To confirm, yes - the release for v18 MR3 has been unfortunately delayed and will not be released this week. Please stay tuned next week, as we'll continue to follow up with the development teams to share updates for the Community.
Big_Buckis right about the TLS/SSL Inspection Rules; it just doesn't work. You will pull your hair out trying to troubleshoot why sites randomly either fail to load or load extremely slowly. Loved getting the panic call from our HR people who couldn't process payroll because the site wouldn't load halfway through. The answer you'll get from Sophos is "Make an exception" but when you observe that somewhere around 30% of sites have problems, that's not a practical or realistic or serious answer.
Part of the reason I've been so interested in MR3 is the hope that there are major improvements to the TLS/SSL engine, but I'm not holding my breath anymore.
Make exception rules was what I was told too. If you look at Sophos own built-in exception rules (for Microsoft updates for example), you'll notice that many of them disable ssl inspection very widely to a point it is not usefull anymore.
I'm afraid they would have to fire everyone who had anything to do with a firewall rules, NAT rules and TLS / SSL rules too. So is it about half of all developers? I think they would definitely deserve it, but I'm afraid it didn't happen ....
That is true, but it has been cut across all departments. It was not aimed at incompetent developers. Unfortunately, it also affected workers who were very capable and were definitely a benefit to Sophos. When the forest is felled, splinters fly - we say here.
Maybe if/when this update comes it will allow me to fight this tumor in my head that is VPN issues I seem to be encountering, Hopefully before it does any real permanent damage. Just chaotic instability issues it seems - mostly seen with 2FA enabled on VPN. Many of them keep having to re-enter their one-time password all day D:
I think that gives me some good information. I think I'm going to disable 2FA for IPsec / SSL VPN as I can use certs and only enable it for the user portal. This stops people from downloading the config with a compromised account if it happens but keeps the user experience optimal. At least until it works better...
EDIT: Well damn I found that green thing you asked if it was a bad joke... I guess that makes sense, I was starting to find 4/ 8 hour connection issues. Mostly 4 hours as we moved many of the systems to IPsec because the SSL VPN clients weren't seemingly playing as nice as I'd like... or something. We just did for fun. Though I remember seeing 4 hours in some logs, the tickets lay out a 4-5 hour window and the one from last night was 8 hours exactly. It's very noticeable when they suddenly have to enter their 2FA code again so I'm disabling it on everything but the user portal for now. Jeesh. Thanks again for helping out that VPN tumor that has been growing :S
Beside from disabling the 2FA, you can easily set the Maximum Session Limit at the XG to 12 hours, if it reasonable for your network. We did this also for our ssl vpn clients and there are no further disconnects.
Yea. We also have most people using IPsec with the new connect thing haha. The hard coded timeout crap. Though with the new 2.0 client, I think we can get them back to SSL VPN as it seems to work nicely. I started the discussion internally so that's fun. Stupid rekey time thing with 2FA hah.
