
StatusCode 407 Errors on 9.502-4 and 9.503-4

This is similar/same as a previous thread from 2015, but something I just noticed on our firewalls. The logs are full of 407 errors, almost one for every 200 code when I crunch the numbers.

Standard Proxy with AD SSO

DHCP autoproxy configuration option 252 = http://sophos.internal.com:8080/wpad.dat

Group created in Definitions and Users for domain users.

Authentication configured and tested.

 

We get the same result with all browsers (IE, Edge, Chrome, Firefox) whether they are configured with "Automatic Discovery" (DHCP, except Firefox, which doesn't support DHCP discovery), "Automatic Proxy Configuration" (http://sophos.internal.com:8080/wpad.dat) or "Manual Proxy" (http://sophos.internal.com:8080).

  • I think the manual proxy should include wpad.dat

    Overall, you seem to have two possibilities - proxy config not being applied successfully or UTM failing to talk to AD correctly.

    Given UTM recent history, you should probably disconnect from AD, then join to the domain again. Then retest on the authentication server tab. Then test on Policy Help desk tab. Then test from a desktop device.

  • It appears to be a non-issue. According to Sophos support, the 407 errors are normal for Standard proxy with authentication. I found an old log file from before the upgrade to 9.5xx and it also had the 407 errors.

    Actually, the reason I was so concerned was that I had to rejoin one of the UTMs to the domain last night, and these errors were still occurring. It was the only time I really looked at the statuscode for traffic that was "passed" rather than "blocked". I also created a pivot table with statuscode showing a ton of 407s.

  • Your browsers are configured to use "standard mode" proxy via WPAD. I don't think that your problem is related to this. If you really want to, manually configure a browser to use the proxy (rather than auto discover) and see if the problem continues to occur.

    407 indicates that something is asking to authenticate. There are times that the proxy will send a 407 back to the client browser. But if I recall correctly we don't log it when we are generating the 407.

    Is it possible you have another device (such as an upstream proxy) that is trying to authenticate?

    Can you post a sample log line?

  • The Sophos is internet-facing, so no upstream proxies. I have tried manual proxy configuration and still get the 407s.

    2017:09:22-13:45:49 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.50.1.34" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2540" request="0xd9192400" url="ocsp.godaddy.com/.../MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQw+RaCaUs=" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="168" device="1" auth="2" ua="Microsoft-CryptoAPI/10.0" exceptions=""
    2017:09:22-13:45:49 sophostn-2 httpproxy[25718]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.50.1.34" dstip="50.63.243.230" user="user.name" group="" ad_domain="CORP" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffTcsDefault (TCS Default)" size="1775" request="0xd9192400" url="ocsp.godaddy.com/.../MEgwRjBEMEIwQDAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX+2yz8LQsgM4CBwQw+RaCaUs=" referer="" error="" authtime="594" dnstime="65896" cattime="30519" avscantime="983" fullreqtime="145170" device="1" auth="2" ua="Microsoft-CryptoAPI/10.0" exceptions="" category="178" reputation="neutral" categoryname="Internet Services" country="United States" application="ocsp" app-id="835" sandbox="-" content-type="application/x-x509-ca-cert"

    A lot of them seem to be service related:

    2017:09:22-13:50:51 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.50.1.34" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2548" request="0xd905e000" url="bn3sch020020841.wns.windows.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="134" device="1" auth="2" ua="" exceptions=""
    2017:09:22-13:50:51 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.50.1.38" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2548" request="0xd8ef8600" url="yqlmailapps.query.yahoo.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="180" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" exceptions=""
    2017:09:22-13:50:52 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.50.1.38" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2548" request="0xc21de00" url="https://www.yahoo.com/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="126" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" exceptions=""
    2017:09:22-13:50:53 sophostn-2 httpproxy[25718]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.50.1.38" dstip="" user="" group="" ad_domain="" statuscode="407" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction=" ()" size="2548" request="0xbb8ac00" url="scontent-mia3-1.xx.fbcdn.net/" referer="" error="" authtime="1" dnstime="0" cattime="0" avscantime="0" fullreqtime="140" device="1" auth="2" ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36" exceptions=""

    But there are also a lot where you will see it fail first, then authenticate the second time with the same URL, like the first example. This is happening on two of our UTMs: one is the default route out of the company at a remote site, and the other, at the main site, is not set as the default route. Our third UTM is in transparent mode at a colocation facility without any users.
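The pairing the poster describes (a 407 followed by an authenticated 200 for the same request) can be checked mechanically rather than with a pivot table. The script below is an added example, not code from any poster or from Sophos: it parses the UTM httpproxy key="value" format, treats a 407 that is followed by a 200 carrying a user for the same srcip/request/url as a completed SSO handshake, and reports the leftover 407s grouped by user agent (an empty ua is the service-traffic pattern in the CONNECT lines above). The log lines, host name, IPs and user are constructed for the example.

```python
import re
from collections import Counter

# UTM httpproxy lines: timestamp, host, process, then key="value" pairs.
KV_RE = re.compile(r'(\S+?)="([^"]*)"')

# Constructed sample lines modelled on the thread's format (not real traffic).
SAMPLE_LOG = """\
2017:09:22-13:45:49 utm-1 httpproxy[1000]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.34" dstip="" user="" ad_domain="" statuscode="407" request="0xaa01" url="ocsp.example.com/" auth="2" ua="Microsoft-CryptoAPI/10.0"
2017:09:22-13:45:49 utm-1 httpproxy[1000]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.0.0.34" dstip="203.0.113.10" user="jdoe" ad_domain="CORP" statuscode="200" request="0xaa01" url="ocsp.example.com/" auth="2" ua="Microsoft-CryptoAPI/10.0"
2017:09:22-13:50:51 utm-1 httpproxy[1000]: id="0003" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="10.0.0.38" dstip="" user="" ad_domain="" statuscode="407" request="0xbb02" url="push.example.net/" auth="2" ua=""
"""

def parse_line(line):
    """Return the key="value" fields of one line plus its leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields

def classify_407s(log_text):
    """Walk the log in order, pairing each 407 with a later authenticated 200
    for the same (srcip, request, url). Returns (handshakes, unresolved), where
    unresolved is the list of 407 events that never got an authenticated reply."""
    pending = {}        # (srcip, request, url) -> 407 event awaiting its 200
    handshakes = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev.get("srcip"), ev.get("request"), ev.get("url"))
        code = ev.get("statuscode")
        if code == "407":
            pending[key] = ev   # a later 200 with a user completes this handshake
        elif code == "200" and ev.get("user") and key in pending:
            handshakes += 1
            del pending[key]
    return handshakes, list(pending.values())

def unresolved_by_agent(unresolved):
    """Count unresolved 407s per user agent; an empty ua is typically a
    background service rather than a browser, as in the CONNECT lines above."""
    return Counter(ev.get("ua", "") or "<no user agent>" for ev in unresolved)

if __name__ == "__main__":
    done, left = classify_407s(SAMPLE_LOG)
    print(f"completed AD SSO handshakes: {done}, unresolved 407s: {len(left)}")
    for ua, n in unresolved_by_agent(left).items():
        print(f"  {n:4d}  {ua}")
```

Run it against a real http.log export instead of SAMPLE_LOG; a large unresolved count for a single user agent points at a client that never completes the challenge rather than at the proxy or AD join.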
  • Typically, a 407 would be expected to generate a pop-up asking for "basic mode" login information. If that is not occurring, then Support must be correct.

    I use Standard proxy and I thought I knew my log files pretty well, but I do not remember seeing this occur frequently. Good catch.