
IE Slow Behind Sophos

Hi everyone,

I have had an issue with IE on all computers behind our Sophos UTM box for over 2 years now. We simply accepted the issue and moved on. The issue is, when browsing to a webpage, IE takes forever to load! This issue doesn't affect any other browser but our tools require Active X's to work so we are forced to use IE. I have tried:

Turning off IPS

Turning off Web Protection

Turning off Application Control

Creating QOS Rules

Resetting winsock on our PCs

And many more things!

 

I've looked at every log possible and I can't seem to figure it out. Sophos has a lot of great features, a lot of which we use, but this issue is starting to get worse and is going to force us to go with another vendor. The workstations we use vary from Win7 to Win8. Sometimes they have the issue, sometimes they don't.

We currently run IPS, Web Protection, Application Control. 

IPS has never been messed with besides adding our networks

Web Protection has never been messed with. Runs in Transparent mode with no authentication and doesn't block on authentication fail

Application Control has been turned on and blocks windows updates (windows updates break our tools)

We also use the sophos AV included with the UTM. We keep the UTM up to date, 9.411-3 running right now. 

 

I'm begging for help! I can't seem to find the issue!

 

Thanks

Brandon



  • Congratulations on your sleuthing.

    Host not found means that DNS is not resolving the way you want.   I suspect that it is querying your internal DNS servers and getting an internal address, but it is trying to use it as an external address.

    This link has Sophos recommendations for DNS configuration

    https://community.sophos.com/kb/en-us/120283

    The availability group adds some complexity, but the key issues are:

    On the Network Services... DNS... "Forwarders" tab, you want to use an external DNS server, such as Google's DNS at 8.8.8.8

    On the Network Services... DNS... "Request Routing" tab, you want to configure an internal DNS server for each internal domain.

    Google says that they set up their DNS because they have almost everything about DNS cached, so their servers can reply faster than the DNS servers offered by your ISP.   This performance benefit is why the Sophos document recommends using them.

    Another option is Norton ConnectSafe DNS, which returns a dead-end DNS result if they have a DNS name on their blacklist.   More info at https://dns.norton.com/   For businesses, no-cost registration is required.

    If you have enabled DNSSEC validation (on the UTM DNS global tab), try turning it off.   If you have DNSSEC enabled but use a DNS server that does not implement it fully, you could get non-existent host errors as a result.   Active Directory DNS servers have very limited support for DNSSEC.
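The forwarder and request-routing split described in the reply above can be checked mechanically. The following Python sketch is an added example, not code from Sophos or from any poster in this thread; the settings dictionary, its key names, the `corp.example` / `branch.example` domains and the 10.0.0.x addresses are constructed for illustration and are not a UTM export format.

```python
import ipaddress

def is_internal(addr: str) -> bool:
    # is_private covers RFC 1918, loopback, link-local and other non-global ranges
    return ipaddress.ip_address(addr).is_private

def audit_dns(settings: dict) -> list:
    """Return findings for a (hypothetical) description of the UTM DNS tabs."""
    findings = []
    # Forwarders resolve everything that is not request-routed: expect external servers
    for fwd in settings["forwarders"]:
        if is_internal(fwd):
            findings.append(f"forwarder {fwd} is internal; use an external resolver")
    # Request routing: every internal domain should go to an internal DNS server
    routes = settings["request_routing"]
    for domain in settings["internal_domains"]:
        targets = routes.get(domain, [])
        if not targets:
            findings.append(f"internal domain {domain} has no request route")
        for target in targets:
            if not is_internal(target):
                findings.append(f"request route for {domain} points at external server {target}")
    # Heuristic: validation plus routes to servers with limited DNSSEC support
    # can surface as non-existent host errors
    if settings.get("dnssec_validation") and routes:
        findings.append("DNSSEC validation is on while request routing is in use")
    return findings

# Constructed sample: internal and external servers swapped between the two tabs
SWAPPED = {
    "forwarders": ["10.0.0.10", "10.0.0.11"],
    "request_routing": {"corp.example": ["8.8.8.8"]},
    "internal_domains": ["corp.example", "branch.example"],
    "dnssec_validation": True,
}
# Constructed sample: layout matching the recommendations in the reply
RECOMMENDED = {
    "forwarders": ["8.8.8.8"],
    "request_routing": {"corp.example": ["10.0.0.10"], "branch.example": ["10.0.0.10"]},
    "internal_domains": ["corp.example", "branch.example"],
    "dnssec_validation": False,
}

if __name__ == "__main__":
    for name, cfg in (("swapped", SWAPPED), ("recommended", RECOMMENDED)):
        print(name, audit_dns(cfg) or "no findings")
```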

  • Hello,

     

    Thanks for the link to the guide! I followed it to a T. I tested a few workstations and it appears the issue is gone, but it's sporadic so it's possible that it's just not happening right now. I will let you all know what happens. We're a financial institution so I'd really like to be able to use IPS, but the issues it was causing are far more concerning to users.

     

    Thanks

    Brandon

  • Hi Brandon,

    nice to read that you found the issue. :)

    But I'm wondering why the other web browsers did not have the same problem, because the DNS queries work the same way, independently of which browser you are using. I guess that IE does something different because of some kind of protection.

    I suggest that you check the IPS log to identify the reason for your issue, and try to solve it (e.g. disabling the DNS server pattern). Or create an exception for the AD DNS servers.

    Jas

  • Hello,

     

    I did turn off "Automatically Detect Settings" under connections and LAN settings in IE. Not sure if that changed anything or not. I know before it didn't seem to have any effect with the Waiting for Page issue. I did follow that guide for the best case DNS settings and I had my internal servers where I should've had forwarders and vice versa.

     

    After all seemed well, I turned IPS back on and we haven't had any issues yet *knock on wood*. I think it was a combination of the DNS settings, Web Protection settings, and IE settings. I wish I could say what exactly it was but I changed so much that I really can't say. I do know the issue persisted even when completely disabling IPS, WebProtection, Application Control, etc.

     

    So currently, WebProtection is running in transparent mode (our tools run in IE with a few active X's and don't behave nicely when forcing IE to go thru a proxy and UTM in standard mode).

     

    Application Control is running, blocking all Windows Updates

     

    IPS is running with all defaults. 

     

    Our workstations use our internal DNS servers to resolve, then our servers use the UTM for DNS forwarding. The UTM uses Google DNS.

     

    Our workstations all have Sophos Endpoint AV installed with web control active.

     

    UTM is updated to the latest available packages.

     

    I will be sure to update this thread if I come across a direct fix for my issue. Thanks everyone for your help!

     

    Brandon 

  • Douglas, the DNS Best Practice article in the KnowledgeBase was copied from DNS best practice almost two years ago.  As you'll see in the Change Log in my post, I've added six improvements since the copy was taken.  If they're not going to maintain their article, they should delete the content and have it link instead to the post I improve based on comments made here.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • As DouglasFoster and Jas Man have said, Brandon, the entire problem was probably DNS.  As I mentioned above, there were some updates in DNS best practice that might be worth examining - I didn't look.

    A look in the Web Filtering log would have told you if ports other than 80&443 were seen by the Proxy.  If so, then disabling 'Automatically Detect Settings' might have been important, too.  In fact, if the client sees that a proxy is active and sends to it, the UTM Web Filtering Profile handles the traffic as if it were in Standard mode.

    Cheers - Bob

  • Hello everyone,

    This issue has returned but it is only happening at the site that utilizes a RED to full tunnel back to our UTM. Our main site that has our UTM isn't having any issues. Any ideas?

     

    RED Tunnel Compression is turned off.

  • I forgot to mention, the issue goes away if a machine at the RED site disconnects from our network and connects to a mobile hot spot.

  • Brian, do you mean the problem goes away for others at that site or that it goes away for the individual connected to a mobile hotspot?

    Cheers - Bob

  • Issue is gone! I restarted the RED and the site's core switch. I started running wireshark connected to the hot spot then connected back to the site's network to test and it seems to be working okay now. I hope the issue is gone for good!