
Changing from Transparent Proxy to Standard Proxy Breaks Outlook and Website Images When SSL Decrypt and Scan is Enabled

I'm wanting to change our setup from a transparent proxy with AD SSO to standard proxy with AD SSO authentication.  With transparent proxy, SSL decrypt and scan is set and the cert distributed to all clients, which works fine.  When I switch to standard proxy, some web page images no longer load and also Outlook 2016 gets disconnected from our Exchange server.  As soon as I disable the SSL decrypt and scan, it all starts working again.

Is there something else I should be changing to fix this?  I can't work out where the issue is.



This thread was automatically locked due to age.
  • Is this a question about Web Filtering or about Webserver Protection (WAF)?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It’s a web filtering question. Https decryption just seems to break most sites on standard proxy.  Transparent is fine.

  • OK, I have moved this thread from General Discussion to the Web Protection forum.

    What relevant line(s) do you see in the Web Filtering log when your browser is configured to use the Standard Proxy and website images are broken?  Are the web servers with broken images internal or out on the Internet?  What browser?  Is this the Outlook app that breaks or Outlook Web Access?

    Cheers - Bob
  • Yes, there is no free lunch.

    You have merged two issues:

    • Standard vs. Transparent Mode Proxy
    • HTTPS inspection enabled or disabled

    These are actually independent decisions, so there are four possible combinations.

    I recommend running both proxy modes.  I use Standard mode with AD SSO authentication for browser traffic, and Transparent mode with no authentication for non-browser traffic  (of which there is much more than I expected.)

    HTTPS inspection is a tougher call.  UTM becomes the client to the remote website, not your PC.   This creates a number of issues:

    • UTM does not support the ciphersuites of some websites.
    • UTM does not support AIA fetching for sites that do not provide their intermediate certificates.
    • Some browser plugins will not work correctly.
    • Most dual-session products will not work correctly (gotomypc and equivalents, Citrix sessions, etc.)

    The first two are theoretically correctable, but the browser companies have more money so they can adapt much more quickly than Sophos.   The latter two issues are inherent to the technology.

    You should have a monitoring and tuning process for any webfiltering endeavor.   Your tuning effort is greater with HTTPS inspection enabled.  The logs have the data that you need.

    To work around specific problems like the ones in your headline:

    • Assign websites to Tags, and assign Tags to Exception objects.   
    • Use an Exception object that bypasses everything rather than using skiplists.

    For more pontificating, see my posts "Web Filtering Lessons Learned" and "Troubleshooting Web Filtering".  Both are pinned to the top of the Web Filtering forum.

  • Hi Bob,

    The websites that break are out on the internet.  It seems to affect CSS and images.  In the logs, I can see the entry that refers to an image that won't display - this is just one example:

    2019:04:01-12:25:01 utm httpproxy[5915]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.60.3" dstip="104.72.152.201" user="xxxx" group="" ad_domain="SIMS" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo6 (containing IT Tech VLAN)" filteraction="REF_HttCffStaff (Staff)" size="0" request="0xc8cda700" url="ichef.bbci.co.uk/.../_106249572_upset-internet-user.jpg" referer="www.bbc.co.uk/.../business-47768666" error="" authtime="75" dnstime="6" aptptime="94" cattime="100" avscantime="0" fullreqtime="1159" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36" exceptions="ssl,application" category="134" reputation="neutral" categoryname="General News" country="Netherlands"

    Sometimes the web page just appears blank, sometimes it shows but without the image, and sometimes it seems to work perfectly.  When I turn off SSL Decrypt & Scan, it always works as intended.

    With regards to Outlook, it's the app that disconnects.  Again, as soon as I turn off SSL decryption, it connects again.


    Thanks in advance for any advice/help.

  • That is not the problem entry, as evidenced by these clauses:

    id="0001"
    action="pass"
    statuscode="200"
    error=""

    Capture all activity from the source IP during the test.   Many websites reference data from other servers.    

  • IPv6 is not active on my lab device.  decrypt and scan are selected in the Office Profile and there is no antivirus Exception.

    When I go directly to the image link, I receive the image about a minute later and the following immediately appears in the logs:

    2019:04:01-14:50:27 secure httpproxy[7765]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd8e5ca00" function="connect_server_timeout" file="dns.c" line="884" message="Connection to ichef.bbci.co.uk using IPv6 timed out [60s], re-trying to connect using IPv4"
    2019:04:01-14:50:27 secure httpproxy[7765]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.x.y.65" dstip="23.54.160.213" user="username" group="Open Web Access" ad_domain="labdomain" statuscode="304" cached="0" profile="REF_RMxbSZXQTi (Office)" filteraction="REF_IiqUeSGrWr (Open Web Access)" size="0" request="0xd8e5ca00" url="ichef.bbci.co.uk/.../_106249572_upset-internet-user.jpg" referer="community.sophos.com/.../400661" error="" authtime="93" dnstime="26657" aptptime="136" cattime="87056" avscantime="0" fullreqtime="60333146" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="134" reputation="neutral" categoryname="General News" country="United States" country="United States"

    If I go to the other link, the same timeout occurs and I see the image in context of the page.  My conclusion is that something is amiss with the BBC site.

    Cheers - Bob
  • Hi Bob,

    Thanks for your reply.  What doesn't make sense to me is that the same links work perfectly when using transparent proxy with SSL Decrypt and Scan turned on.  That would seem to indicate that the BBC (and other sites) are all fine but something on the UTM is not working properly?

    Cheers,

    Michael


  • The error may be different.  Bob, you have the IPv6 error and a fullreqtime of 60s.  Colly has a fullreqtime quite small.  However, you can also see he has size=0, which does indicate that even though the action is pass, he is not getting anything.

    There are differences inherent in standard versus transparent mode.  For example, in transparent mode (with pharming protection off) the IP address gets resolved by the client and the UTM just connects to that IP.  In standard mode, the client does not resolve it at all; it is the UTM that resolves it.  This moves resolution errors, which can affect some apps like Outlook.

    However, I cannot see anything obvious that would randomly cause some requests to not load.  Is it repeatable?  For example, Colly, if you load that image 10 times, does it work some of the time and fail some of the time?

    If so, that proves it is not some part of policy.  Load balancing?  Different destination IPs?
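As an added example, not code from this thread or from Sophos, here is a small Python triage script that runs the checks the replies above describe over the three httpproxy lines quoted in the thread: Bob's four clauses (id, action, statuscode, error), the later observation that a pass with size=0 still delivers nothing, and the request="0x..." handle that ties an id="0003" connect_server_timeout line to the access line it belongs to. Assumptions that are mine, not the page's: the *time fields are microseconds (the page's fullreqtime="60333146" lines up with the "[60s]" timeout in the same request), a 10 s "slow" threshold, and reading exceptions= as the inspection steps an Exception object skipped for that request (so "ssl" there means the request was not decrypted).

```python
import re
from collections import defaultdict

# Constructed sample input: the three httpproxy lines quoted earlier in this
# thread, copied as they appear on the page (paths it elides stay as "...").
SAMPLE_LOG = '''\
2019:04:01-12:25:01 utm httpproxy[5915]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.60.3" dstip="104.72.152.201" user="xxxx" group="" ad_domain="SIMS" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo6 (containing IT Tech VLAN)" filteraction="REF_HttCffStaff (Staff)" size="0" request="0xc8cda700" url="ichef.bbci.co.uk/.../_106249572_upset-internet-user.jpg" referer="www.bbc.co.uk/.../business-47768666" error="" authtime="75" dnstime="6" aptptime="94" cattime="100" avscantime="0" fullreqtime="1159" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36" exceptions="ssl,application" category="134" reputation="neutral" categoryname="General News" country="Netherlands"
2019:04:01-14:50:27 secure httpproxy[7765]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd8e5ca00" function="connect_server_timeout" file="dns.c" line="884" message="Connection to ichef.bbci.co.uk using IPv6 timed out [60s], re-trying to connect using IPv4"
2019:04:01-14:50:27 secure httpproxy[7765]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.x.y.65" dstip="23.54.160.213" user="username" group="Open Web Access" ad_domain="labdomain" statuscode="304" cached="0" profile="REF_RMxbSZXQTi (Office)" filteraction="REF_IiqUeSGrWr (Open Web Access)" size="0" request="0xd8e5ca00" url="ichef.bbci.co.uk/.../_106249572_upset-internet-user.jpg" referer="community.sophos.com/.../400661" error="" authtime="93" dnstime="26657" aptptime="136" cattime="87056" avscantime="0" fullreqtime="60333146" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="134" reputation="neutral" categoryname="General News" country="United States" country="United States"
'''

# One line is: <timestamp> <host> httpproxy[<pid>]: key="value" key="value" ...
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$')
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')

# Assumption: the *time fields are microseconds (60333146 on the page lines up
# with the 60 s timeout in the id="0003" message); 10 s is an assumed threshold.
SLOW_US = 10_000_000


def parse_line(line):
    """Split one httpproxy line into a dict of its key="value" fields.
    Duplicate keys (the page's line repeats country=) keep the last value."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = dict(FIELD_RE.findall(m.group('body')))
    entry['_ts'] = m.group('ts')
    entry['_pid'] = m.group('pid')
    return entry


def triage(entry):
    """Findings for one parsed entry, mirroring the checks used in the thread:
    is it really a clean pass, did any bytes reach the client, how long did the
    request take, and did the proxy log a connect problem for it."""
    findings = []
    rid = entry.get('id')
    if rid == '0003':  # proxy-internal event, e.g. connect_server_timeout
        findings.append(f"proxy event {entry.get('function')}: {entry.get('message')}")
        return findings
    if rid != '0001':  # only "http access" records are triaged below
        return findings
    if entry.get('action') != 'pass':
        findings.append(f"action={entry.get('action')}: policy did not pass this request")
    if entry.get('error'):
        findings.append(f"error={entry['error']}")
    code = entry.get('statuscode', '')
    if not code.startswith(('2', '3')):
        findings.append(f"statuscode={code}")
    if code == '200' and entry.get('size') == '0':
        findings.append('statuscode=200 but size=0: no body was delivered to the client')
    fullreq = int(entry.get('fullreqtime') or 0)
    if fullreq >= SLOW_US:
        findings.append(f'fullreqtime={fullreq} us (about {fullreq / 1e6:.0f} s)')
    # exceptions= lists the inspection steps an Exception object skipped for
    # this request (assumed reading); "ssl" there means it was not decrypted.
    if 'ssl' in entry.get('exceptions', '').split(','):
        findings.append('ssl exception applied: this request was not decrypted')
    return findings


def triage_log(text):
    """Group findings by the proxy's request handle (request="0x..."), so a
    connect_server_timeout line lands next to the access line it belongs to."""
    by_request = defaultdict(list)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for finding in triage(entry):
            by_request[entry.get('request', '?')].append(finding)
    return dict(by_request)


if __name__ == '__main__':
    for handle, findings in triage_log(SAMPLE_LOG).items():
        print(handle)
        for finding in findings:
            print('  -', finding)
```

Run against a capture of all lines from the client's source IP during a test (as Bob suggests), this groups each request handle with whatever went wrong for it: for the thread's lines it reports the 200-with-size=0 pass on the first request and, for the second, the IPv6 connect timeout alongside its 60 s fullreqtime.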
  • I tried to load the image - the first time it didn't work, then after that it worked all the time.  Another example: if I try and access our Sophos Central portal, which is https://central.sophos.com/manage/login, with transparent mode it works fine, but in standard mode with SSL decrypt turned on all I get is a blank page.  The moment I turn SSL Decrypt off, it works perfectly.  The only log entries I get in the web filter log are like this:

    2019:04:03-08:47:09 utm httpproxy[5915]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.60.3" dstip="52.31.224.234" user="xxxx" group="Domain Admins" ad_domain="SIMS" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo6 (containing IT Tech VLAN)" filteraction="REF_HttCffItAdmin (IT Admin)" size="26443" request="0xd0eb7c00" url="central.sophos.com/.../" referer="" error="" authtime="0" dnstime="0" aptptime="69" cattime="103" avscantime="12140" fullreqtime="41745" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36" exceptions="application" category="105" reputation="trusted" categoryname="Business" sandbox="-" content-type="text/html"