
After updating to 9.501-5, SSO for HTTP authentication failed and domain join is not working.

UTM 9.501-5

Windows server 2012 domain controller.

I installed the 9.5 update on June 2, did not see any issues with this for the client, updated to 9.501-5 on June 12 midnight, and Internet access is failing on multiple sites.

Can get to Google.ca

Cannot get to canada411.com - Too many http redirects message.

Turned off web filtering and the websites were available - but the client requires filtering.

Re-enabled and turned off AD SSO authentication and websites are available again with correct content being blocked.

Attempted to remove from and rejoin domain, but domain join failed.

 

Currently, I have the client functioning, but, I need to rejoin AD and resume SSO authentication.

 



  • Same problem here. Upgraded the firmware this morning and then the issue started.

  • Hello,

    A fix for this issue is coming in MR2 which will be available soon, we apologize for the wait. You can also contact Sophos Support who will be able to apply a hotfix.

    Thank you,

    Bob

  • I called support this morning and identified this issue to them.  After a remote session they said it is a confirmed bug with the UTM and I would need to bring it offline and restore the 9.412 iso image (RELOAD THE OS).  They said to call back in a week for an update.

     

    I have a call to my vendor to get a different firewall appliance.

  • You need a different vendor, Mark, someone that knows this stuff.  Just changing firewalls won't change the underlying problem.  The patch is available, and your reseller should have explained that to you and Sophos Support.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I assumed he meant that he's looking to get a different (as in non-Sophos) firewall. We are exploring the same now. Eleven days leaving us dead in the water with their under-cooked update and it's time to bail. Completely unacceptable.

  • Bob,  Below is the email I got from sophos tech support to resolve this issue.  If there is a hotfix please post a link so I can download it.  I will not call sophos tech support again.  They have no clue and are only interested in sending me KB articles and making sure they can close the ticket.  I have quotes for 2 different firewall appliances (that are NOT sophos) and we will be migrating to one of them in the next week or 2.  We will also be migrating away from the sophos endpoint security. 

     

    As per our phone call conversation, you can do one thing. You can downgrade the firmware to version 9.413 as it is the most stable firmware version.

    Note: Before downgrading the firmware, take a backup of the configuration at firmware 9.413 (meaning the configuration backup of the UTM when it was at firmware 9.413).

    >To downgrade the firmware you need to re-image the device.

    Please follow the below KB article to re-image the device.
    -----------------------------------------
    Article ID: 115879
    Title: How to re-image a Sophos UTM and Astaro Security Gateway (ASG) Appliance
    URL: http://sophos.com/kb/115879
    -----------------------------------------

    >Please follow the below link for downloading the 9.413 ISO file.

    http://downloads.sophos.com/inst_utm/QGeK8bWlc3ORMIN5o1TPkwZD01Mjk4/v9/hardware_appliance/iso/ssi-9.413-4.1.iso

    >After you re-image the device, all the configuration on the device will be wiped.

    >After that, when you are doing the installation, you just need to restore the backup which you downloaded or took earlier.

    >Alternatively, you can do one more thing.

    >You can re-join the AD on the UTM by the following methods, as rejoining the AD solves the problem for some of the users (this is also a workaround).
    ---------------------------------------------------------------------------------------------------------------------
    GUI Method

    Navigate to Definitions & Users > Authentication Services > Single Sign-On.

    Enter the Admin username and Password and then click Apply.

    CLI Method

    To rejoin the domain from the CLI follow the steps below:

    1. Log into the shell of the UTM as the root user via SSH or console.
    2. Type the following command, substituting the specific information for your environment:

       cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5

       DOMAIN.LOCAL - Active Directory domain name
       adminbob - Administrative username in AD
       G3d0utahere! - Password in AD for adminbob
       172.16.1.5 - IP Address of Domain controller

    You can create a cron job with this if needed, but use /usr/local/bin/confd-client.plx instead of cc.

    --------------------------------------------------------------------------------------------------------------------------

    > Note: And if you are using the GUI method you might have to do the process every morning, and after that you would be able to access the internet with the web filter enabled.

    Please revert to us with your response.

    Please contact us for further assistance.

    Regards,

    Dhruv Gupta
    Sophos Technical Support

     

  • Mark Payne said:

    Bob,  Below is the email I got from sophos tech support to resolve this issue.  If there is a hotfix please post a link so I can download it.  I will not call sophos tech support again.  They have no clue and are only interested in sending me KB articles and making sure they can close the ticket.  I have quotes for 2 different firewall appliances (that are NOT sophos) and we will be migrating to one of them in the next week or 2.  We will also be migrating away from the sophos endpoint security. 

     

    I feel your pain, although I have a wonderful reseller in GlobelinkUK, that cannot make up for the total incompetence of handling these issues at SOPHOS  and I have emailed all the way up to the top in the past and it just gets no better.

    I accept that there will always be bugs/problems with software, it's how they are handled which is important.

    In this case they created a KB article for this issue back on 26th May and did not pull the patch even one month on! And now they are inundated with unhappy customers like me waiting for GSS to apply the hotfix.

    I have pointed out that the KB article does not even contain the actual error message  that appears in the log (which is the first thing I tried to google it) so it will not turn up on a google search for the error. Sophos acknowledged this yesterday on their twitter feed and yet still it hasn't been updated!

    In the past on major incidents they haven't even acknowledged the issues with a kb article and just wait for everyone to report the same known issue over and over again to support, blocking up the support lines.

  • Clearly, it's too late to help you, Mark, but others may be able to benefit...

    Never call Sophos Support.  Email them only (support@sophos.com or utm-premium@sophos.com if you have premium support).  My response to the email above would have been short: "Please escalate urgently."

    Also, if your reseller isn't informing you about when you should apply Up2Dates, find a better partner for your Sophos products.  It's basic customer service and marketing 101 for products like these.

    Cheers - Bob
  • "Also, if your reseller isn't informing you about when you should apply Up2Dates, find a better partner for your Sophos products.  It's basic customer service and marketing 101 for products like these."

     

    Forgive me for expecting Sophos to test and support a product they sell and charge an annual licensing and support fee for.  I'll throw my reseller under the bus instead. 

     

    Or not.

  • I'm not excusing Support's failure with you - that definitely reveals an organizational problem.

    I'm just telling you what most of us do.  None of our clients have seen this bug because they're all on 9.413.  I've been in the IT world for 40+ years both in the USA and Europe and, for a complex product like this one, the approach I've described has always been the standard.  My wife is a storage administrator for a large organization with hundreds of terabytes behind an IBM SVC.  They plan their upgrades meticulously and they never put Operations at risk.  It has happened that IBM, to whom they pay a lot more money for support, has released buggy code that brought down the SVC at their backup site.  Once that was fixed and running for two weeks, the main data center was upgraded.

    With as many people as you have behind your UTM, I'm amazed that your reseller didn't get you on Hot-Standby and configured to reserve a node when applying Up2Dates.  Again, standard practice for professionals that know what they're doing.  I don't reserve a node on my clients' High Availability UTMs since I never tell them to Up2Date until I know it's safe.

    Cheers - Bob
  • In the other, active 9.5 thread, Steve Hart reports:

    "The patch seems to have solved the SSO issue.

    "Their internal tracking number on this issue was NUTM-7960. "

    Cheers - Bob
  • I recently had a Firewall in HA fail. During the RMA process I specified my required firmware as 9.4.14-2 and was advised against upgrading to 9.5 because of these known bugs. I received my new UTM Monday and lo and behold it was preloaded with 9.501-5. Someone at Sophos dropped the ball.

  • "The patch seems to have solved the SSO issue."

    Great but how do we get hold of it when Sophos don't reply to emails and fob you off on the phone

  • We had 2 SG135 UTMs die within 3 days.  One running 9.501 and 9.414.  We also asked for 9.414 or earlier, but they installed 9.501.  Very disappointing that they would roll out 2 horrible updates and then wait so long to roll out a fix...while still rolling out the broken updates.

  • TCF, in the past, we've seen plenty of issues with Up2Dated UTMs that did not occur on fresh installs.  If you want to experiment, try the following:

    1. On the 'Hardware' tab of 'Interfaces', set Virtual MACs to equal the real MACs for the NICs in use.
    2. Create a config backup and download it to a FAT32 USB memory stick.
    3. Insert the USB stick into the new 9.501 SG and boot it.  It will upgrade the 9.414 configuration as it imports it.
    4. Power down the 9.414 SG and move the cables to the new one.
    5. Check to see if you're having the SSO problem others are seeing.

    If that works with no problems, you're left with the choice of reimaging the 9.414 box with a new 9.501 ISO and losing your logs and reporting or re-imaging the new 9.501 unit with 9.414.  My choice would be the latter.  If you do notice any problems related to Active Directory in 9.414, the one-time fix in the following should get you back to normal: Sophos UTM: Httpproxy with AD-SSO authentication doesn't work with Internet Explorer and Chrome after upgrading to 9.5

    Cheers - Bob
  • In the USA, an end user with Premium Support should email utm-premium@Sophos.com. An end user without should email/call their reseller.

    In Europe, as I understand it, the first step for a reseller to get a case open with Sophos Support is to email their distributor, but an end user with Premium Support can email Support directly.

    Never call any support for any IT issue unless you have a separate support contract of five figures or more.  Always choose email or a web form.

    Cheers - Bob
  • We had the patch applied today, followed the instructions for the post-patch actions and now can't get the UTM to rejoin the domain.  Will report back when more fault finding has occurred.

     

    Stephen

  • Domain join resolved (do not include domain in the Administrator username) and proxy is now functioning normally.

     

    Stephen
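An added example, not from the thread and not Sophos code, that ties together the cron-job suggestion in the support e-mail earlier in the thread and Stephen's finding that the join only works with the bare administrator username. The e-mail's one-liner puts a domain administrator's password on the command line; dropped into a crontab, that password also ends up in root's shell history and in any backup or log that records the line. The POSIX sh wrapper below keeps the secret in a root-only file, refuses the DOMAIN\user and user@domain spellings before attempting the join, and has a dry-run mode that prints the command with the password masked. The credential file path and format, the script name ad-rejoin.sh and the crontab line are assumptions; that confd-client.plx takes the same arguments as cc is taken from the support e-mail.

```shell
#!/bin/sh
# Added example, not code from the thread or from Sophos.
# The support e-mail suggests putting
#   cc ad_join_domain DOMAIN.LOCAL adminbob G3d0utahere! 172.16.1.5
# into a cron job (with /usr/local/bin/confd-client.plx in place of cc).
# This wrapper keeps the password in a root-only file instead, and rejects
# the DOMAIN\user and user@domain forms that Stephen reports break the join.
#
# Assumed, not confirmed by the thread: the credential file path and format,
# and that confd-client.plx accepts the same arguments as cc (the e-mail says so).
# Credential file (mode 0600, owner root), one KEY=VALUE per line, e.g.:
#   AD_DOMAIN=DOMAIN.LOCAL
#   AD_USER=adminbob
#   AD_PASS='G3d0utahere!'
#   AD_DC=172.16.1.5
# Suggested crontab line:  0 6 * * * /usr/local/bin/ad-rejoin.sh --run

CRED_FILE="${AD_JOIN_CRED_FILE:-/etc/ad-join.cred}"
CONFD="${AD_JOIN_CONFD:-/usr/local/bin/confd-client.plx}"

# The UTM wants the bare account name; reject prefixed or suffixed forms.
bare_username() {
    case "$1" in
        ""|*\\*|*@*|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Only accept a credential file that no other user can read (the file is
# sourced below, so it must not be writable by anyone but root either).
cred_file_is_private() {
    [ -f "$1" ] || return 1
    perm=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$perm" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Load credentials, validate them, then either print the join command with
# the password masked (--dry-run, the default) or execute it (--run).
# Return codes: 0 ok, 2 bad credential file, 3 bad username, 4 missing field;
# in --run mode, otherwise the exit status of confd-client.plx.
ad_rejoin() {
    mode="${1:---dry-run}"
    cred_file_is_private "$CRED_FILE" || {
        echo "ad-rejoin: $CRED_FILE missing or not mode 0600" >&2
        return 2
    }
    AD_DOMAIN=""; AD_USER=""; AD_PASS=""; AD_DC=""
    # shellcheck disable=SC1090
    . "$CRED_FILE"
    [ -n "$AD_DOMAIN" ] && [ -n "$AD_PASS" ] && [ -n "$AD_DC" ] || {
        echo "ad-rejoin: AD_DOMAIN, AD_PASS and AD_DC are required" >&2
        return 4
    }
    bare_username "$AD_USER" || {
        echo "ad-rejoin: AD_USER must be the bare account name (no DOMAIN\\ prefix or @domain suffix)" >&2
        return 3
    }
    if [ "$mode" = "--dry-run" ]; then
        echo "$CONFD ad_join_domain $AD_DOMAIN $AD_USER ******** $AD_DC"
        return 0
    fi
    # The password is still an argument of the child process for the duration
    # of the join; this wrapper only keeps it out of crontab, shell history
    # and any log of this script's own command line.
    "$CONFD" ad_join_domain "$AD_DOMAIN" "$AD_USER" "$AD_PASS" "$AD_DC"
}

# Run only when invoked with a mode, so the functions can also be sourced.
case "${1:-}" in
    --run|--dry-run) ad_rejoin "$1" ;;
esac
```

Run it once as `ad-rejoin.sh --dry-run` before putting `--run` in cron, so a wrong file mode or a DOMAIN\adminbob username is caught with a clear message rather than a failed join. Prefer an account delegated only the rights needed to join the UTM's computer object over a domain administrator, since whatever is in that file is what an attacker with root on the appliance walks away with.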

  • Stephen, please show examples of what failed and what worked  - thanks!

    Cheers - Bob