Sophos

In recently deploying the Captive Portal feature of a Palo Alto Networks Next Generation Firewall (NGFW) in testing we were finding Apple Macs take 120+ seconds to load the sign-in page. First thoughts jumped to the Apple Captive Network Assistance (CNA) feature not functioning correctly however this appeared to be a dead end. Some time and a few packet captures later showed that the Mac wasn’t even trying to reach out to the Captive Portal in a timely manner, after much head scratching the customer I was working with suggested that their Sophos Endpoint agent (Intercept X) might be the cause of this problem.

Disabling the agent didn’t seem to resolve the issue however uninstalling it did – the Captive Portal page appeared nearly instantly. In reviewing the packet captures again it was clear the Sophos agent was trying to reach out to a reputation service which was being blocked by the authentication profile on the firewall, it just took a really long time for the agent to stop trying and allow access to the Captive Portal.

To work around this issue the domains listed in the link below were added to an authentication bypass policy on the NGFW, with this in place the Captive Portal loaded promptly. If anything it makes sense to allow unauthenticated access to such services (including Windows Update and the likes) to ensure a client has the ability to update itself regardless of authentication status.

https://doc.sophos.com/central/Customer/help/en-us/PeopleAndDevices/ProtectDevices/DomainsPorts/index.html

With the continued rise of ‘Next Generation’ Anti-Virus like Sophos Intercept X and PaloAlto Traps the question from many SysAdmins might be well how do I deploy these?

If you are looking at Intercept X and you already are Running Sophos Central (with Endpoint Protection) the simple answer is a press a few buttons in the Admin Console.

In short, login to Sophos Central (https://cloud.sophos.com/manage/login) go to Endpoint Protection > Computers > Manage Endpoint Software > Intercept X > Add your computers from the displayed list > click Save.

For a more in depth walkthrough take a look at the screenshots below. One quick note – due to the changing nature of Sophos Central (previously Sophos Cloud) its quite possible that the look/feel of the Admin Console will have changed between the time I published this article and you read it.

Once you have deployed Intercept X to your existing machines be sure to update your installers to use when deploying new computers. You can download these from the ‘Protect Devices’ button on the Admin Console Dashboard.

Recently I have been doing a lot of movements of server roles, one of those was changing our DCs to newer servers that will be pure best practice based (nothing else on them other than AD/DNS/File Storage). One of the old server however had the Sophos Enterprise Console (v4.7 for anyone who is keeping count) on and after removing AD DS from the server I was getting the following error when trying to get to the Sophos Enterprise Console-

Cannot open Sophos Enterprise Console

The user “DOMAIN\Administrator” is not assigned to any sub-estates. You must be a member of at least one sub-estate to run this console.

Contact your Administrator to resolve this issue.

Upon inspection (in Server Manager > Configuration > Local Users and Groups) it appeared that the user group Sophos Full Administrators no longer existed.

The simple solution is to create a new group (called Sophos Full Administrators) and assign your Administrative account to it, the screen shots below show this in a little more detail.

While setting up our new backup server (System Centre Data Protection Manager 2012) one of the issues we came across was with it failing the data synchronizations with a error message like this one-

Type:     Synchronization
Status:  Failed
Description:        Changes for Volume C:\ on <servername><domainname> cannot be applied to \\?\Volume{4fac41a1-0f58-11dc-8993-806d6172696f}\ProgramData\Sophos\AutoUpdate\Cache\savxp\. (ID 112 Details: Cannot create a file when that file already exists (0x800700B7))
More information

End time:             11/06/2012 14:29:16
Start time:           11/06/2012 14:28:14
Time elapsed:    00:01:01
Data transferred:             0 MB
Cluster node      –
Source details:  C:\
Protection group:            <servername>

The simple solution here is to exclude the Sophos AutoUpdate folder from the DPM backup, its quite a pain if you have to do it for a whole lot of servers but not much else that can be done!

The screenshots below go into a little more detail