SFOS V17 - Microsoft Update and Xbox Download Issues

I recently upgraded my SFOS software to v17.0.0 GA from 16.05.8MR-8.  After upgrading, I was not able to run ANY updates from Windows, let alone the anniversary updates people have had issues with lately.

Additionally, I thought my Xbox One X had died, after just getting it.  I had a bunch of patches to install for various games, and all of them were failing to install, until I connected the dots to the Windows updates failing on all of my PCs as well.

Here's the curious part: after analyzing both the Xbox One downloads, as well as the Windows updates, I noticed that all of the updates and downloads crashed out at the 2 GB mark.  It was easy to trace with the Xbox, as it gives you a running total of the current download.  However I ran the real-time logs through Sophos as well, and noticed every time the download hit the 2GB mark, it would be killed.

I set the exception for Microsoft Windows Update to ON for the Web Exception filtering, however it had no effect on the problem.

Why would Sophos kill any downloads from Microsoft that hit the 2GB mark?  What is special about that file size?  I did not have this problem with any other files of larger sizes.  I moved a bunch of my movies up to my Google Drive and OneDrive, and was able to pull them back down no problem.

I would love to upgrade (again) to v17, however until this problem is resolved, I'll stick to v16.5.



  • Same issue here running SFOS 17.0.3 MR-3 and trying to download anything to the Xbox over 2GB.

  • There is a bug when handling range requests (files broken down into smaller chunks downloaded separately) and file sizes over 2GB.

    This will be resolved in 17.0 MR5.

    There are no issues in downloading file sizes over 2GB when doing full file downloads or when the file is not broken down using range requests.  Some applications/sites break down large files in other ways.

     

    The workaround until then is to create a higher level firewall rule for service Web and destination network of just that site.  Be sure to remove the workaround after MR5 is installed.

  • Thanks for the update! I'll be watching for MR5 release.

  • Michael,

    Could you please be more specific on the workaround you are suggesting?

    This bug also appears to be blocking the download of Windows Updates on WSUS server in addition to Standard Windows updates. I would simply like the best way to allow this on an entire domain until MR5 is released and hopefully resolves this. 

    Thanks!

    Ryan

  • For Standard Mode, you need to configure the clients not to use the proxy for the internal WSUS server. How you do this depends on how you are configuring your clients.
     
    The following steps are for Transparent Mode:
     
    Go to Hosts and Services, IP Host (or FQDN Host).
    Add an entry that specifies your WSUS server.
    Add a firewall rule
    Source Zone LAN, Network Any
    Destination Zone LAN (or whichever zone the WSUS server is in), Network is the Host entry you created
    Services is HTTP and HTTPS
    Match known users off
    Scan HTTP and Decrypt and Scan HTTPS both unchecked
    Web Policy None.

    So you are creating a firewall rule from your clients, only to the WSUS server, it applies to HTTP and HTTPS (port 80 and 443 traffic) but it does not do anything that requires the httpproxy - so it is passed through without going through the proxy.  Make it higher priority than your main web rule.
     
    You can also go into the log viewer (top right) and switch to Policy Test tab.  You should see there is no Web section in requests to your WSUS server.
     
    This is the generic mechanism any time you want traffic to completely bypass the web proxy.
     

    I have no exact date on the MR5 release, but I think it will be within the next 2 weeks.
  • Michael,

    I think we got off-track here. I am not having any issues with clients connecting to the WSUS server for updates, I have that working just fine. 

    The issue is the WSUS server is not downloading all needed files from Microsoft since I updated the Sophos XG to v17. I am also not able to download larger updates on any PC on the network if I click on "Check online for updates from Microsoft Update". I assume that this is all related to the same issues that this post is describing. 

    What I was asking is if you could elaborate on this sentence as to what exactly you are saying to do. "The workaround until then is to create a higher level firewall rule for service Web and destination network of just that site."

    Thanks!

  • I just described how to create "a higher level firewall rule for service Web and destination network of just that site".  If the description is not clear enough, let me know.

    If the issue is from WSUS server to Microsoft the solution is the same.

    You can create a firewall rule exactly as I described, but this time putting in the WSUS server as the source network rather than the destination network.  Then all Web traffic of any type from that computer will not go through the proxy.  Which is perhaps less safe.

    Alternately you can determine what Microsoft servers it is downloading and failing from (you should be able to see this in Web Filter logs and search for status_code="416") and create an FQDN host to use as a destination.  It is possible that the Out-of-Box definition for Microsoft Services (*.microsoft.com) is what you need.

    You can even do both.  Create a rule from Source WSUS Server to Destination Microsoft.

    The solution (creating a firewall rule that bypasses proxy based on the source/destination) is the same and I've described it.  Choosing a source or destination that is appropriate for your environment is something you need to figure out.

     

    Edit: fixed status_code
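
Added example (not part of the thread and not Sophos code): the status_code="416" search suggested above, run over exported log lines to list which destination hosts belong in a narrowly scoped bypass rule and which clients are affected. The log lines are constructed, and every field name other than status_code, along with the hostnames and addresses, is an assumption about the export format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Matches key="value" or key=value pairs, the shape of the status_code="416" search.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines; src_ip, domain and url are assumed field names.
SAMPLE_LOG = """\
date=2018-01-10 time=20:14:02 src_ip=10.0.0.21 domain="dl.xbox.example.test" url="http://dl.xbox.example.test/patch.bin" status_code="206"
date=2018-01-10 time=20:31:47 src_ip=10.0.0.21 domain="dl.xbox.example.test" url="http://dl.xbox.example.test/patch.bin" status_code="416"
date=2018-01-10 time=21:02:10 src_ip=10.0.0.30 domain="updates.wsus.example.test" url="http://updates.wsus.example.test/big.cab" status_code="416"
date=2018-01-10 time=21:05:33 src_ip=10.0.0.30 url="http://Updates.WSUS.example.test/big.cab" status_code="416"
date=2018-01-10 time=21:09:58 src_ip=10.0.0.44 domain="updates.wsus.example.test" url="http://updates.wsus.example.test/big.cab" status_code="416"
date=2018-01-10 time=21:10:01 src_ip=10.0.0.44 domain="www.example.test" url="http://www.example.test/" status_code="200"
"""


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    return {key: (quoted if quoted else bare) for key, quoted, bare in PAIR.findall(line)}


def range_failures(lines):
    """Group HTTP 416 (Range Not Satisfiable) entries by destination host.

    Returns [(host, hit_count, [source_ips])], busiest host first.
    """
    hits = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec.get("status_code") != "416":
            continue
        # Fall back to the URL's host when the line carries no domain field.
        host = rec.get("domain") or urlsplit(rec.get("url", "")).hostname
        if not host:
            continue
        entry = hits[host.lower()]
        entry["count"] += 1
        entry["sources"].add(rec.get("src_ip", "unknown"))
    rows = [(h, v["count"], sorted(v["sources"])) for h, v in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for host, count, sources in range_failures(SAMPLE_LOG.splitlines()):
        print(f"{host}: {count} x 416 from {', '.join(sources)}")
```

Hosts that appear here are the candidates for the FQDN host in the destination of the bypass rule, which keeps the rule narrower than exempting all Web traffic from one source.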

  • Don't like it, but a quick fix for it is simple (put the rule on top). I hope devs patch this out fast.