Outlook connecting to O365 18.0.4 MR4

Hey, I have a support request open for this but I figured I would put it out here to see what I could get before my remote session next Monday.  When connected to SSL VPN through the XG I cannot authenticate to O365 via ADFS using Outlook.  Skype for Business works, MS Teams works, OneNote and OneDrive all work...  We are using IPS and SSL decryption.  I have added in all recommended exclusions using Sophos' provided tar file, which was uploaded to my system.  I have also added exclusions for Microsoft's second-level domains as well as our ADFS URLs.

There is nothing obvious in the logs AT ALL... What gives?  I am like 99.9% sure this is SSL related but even when I put a straight up open rule outbound with no filtering and SSL decryption disabled it STILL fails...

If I disconnect the VPN and open Outlook... BAM it fires right up.

  • Hi,

    Thank you for reaching out to the Community! 

    Did you configure split or full tunnel SSL VPN? If it's a full tunnel, did you apply any advanced filtering such as web and application control on VPN to WAN firewall rule? 

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • This is a full tunnel.

    Advanced filtering and application control is only applied to WAN.  LAN and VPN zones have no advanced filtering applied.

  • Again, when I put in a rule to bypass all advanced filtering at the top... it does the same thing. (same happens when I just turn off web filtering and application control.)

  • Anyone else having this issue?  I can't believe I am the only one. I must be missing something.....

  • Do you use DPI or the old proxy decryption? 


  • I would like to try split tunneling... is there a way to configure it with the Sophos Connect 2.0 client?  I know with the old client it was really easy to do with the Sophos Connect admin tool.  With the new .pro configuration file I see nothing in the documentation on how to enable split tunneling.

  • Hi,

    You can now configure the split tunnel by adding permitted networks under VPN > IPsec (Remote Access) > Advanced settings. Please make sure to turn off "Use as default gateway".

    Thanks,

    Harsh Patel (H_Patel)


  • OK, I have narrowed this down to an issue with Win 10 (1909) and the SSL VPN using the Sophos Connect Client 2.0.

    When the VPN connects, Windows cannot identify the connection and does not allow traffic through the TAP interface.

    As shown by the routing table below. I am running a full tunnel; why do I have 2 default routes?

    Interface List
     17...02 50 41 00 00 01 ......PANGP Virtual Ethernet Adapter #2
     16...8c 04 ba 11 28 f1 ......Intel(R) Ethernet Connection (6) I219-V
      9...de fb 48 72 8c 83 ......Microsoft Wi-Fi Direct Virtual Adapter #2
     19...00 ff ae 62 62 01 ......Sophos TAP Adapter
     21...dc fb 48 72 8c 83 ......Intel(R) Wireless-AC 9560 160MHz
     23...dc fb 48 72 8c 87 ......Bluetooth Device (Personal Area Network) #2
      1...........................Software Loopback Interface 1
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.0.254     192.168.0.35     35
              0.0.0.0        128.0.0.0     172.16.240.1     172.16.240.2    291

    Also running Get-NetConnectionProfile in PowerShell shows the following: no IPv4Connectivity on Ethernet 5, which is my Sophos TAP connection.

    Name             : redacted.com
    InterfaceAlias   : Ethernet 5
    InterfaceIndex   : 19
    NetworkCategory  : DomainAuthenticated
    IPv4Connectivity : NoTraffic
    IPv6Connectivity : NoTraffic

    Name             : redacted
    InterfaceAlias   : Wi-Fi 2
    InterfaceIndex   : 21
    NetworkCategory  : Public
    IPv4Connectivity : Internet
    IPv6Connectivity : NoTraffic

    Ethernet adapter Ethernet 5:

       Connection-specific DNS Suffix  . : redacted.com
       Description . . . . . . . . . . . : Sophos TAP Adapter
       Physical Address. . . . . . . . . : 00-FF-AE-62-62-01
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::201d:4dd0:5788:f8ce%19(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.16.240.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.252.0
       Lease Obtained. . . . . . . . . . : Tuesday, January 12, 2021 10:04:56 AM
       Lease Expires . . . . . . . . . . : Wednesday, January 12, 2022 10:04:55 AM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 172.16.243.254
       DHCPv6 IAID . . . . . . . . . . . : 67174318
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-D2-1E-04-8C-04-BA-11-28-F1
       DNS Servers . . . . . . . . . . . : 172.16.100.100
                                           192.168.13.100
       NetBIOS over Tcpip. . . . . . . . : Enabled

    If I run ipconfig /release and ipconfig /renew now my connection shows: IPv4 Connectivity Internet and everything works as expected.

    Name             : redacted.com
    InterfaceAlias   : Ethernet 5
    InterfaceIndex   : 19
    NetworkCategory  : DomainAuthenticated
    IPv4Connectivity : Internet
    IPv6Connectivity : NoTraffic

    Name             : redacted
    InterfaceAlias   : Wi-Fi 2
    InterfaceIndex   : 21
    NetworkCategory  : Public
    IPv4Connectivity : Internet
    IPv6Connectivity : NoTraffic
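The checks in the post above (locate the Sophos TAP adapter, read its connection profile, inspect the default routes, release/renew when the profile reports NoTraffic) can be gathered into one script. The following is an added example written for this thread, not code from the poster or from Sophos. It assumes the VPN adapter's InterfaceDescription contains "Sophos TAP", as in the ipconfig output above (change the pattern if yours differs), and that the NetAdapter/NetTCPIP cmdlets are available (Windows 8.1/2012 R2 or later). It reports the 0.0.0.0/0 default route alongside any 0.0.0.0/1 and 128.0.0.0/1 half routes, which VPN clients commonly push so they win by longest-prefix match without deleting the physical default route; it only renews the lease when -Repair is given.

```powershell
# Added diagnostic script for the TAP "NoTraffic" symptom described in the thread.
# Assumption: the VPN adapter's InterfaceDescription matches "*Sophos TAP*".

function Get-VpnTapAdapter {
    param([string]$Pattern = 'Sophos TAP')
    # First adapter whose driver description matches the pattern (assumed name).
    Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -like "*$Pattern*" } |
        Select-Object -First 1
}

function Get-DefaultRouteSummary {
    # /0 is the real default route; /1 half routes are the usual VPN override.
    $prefixes = @('0.0.0.0/0', '0.0.0.0/1', '128.0.0.0/1')
    Get-NetRoute -AddressFamily IPv4 |
        Where-Object { $prefixes -contains $_.DestinationPrefix } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias,
                      InterfaceIndex, RouteMetric, InterfaceMetric |
        Sort-Object DestinationPrefix
}

function Test-VpnTapConnectivity {
    param(
        [string]$Pattern = 'Sophos TAP',
        [switch]$Repair    # release/renew the TAP lease if it reports NoTraffic
    )

    $tap = Get-VpnTapAdapter -Pattern $Pattern
    if (-not $tap) {
        Write-Warning "No adapter matching '$Pattern' found (is the VPN connected?)"
        return $null
    }

    # Network Location Awareness view of the interface (NoTraffic / Internet ...).
    $ncp = Get-NetConnectionProfile -InterfaceIndex $tap.ifIndex -ErrorAction SilentlyContinue

    $routes    = Get-DefaultRouteSummary
    $tapRoutes = @($routes | Where-Object { $_.InterfaceIndex -eq $tap.ifIndex })

    $healthy = ($ncp -and $ncp.IPv4Connectivity -eq 'Internet') -and ($tapRoutes.Count -gt 0)

    if (-not $healthy -and $Repair) {
        # Same manual fix the thread used: drop and re-request the DHCP lease.
        Write-Host "TAP profile is '$($ncp.IPv4Connectivity)'; renewing lease on '$($tap.Name)'"
        & ipconfig.exe /release "$($tap.Name)" | Out-Null
        & ipconfig.exe /renew   "$($tap.Name)" | Out-Null
        Start-Sleep -Seconds 3
        $ncp     = Get-NetConnectionProfile -InterfaceIndex $tap.ifIndex -ErrorAction SilentlyContinue
        $healthy = ($ncp -and $ncp.IPv4Connectivity -eq 'Internet') -and ($tapRoutes.Count -gt 0)
    }

    [pscustomobject]@{
        Adapter          = $tap.Name
        InterfaceIndex   = $tap.ifIndex
        LinkStatus       = $tap.Status
        NetworkCategory  = if ($ncp) { $ncp.NetworkCategory }  else { 'n/a' }
        IPv4Connectivity = if ($ncp) { $ncp.IPv4Connectivity } else { 'n/a' }
        TapDefaultRoutes = ($tapRoutes | ForEach-Object { "$($_.DestinationPrefix) via $($_.NextHop)" }) -join ', '
        AllDefaultRoutes = ($routes    | ForEach-Object { "$($_.DestinationPrefix) via $($_.NextHop) ($($_.InterfaceAlias))" }) -join '; '
        Healthy          = $healthy
    }
}

# Usage: report only, then repair if needed.
Test-VpnTapConnectivity | Format-List
# Test-VpnTapConnectivity -Repair | Format-List
```

Run it in an elevated PowerShell session while the VPN is up; with the outputs quoted in the post it would report IPv4Connectivity NoTraffic and Healthy False before the renew and Internet / True afterwards. The AllDefaultRoutes field makes the two-route question visible at a glance: a 0.0.0.0/0 entry on the physical adapter next to the tunnel's entries.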

  • If anyone is wondering, it appears that Microsoft in its infinite wisdom has made Outlook depend on WINS in some fashion.  In my SSL VPN settings on the XG, I put my DNS servers IPs (which are also my domain controllers and WINS servers internally) in the WINS section of the config and voila, Outlook connects again.

    Don't know why or how, but seriously, I cannot understand how I am the only one with this issue and it took 2 weeks of putzing around to figure it out. Hopefully this answer helps some other poor soul out in the future.