This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Web proxy SSO issue. 407 and 403 errors without username, group and ad_domain in log

Hi all,

I hope someone can shine a light on this.

Yesterday, we suddenly got complaints that some users weren't able to access youtube anymore. It was blocked by category Streaming Media.

Indeed, in the Base policy this category is blocked. But a lot of users are member of an AD group that is attached to a different policy with a filtering action that allows streaming media.

in the logging we see 2 different things;

A lot of correct entries where a username, group and ad_domain is listed correctly. Depending on the membership that user is granted or denied access to e.g. youtube. In this example the user is denied access because he is not member of that particular AD group. So SSO works fine here.

2021:06:22-11:41:30 dtc-utm1 httpproxy[9960]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.x.xxx" dstip="" user="[username]" group="Active Directory Users" ad_domain="[our-domain]" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffUsersConteFilte (Users content filter action)" size="3543" request="0xc9ef1800" url="">fcmatch.youtube.com/pixel referer="">https://acdn.adnxs.com/" error="" authtime="109" dnstime="0" aptptime="58" cattime="77" avscantime="0" fullreqtime="966" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36" exceptions="" reason="category" category="147" reputation="unverified" categoryname="Streaming Media" 

But also a lot of incorrect entries that have statuscode of 407 or 403 and no username, group and ad_domain listed. example:

2021:06:21-13:52:56 dtc-utm1 httpproxy[6027]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="CONNECT" srcip="192.168.xxx.xxx" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterLan (Transparant Proxy voor clients lokaal)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="3171" request="0x10b7c700" url="">https://youtube.com/" referer="" error="" authtime="1" dnstime="0" aptptime="62" cattime="24341" avscantime="0" fullreqtime="328158" device="1" auth="2" ua="" exceptions="" reason="category" category="147" reputation="trusted" categoryname="Streaming Media"

Btw, I see also a lot of entries where users access youtube and it is tagged as an application (So Application Control is handling those requests)

This issue is happening on both our Default webfilter profile (used with our Citrix environment) and our transparent mode proxy (used to get internet access outside our citrix environment in the office). As the username etc. isn't found, I assume this is a SSO issue right? I tested SSO in the UTM and used the policy helpdesk, these were all fine, no problems overthere.

We had this issue some time ago and it was also solved by itself. I don't know what happened, but it looks like some kind of bug?!

Or has this something to do with conflicting policies / application control / misconfiguration?

Our version is Sophos UTM 9.705-7.  

Thanks in advance!

regards,

Wouter



This thread was automatically locked due to age.
Parents
  • Hoi Wouter,

    This all looks normal to me, so my guess is a network or windows/AD issue.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • Hoi Wouter,

    This all looks normal to me, so my guess is a network or windows/AD issue.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Hi Bob,

    Sorry, I don't understand why this is normal.

    It's not that it doesn't work at all. a lot of requests are handled correctly with AD SSO. So I don't understand why there are also a lot requests are failing with these errors.

    What do you mean that all looks normal to you? 

    thanks again!

  • The first line shows that the user was identified, Wouter, and that that user is not allowed to access streaming media.  Hence, the 403 block message which is normal.

    The UTM's log indicates that AD isn't identifying the user in the second line.  If the second line were within a minute or two of the first, we might suspect a problem with the caching on the UTM.  As the second line above is much later, we have to suspect the AD server.  The 407 block is normal for the 'Default content filter block action'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Just posted about a possibly-related issue in another thread where the user had recently replaced their AD server.  When using Standard mode, the browser's Proxy setting should use an FQDN for the Address, not the numeric IP to which the FQDN resolves.  This causes authentication to be attempted with Kerberos instead of NTLM.  Does making that change fix your issue?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'm sorry, it wasn't clear for me how the web proxy exactly works. explained this clearly now.

    But still, there must be something wrong somewhere. I will investigate the logs again thoroughly to find out if there are subsequent entries after a 407 error.

  • The issues are also in the transparent mode proxy, so above scenario wouldn't be the case in our environment. Besides that, I also configured a GPO a while ago, to put our sophos fqdn in the internet explorer intranet zone (best practise from Sophos). But that didn't help.