
Changing from Transparent Proxy to Standard Proxy Breaks Outlook and Website Images When SSL Decrypt and Scan is Enabled

I'm wanting to change our setup from a transparent proxy with AD SSO to a standard proxy with AD SSO authentication.  With transparent proxy, SSL decrypt and scan is set and the cert distributed to all clients, which works fine.  When I switch to standard proxy, some web page images no longer load and also Outlook 2016 gets disconnected from our Exchange server.  As soon as I disable the SSL decrypt and scan, it all starts working again.

Is there something else I should be changing to fix this?  I can't work out where the issue is.



  • Is this a question about Web Filtering or about Webserver Protection (WAF)?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • It's a web filtering question. HTTPS decryption just seems to break most sites on standard proxy.  Transparent is fine.

  • OK, I have moved this thread from General Discussion to the Web Protection forum.

    What relevant line(s) do you see in the Web Filtering log when your browser is configured to use the Standard Proxy and website images are broken?  Are the web servers with broken images internal or out on the Internet?  What browser?  Is this the Outlook app that breaks or Outlook Web Access?

    Cheers - Bob

  • Hi Bob,

    The websites that break are out on the internet.  It seems to affect css and images.  In the logs, I can see the entry that refers to an image that won't display - this is just one example:

     

    2019:04:01-12:25:01 utm httpproxy[5915]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.60.3" dstip="104.72.152.201" user="xxxx" group="" ad_domain="SIMS" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo6 (containing IT Tech VLAN)" filteraction="REF_HttCffStaff (Staff)" size="0" request="0xc8cda700" url="ichef.bbci.co.uk/.../_106249572_upset-internet-user.jpg" referer="www.bbc.co.uk/.../business-47768666" error="" authtime="75" dnstime="6" aptptime="94" cattime="100" avscantime="0" fullreqtime="1159" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36" exceptions="ssl,application" category="134" reputation="neutral" categoryname="General News" country="Netherlands"

     

    Sometimes, the web page just appears blank, sometimes, it shows but without the image and sometimes, it seems to work perfectly.  When I turn off SSL Decrypt & Scan, it always works as intended.

     

    With regards to Outlook, it's the app that disconnects.  Again, as soon as I turn off SSL decryption, it connects again.


    Thanks in advance for any advice/help.

  • That is not the problem entry, as evidenced by these clauses:

    id="0001"
    action="pass"
    statuscode="200"
    error=""

    Capture all activity from the source IP during the test.  Many websites reference data from other servers.

  • IPv6 is not active on my lab device.  Decrypt and Scan is selected in the Office Profile and there is no antivirus Exception.

    When I go directly to the image link, I receive the image about a minute later and the following immediately appears in the logs:

    2019:04:01-14:50:27 secure httpproxy[7765]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd8e5ca00" function="connect_server_timeout" file="dns.c" line="884" message="Connection to ichef.bbci.co.uk using IPv6 timed out [60s], re-trying to connect using IPv4"
    2019:04:01-14:50:27 secure httpproxy[7765]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.x.y.65" dstip="23.54.160.213" user="username" group="Open Web Access" ad_domain="labdomain" statuscode="304" cached="0" profile="REF_RMxbSZXQTi (Office)" filteraction="REF_IiqUeSGrWr (Open Web Access)" size="0" request="0xd8e5ca00" url="ichef.bbci.co.uk/.../_106249572_upset-internet-user.jpg" referer="community.sophos.com/.../400661" error="" authtime="93" dnstime="26657" aptptime="136" cattime="87056" avscantime="0" fullreqtime="60333146" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" exceptions="" category="134" reputation="neutral" categoryname="General News" country="United States" country="United States"

    If I go to the other link, the same timeout occurs and I see the image in context of the page.  My conclusion is that something is amiss with the BBC site.

    Cheers - Bob

  • Hi Bob,

     

    Thanks for your reply.  What doesn't make sense to me, is that the same links work perfectly when using transparent proxy, with SSL Decrypt and scan turned on.  That would seem to indicate that the BBC (and other sites) are all fine but something on the UTM is not working properly?

    Cheers,

    Michael


  • The error may be different.  Bob, you have the IPv6 error and a fullreqtime of 60s.  Colly has a fullreqtime quite small.  However you can also see he has size=0 which does indicate that even though the action is pass, he is not getting anything.
     
    There are differences inherent in standard versus transparent mode.  For example in transparent mode (with pharming protection off) the IP address gets resolved by the client and the UTM just connects to that IP.  In standard mode, the client does not resolve it at all, it is the UTM that resolves it.  This moves resolution errors, which can affect some apps like Outlook.
     
    However, I cannot see anything obvious that would randomly cause some requests to not load.  Is it repeatable?  For example, Colly, if you load that image 10 times, does it work some of the time and fail some of the time?
     
    If so, that proves it is not some part of policy.  Load balancing?  Different destination IPs?
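An added triage helper (example code, not from this thread or from Sophos) that applies the checks Bob and the Sophos poster describe to constructed sample lines modelled on the httpproxy entries quoted above: the id="0003" connect_server_timeout message, an action="pass" entry that returned size="0" with HTTP 200, and requests whose fullreqtime is far too long, grouped by the proxy's request handle. It assumes fullreqtime is in microseconds, inferred from the 60 s timeout entry above showing fullreqtime="60333146".

```python
import re
from collections import defaultdict

# Constructed sample entries modelled on the httpproxy lines quoted in this thread (fields
# trimmed). Assumption: fullreqtime is in microseconds, inferred from the 60 s timeout above.
SAMPLE_LOG = """\
2019:04:01-14:50:27 secure httpproxy[7765]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xd8e5ca00" function="connect_server_timeout" file="dns.c" line="884" message="Connection to ichef.bbci.co.uk using IPv6 timed out [60s], re-trying to connect using IPv4"
2019:04:01-14:50:27 secure httpproxy[7765]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.x.y.65" dstip="23.54.160.213" statuscode="304" size="0" request="0xd8e5ca00" url="ichef.bbci.co.uk/.../_106249572_upset-internet-user.jpg" error="" fullreqtime="60333146" exceptions=""
2019:04:01-12:25:01 utm httpproxy[5915]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.60.3" dstip="104.72.152.201" statuscode="200" size="0" request="0xc8cda700" url="ichef.bbci.co.uk/.../_106249572_upset-internet-user.jpg" error="" fullreqtime="1159" exceptions="ssl,application"
2019:04:03-08:47:09 utm httpproxy[5915]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.60.3" dstip="52.31.224.234" statuscode="200" size="26443" request="0xd0eb7c00" url="central.sophos.com/.../" error="" fullreqtime="41745" exceptions="application"
"""

KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
SLOW_US = 10_000_000  # 10 s: anything approaching the 60 s connect timeout is stuck, not slow

def parse_line(line: str) -> dict:
    """Split one httpproxy line into its key="value" fields (the timestamp prefix has none)."""
    return dict(KV_RE.findall(line))  # a repeated key (e.g. country) keeps its last value

def triage(fields: dict) -> list:
    """Reasons an entry deserves a second look; an empty list is the normal case."""
    reasons = []
    if fields.get("id") == "0003" and fields.get("function") == "connect_server_timeout":
        reasons.append("upstream connect timeout: " + fields.get("message", ""))
    if fields.get("id") == "0001":
        if fields.get("error"):
            reasons.append("error=" + fields["error"])
        # pass + 200 + size 0 means the client got nothing; a 304 legitimately has no body
        if (fields.get("action"), fields.get("statuscode"), fields.get("size")) == ("pass", "200", "0"):
            reasons.append("passed with HTTP 200 but size=0 (no body reached the client)")
        if int(fields.get("fullreqtime", "0")) >= SLOW_US:
            reasons.append("fullreqtime %.1f s" % (int(fields["fullreqtime"]) / 1e6))
    return reasons

def triage_log(text: str) -> dict:
    """Group findings by the proxy's request handle so a timeout pairs with its access line."""
    findings = defaultdict(list)
    for line in filter(str.strip, text.splitlines()):
        fields = parse_line(line)
        for reason in triage(fields):
            findings[fields.get("request", "?")].append(reason)
    return dict(findings)

if __name__ == "__main__":
    for req, reasons in triage_log(SAMPLE_LOG).items():
        print(req, "->", "; ".join(reasons))
```

Feed it the full capture of one client's activity during a test, as Bob suggests, and the request handles that come back are the entries worth comparing between transparent and standard mode.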

  • I tried to load the image - the first time it didn't work, then after that it worked all the time.  Another example: if I try and access our Sophos Central portal, which is https://central.sophos.com/manage/login, with transparent mode it works fine but in standard mode with SSL decrypt turned on, all I get is a blank page.  The moment I turn SSL Decrypt off, it works perfectly.  The only log entries I get in the web filter log are like this:

     

    2019:04:03-08:47:09 utm httpproxy[5915]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.60.3" dstip="52.31.224.234" user="xxxx" group="Domain Admins" ad_domain="SIMS" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo6 (containing IT Tech VLAN)" filteraction="REF_HttCffItAdmin (IT Admin)" size="26443" request="0xd0eb7c00" url="central.sophos.com/.../" referer="" error="" authtime="0" dnstime="0" aptptime="69" cattime="103" avscantime="12140" fullreqtime="41745" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36" exceptions="application" category="105" reputation="trusted" categoryname="Business" sandbox="-" content-type="text/html"

     

  • Does RPR84's Outlook Exception work for you?

    Cheers - Bob

  • Hi Bob,

     

    The Outlook problem is on our domain Windows 10 desktops, not an app.

     

    I don't know if it's related, but I've noticed that Kerberos authentication doesn't seem to be working.  I have the UTM as our gateway (IP address) and I can access the web with SSL turned off, but when I use the UTM FQDN, I get an authentication failed message.  I've tried removing the UTM from the domain, deleting it in AD, then rejoining, but that doesn't seem to help.  Might be a completely unrelated issue!


    Thanks,

     

    Michael