In the past day, we have begun the release of version 4.3.1 of the Sophos Web Appliance. Rollout will continue to customers over the next couple of weeks.

This new version fixes a vulnerability, discovered by Russell Sanford of Critical Start, along with a number of defects that were either discovered in-house or experienced by customers. You can find out more about these fixes in the Release Notes.

A couple of the fixes required behaviour changes that may impact customers on upgrade. If your SWA is configured with multiple DNS servers, and those servers cannot resolve all the same domain information, or if you restrict access from your SWA to NTP services via rules on your network firewalls, you may be affected - so read on.

The DNS change relates to the use of secondary or tertiary DNS servers. Prior to version 4.3.1 the SWA would only switch from using the primary to the secondary after a failure, which for some customers meant that they would experience browsing failures for short periods while the system was waiting for the responses to fail and then switch over.

In version 4.3.1 we are taking a more dynamic approach to us of multiple DNS servers. By optimizing requests between servers, we can be more robust when one server fails. But it does make it more likely that the secondary or tertiary server will come into play from time to time.

If your secondary or tertiary servers cannot resolve some domain names (for example, if your primary is an internal server with Active Directory information, and you use an ISP or other public DNS server for the secondary) you may find that users trying to browse to those non-public domains will occasionally fail. We expect most of you will not be in this situation, but your users do report intermittent failures browsing to local sites, do check your DNS server settings, and check that all your DNS servers are configured correctly.

If you do not have multiple servers hosting your internal DNS information, we recommend you do not configure a public DNS server as a secondary or tertiary.

For more information, see this knowledgebase article.

On the NTP side, we have changed the default NTP server used by the SWA to better reflect the terms of service of the NTP Pool Project. The default is now, which resolves to a different IP address. For most customers, this will not have any impact, but if you are still using the default, and if your firewall has been configured to only allow outbound NTP connections to specific addresses, then the firewall may need to be updated so that your SWA can keep its clock in sync.

To find out more about the NTP Pool Project, visit their website.