Why does Input/Output Error Occur?

Hi all,

Our current setup is two SG450 Hardware Appliances running Version 9.409-9 in a Hot-Standby (Active-Passive) configuration.

When attempting to access a particular site (https://www.ward.ie) we are getting a 'page blocked' page stating that the 'content could not be delivered due to the following condition: Input/Output Error'.

I have seen similar postings on this forum in relation to this and the accepted fix is to exempt the site from SSL scanning.

This indeed does work and I have applied it as a (hopefully temporary) workaround.

However, could someone please explain why I have to do this at all? Are we seeing a trend towards exemption from SSL Scanning because the destination site somehow doesn't like how the UTM is intercepting the HTTPS traffic and possibly sees the resulting traffic emerging from the UTM as a Man-In-The-Middle attack? I have had to exempt several sites in recent months for this very reason and I am a bit concerned that this may become the norm.

Any views would be most welcome.

Best regards,

John P



  • Hi folks,

    Just to append to this original post.

    I have tested access to this site via our no-longer-used Cisco IronPort Web Security Appliances (which the Sophos UTM replaced!!) and was able to access the site fine, even with SSL Scanning enabled on the IronPorts.

    Best regards,

    John P

    2 x SG450 (Version 9.714-4)

    HA = Active-Passive

  • "The destination site somehow doesn't like how the UTM is intercepting the HTTPS traffic and possibly sees the resulting traffic emerging from the UTM as a Man-In-The-Middle attack?"

    Yes.  If there was no such exception in the IronPort, then I would get a support case open with Sophos.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thank you for your reply. It's always good to get a sanity check when these sorts of things happen.

    I have a couple of calls open with Sophos Support, one of which I think is quite similar to this in that their recommendation is to exempt the site from SSL Scanning as I'm getting a 'broken pipe' error message.

    My main concern is the apparent lack of appetite on behalf of Sophos to resolve these problems. All that is being offered is a workaround which, let's face it, is not totally satisfactory. Having to exempt an increasing number of sites from SSL Scanning sort of defeats the purpose of scanning them in the first place.

    Monday morning rant over!!

    Back to work.

    Thanks again,

    John P


  • John, I ALWAYS configure to skip SSL scanning for the Finance/banking, Health and Pharmacy categories.

    Did you check to confirm that you had no such exception in the IronPort?  Please do let us know Sophos' response.

    Cheers - Bob

     
  • Hi Bob,

    Like you I do not impose SSL scanning on sites classified as Finance/Banking. However, the site I was attempting to access on this occasion was classified (by the UTM Policy Helpdesk) as a 'Business' website with a 'Neutral' URL Reputation.

    I can also confirm that the site in question (https://www.ward.ie) was not included as an exception in our old IronPort installation.

    The response from Sophos, prior to closing the case, was:

    "Certain servers don't like proxied traffic and in these cases the server responds in this manner. That's the reason those URLs have to be bypassed. As this is not an issue with UTM but the end server, modifying anything on UTM won't help.

    If SSL scanning was bypassed for the same, the certificate TLS check is bypassed and hence proxy scanning for that website will not occur. We will definitely make note of this to our development but for now if it works, may we go ahead and close this case?"

    I'm still unconvinced that the UTM is entirely blameless in this situation as we were able to access the site fine via the IronPorts. However, I'm willing to live with the minor inconvenience of creating an exception. I stated my concern to Sophos that this trend of exempting traffic from security scans did not address the underlying problem, so the ball is in their court. Hopefully it is something that will be addressed in future updates.

    Best regards and thank you again for your input.

    John P
