Hi Guys,
We use an XGS firewall with a parent proxy. Unfortunately, the registration in the Central Portal does not work as a result. Is it somehow possible to realize this?
Best regards
Marcel
Hello Marcel,
Greetings!
We should be able to do it. Just make sure that the domains are allowed on the parent proxy.
You may collect a tcpdump on port 53 using the command below to get the domain the firewall is trying to reach.
tcpdump 'port 53'
Mayur Makvana
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link.
Hi Mayur,
all domains are working great via the parent proxy.
But the firewall tries to register in Central via the following URL:
ZT: Connecting to Sophos Central HUB [https://utm.cloud.sophos.com/api/utm] failed 3 times.
Hello Marcel,
Ideally the firewall may connect to utm.cloud.sophos.com and utm-cloudstation-us-east-2.prod.hydra.sophos.com, based on the region your Central account is registered in. You can find that by running the command below in the advanced shell of your device.
tail -f centralmanagement.log
Once you find the domain, perform the OpenSSL connection to it and paste the output here!
openssl s_client -connect utm-cloudstation-us-east-2.prod.hydra.sophos.com:443
Also, the port 443 traffic should not be intercepted by your proxy.
Mayur Makvana
Hi Mayur
Server closed connection without sending any data back at /lib32/perl/site_perl/5.20.1/Net/HTTP/Methods.pm line 397.
2022-10-14 11:15:26Z INFO API.pm[29556]:120 SFOS::Common::Central::API::send_request - HTTP::Request failed due to a SSL verification error
2022-10-14 11:15:26Z INFO zt-hub-connect[29556]:107 main:: - ZT: Connecting to Sophos Central HUB [https://utm.cloud.sophos.com/api/utm] failed for the 1 time. Retry in a second.
2022-10-14 11:15:27Z WARN API.pm[29556]:119 SFOS::Common::Central::API::send_request - 500 Server closed connection without sending any data back
Content-Type: text/plain
Client-Date: Fri, 14 Oct 2022 11:15:27 GMT
Client-Warning: Internal response
Server closed connection without sending any data back at /lib32/perl/site_perl/5.20.1/Net/HTTP/Methods.pm line 397.
-----------
XGS2300_RL01_SFOS 19.0.1 MR-1-Build365# openssl s_client -connect utm-cloudstation-us-east-2.prod.hydra.sophos.com:443
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = utm-cloudstation-us-east-2.prod.hydra.sophos.com
verify return:1
---
Certificate chain
0 s:CN = utm-cloudstation-us-east-2.prod.hydra.sophos.com
i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
i:C = US, O = Amazon, CN = Amazon Root CA 1
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
removed
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=CN = utm-cloudstation-us-east-2.prod.hydra.sophos.com
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5713 bytes and written 476 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 0A8DCAE1AEBE7F535CF56F2C7DC37792FBDCDFDD3E53B2E468D3FB107A5514AF
Session-ID-ctx:
Master-Key: 8DCE31096612C9CE0FDA889AFB760D9BF42CDD57A26AA8BD47D2B4FD50C75EF140A89E2EFD7E8BE0CC3AADB58592AD7C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 43200 (seconds)
TLS session ticket:
Start Time: 1665746236
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
closed
XGS2300_RL01_SFOS 19.0.1 MR-1-Build365#
Hello Marcel,
As per the output, it seems like HTTPS is intercepted on the domain utm.cloud.sophos.com.
Kindly run the command below and share the output with us:
openssl s_client -connect utm.cloud.sophos.com:443
Mayur Makvana
Hi Mayur,
here the output:
XGS2300_RL01_SFOS 19.0.1 MR-1-Build365# openssl s_client -connect utm.cloud.sophos.com:443
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = central.sophos.com
verify return:1
---
Certificate chain
0 s:CN = central.sophos.com
i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
i:C = US, O = Amazon, CN = Amazon Root CA 1
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
removed
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
subject=CN = central.sophos.com
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5749 bytes and written 448 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 7B58F3C8CC92CA6F920EC5010D5099C7F671A1AF47F1F919076BB29F259B21F3
Session-ID-ctx:
Master-Key: 3F1CE9827DCB37951B6D60C1CB953D2AF3D4D160FF4F6B098BB849FFD9873DFB100C2DC354D1B88949ED5E39EAA631A1
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 43200 (seconds)
TLS session ticket:
Start Time: 1665746907
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
Hello Marcel,
The OpenSSL connection does not show any interception by your proxy server. However, the connection was terminated due to the below:
2022-10-14 11:15:26Z INFO API.pm[29556]:120 SFOS::Common::Central::API::send_request - HTTP::Request failed due to a SSL verification error
You need to collect a packet capture on your parent proxy for the above domain while registering the device in Central; that can help you find the details.
On the XG, you may collect a tcpdump on the above domain and just make sure that the traffic is submitted to the proxy server while registering.
Mayur Makvana
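Added example (not from the thread, and not Sophos code): a small Python parser for openssl s_client transcripts like the ones pasted above. It pulls out the leaf CN, the organisation that signed the leaf and the verify return code, so that a parent proxy re-signing TLS stands out (a private issuer instead of the expected public CA, and a non-zero verify code). Both sample transcripts and the "Example Corp" CA are constructed; the trusted issuer list defaults to Amazon only because that is what the chains in this thread show.

```python
import re

# Constructed sample (not from the thread): the chain/verify lines openssl s_client
# prints for a direct, un-intercepted connection, in the shape seen in this thread.
CLEAN_OUTPUT = """\
Certificate chain
 0 s:CN = central.sophos.com
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   i:C = US, O = Amazon, CN = Amazon Root CA 1
---
    Verify return code: 0 (ok)
"""
# Constructed sample: a parent proxy re-signing TLS with a private CA the client
# does not trust; the leaf issuer changes and verification fails.
INTERCEPTED_OUTPUT = """\
Certificate chain
 0 s:CN = central.sophos.com
   i:O = Example Corp, CN = Example Corp Proxy CA
 1 s:O = Example Corp, CN = Example Corp Proxy CA
   i:O = Example Corp, CN = Example Corp Proxy CA
---
    Verify return code: 19 (self signed certificate in certificate chain)
"""

# One chain entry spans two lines: "N s:<subject>" then "i:<issuer>".
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_RE = re.compile(r"Verify return code: (\d+)")

def analyse_s_client(output, trusted_issuer_orgs=("Amazon",)):
    """Summarise an s_client transcript: leaf CN, who signed it, the verify code,
    and whether the leaf issuer is outside the CAs we expect (interception hint)."""
    chain = [(s.strip(), i.strip()) for _, s, i in CHAIN_RE.findall(output)]
    leaf_subject, leaf_issuer = chain[0] if chain else ("", "")
    cn = re.search(r"CN = ([^,]+)", leaf_subject)
    org = re.search(r"\bO = \"?([^,\"]+)", leaf_issuer)   # first O= of the issuer
    code_match = VERIFY_RE.search(output)
    code = int(code_match.group(1)) if code_match else None
    issuer_org = org.group(1).strip() if org else ""
    # A trusted public issuer plus verify code 0 means nothing re-signed the chain.
    return {
        "leaf_cn": cn.group(1).strip() if cn else "",
        "leaf_issuer_org": issuer_org,
        "chain_depth": len(chain),
        "verify_code": code,
        "verify_ok": code == 0,
        "likely_intercepted": issuer_org not in trusted_issuer_orgs,
    }
```

Note that `openssl s_client -connect host:443` on its own connects directly; to exercise the same path the firewall uses through the parent proxy, add `-proxy proxyhost:port` (available in OpenSSL 1.1.0 and later) and compare the two transcripts.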
Hi Mayur,
Thanks for your answer. We have no access to the parent proxy.
On our XG I can try to collect the needed dump.
Hello Marcel,
I believe that would not help! As the connection is made through the parent proxy, capturing traffic on the parent proxy can give us a clue.
Collecting the tcpdump on the firewall can help identify whether the firewall is sending the traffic to the parent proxy or via another route.
Mayur Makvana
Sophos uses custom certificates on some services. If your parent proxy does not trust them, the connection will fail.
Make sure you're not decrypting traffic to the Sophos domains on the parent proxy. This will also cause you trouble in the future and makes work for Sophos support even harder.
Skip decryption for the URLs mentioned here: