is disabled
Do you have the transparent webproxy in place?
No, no web-policies in any fw-rule active
(We are migrating from UTM to xg and at the moment there is no user active, so no actual web-surfing ;)
I was talking about the Proxy, which is configured under "Protect / Web / General settings"
Thanks for that point
We got them running - Problem was the FQDN-Configuration (allowing the APs to reach Central) - only some of them can be defined with wildcards (e.g.: *.prod.hydra.sophos.com works, but *.sophos.com won't work for wifilogs.sophos.com)
[FQDNS following this article Sophos Central Wireless: Network requirements]
Problem solved ;-)
thanks for posting the solution.
I can confirm it happens from time to time, that Sophos' own FQDN hosts stop working and you need to allow the full FQDN (if possible) or move some sub-domain levels up - like going from *.sophos.com to *.prod.hydra.sophos.com.