
Endpoint Security and Control on Windows Server 2003

Hello everyone,

I want to install Endpoint Security and Control on a newly installed Windows Server 2003 Standard Edition, 32 Bit, Service Pack 2 with all patches. I can start the installation but then there is an internet connection error and the log file has the following content:

18.07.2015,10:54:31,Informationen,------------------ Beginning installation of Sophos Anti-Virus and AutoUpdate ------------------,
18.07.2015,10:54:31,Informationen,Setup-Version 2.10.4.5,
18.07.2015,10:54:31,Informationen,Command line: c:\dokume~1\admini~1\lokale~1\temp\sophos_bootstrap\setup.exe -server mcs1-4b68.broker.sophos.com -token *****************,
18.07.2015,10:54:31,Informationen,Setup-Programm wurde von C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\sophos_bootstrap gestartet,
18.07.2015,10:54:31,Informationen,Überprüfung auf vorhandene Installation von Sophos Anti-Virus oder Sophos AutoUpdate...,
18.07.2015,10:54:31,Informationen,Überprüfung des Anwenders auf Mitgliedschaft in Administratorengruppe...,
18.07.2015,10:54:31,Informationen,Assistent versucht, Informationen über den Anwender abzurufen...,
18.07.2015,10:54:35,Informationen,Starting the install sequence.,
18.07.2015,10:54:35,Informationen,Checking for internet connectivity...,
18.07.2015,10:54:38,Abgeschlossen,Successfully connected to the URL http://dci.sophosupd.com/.,
18.07.2015,10:54:38,Informationen,Checking for internet connectivity...,
18.07.2015,10:54:42,FEHLER,Failed to receive a WinHttp response. The error code was 122 (Der an einen Systemaufruf übergebene Datenbereich ist zu klein.).,
18.07.2015,10:54:42,FEHLER,Es konnte keine Internetverbindung hergestellt werden.,
18.07.2015,11:01:05,Informationen,------------------ Installation program finishing with code 143 ------------------,


I tested the installation on an older Windows 2003 Server system and got the same error. On a Windows XP machine I didn't have this error. When searching the internet it seems to be an SSL issue. On all other clients and servers the installation of the software worked fine.

I know that Windows 2003 is out of support by Microsoft but I use this license for testing.

Can you help me?

Thank you

TheExpert


  • OK I understand. The UTM doesn't automatically NAT or MASQ the DMZ when using a non-internet routable address. For the LAN it does it automatically because of the transparent proxy.
    Almost.  For any network that uses the web proxy, NAT will be automatic.  It's the Non-proxy traffic that needs the MASQ rule.  The same process is happening in both cases, just one is automatic and the other needs a manual rule created. 

    But why doesn't the transparent proxy work correctly for the DMZ?
    No idea, we don't have any information about specific settings in your UTM or UTM log entries.  Are you using the same Profile/Policy/Filter Action for the LAN and DMZ, or are they different?  What are you seeing in the Web Filtering log?
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • No idea, we don't have any information about specific settings in your UTM or UTM log entries.  Are you using the same Profile/Policy/Filter Action for the LAN and DMZ, or are they different?  What are you seeing in the Web Filtering log?


    I'm using the default policies and profiles so there's no difference between LAN and DMZ.

    The installation of Endpoint Security and Control was very tricky:

    1. When starting the installation the transparent proxy has to be skipped. The installation ends with the hint that the software will be fully installed when having an internet connection.

    2. Now unskipping the proxy: The software is downloaded and installed but the system is shown as offline on the UTM.

    3. Again skipping the proxy: Endpoint Security and Control is working and the system is shown as online on the UTM.

    Here is the MCSClient.log when skipping the proxy:
    2015-07-24T18:53:36.187Z [ 6080] INFO  CommandHandler::GetCommands The command handler is about to get commands from the server.
    2015-07-24T18:53:36.187Z [ 6080] INFO  PersistentList::Load About to load items from persistent storage in C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos\Management Communications System\Endpoint\Persist\Adapters.
    2015-07-24T18:53:38.515Z [ 6080] WARN  HttpServerImpl::GetAutomaticProxies Failed to get the automatic proxy configuration. The error code was 12180.
    2015-07-24T18:53:38.515Z [ 6080] INFO  ServerManager::EvaluateServers About to send request to server mcs1-4b68.broker.sophos.com/.../ep, using no proxy.
    2015-07-24T18:53:38.515Z [ 6080] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:53:40.437Z [ 5740] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 200.
    2015-07-24T18:53:40.437Z [ 5740] INFO  ServerManager::HttpCallback The server mcs1-4b68.broker.sophos.com/.../ep, using no proxy, responded with the HTTP result code 200.
    2015-07-24T18:53:40.453Z [ 5740] INFO  PersistentList::Save About to save items to persistent storage in C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos\Management Communications System\Endpoint\Persist\PreferredServer.
    2015-07-24T18:53:40.453Z [ 5740] INFO  ServerManager::HttpCallback The preferred server has changed to mcs1-4b68.broker.sophos.com/.../ep, using no proxy.
    2015-07-24T18:53:40.453Z [ 6080] INFO  CommandHandler::GetCommands About to send the request to the server.
    2015-07-24T18:53:40.468Z [ 6080] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:53:40.890Z [ 5784] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 200.
    2015-07-24T18:53:40.890Z [ 5784] INFO  CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 200.
    2015-07-24T18:53:40.890Z [ 6112] INFO  CommandHandler::AcknowledgeCommands The command handler is about to acknowledge commands.
    2015-07-24T18:53:40.890Z [ 6112] INFO  CommandHandler::AcknowledgeCommands There are no commands to acknowledge.
    2015-07-24T18:55:40.890Z [ 4192] INFO  CommandHandler::GetCommands The command handler is about to get commands from the server.
    2015-07-24T18:55:40.890Z [ 4192] INFO  PersistentList::Load About to load items from persistent storage in C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos\Management Communications System\Endpoint\Persist\Adapters.
    2015-07-24T18:55:43.156Z [ 4192] WARN  HttpServerImpl::GetAutomaticProxies Failed to get the automatic proxy configuration. The error code was 12180.
    2015-07-24T18:55:43.156Z [ 4192] INFO  CommandHandler::GetCommands About to send the request to the server.
    2015-07-24T18:55:43.156Z [ 4192] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:55:44.687Z [ 5784] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 200.
    2015-07-24T18:55:44.687Z [ 5784] INFO  CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 200.
    2015-07-24T18:55:44.687Z [ 4196] INFO  CommandHandler::AcknowledgeCommands The command handler is about to acknowledge commands.
    2015-07-24T18:55:44.687Z [ 4196] INFO  CommandHandler::AcknowledgeCommands There are no commands to acknowledge.
    2015-07-24T18:57:44.687Z [ 3844] INFO  CommandHandler::GetCommands The command handler is about to get commands from the server.
    2015-07-24T18:57:44.687Z [ 3844] INFO  PersistentList::Load About to load items from persistent storage in C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos\Management Communications System\Endpoint\Persist\Adapters.
    2015-07-24T18:57:46.937Z [ 3844] WARN  HttpServerImpl::GetAutomaticProxies Failed to get the automatic proxy configuration. The error code was 12180.
    2015-07-24T18:57:46.937Z [ 3844] INFO  CommandHandler::GetCommands About to send the request to the server.
    2015-07-24T18:57:46.937Z [ 3844] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:57:48.546Z [ 5784] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 200.
    2015-07-24T18:57:48.546Z [ 5784] INFO  CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 200.
    2015-07-24T18:57:48.546Z [ 4008] INFO  CommandHandler::AcknowledgeCommands The command handler is about to acknowledge commands.
    2015-07-24T18:57:48.546Z [ 4008] INFO  CommandHandler::AcknowledgeCommands There are no commands to acknowledge.


    This is the MCSClient.log when not skipping the proxy:
    2015-07-24T18:50:26.812Z [ 5376] INFO  CommandHandler::GetCommands The command handler is about to get commands from the server.
    2015-07-24T18:50:26.812Z [ 5376] INFO  PersistentList::Load About to load items from persistent storage in C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos\Management Communications System\Endpoint\Persist\Adapters.
    2015-07-24T18:50:29.078Z [ 5376] WARN  HttpServerImpl::GetAutomaticProxies Failed to get the automatic proxy configuration. The error code was 12180.
    2015-07-24T18:50:29.078Z [ 5376] INFO  ServerManager::EvaluateServers About to send request to server mcs1-4b68.broker.sophos.com/.../ep, using no proxy.
    2015-07-24T18:50:29.078Z [ 5376] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:50:30.750Z [ 5024] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 0.
    2015-07-24T18:50:30.750Z [ 5024] INFO  ServerManager::HttpCallback The server mcs1-4b68.broker.sophos.com/.../ep, using no proxy, responded with the HTTP result code 0.
    2015-07-24T18:50:30.750Z [ 5376] INFO  CommandHandler::GetCommands About to send the request to the server.
    2015-07-24T18:50:30.750Z [ 5376] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:50:32.140Z [ 5068] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 0.
    2015-07-24T18:50:32.140Z [ 5068] INFO  CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 0.
    2015-07-24T18:50:32.140Z [ 5068] WARN  CommandHandler::HttpCallback 3000: An HTTP transaction was not completed.
    2015-07-24T18:50:35.140Z [ 5464] INFO  CommandHandler::GetCommands The command handler is about to get commands from the server.
    2015-07-24T18:50:35.140Z [ 5464] INFO  PersistentList::Load About to load items from persistent storage in C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos\Management Communications System\Endpoint\Persist\Adapters.
    2015-07-24T18:50:37.390Z [ 5464] WARN  HttpServerImpl::GetAutomaticProxies Failed to get the automatic proxy configuration. The error code was 12180.
    2015-07-24T18:50:37.390Z [ 5464] INFO  CommandHandler::GetCommands About to send the request to the server.
    2015-07-24T18:50:37.390Z [ 5464] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:50:38.687Z [ 5068] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 0.
    2015-07-24T18:50:38.687Z [ 5068] INFO  CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 0.
    2015-07-24T18:50:38.687Z [ 5068] WARN  CommandHandler::HttpCallback 3000: An HTTP transaction was not completed.
    2015-07-24T18:50:39.687Z [ 5536] INFO  CommandHandler::GetCommands The command handler is about to get commands from the server.
    2015-07-24T18:50:39.687Z [ 5536] INFO  PersistentList::Load About to load items from persistent storage in C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos\Management Communications System\Endpoint\Persist\Adapters.
    2015-07-24T18:50:41.953Z [ 5536] WARN  HttpServerImpl::GetAutomaticProxies Failed to get the automatic proxy configuration. The error code was 12180.
    2015-07-24T18:50:41.953Z [ 5536] INFO  CommandHandler::GetCommands About to send the request to the server.
    2015-07-24T18:50:41.953Z [ 5536] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:50:43.312Z [ 5068] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 0.
    2015-07-24T18:50:43.312Z [ 5068] INFO  CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 0.
    2015-07-24T18:50:43.312Z [ 5068] WARN  CommandHandler::HttpCallback 3000: An HTTP transaction was not completed.
    2015-07-24T18:50:52.312Z [ 5556] INFO  CommandHandler::GetCommands The command handler is about to get commands from the server.
    2015-07-24T18:50:52.312Z [ 5556] INFO  PersistentList::Load About to load items from persistent storage in C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Sophos\Management Communications System\Endpoint\Persist\Adapters.
    2015-07-24T18:50:54.562Z [ 5556] WARN  HttpServerImpl::GetAutomaticProxies Failed to get the automatic proxy configuration. The error code was 12180.
    2015-07-24T18:50:54.562Z [ 5556] INFO  CommandHandler::GetCommands About to send the request to the server.
    2015-07-24T18:50:54.562Z [ 5556] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:50:55.921Z [ 5068] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 0.
    2015-07-24T18:50:55.921Z [ 5068] INFO  CommandHandler::HttpCallback The HTTP callback was called with the HTTP result code 0.
    2015-07-24T18:50:55.921Z [ 5068] WARN  CommandHandler::HttpCallback 3000: An HTTP transaction was not completed.
    2015-07-24T18:50:55.921Z [ 5068] INFO  ServerManager::EvaluateServers About to send request to server mcs1-4b68.broker.sophos.com/.../ep, using no proxy.
    2015-07-24T18:50:55.921Z [ 5068] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
    2015-07-24T18:50:57.281Z [ 5024] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 0.
    2015-07-24T18:50:57.281Z [ 5024] INFO  ServerManager::HttpCallback The server mcs1-4b68.broker.sophos.com/.../ep, using no proxy, responded with the HTTP result code 0.


    The UTM sends its logs to Splunk:
    Jul 24 20:50:57 192.168.X.X 2015:07:24-20:50:57 *** httpproxy[5808]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="172.16.X.X" dstip="54.251.33.56" user="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3877" request="0xc90e000" url="54.251.33.56/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="1" cattime="0" avscantime="0" fullreqtime="1356136" device="0" auth="0" ua="" exceptions=""

    host = 192.168.X.X 
     source = udp:514 
     sourcetype = syslog 

    Jul 24 20:50:55 192.168.X.X 2015:07:24-20:50:55 *** httpproxy[5808]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="172.16.X.X" dstip="54.251.33.56" user="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3877" request="0xe15d2800" url="54.251.33.56/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="1" cattime="0" avscantime="0" fullreqtime="1331889" device="0" auth="0" ua="" exceptions=""

    host = 192.168.X.X 
     source = udp:514 
     sourcetype = syslog 

    Jul 24 20:50:43 192.168.X.X 2015:07:24-20:50:43 *** httpproxy[5808]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="172.16.X.X" dstip="54.251.33.56" user="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3877" request="0xe3986000" url="54.251.33.56/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="1" cattime="0" avscantime="0" fullreqtime="1336316" device="0" auth="0" ua="" exceptions=""

    host = 192.168.X.X 
     source = udp:514 
     sourcetype = syslog 
     
    Jul 24 20:50:38 192.168.X.X 2015:07:24-20:50:38 *** httpproxy[5808]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="172.16.X.X" dstip="54.251.33.56" user="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3877" request="0xe2bfa800" url="54.251.33.56/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="1" cattime="0" avscantime="0" fullreqtime="1285011" device="0" auth="0" ua="" exceptions=""

    host = 192.168.X.X 
     source = udp:514 
     sourcetype = syslog 

    Jul 24 20:50:31 192.168.X.X 2015:07:24-20:50:31 *** httpproxy[5808]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="172.16.X.X" dstip="54.251.33.56" user="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3877" request="0xe399f000" url="54.251.33.56/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="1" cattime="0" avscantime="0" fullreqtime="1339272" device="0" auth="0" ua="" exceptions=""

    host = 192.168.X.X 
     source = udp:514 
     sourcetype = syslog 
     
    Jul 24 20:50:30 192.168.X.X 2015:07:24-20:50:30 *** httpproxy[5808]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="" srcip="172.16.X.X" dstip="54.251.33.56" user="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3877" request="0x95ae000" url="54.251.33.56/" referer="" error="Failed to verify server certificate" authtime="0" dnstime="1" cattime="0" avscantime="0" fullreqtime="1371261" device="0" auth="0" ua="" exceptions=""

    host = 192.168.X.X 
     source = udp:514 
     sourcetype = syslog


    So there is a certificate error for an IP address of Amazon:
    C:\Users\***>nslookup 54.251.33.56
    Server:  UnKnown
    Address:  192.168.X.X

    Name:    ec2-54-251-33-56.ap-southeast-1.compute.amazonaws.com
    Address:  54.251.33.56


    Is this IP address used by Sophos? I never changed the exceptions for Sophos LiveConnect etc. Installing the software on systems in the LAN never had such problems.

    Kind Regards

    TheExpert
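
The correlation the post above does by eye, as an added example that is not part of the original thread: it pairs the endpoint's failed MCS requests (status 0) with the UTM's "Failed to verify server certificate" blocks. The sample lines are constructed or shortened from the log formats shown in the post, and the two-hour offset between the UTM's local timestamps and the client's UTC timestamps is an assumption read from those logs.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

CERT_ERROR = "Failed to verify server certificate"

# Constructed sample, shortened from the UTM web-filter lines in the post.
# The host name "utm" and the final "pass" line (192.0.2.10) are made up for contrast.
UTM_LOG = '''\
2015:07:24-20:50:30 utm httpproxy[5808]: id="0002" name="web request blocked" action="block" srcip="172.16.X.X" dstip="54.251.33.56" statuscode="502" url="54.251.33.56/" error="Failed to verify server certificate"
2015:07:24-20:50:38 utm httpproxy[5808]: id="0002" name="web request blocked" action="block" srcip="172.16.X.X" dstip="54.251.33.56" statuscode="502" url="54.251.33.56/" error="Failed to verify server certificate"
2015:07:24-20:50:43 utm httpproxy[5808]: id="0002" name="web request blocked" action="block" srcip="172.16.X.X" dstip="54.251.33.56" statuscode="502" url="54.251.33.56/" error="Failed to verify server certificate"
2015:07:24-20:53:40 utm httpproxy[5808]: id="0001" name="http access" action="pass" srcip="172.16.X.X" dstip="192.0.2.10" statuscode="200" url="http://example.com/" error=""
'''

# A few MCSClient.log lines in the format shown in the post (timestamps in UTC).
MCS_LOG = '''\
2015-07-24T18:50:29.078Z [ 5376] INFO  HttpServerImpl::SendRequest The HTTP request was initiated successfully.
2015-07-24T18:50:30.750Z [ 5024] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 0.
2015-07-24T18:50:38.687Z [ 5068] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 0.
2015-07-24T18:50:43.312Z [ 5068] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 0.
2015-07-24T18:53:40.437Z [ 5740] INFO  HttpServerImpl::HttpEventInstanceCallback The HTTP request completed with status 200.
'''

UTM_TS = re.compile(r"\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}")
KV = re.compile(r'(\w+)="([^"]*)"')
MCS_DONE = re.compile(
    r"^(\S+Z) \[\s*\d+\] \w+\s+\S+ The HTTP request completed with status (\d+)\."
)


def parse_utm(text):
    """Turn httpproxy lines into dicts of their key="value" fields plus a 'time'."""
    events = []
    for line in text.splitlines():
        ts = UTM_TS.search(line)
        if not ts or "httpproxy[" not in line:
            continue  # not a web-filter line
        event = dict(KV.findall(line))
        event["time"] = datetime.strptime(ts.group(), "%Y:%m:%d-%H:%M:%S")
        events.append(event)
    return events


def cert_blocks(events):
    """Requests the proxy blocked because it could not verify the server certificate."""
    return [e for e in events
            if e.get("action") == "block" and e.get("error") == CERT_ERROR]


def mcs_failures(text):
    """UTC times at which the MCS client saw a request complete with status 0."""
    times = []
    for line in text.splitlines():
        m = MCS_DONE.match(line.strip())
        if m and m.group(2) == "0":
            times.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ"))
    return times


def correlate(failures, blocks, utm_utc_offset_hours=2, window_seconds=2.0):
    """Pair each client failure with the nearest proxy block inside the window.

    utm_utc_offset_hours is how far the UTM's local clock is ahead of UTC
    (assumed to be 2 here, matching the timestamps in the post).
    """
    offset = timedelta(hours=utm_utc_offset_hours)
    pairs = []
    for failed_at in failures:
        best = None
        for block in blocks:
            gap = abs((block["time"] - offset - failed_at).total_seconds())
            if gap <= window_seconds and (best is None or gap < best[0]):
                best = (gap, block)
        if best:
            pairs.append((failed_at, best[1]))
    return pairs


def blocked_destinations(pairs):
    """Count correlated failures per (source, destination) address pair."""
    return Counter((b["srcip"], b["dstip"]) for _, b in pairs)


if __name__ == "__main__":
    pairs = correlate(mcs_failures(MCS_LOG), cert_blocks(parse_utm(UTM_LOG)))
    for failed_at, block in pairs:
        print(failed_at.isoformat(), "->", block["dstip"], block["error"])
    print(dict(blocked_destinations(pairs)))
```

A failure that finds no matching block within the window points at a cause other than the proxy's certificate check, which is worth separating out before adding any web-filter exception.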
