This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Why are my web applications not connecting?

I have Sophos Web Appliance 4.3.1.1 and there were many workstations that were not connected to the proxy. Once connected there were many complaints about not being able to access certain websites.. this was expected. However, users can't use applications like google drive and dropbox are not able to connect to the internet via proxy.

 

I'm not sure what to do.



This thread was automatically locked due to age.
Parents
  • There are many things that could be happening.

     

    In short:

     

    #1 - HTTPS scanning is required for any application control on an encrypted site.  Otherwise the applaince can ONLY see root domains.    For example, mail.google.com, google.com/mail and google.com would all look like requeusts to google.com  https scanning allows the applaince to see the compltete url.  This is also required for address rewriting like safe search.

    #2 applications are not supported, ONLY browser requests are supported (so going to gmail from IE can be blocked, but using the gmail app may not work due to a plethora of reasons including HSTS, bad coding/non-standard RFC requests etc) 

    #3 setting a site as "trusted" in the local site list may help, once added give it up to 5 mins to take effect. (if this does not resolve it, remove the entry. Setting a site to trusted should only be used if absolutely necessary, or testing as it omits the site from AV scanning.   The most common reason to add a site as trusted is streaming media, there is no end to the file so it can cause the AV scanner to hang.

    #4 add the domain to the https scanning exemptions.   This will essentially create the tunnel between client and site and offload the process from further scanning. 

    #5 use tools such as ssllabs to test the site in question, the appliance will drop things like SSLv3 and certificate validation will drop self signed / invalid certificates. 

    #6 conduct a policy test configuration / group policy / policy test   The site field should be the fqdn : https://www.google.com and the user should be DOMAIN\user  

     

    Finally Output the logs and check the traffic..  The best way to see what's going on is to export the sophos.log to a splunk/syslog server.

    configuration / system / alerts & monitoring / syslog tab

     

    This will export the raw proxy log entries.. like so.

    h=10.99.115.13 u="DOMAIN\\johnsmith" s=200 X=- t=1336666489 T=284453
    Ts=0 act=1 cat="0x220000002a" app="-" rsn=- threat="-" type="text/html" ctype="text/html"
    sav-ev=4.77 sav-dv=2012.5.10.4770003 uri-dv=- cache=- in=1255 out=26198
    meth=GET ref="-" ua="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0"
    req="GET http://www.google.ca/ HTTP/1.1" dom="google.ca" filetype="-" rule="0"
    filesize=25815 axtime=0.048193 fttime=0.049360 scantime=0.011 src_cat="0x2f0000002a"
    labs_cat="0x2f0000002a" dcat_prox="-" target_ip="74.125.127.94" labs_rule_id="0"
    reqtime=0.027 adtime=0.001625 ftbypass=- os=Windows authn=53 auth_by=portal_cache
    dnstime=0.000197 quotatime=- sandbox=-

    Then you can cross reference the blocks, here.

    http://wsa.sophos.com/docs/wsa/webhelp/index.html#swa/concepts/InterpretingLogFiles.html

    I bolded the main ones you will need. In short anything that's like acts -1 .. is been blocked.. the rsn ie 1406 would be blocked by a policy.. 

    the get request is the fqdn you could test at say ssllabs.

  • This is great information!. The moment I enable the HTTP Scanning users were havign issues with sites like Google.com. Receiving an Untrusted website error.  I suppose we will need a certificate right or is there any other way around that?

  • That's correct.

    In short HTTPS --

    client makes https request.. >> infrastructure >> Lan interface of appliance >> appliance decrypts the traffic >> applaince re-encrypts and makes request to google.

    The opposite is true on the way back.

     

    The certificate error your getting is because the applaince has a root authority self signed certificate, this is required to that the appliance can generate a new certificate for each https request.

    When this is employed you will never see a signing authority from any provider.

    for example, if you goto google.com.  the certificate will be issued for google.com but issued by the sophos plc.  So your browser is complaining because its received a certificate signed by a self signed authority.

     

    To resolve this just go into the HTTPS scanning area, there is a button to download the authority.. push that out via gpo and your done.  There is a complete walkthrough here:

    https://community.sophos.com/kb/en-us/42153

  • Excellent information. I will try this tomorrow.

  • I applied the policy and end users have received the certificate. Upon turning on HTTPS scanning, all our users were unable to send emails. We use google apps here and there was a 403 error. 

    I wish I had implemented the web appliance when it was first introduced to our infrastructure but unfortunately I came a few years after.  So any help, literature, guidance would be appreciated.

Reply
  • I applied the policy and end users have received the certificate. Upon turning on HTTPS scanning, all our users were unable to send emails. We use google apps here and there was a 403 error. 

    I wish I had implemented the web appliance when it was first introduced to our infrastructure but unfortunately I came a few years after.  So any help, literature, guidance would be appreciated.

Children