Office365 failing with Application Control set to allow

I have a rule in Web Protection \ Application Control to allow Office 365.

When I attempt to open an Excel document in the cloud, I get a long delay and generally a failure to open anything. Occasionally I get an error: "Sorry, we couldn't open 'https://[mydomain].sharepoint.com/Shared Documents/myfile.xlsx'"

Here are the App Control logs showing the allow
14:28:21 Application control rule #2 Microsoft 10.1.2.3:61168 → 64.4.54.254:443 [ACK PSH] len=175 ttl=127 tos=0x00 srcmac=7a:db:b9:f6:8c:03
14:28:51 Application control rule #2 Microsoft 10.1.2.3:61178 → 165.254.42.83:80 [ACK PSH] len=318 ttl=127 tos=0x00 srcmac=7a:db:b9:f6:8c:03
14:28:51 Application control rule #2 Microsoft 10.1.2.3:61179 → 23.55.170.235:80 [ACK PSH] len=314 ttl=127 tos=0x00 srcmac=7a:db:b9:f6:8c:03

This appears to be a bug in the rules.

Any thoughts?

Thanks,
Doug


  • Are the only packets ACK PSH, Doug?  Does #1 in Rulz give you any clues?  What about the Web Filtering log?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Are the only packets ACK PSH, Doug?  Does #1 in Rulz give you any clues?  What about the Web Filtering log?

    Cheers - Bob


    Yes, I always look at those logs and I've never gotten a hit on the Advanced Threat Protection.

    When attempting to open the file that's out on the Microsoft Cloud (SharePoint.com) I get a proxy authentication request, then a long wait.


    This is a lot of logs (Web Filtering) that seem to simply say the connection was reset by Microsoft.

    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x32036000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0"  fullreqtime="191" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x2e865000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0"  fullreqtime="344" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="GET"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x2e865000"  url="http://support.content.office.microsoft.com/en-us/static/AF102819338.xml?lcid=1033&syslcid=1033&uilcid=1033&ver=15"  referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0"  fullreqtime="229" device="0" auth="1" ua="Microsoft Office/15.0  (Windows NT 6.1; Microsoft Excel 15.0.4737; Pro)" exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x28885000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0"  fullreqtime="286" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x28885000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0"  fullreqtime="212" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x9c98000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0"  fullreqtime="283" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x9c98000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0"  fullreqtime="205" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0xa68e000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0"  fullreqtime="259" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0xa68e000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0"  fullreqtime="193" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="GET"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x28653800"  url="http://support.content.office.microsoft.com/en-us/static/AF102819338.xml?lcid=1033&syslcid=1033&uilcid=1033&ver=15"  referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0"  fullreqtime="276" device="0" auth="1" ua="Microsoft Office/15.0  (Windows NT 6.1; Microsoft Excel 15.0.4737; Pro)" exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x28653800"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0"  fullreqtime="193" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x2df86800"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0"  fullreqtime="288" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x2df86800"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0"  fullreqtime="191" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x28453000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0"  fullreqtime="233" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x28453000"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="2" dnstime="0" cattime="0" avscantime="0"  fullreqtime="223" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="OPTIONS"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2621" request="0x29a2c800"  url="http://support.content.office.microsoft.com/en-us/static/"  referer="" error="" authtime="7" dnstime="0" cattime="0" avscantime="0"  fullreqtime="236" device="0" auth="1" ua="Microsoft Office Excel 2013"  exceptions=""
    2015:08:12-00:45:48  ravenna httpproxy[5997]: id="0001" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="GET"  srcip="10.1.2.3" dstip="70.37.81.47" user="doug" ad_domain=""  statuscode="200" cached="0" profile="REF_HttProSecurDeskt (Laptops  & PC's)" filteraction="REF_xtQVuVVAPc (Doug)" size="3058"  request="0x295ab000"  url="https://odc.officeapps.live.com/odc/servicemanager/userconnected?lcid=1033&syslcid=1033&uilcid=1033&app=1&ver=15"  referer="" error="" authtime="5" dnstime="147146" cattime="69"  avscantime="2626" fullreqtime="538979" device="0" auth="1" ua="Microsoft  Office/15.0 (Windows NT 6.1; Microsoft Excel 15.0.4737; Pro)"  exceptions="" category="172" reputation="neutral"  categoryname="Interactive Web Applications" country="United States"  content-type="text/xml" application="office" app-id="1156"
    2015:08:12-00:46:04  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" name="http access" action="pass" method="CONNECT"  srcip="10.1.2.3" dstip="" user="" ad_domain="" statuscode="407"  cached="0" profile="REF_HttProSecurDeskt (Laptops & PC's)"  filteraction=" ()" size="2629" request="0x29f2b000"  url="https://roaming.officeapps.live.com/" referer="" error=""  authtime="3" dnstime="0" cattime="0" avscantime="0" fullreqtime="446"  device="0" auth="1" ua="" exceptions=""
    2015:08:12-00:46:19  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" request="0x2e268000" function="ssl_connect" file="ssl.c"  line="1444" message="ssl_handshake: Connection reset by peer"
    2015:08:12-00:46:19  ravenna httpproxy[5997]: id="0002" severity="info" sys="SecureWeb"  sub="http" name="web request blocked" action="block" method="OPTIONS"  srcip="10.1.2.3" dstip="104.146.156.25" user="doug" ad_domain=""  statuscode="502" cached="0" profile="REF_HttProSecurDeskt (Laptops  & PC's)" filteraction="REF_xtQVuVVAPc (Doug)" size="2640"  request="0x2e268000" url="https://techtutor-my.sharepoint.com/"  referer="" error="Connection reset by peer" authtime="11"  dnstime="921297" cattime="23" avscantime="0" fullreqtime="31113155"  device="0" auth="1" ua="Microsoft Office Excel 2013 (15.0.4737) Windows  NT 6.1" exceptions="" category="172" reputation="trusted"  categoryname="Interactive Web Applications" country="United States"  application="shrpntol" app-id="1164"
    2015:08:12-00:46:19  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" request="0x295ab000" function="ssl_raw_read" file="ssl.c"  line="655" message="SSL_ERROR_SYSCALL: ret=-1 error=Connection reset by  peer"
    2015:08:12-00:46:20  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" request="0x298a2000" function="ssl_connect" file="ssl.c"  line="1444" message="ssl_handshake: Connection reset by peer"
    2015:08:12-00:46:20  ravenna httpproxy[5997]: id="0002" severity="info" sys="SecureWeb"  sub="http" name="web request blocked" action="block" method="OPTIONS"  srcip="10.1.2.3" dstip="104.146.156.25" user="doug" ad_domain=""  statuscode="502" cached="0" profile="REF_HttProSecurDeskt (Laptops  & PC's)" filteraction="REF_xtQVuVVAPc (Doug)" size="2656"  request="0x298a2000"  url="https://techtutor.sharepoint.com/Shared%20Documents/" referer=""  error="Connection reset by peer" authtime="15" dnstime="347"  cattime="40" avscantime="0" fullreqtime="30209562" device="0" auth="1"  ua="Microsoft Office Excel 2013 (15.0.4737) Windows NT 6.1"  exceptions="" category="172" reputation="trusted"  categoryname="Interactive Web Applications" country="United States"  application="shrpntol" app-id="1164"
    2015:08:12-00:46:49  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" request="0x24047000" function="ssl_connect" file="ssl.c"  line="1444" message="ssl_handshake: Connection reset by peer"
    2015:08:12-00:46:49  ravenna httpproxy[5997]: id="0002" severity="info" sys="SecureWeb"  sub="http" name="web request blocked" action="block" method="POST"  srcip="10.1.2.3" dstip="104.146.156.25" user="doug" ad_domain=""  statuscode="502" cached="0" profile="REF_HttProSecurDeskt (Laptops  & PC's)" filteraction="REF_xtQVuVVAPc (Doug)" size="0"  request="0x24047000"  url="https://techtutor-my.sharepoint.com/_api/contextinfo" referer=""  error="Connection reset by peer" authtime="5" dnstime="355" cattime="26"  avscantime="0" fullreqtime="30209332" device="0" auth="1" ua="Microsoft  Office/15.0 (Windows NT 6.1; Microsoft Excel 15.0.4737; Pro)"  exceptions="" category="172" reputation="trusted"  categoryname="Interactive Web Applications" country="United States"  application="shrpntol" app-id="1164"
    2015:08:12-00:46:51  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" request="0x28b08000" function="ssl_connect" file="ssl.c"  line="1444" message="ssl_handshake: Connection reset by peer"
    2015:08:12-00:46:51  ravenna httpproxy[5997]: id="0002" severity="info" sys="SecureWeb"  sub="http" name="web request blocked" action="block" method="OPTIONS"  srcip="10.1.2.3" dstip="104.146.156.25" user="doug" ad_domain=""  statuscode="502" cached="0" profile="REF_HttProSecurDeskt (Laptops  & PC's)" filteraction="REF_xtQVuVVAPc (Doug)" size="2656"  request="0x28b08000"  url="https://techtutor.sharepoint.com/Shared%20Documents/" referer=""  error="Connection reset by peer" authtime="6" dnstime="215697"  cattime="40" avscantime="0" fullreqtime="30426320" device="0" auth="1"  ua="Microsoft Office Excel 2013 (15.0.4737) Windows NT 6.1"  exceptions="" category="172" reputation="trusted"  categoryname="Interactive Web Applications" country="United States"  application="shrpntol" app-id="1164"
    2015:08:12-00:47:13  ravenna httpproxy[5997]: id="0002" severity="info" sys="SecureWeb"  sub="http" name="web request blocked" action="block" method="POST"  srcip="10.1.3.2" dstip="" user="" ad_domain="" statuscode="502"  cached="0" profile="REF_HttProHue (Hue)"  filteraction="REF_DefaultHTTPCFFAction (Default content filter action)"  size="0" request="0x9c9c800"  url="http://dcs.cb.philips.com/Dcs.ConnectionService" referer=""  error="Transport endpoint is not connected" authtime="0" dnstime="0"  cattime="32" avscantime="0" fullreqtime="2050209875" device="0" auth="0"  ua="" exceptions="" category="105" reputation="trusted"  categoryname="Business"
    2015:08:12-00:47:21  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" request="0x28f2a800" function="ssl_connect" file="ssl.c"  line="1444" message="ssl_handshake: Connection reset by peer"
    2015:08:12-00:47:21  ravenna httpproxy[5997]: id="0002" severity="info" sys="SecureWeb"  sub="http" name="web request blocked" action="block" method="OPTIONS"  srcip="10.1.2.3" dstip="104.146.156.25" user="doug" ad_domain=""  statuscode="502" cached="0" profile="REF_HttProSecurDeskt (Laptops  & PC's)" filteraction="REF_xtQVuVVAPc (Doug)" size="2656"  request="0x28f2a800"  url="https://techtutor.sharepoint.com/Shared%20Documents/" referer=""  error="Connection reset by peer" authtime="9" dnstime="622" cattime="67"  avscantime="0" fullreqtime="30214418" device="0" auth="1" ua="Microsoft  Office Excel 2013 (15.0.4737) Windows NT 6.1" exceptions=""  category="172" reputation="trusted" categoryname="Interactive Web  Applications" country="United States" application="shrpntol"  app-id="1164"
    2015:08:12-00:47:37  ravenna httpproxy[5997]: id="0003" severity="info" sys="SecureWeb"  sub="http" request="(nil)" function="sc_check_servers"  file="early_scr_scanner.c" line="780" message="server  'cffs18.astaro.com' access time: 61ms"

  • Are you using authentication?

    Does it work if you turn authentication off?

    Are you using an upstream proxy?  Is there any possibility that something else is generating the 407 Proxy Authentication Required?
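
Added example, not part of the original thread: a small Python triage of httpproxy lines in the key="value" format posted above, counting 407 challenges per host and pairing each 502 "Connection reset by peer" with the ssl_handshake debug line that shares its request value. The sample lines are constructed (placeholder hosts, user and addresses), the function names are hypothetical, and treating fullreqtime as microseconds is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the key="value" layout of the httpproxy lines above,
# trimmed to the fields used here; hosts, user and addresses are placeholders.
SAMPLE_LOG = """\
2015:08:12-00:45:48 fw httpproxy[5997]: id="0003" name="http access" action="pass" method="OPTIONS" srcip="10.1.2.3" user="" statuscode="407" request="0x1000" url="http://static.example.com/en-us/static/" error="" fullreqtime="191"
2015:08:12-00:45:48 fw httpproxy[5997]: id="0003" name="http access" action="pass" method="GET" srcip="10.1.2.3" user="" statuscode="407" request="0x1100" url="http://static.example.com/en-us/static/a.xml?ver=15" error="" fullreqtime="229"
2015:08:12-00:46:19 fw httpproxy[5997]: id="0003" sub="http" request="0x2000" function="ssl_connect" file="ssl.c" line="1444" message="ssl_handshake: Connection reset by peer"
2015:08:12-00:46:19 fw httpproxy[5997]: id="0002" name="web request blocked" action="block" method="OPTIONS" srcip="10.1.2.3" dstip="203.0.113.25" user="user1" statuscode="502" request="0x2000" url="https://files.example.com/Shared%20Documents/" error="Connection reset by peer" fullreqtime="30209562"
2015:08:12-00:46:49 fw httpproxy[5997]: id="0003" sub="http" request="0x3000" function="ssl_connect" file="ssl.c" line="1444" message="ssl_handshake: Connection reset by peer"
2015:08:12-00:46:49 fw httpproxy[5997]: id="0002" name="web request blocked" action="block" method="POST" srcip="10.1.2.3" dstip="203.0.113.25" user="user1" statuscode="502" request="0x3000" url="https://files.example.com/_api/contextinfo" error="Connection reset by peer" fullreqtime="30209332"
"""

KV = re.compile(r'([\w-]+)="([^"]*)"')  # keys such as app-id contain a hyphen


def parse_line(line):
    """Return the key="value" fields of one httpproxy line, or None."""
    if "httpproxy[" not in line:
        return None
    fields = dict(KV.findall(line))
    fields["ts"] = line.split(None, 1)[0]
    return fields


def triage(log_text):
    """Per-host counts of 407 challenges and upstream connection resets."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    # Debug lines carry no URL, only request= and message=. Pairing on the
    # request value is only meaningful within a short window of the log,
    # because the same value can show up again on later requests.
    debug = {r["request"]: r["message"] for r in records
             if "message" in r and "request" in r}
    report = {}
    for r in records:
        if "url" not in r:
            continue
        host = urlsplit(r["url"]).hostname
        entry = report.setdefault(host, {"challenge_407": 0, "reset_502": 0,
                                         "tls_handshake_reset": 0,
                                         "max_wait_s": 0.0})
        if r.get("statuscode") == "407":
            entry["challenge_407"] += 1
        elif r.get("statuscode") == "502" and "reset by peer" in r.get("error", ""):
            entry["reset_502"] += 1
            if "ssl_handshake" in debug.get(r.get("request"), ""):
                entry["tls_handshake_reset"] += 1
            # Assumption: fullreqtime is reported in microseconds.
            wait = round(int(r.get("fullreqtime", "0")) / 1e6, 1)
            entry["max_wait_s"] = max(entry["max_wait_s"], wait)
    return report


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_LOG).items():
        print(host, entry)
```

Hosts that only ever show 407 are unanswered authentication challenges, while hosts with tls_handshake_reset equal to reset_502 failed while the proxy was opening its own TLS connection to the server.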