Online Grammar Checker - Issue

Hi all,

We have a pair of SG450 UTM Appliances (Firmware version 9.405-5) running in Hot Standby Mode.

We have several users attempting to access a site (https://www.grammarly.com). This site allows the upload of passages of text to be checked for grammar etc. However, after logging on to the site an error message is shown which states:

"Your network configuration blocks Grammarly services on this computer. To troubleshoot this issue, click here"

Clicking 'here' opens a link to a diagnostic test between the user PC and the site itself.

A screenshot of the result is shown below:

I cannot see anything in the logs to indicate what the issue may be here and was wondering if anyone has encountered something like this.

Many thanks for your time and assistance in this matter.

John P



  • Hi all,

    Just a quick update. I referred this issue to Sophos who advised me to bypass the UTM for the site concerned to ensure that it was indeed the UTM that was the problem here.

    Not surprisingly, when I reverted to our old Microsoft TMG 2010 to access the site, everything worked OK.

    I believe it to be a websocket issue and have seen on several posts in this forum that other users have had issues similar to this (I won't expose my ignorance on the topic of websockets at this particular time though). Also I have seen a Feature Request with 700+ votes to get the UTM to handle websockets. As of yet Sophos haven't indicated if they are going to address this particular problem.

    In the end I had to disable SSL Scanning for the site in question and all appears to be working fine now. Not my ideal solution, but in the absence of anything from Sophos, will have to do.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • Hi isoffice,

    It seems that with SSL encryption the issue occurs with the connection on HTTPS (TCP:443). These are apps that would associate with Google Chrome / Mozilla, and in some cases when SSL Scanning is enabled, the issue occurs when the server (remote end) does not comply with the UTM certificate. At this point, your only option would be to bypass SSL scanning for the sites with exceptions.

    To work reliably, Grammarly needs a stable Internet connection. Either message can indicate a problem with your local network, your ISP, or your computer settings.

    • Your network or system administrator must ensure that your antivirus and (or) firewall software allows access to the following Internet addresses by adding exception rules for the following addresses to your firewall and/or antivirus software:
      1. capi.grammarly.com (ports 80 and 443)
      2. api.mixpanel.com (ports 80 and 443)
      3. api.parse.com (ports 80 and 443)
      4. auth.grammarly.com (ports 80 and 443)

    Taken from the website https://support.grammarly.com/hc/en-us/articles/206120167-Error-Connecting-to-the-Grammarly-server-message-or-Not-connected-notification-pop-up-What-should-I-do-

    Thanks and Regards 

    Aditya Patel | Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Hi Guys,

    Thank you for the additional information, it has proved quite useful.

    Sachingurung, I have checked the logs specified in #1 of Rulz and cannot see anything untoward there.

    Aditya, I have created an exception (for SSL Scanning) based on the addresses mentioned in your post. All appears to be working now.

    However, the article to which you referred also states, "If you use a proxy, please verify that it supports WebSocket protocol."

    Am I wrong in thinking that the UTM does not support the WebSocket Protocol?

    Best regards,

    John P


  • Hi all,

    I had raised a call with Sophos Support on this and they have confirmed:

    "Unfortunately right now Sophos UTM is unable to handle web socket traffic for web application firewall. So for the mean time you may add exemption for the the destination domain from SSL inspection".

    They go on to say that I should add my vote (already done) to the feature request that might resolve this issue (http://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/4849021-websocket-support-for-waf).

    However, given that the initial feature request was made almost 3 years ago, it looks like my exemption will be in place for the foreseeable future. 

    Thank you for your kind assistance.

    John P


  • Hi John 

    Could you share your Service Request so I may look into it? Kindly message me and do not post it for public viewing.

    Thanks and Regards 

    Aditya Patel 

    Network and Security Engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Hi Aditya,

    I have forwarded those details that you requested.

    Best regards,

    John Perry


  • That the web application firewall cannot do web socket traffic doesn't mean that the Web Filtering Proxy cannot.

    The solution is skipping SSL scanning, as Aditya mentions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello

    We are using an SG210 running firmware 9.509-3

    I also have a problem connecting to Grammarly when Web Filtering is in use.

    I have added:

    ^https?://([A-Za-z0-9.-]*\.)?grammarly\.com/

    ^https?://([A-Za-z0-9.-]*\.)?grammarly\.io/

    To Web Filtering Exceptions, ticking the SSL Scanning, Certificate Trust Check & Certificate Date Check boxes. In the Web Filtering logs I can see requests to Grammarly being passed along with my selected exclusions being applied.

    I still cannot connect to Grammarly, nor pass the Grammarly diagnostic test - it fails as soon as I get to the Web Sockets tests.

    Does anyone have any further tips?

    Many thanks

  • Please paste the relevant lines from the Web Filtering log.

    Cheers - Bob

     
  • Here's the log when I run the Grammarly Self-Diagnostic Tool:

    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xc5bb0000" url="https://app.grammarly.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="134" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xa8ae9200" url="denali-static.grammarly.com/" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="172" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xcb233000" url="https://fonts.googleapis.com/" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="109" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xc400b800" url="https://fonts.gstatic.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="234" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xc962a600" url="www.google-analytics.com/" referer="" error="" authtime="0" dnstime="0" cattime="0" avscantime="0" fullreqtime="166" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions=""
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xc5bb0000" url="https://app.grammarly.com/" referer="" error="" authtime="7" dnstime="0" cattime="0" avscantime="0" fullreqtime="117" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xc8bc9800" url="denali-static.grammarly.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="196" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xca3cf200" url="denali-static.grammarly.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="131" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xc8bc9800" url="denali-static.grammarly.com/" referer="" error="" authtime="8" dnstime="0" cattime="0" avscantime="0" fullreqtime="180" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xca3cf200" url="denali-static.grammarly.com/" referer="" error="" authtime="6" dnstime="0" cattime="0" avscantime="0" fullreqtime="139" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xd0813800" url="denali-static.grammarly.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="147" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0x91449600" url="denali-static.grammarly.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="132" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xd0813800" url="denali-static.grammarly.com/" referer="" error="" authtime="7" dnstime="0" cattime="0" avscantime="0" fullreqtime="127" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0x91449600" url="denali-static.grammarly.com/" referer="" error="" authtime="10" dnstime="0" cattime="0" avscantime="0" fullreqtime="119" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="54.230.8.172" user="user.name" group="Web Filtering Level 3" ad_domain="DOMAIN" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffWebFilteLevel3 (Web Filtering Level Three (Unrestricted Web Filtering))" size="718" request="0xd0813800" url="denali-static.grammarly.com/" referer="" error="" authtime="99" dnstime="2" cattime="0" avscantime="0" fullreqtime="21615" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="54.230.8.172" user="user.name" group="Web Filtering Level 3" ad_domain="DOMAIN" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffWebFilteLevel3 (Web Filtering Level Three (Unrestricted Web Filtering))" size="718" request="0x91449600" url="denali-static.grammarly.com/" referer="" error="" authtime="49" dnstime="3" cattime="0" avscantime="0" fullreqtime="24081" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:58 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0x907eb600" url="https://fonts.gstatic.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="160" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xc7d10a00" url="f-log-editor.grammarly.io/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="170" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xc7d10a00" url="f-log-editor.grammarly.io/" referer="" error="" authtime="9" dnstime="0" cattime="0" avscantime="0" fullreqtime="149" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xcad5b800" url="f-log-editor.grammarly.io/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="151" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xcad5b800" url="f-log-editor.grammarly.io/" referer="" error="" authtime="7" dnstime="0" cattime="0" avscantime="0" fullreqtime="145" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xd250a600" url="f-log-editor.grammarly.io/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="147" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xcd6e2400" url="f-log-editor.grammarly.io/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="134" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xd250a600" url="f-log-editor.grammarly.io/" referer="" error="" authtime="7" dnstime="0" cattime="0" avscantime="0" fullreqtime="135" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xe0ce8c00" url="f-log-editor.grammarly.io/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="124" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xe0ce8c00" url="f-log-editor.grammarly.io/" referer="" error="" authtime="6" dnstime="0" cattime="0" avscantime="0" fullreqtime="120" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xa2814400" url="f-log-editor.grammarly.io/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="129" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xa2814400" url="f-log-editor.grammarly.io/" referer="" error="" authtime="7" dnstime="0" cattime="0" avscantime="0" fullreqtime="142" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xa51b6600" url="https://auth.grammarly.com/" referer="" error="" authtime="5" dnstime="0" cattime="0" avscantime="0" fullreqtime="160" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2518" request="0xa51b6600" url="https://auth.grammarly.com/" referer="" error="" authtime="7" dnstime="0" cattime="0" avscantime="0" fullreqtime="129" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="52.0.104.133" user="user.name" group="Web Filtering Level 3" ad_domain="DOMAIN" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffWebFilteLevel3 (Web Filtering Level Three (Unrestricted Web Filtering))" size="727" request="0xcad5b800" url="f-log-editor.grammarly.io/" referer="" error="" authtime="67" dnstime="2" cattime="0" avscantime="0" fullreqtime="168070" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="52.0.104.133" user="user.name" group="Web Filtering Level 3" ad_domain="DOMAIN" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffWebFilteLevel3 (Web Filtering Level Three (Unrestricted Web Filtering))" size="727" request="0xa2814400" url="f-log-editor.grammarly.io/" referer="" error="" authtime="68" dnstime="2" cattime="0" avscantime="0" fullreqtime="188317" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"
    2018:10:26-07:34:59 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="0.0.0.0" dstip="52.0.104.133" user="user.name" group="Web Filtering Level 3" ad_domain="DOMAIN" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffWebFilteLevel3 (Web Filtering Level Three (Unrestricted Web Filtering))" size="727" request="0xe0ce8c00" url="f-log-editor.grammarly.io/" referer="" error="" authtime="61" dnstime="2" cattime="0" avscantime="0" fullreqtime="193628" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="content,url,ssl,certcheck,certdate"

     

     

    Many thanks

  • Please replace that with lines where the srcip is obfuscated like 192.168.x.21, 172.29.y.21 and 10.x.y.21.

    statuscode="407" means that the client is not allowed under the "Default Web Filter Profile."  Under "Web Filtering Level Three (Unrestricted Web Filtering)," the user is allowed, but we don't know if this is all the same client.

    Cheers - Bob

     
  • statuscode="407" only means that the proxy is asking the browser for credentials, so this log entry should be ignored for most purposes, as it is not a final result.   In my logs, 407 will appear one or two times before the entry that tells me the final disposition.

  • Given the number of 407 errors, I conclude the following:

    • The website is downloading some sort of plug-in, which is why it needs websockets.
    • The plug-in is unable to pass NTLM authentication.
    • The proxy keeps asking for credentials, and gets no response, so it never lets the traffic through.

    Try creating an exception object to bypass authentication for these destinations, remove the more permissive exceptions, and try again.
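
The reading of the 407 entries in the two replies above, as an added example that is not part of any post in this thread: it groups httpproxy log lines by client and destination host, counts the 407 challenges, and reports the final status, listing destinations that were only ever challenged. The sample lines are constructed in the thread's key="value" layout with invented address, user and request values, and the function names are this example's own.

```python
import re

# key="value" pairs as they appear in the httpproxy lines quoted in this thread
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

# Constructed sample (not taken from the thread): fields trimmed to the ones
# used here; srcip, user, pid and request values are invented.
SAMPLE_LOG = """\
2018:10:26-07:34:58 utm httpproxy[4242]: id="0003" action="pass" method="CONNECT" srcip="10.0.0.21" user="" statuscode="407" request="0xa1" url="https://app.grammarly.com/" exceptions="content,url,ssl"
2018:10:26-07:34:58 utm httpproxy[4242]: id="0003" action="pass" method="CONNECT" srcip="10.0.0.21" user="" statuscode="407" request="0xa2" url="denali-static.grammarly.com/" exceptions="content,url,ssl"
2018:10:26-07:34:58 utm httpproxy[4242]: id="0003" action="pass" method="CONNECT" srcip="10.0.0.21" user="" statuscode="407" request="0xa2" url="denali-static.grammarly.com/" exceptions="content,url,ssl"
2018:10:26-07:34:58 utm ulogd[99]: id="2001" action="drop" srcip="10.0.0.21"
2018:10:26-07:34:58 utm httpproxy[4242]: id="0001" action="pass" method="CONNECT" srcip="10.0.0.21" user="user.name" statuscode="200" request="0xa2" url="denali-static.grammarly.com/" exceptions="content,url,ssl"
2018:10:26-07:34:59 utm httpproxy[4242]: id="0003" action="pass" method="CONNECT" srcip="10.0.0.21" user="" statuscode="407" request="0xa3" url="f-log-editor.grammarly.io/" exceptions="content,url,ssl"
2018:10:26-07:34:59 utm httpproxy[4242]: id="0001" action="pass" method="CONNECT" srcip="10.0.0.21" user="user.name" statuscode="200" request="0xa3" url="f-log-editor.grammarly.io/" exceptions="content,url,ssl"
2018:10:26-07:34:59 utm httpproxy[4242]: id="0003" action="pass" method="CONNECT" srcip="10.0.0.21" user="" statuscode="407" request="0xa4" url="https://auth.grammarly.com/" exceptions="content,url,ssl"
"""


def parse_line(line):
    """Return the key/value fields of one httpproxy line, or None for other lines."""
    if "httpproxy[" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "statuscode" not in fields or "url" not in fields:
        return None
    return fields


def host_of(url):
    """CONNECT entries log the url with or without a scheme; keep only the host."""
    return SCHEME_RE.sub("", url).split("/", 1)[0].lower()


def summarize(log_text):
    """Group entries by (srcip, host): count 407 challenges, keep the last other status."""
    summary = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        key = (fields.get("srcip", ""), host_of(fields["url"]))
        entry = summary.setdefault(
            key,
            {"challenges": 0, "final_status": None, "user": "", "exceptions": []},
        )
        if fields["statuscode"] == "407":
            # Proxy asked for credentials; this is not the final disposition.
            entry["challenges"] += 1
            continue
        entry["final_status"] = fields["statuscode"]
        entry["user"] = fields.get("user", "")
        entry["exceptions"] = [e for e in fields.get("exceptions", "").split(",") if e]
    return summary


def challenge_only(summary):
    """Hosts that were challenged with 407 but never logged a final status."""
    return sorted(host for (_, host), e in summary.items() if e["final_status"] is None)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (srcip, host), entry in result.items():
        print(srcip, host, entry)
    print("challenged only, no final status:", challenge_only(result))
```

A host in the `challenge_only` list means only that no authenticated request was logged in the captured window; checking whether `auth` appears in the `exceptions` field of later entries shows whether an authentication bypass is being applied.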

  • Thank you for all your replies.

    I have created a new Exception Group in the UTM for Grammarly that skips authentication (as well as SSL checks).  It seems that this exception is working when looking in the logs, but Grammarly still doesn't work.  Here's the log:

    2018:10:29-09:05:29 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XX.170" dstip="52.85.58.157" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2816" request="0xbaff0a00" url="denali-static.grammarly.com/" referer="" error="" authtime="0" dnstime="3" cattime="0" avscantime="0" fullreqtime="7731411" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="auth,content,url,ssl,certcheck,certdate"
    2018:10:29-09:05:29 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XX.170" dstip="54.161.98.25" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="21326" request="0xa65bcc00" url="f-log-editor.grammarly.io/" referer="" error="" authtime="0" dnstime="10896" cattime="0" avscantime="0" fullreqtime="7074987" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="auth,content,url,ssl,certcheck,certdate"
    2018:10:29-09:05:29 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XX.170" dstip="54.88.131.17" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5704" request="0xc81bf800" url="subscription.grammarly.com/" referer="" error="" authtime="0" dnstime="16387" cattime="0" avscantime="0" fullreqtime="6379777" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="auth,content,url,ssl,certcheck,certdate"
    2018:10:29-09:05:29 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XX.170" dstip="52.85.58.157" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3071" request="0x96cdec00" url="denali-static.grammarly.com/" referer="" error="" authtime="0" dnstime="13724" cattime="0" avscantime="0" fullreqtime="8037962" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="auth,content,url,ssl,certcheck,certdate"
    2018:10:29-09:05:29 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XX.170" dstip="18.205.91.83" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5599" request="0xc4265800" url="https://app.grammarly.com/" referer="" error="" authtime="0" dnstime="10641" cattime="0" avscantime="0" fullreqtime="8038420" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="auth,content,url,ssl,certcheck,certdate"
    2018:10:29-09:05:29 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XX.170" dstip="54.210.34.44" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="5908" request="0xce252c00" url="https://auth.grammarly.com/" referer="" error="" authtime="0" dnstime="8086" cattime="0" avscantime="0" fullreqtime="6737884" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="auth,content,url,ssl,certcheck,certdate"
    2018:10:29-09:05:39 utm httpproxy[16587]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.XX.170" dstip="54.161.98.25" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="1939" request="0xa83b0a00" url="f-log-editor.grammarly.io/" referer="" error="" authtime="0" dnstime="4" cattime="0" avscantime="0" fullreqtime="9577448" device="0" auth="2" ua="Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36" exceptions="auth,content,url,ssl,certcheck,certdate"

     

    Many thanks
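One way to check across a longer log that every Grammarly request really received the `auth` and `ssl` exceptions, as an added example that is not part of the original post. The sample lines are constructed (trimmed fields, documentation-range IPs, and an invented `hypothetical-host` for the failing case); the suffix list and required exceptions are assumptions taken from the hosts and `exceptions=` values visible in the log above.

```python
import re
from collections import defaultdict

# Constructed sample in the httpproxy key="value" layout; fields trimmed,
# documentation-range IPs, "hypothetical-host" invented for the failing case.
SAMPLE_LOG = '''\
2018:10:29-09:05:29 utm httpproxy[16587]: name="http access" action="pass" method="CONNECT" srcip="192.0.2.10" statuscode="200" url="denali-static.grammarly.com/" exceptions="auth,content,url,ssl,certcheck,certdate"
2018:10:29-09:05:29 utm httpproxy[16587]: name="http access" action="pass" method="CONNECT" srcip="192.0.2.10" statuscode="200" url="https://app.grammarly.com/" exceptions="auth,content,url,ssl,certcheck,certdate"
2018:10:29-09:05:30 utm httpproxy[16587]: name="http access" action="pass" method="CONNECT" srcip="192.0.2.10" statuscode="200" url="hypothetical-host.grammarly.io:443" exceptions="url"
2018:10:29-09:05:31 utm httpproxy[16587]: name="http access" action="pass" method="GET" srcip="192.0.2.10" statuscode="200" url="http://example.org/" exceptions=""
'''

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Turn one httpproxy line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))

def host_of(url):
    """The url field appears as 'host/' and as 'https://host/'; return the bare host."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()

def audit_exceptions(log_text, suffixes=("grammarly.com", "grammarly.io"),
                     required=("auth", "ssl")):
    """Per matching host: request count and any required exception not applied."""
    report = defaultdict(lambda: {"requests": 0, "missing": set()})
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("name") != "http access":
            continue
        host = host_of(fields.get("url", ""))
        if not any(host == s or host.endswith("." + s) for s in suffixes):
            continue
        applied = set(filter(None, fields.get("exceptions", "").split(",")))
        report[host]["requests"] += 1
        report[host]["missing"] |= set(required) - applied
    return dict(report)

if __name__ == "__main__":
    for host, info in sorted(audit_exceptions(SAMPLE_LOG).items()):
        missing = ",".join(sorted(info["missing"]))
        status = "OK" if not missing else "MISSING " + missing
        print(f"{host:40} requests={info['requests']} {status}")
```

A host reported as `MISSING` is one the exception's match pattern does not cover; a clean report means the remaining failure lies outside authentication and SSL scanning.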