[8.960][ANSWERED] Issue with Sophos Endpoint Update behind firewall and proxy...

This may be related to this old post here:  https://community.sophos.com/products/unified-threat-management/astaroorg/f/77/t/64660

Anyway, tinkered with having a client using another proxy (not the Beta UTM, another ASG in this case, but I feel it would apply to any mobile worker behind any other proxy) as configured in IE and as the system proxy (on Vista, used netsh winhttp import proxy function to set this), with a firewall configuration that does not allow direct outbound traffic on port 80 or 443 (all web traffic has to go through the proxy), proxy not operating in transparent mode... found that while I could install the Endpoint client, it could not update, as it was trying to go directly to d3.sophosupd.com ... if I look at the client settings, there does appear to be a place to enter proxy information, but it is unconfigurable, even with tamper protection disabled.

This could potentially be a problem for remote or local users behind a proxy and firewall that does not have a specially configured exception for the sophos update site... is there a fix for this?
  • I did find a place to manually enable the client proxy to be configured...

    C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg

    Change the "AllowLocalConfig" option under [PPI.ProxyConfig_Primary] to 1 .. then the box is enabled in the client.

    I'm thinking maybe a simple solution would be to add the option to preconfigure this for different groups of computers from the UTM side... perhaps for the Primary and/or Secondary connections (Primary using Proxy, Secondary direct, maybe, for when a user roams to a hotel, Starbucks, etc.).

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
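
Added example (not part of the original thread and not Sophos code): a PowerShell script that makes the `AllowLocalConfig` change described in the post above, so it can be pushed by a deployment tool instead of edited by hand on each client. It assumes `iconn.cfg` is INI-style text (`Key = Value` lines under `[Section]` headers) in the default Windows encoding and that the script runs elevated; the helper name `Set-IniValue` is hypothetical.

```powershell
# Added example, not Sophos code. Assumes iconn.cfg is INI-style text
# ("Key = Value" lines under [Section] headers) in the default ANSI encoding.
param(
    [string]$Path    = 'C:\ProgramData\Sophos\AutoUpdate\Config\iconn.cfg',  # path from the post
    [string]$Section = 'PPI.ProxyConfig_Primary',
    [string]$Key     = 'AllowLocalConfig',
    [string]$Value   = '1'
)

# Hypothetical helper: set Key=Value inside one section only, leaving every
# other section (e.g. a secondary connection) untouched.
function Set-IniValue {
    param([string[]]$Lines, [string]$Section, [string]$Key, [string]$Value)

    $out       = New-Object System.Collections.Generic.List[string]
    $inSection = $false
    $done      = $false
    $keyRegex  = '^\s*' + [regex]::Escape($Key) + '\s*='

    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            # Leaving the target section without having seen the key: append it first.
            if ($inSection -and -not $done) { $out.Add("$Key=$Value"); $done = $true }
            $inSection = ($Matches[1] -eq $Section)
        }
        elseif ($inSection -and -not $done -and $line -match $keyRegex) {
            # Keep the original spacing around "=", replace only the value.
            $line = $line -replace '(=\s*).*$', "`${1}$Value"
            $done = $true
        }
        $out.Add($line)
    }
    if ($inSection -and -not $done) { $out.Add("$Key=$Value"); $done = $true }
    if (-not $done) { throw "Section [$Section] not found in config" }
    return ,$out.ToArray()
}

$original = @(Get-Content -LiteralPath $Path -ErrorAction Stop)
$updated  = Set-IniValue -Lines $original -Section $Section -Key $Key -Value $Value

if (($original -join "`n") -ceq ($updated -join "`n")) {
    Write-Output "$Path already has $Key=$Value in [$Section]"   # idempotent re-run
} else {
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force  # rollback copy
    Set-Content -LiteralPath $Path -Value $updated
    Write-Output "Updated $Path (backup: $Path.bak)"
}
```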

  • Hi Bruce,
    thank you for the reminder to add the proxy bypass to my mobile UTM.

    Ian
  • You're welcome [:)]


  • How is this labeled "Answered"? The original issue still exists... it is not practical to do this manual change for many clients for a deployment...


  • Hi BrucekConvergent,

    I marked the thread as ANSWERED because independently of which type of proxy you use (even if it's not one of our products) you have to define a proxy bypass for the Sophos LiveConnect servers. This bypass is necessary due to the endpoint's functionality and method of communication with Sophos LiveConnect.

    So if you'd like to use this feature you don't really have a choice but to define such a bypass. For this reason the UTM combines all functionalities to ensure a smooth usage with no further configuration.

    Cheers,
    Cristof
  • The issue is that it's not currently simple to deploy the client with these settings; one has to manually edit a config file on each client... we need a central method of configuring this... I haven't looked yet, but I'm pretty sure the regular Sophos AV Management Console can do this.
