Hey, I have a support request open for this but I figured I would put it out here to see what I could get before my remote session next Monday. When connected to SSLVPN through the XG I cannot authenticate to O365 via ADFS using Outlook. Skype for Business works, MS Teams works, OneNote and OneDrive all work... We are using IPS and SSL Decryption. I have added in all recommended exclusions using Sophos' provided tar file, which was uploaded to my system. I have also added exclusions for Microsoft's second-level domains as well as our ADFS URLs.
There is nothing obvious in the logs AT ALL... What gives? I am like 99.9% sure this is SSL related but even when I put a straight up open rule outbound with no filtering and SSL decryption disabled it STILL fails...
If I disconnect the VPN and open Outlook... BAM it fires right up.
Hi Brian Straka,
Thank you for reaching out to the Community!
Did you configure split or full tunnel SSL VPN? If it's a full tunnel, did you apply any advanced filtering such as web and application control on VPN to WAN firewall rule?
Thanks,
Community Support Engineer | Sophos Technical Support
This is a full tunnel.
Advanced filtering and application control is only applied to WAN. LAN and VPN zones have no advanced filtering applied.
Again, when I put in a rule at the top to bypass all advanced filtering... it does the same thing. (The same happens when I just turn off web filtering and application control.)
Anyone else having this issue? I can't believe I am the only one. I must be missing something...
Do you use DPI or the old proxy decryption?
DPI
I would like to try split tunneling... is there a way to configure it with the Sophos Connect 2.0 client? I know with the old client it was really easy to do with the Sophos Connect admin tool. With the new .pro configuration file I see nothing in the documentation on how to enable split tunneling.
You can now configure the split tunnel by adding permitted networks under VPN > IPsec (Remote Access) > Advanced settings. Please make sure to turn off "Use as default gateway".
OK, I have narrowed this down to an issue with Win 10 (1909) and the SSL VPN using the Sophos Connect Client 2.0.
When the VPN connects, Windows cannot identify the connection and does not allow traffic through the TAP interface.
As shown in the routing table below. I am running a full tunnel; why do I have two default routes?

Interface List
 17...02 50 41 00 00 01 ......PANGP Virtual Ethernet Adapter #2
 16...8c 04 ba 11 28 f1 ......Intel(R) Ethernet Connection (6) I219-V
  9...de fb 48 72 8c 83 ......Microsoft Wi-Fi Direct Virtual Adapter #2
 19...00 ff ae 62 62 01 ......Sophos TAP Adapter
 21...dc fb 48 72 8c 83 ......Intel(R) Wireless-AC 9560 160MHz
 23...dc fb 48 72 8c 87 ......Bluetooth Device (Personal Area Network) #2
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.0.254     192.168.0.35     35
          0.0.0.0        128.0.0.0     172.16.240.1     172.16.240.2    291
Also, running Get-NetConnectionProfile in PowerShell shows the following: no IPv4Connectivity on Ethernet 5, which is my Sophos TAP connection.

Name             : redacted.com
InterfaceAlias   : Ethernet 5
InterfaceIndex   : 19
NetworkCategory  : DomainAuthenticated
IPv4Connectivity : NoTraffic
IPv6Connectivity : NoTraffic

Name             : redacted
InterfaceAlias   : Wi-Fi 2
InterfaceIndex   : 21
NetworkCategory  : Public
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic

Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . : redacted.com
   Description . . . . . . . . . . . : Sophos TAP Adapter
   Physical Address. . . . . . . . . : 00-FF-AE-62-62-01
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::201d:4dd0:5788:f8ce%19(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.240.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Lease Obtained. . . . . . . . . . : Tuesday, January 12, 2021 10:04:56 AM
   Lease Expires . . . . . . . . . . : Wednesday, January 12, 2022 10:04:55 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 172.16.243.254
   DHCPv6 IAID . . . . . . . . . . . : 67174318
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-D2-1E-04-8C-04-BA-11-28-F1
   DNS Servers . . . . . . . . . . . : 172.16.100.100
                                       192.168.13.100
   NetBIOS over Tcpip. . . . . . . . : Enabled
If I run ipconfig /release and ipconfig /renew, my connection now shows IPv4Connectivity: Internet and everything works as expected.

Name             : redacted.com
InterfaceAlias   : Ethernet 5
InterfaceIndex   : 19
NetworkCategory  : DomainAuthenticated
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic

Name             : redacted
InterfaceAlias   : Wi-Fi 2
InterfaceIndex   : 21
NetworkCategory  : Public
IPv4Connectivity : Internet
IPv6Connectivity : NoTraffic
If anyone is wondering, it appears that Microsoft in its infinite wisdom has made Outlook depend on WINS in some fashion. In my SSL VPN settings on the XG, I put my DNS servers' IPs (which are also my domain controllers and WINS servers internally) in the WINS section of the config and voila, Outlook connects again.
Don't know why or how, but seriously, I cannot understand how I am the only one with this issue, and it took 2 weeks of putzing around to figure it out. Hopefully this answer helps some other poor soul out in the future.
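The diagnostics in the thread above (Get-NetConnectionProfile showing NoTraffic on the TAP adapter, the extra default route, the release/renew workaround, and the missing WINS servers in the ipconfig output) can be collected in one pass. The following PowerShell script is an added example written for this page; it is not code from the thread or from Sophos. The adapter description "Sophos TAP Adapter" and the two WINS addresses are taken from the outputs posted above and are assumptions for your environment; the -Renew switch applies the poster's ipconfig /release and /renew workaround only when the adapter still reports NoTraffic. On the "two default routes" question: OpenVPN-based clients that redirect the default gateway push 0.0.0.0/1 and 128.0.0.0/1 routes, which win over the LAN's 0.0.0.0/0 by longest prefix without deleting it, and the "0.0.0.0 netmask 128.0.0.0" line in the posted route table is exactly that 0.0.0.0/1 route.

```powershell
# Added example (not from the original thread): check a Sophos Connect SSL VPN
# TAP adapter for the symptoms discussed above and optionally apply the
# release/renew workaround. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    # Assumed adapter description, taken from the ipconfig output in the thread
    [string]$AdapterDescription = 'Sophos TAP Adapter',
    # Assumed WINS servers, taken from the DNS servers listed in the thread
    [string[]]$ExpectedWins = @('172.16.100.100', '192.168.13.100'),
    [switch]$Renew
)

$tap = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like "$AdapterDescription*" }
if (-not $tap) { throw "No adapter matching '$AdapterDescription'; is the VPN connected?" }

# 1. Network Location Awareness profile. The failing state in the thread is
#    IPv4Connectivity = NoTraffic on the TAP adapter.
$ncp = Get-NetConnectionProfile -InterfaceIndex $tap.ifIndex
"{0}: category={1} IPv4={2}" -f $tap.Name, $ncp.NetworkCategory, $ncp.IPv4Connectivity

# 2. Default routes. A full-tunnel OpenVPN-style client adds 0.0.0.0/1 and
#    128.0.0.0/1 via the tunnel; the LAN's 0.0.0.0/0 stays but loses on prefix length.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -in '0.0.0.0/0', '0.0.0.0/1', '128.0.0.0/1' } |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric |
    Format-Table -AutoSize

# 3. WINS servers pushed over the tunnel. The thread's fix was to add them in the
#    XG SSL VPN settings; Win32_NetworkAdapterConfiguration exposes what the
#    client actually received.
$cfg  = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter "InterfaceIndex=$($tap.ifIndex)"
$wins = @($cfg.WINSPrimaryServer, $cfg.WINSSecondaryServer) | Where-Object { $_ }
if (-not $wins) {
    Write-Warning "No WINS servers on $($tap.Name); expected $($ExpectedWins -join ', ')"
} else {
    "WINS on $($tap.Name): $($wins -join ', ')"
}

# 4. Workaround from the thread: release and renew the TAP adapter's DHCP lease
#    so NLA re-evaluates the interface, then re-read the connectivity state.
if ($Renew -and $ncp.IPv4Connectivity -eq 'NoTraffic') {
    ipconfig /release $tap.Name | Out-Null
    ipconfig /renew   $tap.Name | Out-Null
    Start-Sleep -Seconds 3
    $after = Get-NetConnectionProfile -InterfaceIndex $tap.ifIndex
    "After renew: IPv4={0}" -f $after.IPv4Connectivity
}
```

Run it without -Renew first to see the three checks, then with -Renew once the VPN is up; if the WINS warning fires while Outlook fails and clears after the XG SSL VPN settings are changed, that matches the behaviour the poster described.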