This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

After updating to 9.501-5 SSO for HTTP authentication failed and domain join not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

 



This thread was automatically locked due to age.
Parents
  • Same problem here. Upgraded the firmware this morning and then the issue started.

  • Hello,

    A fix for this issue is coming in MR2 which will be available soon, we apologize for the wait. You can also contact Sophos Support who will be able to apply a hotfix.

    Thank you,

    Bob

  • I called support this morning and identified this issue to them.  After a remote session they said it is a confirmed bug with the UTM and I would need to bring it offline and restore the 9.412 iso image (RELOAD THE OS).  They said to call back in a week for an update.

     

    I have a call to my vendor to get a different firewall appliance.

  • You need a different vendor, Mark, someone that knows this stuff.  Just changing firewalls won't change the underlying problem.  The patch is available, and your reseller should have explained that to you and Sophos Support.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I assumed he meant that he's looking to get a different (as in non-Sophos) firewall. We are exploring the same now. Eleven days leaving us dead in the water with their under-cooked update and it's time to bail. Completely unacceptable.

  • Bob,  Below is the email I got from sophos tech support to resolve this issue.  If there is a hotfix please post a link so I can download it.  I will not call sophos tech support again.  They have no clue and are only interested in sending me KB articles and making sure they can close the ticket.  I have quotes for 2 different firewall appliances (that are NOT sophos) and we will be migrating to one of them in the next week or 2.  We will also be migrating away from the sophos endpoint security. 

     

    As per our phone cal conversation you can do one thing . You can downgrade the firmware to version 9.413 as it is most stable firmware version.

    Note: Before downgrading the firmware take the backup of the configuration at firmware 9.413 (Meaning the configuration back up of the UTM when it was at firmware 9.413)

    >To downgrade the firmware you need to re-image the device.

    Please follow the below Kb article to re-image the device.
    -----------------------------------------
    Article ID: 115879
    Title: How to re-image a Sophos UTM and Astaro Security Gateway (ASG) Appliance
    URL: http://sophos.com/kb/115879
    -----------------------------------------

    >Please follow the below link for downloading the 9.413 ISO file.

    http://downloads.sophos.com/inst_utm/QGeK8bWlc3ORMIN5o1TPkwZD01Mjk4/v9/hardware_appliance/iso/ssi-9.413-4.1.iso

    >After you re image the device all the configuration from the device will be wiped off.

    >After that when you are doing the installation part you just need to restore the backup which you have earlier downloaded or taken.

    >Alternatively , you can do one more thing 

    >You can re-join the AD on the UTM by the following methods as rejoining the AD solves the problem for some of the users(This is also a workaround).
    ---------------------------------------------------------------------------------------------------------------------
    GUI Method

    Navigate to Definitions & Users > Authentication Services > Single Sign-On.

    Enter the Admin username and Password and then click Apply.

    CLI Method

    To rejoin the domain from the CLI follow the steps below:

    Log into the shell of the UTM as the root user via SSH or console.
    Type the following command and substitute the specific information for your environment:
    cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5
    DOMAIN.LOCAL - Active Directory domain name
    adminbob - Administrative username in AD
    G3d0utahere! - Password in AD for adminbob
    172.16.1.5 - IP Address of Domain controller
    You create a cron job with this if needed but use /usr/local/bin/confd-client.plx instead of cc.

    --------------------------------------------------------------------------------------------------------------------------


    > Note :- And if you are using the GUI method you might have to do the process every morning and after that you would able to access internet with the web filter enabled.



    Please revert us with your response.

    Please contact us for further assistance.





    Regards,

    Dhruv Gupta
    Sophos Technical Support

     

  • Mark Payne said:

    Bob,  Below is the email I got from sophos tech support to resolve this issue.  If there is a hotfix please post a link so I can download it.  I will not call sophos tech support again.  They have no clue and are only interested in sending me KB articles and making sure they can close the ticket.  I have quotes for 2 different firewall appliances (that are NOT sophos) and we will be migrating to one of them in the next week or 2.  We will also be migrating away from the sophos endpoint security. 

     

    I feel your pain, although I have a wonderful reseller in GlobelinkUK, that cannot make up for the total incompetence of handling these issues at SOPHOS  and I have emailed all the way up to the top in the past and it just gets no better.

    I accept that there will always be bugs/problems with software, it's how they are handled which is important.

    in this case they created a KB article for this issue back on 26th May and did not pull the patch even one month on! and now they are inundated with unhappy customers like me waiting for GSS to apply the hotfix. 

    I have pointed out that the KB article does not even contain the actual error message  that appears in the log (which is the first thing I tried to google it) so it will not turn up on a google search for the error. Sophos acknowledged this yesterday on their twitter feed and yet still it hasn't been updated!

    In the past on major incidents they haven't even acknowledged the issues with a kb article and just wait for everyone to report the same known issue over and over again to support, blocking up the support lines.

Reply
  • Mark Payne said:

    Bob,  Below is the email I got from sophos tech support to resolve this issue.  If there is a hotfix please post a link so I can download it.  I will not call sophos tech support again.  They have no clue and are only interested in sending me KB articles and making sure they can close the ticket.  I have quotes for 2 different firewall appliances (that are NOT sophos) and we will be migrating to one of them in the next week or 2.  We will also be migrating away from the sophos endpoint security. 

     

    I feel your pain, although I have a wonderful reseller in GlobelinkUK, that cannot make up for the total incompetence of handling these issues at SOPHOS  and I have emailed all the way up to the top in the past and it just gets no better.

    I accept that there will always be bugs/problems with software, it's how they are handled which is important.

    in this case they created a KB article for this issue back on 26th May and did not pull the patch even one month on! and now they are inundated with unhappy customers like me waiting for GSS to apply the hotfix. 

    I have pointed out that the KB article does not even contain the actual error message  that appears in the log (which is the first thing I tried to google it) so it will not turn up on a google search for the error. Sophos acknowledged this yesterday on their twitter feed and yet still it hasn't been updated!

    In the past on major incidents they haven't even acknowledged the issues with a kb article and just wait for everyone to report the same known issue over and over again to support, blocking up the support lines.

Children
No Data