Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 4 subscribers
  • Views 5596 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web proxy SSO issue. 407 and 403 errors without username, group and ad_domain in log

Wouter Goossens

Hi all,

I hope someone can shine a light on this.

Yesterday, we suddenly got complaints that some users weren't able to access youtube anymore. It was blocked by category Streaming Media.

Indeed, in the Base policy this category is blocked. But a lot of users are member of an AD group that is attached to a different policy with a filtering action that allows streaming media.

in the logging we see 2 different things;

A lot of correct entries where a username, group and ad_domain is listed correctly. Depending on the membership that user is granted or denied access to e.g. youtube. In this example the user is denied access because he is not member of that particular AD group. So SSO works fine here.

2021:06:22-11:41:30 dtc-utm1 httpproxy[9960]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.x.xxx" dstip="" user="[username]" group="Active Directory Users" ad_domain="[our-domain]" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffUsersConteFilte (Users content filter action)" size="3543" request="0xc9ef1800" url="">fcmatch.youtube.com/pixel referer="">https://acdn.adnxs.com/" error="" authtime="109" dnstime="0" aptptime="58" cattime="77" avscantime="0" fullreqtime="966" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36" exceptions="" reason="category" category="147" reputation="unverified" categoryname="Streaming Media" 

But also a lot of incorrect entries that have statuscode of 407 or 403 and no username, group and ad_domain listed. example:

2021:06:21-13:52:56 dtc-utm1 httpproxy[6027]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.xxx.xxx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterLan (Transparant Proxy voor clients lokaal)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3171" request="0x10b7c700" url="">https://youtube.com/" referer="" error="" authtime="1" dnstime="0" aptptime="62" cattime="24341" avscantime="0" fullreqtime="328158" device="1" auth="2" ua="" exceptions="" reason="category" category="147" reputation="trusted" categoryname="Streaming Media"

Btw, I see also a lot of entries where users access youtube and it is tagged as an application (So Application Control is handling those requests)

This issue is happening on both our Default webfilter profile (used with our Citrix environment) and our transparent mode proxy (used to get internet access outside our citrix environment in the office). As the username etc. isn't found, I assume this is a SSO issue right? I tested SSO in the UTM and used the policy helpdesk, these were all fine, no problems overthere.

We had this issue some time ago and it was also solved by itself. I don't know what happened, but it looks like some kind of bug?!

Or has this something to do with conflicting policies / application control / misconfiguration?

Our version is Sophos UTM 9.705-7.  

Thanks in advance!

regards,

Wouter



This thread was automatically locked due to age.
  • 0

    Hoi Wouter,

    This all looks normal to me, so my guess is a network or windows/AD issue.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi Bob,

    Sorry, I don't understand why this is normal.

    It's not that it doesn't work at all. a lot of requests are handled correctly with AD SSO. So I don't understand why there are also a lot requests are failing with these errors.

    What do you mean that all looks normal to you? 

    thanks again!

  • 0 in reply to Wouter Goossens

    The first line shows that the user was identified, Wouter, and that that user is not allowed to access streaming media.  Hence, the 403 block message which is normal.

    The UTM's log indicates that AD isn't identifying the user in the second line.  If the second line were within a minute or two of the first, we might suspect a problem with the caching on the UTM.  As the second line above is much later, we have to suspect the AD server.  The 407 block is normal for the 'Default content filter block action'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0

    The normal flow is:

    Web request

    Utm responds with 407 code ( who are you? )

    Browser responds with NTLM credentials.

    • UTM allows the connection and logs the event with the credentials.

    The 407 erors only indicate failure if there is no subsequent entry for the intended destination

  • 0 in reply to Wouter Goossens

    Just posted about a possibly-related issue in another thread where the user had recently replaced their AD server.  When using Standard mode, the browser's Proxy setting should use an FQDN for the Address, not the numeric IP to which the FQDN resolves.  This causes authentication to be attempted with Kerberos instead of NTLM.  Does making that change fix your issue?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to DouglasFoster

    hi Douglas,

    Thanks for your clarification, that part wasn't clear for me.

    Didn't had time yet to investigate the logs again to find subsequent entries after a 407 error. 

    But is this the same for the 403 errors? because 403 is 'forbidden' and that seems not right when there is even no username / domain in the request.

  • 0 in reply to BAlfson

    I'm sorry, it wasn't clear for me how the web proxy exactly works. explained this clearly now.

    But still, there must be something wrong somewhere. I will investigate the logs again thoroughly to find out if there are subsequent entries after a 407 error.

  • 0 in reply to BAlfson

    The issues are also in the transparent mode proxy, so above scenario wouldn't be the case in our environment. Besides that, I also configured a GPO a while ago, to put our sophos fqdn in the internet explorer intranet zone (best practise from Sophos). But that didn't help.

  • 0 in reply to Wouter Goossens

    403 means that the authentication never happened or another problem occurred,so the connection did fail.

      Check the error="text"element for more detail about 403 errors.  Also check the id="code" and name="description" elements for clues about the failure reason.

    Finally, check ua="text" to see if it was a browser or non-browser client.   Only browsers can do AD SSO authentication.

    My experience with AD SSO has been that it works very well, so a UTM bug is possible but not likely.

Unfiltered HTML