
Sophos Endpoint Protection installer is not working with wildcard FQDN

Hello,

we have got a Sophos XG330 (SFOS 18.5.4 MR-4-Build418). Wildcard rules are not working anymore. It's located in Germany, German Windows installation, German installer.

Like in https://community.sophos.com/intercept-x-endpoint/f/discussions/131280/intercept-x-for-server-install-fails---trying-to-connect-to-api-cloudstation-eu-central-1-prod-hydra-sophos-com you have to add "api-cloudstation-eu-central-1.prod.hydra.sophos.com" and "sus.sophosupd.com" to work properly. 

We already had

  • *.sophosupd.com
  • *.sophos.com

INFO : Did not discover an URL for a PAC file

INFO : Attempting to connect using proxy '' of type 'Empty Proxy'.

INFO : Set security protocol: 00000800

INFO : Opening connection to api-cloudstation-eu-central-1.prod.hydra.sophos.com

INFO : Request content size: 30

ERROR : WinHttpSendRequest failed with error 12002

INFO : Failed to connect using proxy '' with error: WinHttpSendRequest failed

INFO : Cleaning up extracted files

ERROR : Error downloading/running stage 2: Failed to get stage-2 info: Failed to connect with any proxy

After adding "api-cloudstation-eu-central-1.prod.hydra.sophos.com" it was successful in downloading. Strangely the installation still wasn't successful.

INFO : No manually configured proxy
INFO : WinHttp default proxy not set
INFO : WinHttp discovered proxies not found
INFO : Trying update service url sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy>
WARNING : Error from sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
INFO : Trying update service url sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy> (try 2 of 5)
WARNING : Error from sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
INFO : Trying update service url sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy> (try 3 of 5)
WARNING : Error from sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
INFO : Trying update service url sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy> (try 4 of 5)
WARNING : Error from sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
INFO : Trying update service url sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy> (try 5 of 5)
WARNING : Error from sus.sophosupd.com/.../6aad049b-31df-4b03-9992-f0435b9d31aa with proxy: <direct; no proxy>: WinHttpSendRequest failed: Das Zeitlimit für den Vorgang wurde erreicht. (12002)
ERROR : Error: No reachable update service locations
ERROR : DownloadCommand::onRun() failed with std::exception: SDDS3 sync failed
INFO : Command 'Download' completed with failure with reboot code '0' and error message 'Software konnte nicht heruntergeladen werden'.
ERROR : Installation failed.

So I also added "sus.sophosupd.com" to our ruleset (reminder: we already had "*.sophosupd.com"). Now it's working. But I personally don't feel safe with that. Nothing in the logs, just "blocked" in the policy-testing-area. But the rule was working for other clients, already installed ones. 

For example: 

Destination IP: 54.73.133.163, port 443, TCP
Source IP: 10.11.12.13
Source zone: Auto-detection
User: User unauthenticated
Firewall rule: No matched rule (ID: 0)
Result: Blocked
*.sophos.com does not include "central.sophos.com", does it? (and yes, HTTPS is enabled as service)



  • Hi GreyWolf,

    Thank you for reaching out.

    As you may be aware, Sophos services are hosted in AWS and are resolved by their domain names, so it is most important that we add those domains to the firewall to allow the traffic.

    As per the below article, anything that comes before the top-level and 2nd-level domain of Sophos applies to *.sophos.com
    https://docs.sophos.com/central/customer/help/en-us/PeopleAndDevices/ProtectDevices/DomainsPorts/index.html#sophos-domains

    So this is vital in protecting your devices and communicating between Sophos Central Admin and your managed devices.

    Hope this helps.

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • Hello Ismail, 

    I think we need to define some words... 

    Top-Level-Domain (TLD) is .com, .de, .net, .org, etc. 
    2nd Level Domain is sophos.TLD.

    I think you meant everything before .sophos.

    I didn't post the whole rule, just parts of it, which should be able to solve it properly. It worked until the last emergency update, I think.

    • *.sophos.com
    • *.sophosupd.com
    • *.sophosupd.net
    • *.sophosxl.net

    We already had these. <wildcard>.sophosupd.com should include sus.sophosupd.com as well. In my opinion it also includes any other .sophosupd.com domain.

    So the list above includes: 

    • dci.sophosupd.com
    • d1.sophosupd.com
    • d2.sophosupd.com
    • d3.sophosupd.com
    • dci.sophosupd.net
    • d1.sophosupd.net
    • d2.sophosupd.net
    • d3.sophosupd.net
    • t1.sophosupd.com
    • sus.sophosupd.com
    • sdds3.sophosupd.com
    • sdds3.sophosupd.net
    • sdu-feedback.sophos.com
    • sophosxl.net
    • 4.sophosxl.net
    • samples.sophosxl.net
    • cloud.sophos.com
    • id.sophos.com
    • central.sophos.com
    • downloads.sophos.com

    but that's obviously not working. Even amazonaws.com and *.amazonaws.com are inside our ruleset, so the reverse lookup shouldn't be an issue.
    If you say anything.*.sophos is just a wildcard for the first part of the domain (3.2.1.sophos.tld), why is sus.sophosupd.com (*.sophosupd.com) not working?

    SUS.SOPHOSUPD.COM. is the same as *.SOPHOSUPD.COM. but in some cases it isn't. Am I right? 

  • Hi GreyWolf,

    You are right. *.sophosupd.com includes all the "3rdLD.sophosupd.com" and *.sophos.com includes anything that comes before sophos.com. Additionally, we add "*.ctr.sophos.com" and "*.hydra.sophos.com" because ctr and hydra are themselves 3rd-level domains.

    Also, *.sophosupd.com is the same as sus.sophosupd.com and it's always the same. 

    If all the required domains are allowed, it shouldn't be a problem. However, if you are still facing an issue, we can try the below command in PowerShell for all the listed domains in the mentioned article, just so we can confirm which Sophos domain is being blocked.

    "tnc dci.sophosupd.com"

    Accordingly, we can allow that domain. Then if we are still facing an issue, I suggest you raise a complaint with us via support.sophos.com. You can raise a technical case or you can call us directly. 

    Our technical support team should be able to assist you by getting on a session with you.

    Ismail Jaweed Ahmed (Ismail) 
    Senior Professional Service Engineer

  • Hi Ismail, 

    that's the point of the issue. I think it might be a bug. 

    • *.sophos.com
    • *.sophosupd.com
    • *.sophosupd.net
    • *.sophosxl.net

    Download is not working. 

    • *.sophos.com
    • *.sophosupd.com
    • *.sophosupd.net
    • *.sophosxl.net
    • api-cloudstation-eu-central-1.prod.hydra.sophos.com

    Download is working, installation failed. 

    • *.sophos.com
    • *.sophosupd.com
    • *.sophosupd.net
    • *.sophosxl.net
    • api-cloudstation-eu-central-1.prod.hydra.sophos.com
    • sus.sophosupd.com

    Download is working, installation successful. 

    So: 

    sus.sophosupd.com = *.sophosupd.com is not working. 

    And if I understand it right, api-cloudstation-eu-central-1.prod.hydra.sophos.com = *.sophos.com, neither. 

    Both should be working. But both only work when the domain is named explicitly.

    "tnc dci.sophosupd.com"

    It is blocked too if sus.sophosupd.com and api-cloudstation-eu-central-1.prod.hydra.sophos.com are cleared from the list.



    Warnung: Ping to 23.35.229.161 failed with status: TimedOut
    ComputerName: dci.sophosupd.com

    RemoteAddress: 23.35.229.161

    InterfaceAlias: WLAN

    SourceAddress: 10.11.12.13

    PingSucceeded: False

    PingReplayDetails (RTT): 0ms

    With both entries in the list it changes to IP 2.18.161.158. That's all. But ping isn't allowed here, either.

    Well, I tried installing a notebook via WiFi, but that's the same network as wired and the issue is the same. 
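The disagreement in this thread is about whether a `*.` wildcard consumes one DNS label or several. The following is an added example (not Sophos code, and not a statement of how SFOS actually evaluates FQDN host objects): it models both semantics as assumptions and reports which of the hostnames named above fall through a given ruleset, so the gap can be seen before an install fails.

```python
"""Coverage check for wildcard FQDN firewall rules (added example, not Sophos code).

Two assumed wildcard semantics are modelled so the difference is visible:
  - "single": '*' matches exactly one DNS label  (host.sophos.com only)
  - "multi":  '*' matches one or more labels     (a.b.c.sophos.com as well)
Neither is claimed to be the documented SFOS behaviour.
"""


def fqdn_matches(pattern: str, hostname: str, semantics: str = "multi") -> bool:
    """Return True if hostname is covered by pattern under the chosen semantics."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname            # plain FQDN: exact match only
    suffix = pattern[1:]                      # "*.sophos.com" -> ".sophos.com"
    if not hostname.endswith(suffix):
        return False                          # also rejects "notsophos.com"
    prefix = hostname[: -len(suffix)]         # the labels the '*' must absorb
    if not prefix:
        return False                          # '*.sophosxl.net' never covers the apex
    if semantics == "single":
        return "." not in prefix              # exactly one label allowed
    return True                               # "multi": any number of labels


def uncovered_hosts(patterns, required, semantics="multi"):
    """Hosts from `required` that no pattern covers; an empty list means full coverage."""
    return [h for h in required
            if not any(fqdn_matches(p, h, semantics) for p in patterns)]


# Ruleset and hostnames as quoted in the thread above.
RULESET = ["*.sophos.com", "*.sophosupd.com", "*.sophosupd.net", "*.sophosxl.net"]
REQUIRED = [
    "sus.sophosupd.com",
    "dci.sophosupd.com",
    "central.sophos.com",
    "api-cloudstation-eu-central-1.prod.hydra.sophos.com",
    "sophosxl.net",
]

if __name__ == "__main__":
    for mode in ("multi", "single"):
        print(f"{mode} wildcard semantics, not covered: {uncovered_hosts(RULESET, REQUIRED, mode)}")
```

Under single-label semantics the multi-label host api-cloudstation-eu-central-1.prod.hydra.sophos.com is the one left uncovered, while sus.sophosupd.com is covered under both; the apex sophosxl.net is never covered by `*.sophosxl.net` and needs its own entry in either model.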
