Office365 connection

Hi,

As a newbie in the UTM world I'm studying the webfiltering.
I hope my question is in the right place here.

I thought I noticed a false web block on our connection to Office365.
So I created an exclusion on the webfilter for the URLs autodiscovery.companyname.nl (Dutch domain) and autodiscovery.companyname.onmicrosoft.com.
At first I selected all the exclusion options and the blocks were gone; however, when I deselected the allow and block logging I noticed the block was not gone at all.
However I know the rule is working :)

I played with the webfilter log filter and filtered on autodiscovery.companyname.
What I see now is very strange (to me).

I see a pattern in the logs for autodiscovery.companyname.nl and autodiscovery.companyname.onmicrosoft.com.
At irregular times I see four log notifications for autodiscovery.companyname.nl.
The first three are blocked requests with error = "Connection refused".
The fourth notification is an accept.
A few seconds later I get 4 notifications for autodiscovery.companyname.onmicrosoft.com with the same pattern.
First three times a blocked request followed by one accept.

I tried this with and without the previously mentioned exclusions for the URLs.

The results are the same.
So there is no problem with the webfilter; I only discovered the problem(?) while testing the webfilter.

Does someone have an idea what's going on with the connections to Office365?

Best regards

 

Peter



  • Hallo Peter,

    What do you see in the Web Filtering log when this problem occurs?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for your response.

    The next 4 lines I copied from the live webfilter log:

    2018:02:05-08:19:12 sophos01 httpproxy[5812]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.10.20" dstip="40.101.18.24" user="" group="" ad_domain="" statuscode="500" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="196" request="0xdc51c600" url="autodiscover.compaxo.nl/" referer="" error="Connection refused" authtime="0" dnstime="27788" cattime="0" avscantime="0" fullreqtime="48982" device="0" auth="0" ua="" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size"
     
    2018:02:05-08:19:12 sophos01 httpproxy[5812]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.10.20" dstip="40.101.18.24" user="" group="" ad_domain="" statuscode="500" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="144" request="0xdaf17600" url="autodiscover.compaxo.nl/" referer="" error="Connection refused" authtime="0" dnstime="3" cattime="0" avscantime="0" fullreqtime="16468" device="0" auth="0" ua="" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size"
     
    2018:02:05-08:19:12 sophos01 httpproxy[5812]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.10.20" dstip="40.101.18.24" user="" group="" ad_domain="" statuscode="500" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="144" request="0xd41b9000" url="autodiscover.compaxo.nl/" referer="" error="Connection refused" authtime="0" dnstime="7" cattime="0" avscantime="0" fullreqtime="27483" device="0" auth="0" ua="" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size"
     
    2018:02:05-08:19:12 sophos01 httpproxy[5812]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.10.20" dstip="40.101.18.24" user="" group="" ad_domain="" statuscode="302" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd378b600" url="autodiscover.compaxo.nl/.../autodiscover.xml" referer="" error="" authtime="0" dnstime="76" cattime="0" avscantime="0" fullreqtime="33616" device="0" auth="0" ua="Microsoft Office/15.0 (Windows NT 6.2; Microsoft Excel 15.0.4997; Pro)" exceptions="av,sandbox,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size"

    These 4 lines, followed by 4 almost identical lines (with autodiscover.compaxo.microsoftonline.com as destination), repeatedly show up in the log.

    The time between the appearances of these 8 lines is different.

    I hope you can tell me more about it.

     

    Regards,

    Peter

  • When you see statuscode="500" or any 50x code, Peter, you can assume that the server doesn't "like" the Proxy.  When you also see error="Connection refused" in the log, you know that you need to skip the Proxy for that server.

    It looks like you're using Transparent mode, so you will want to add a DNS Group definition for autodiscover.compaxo.nl in the 'Skip Transparent Mode Destination Hosts/Nets' list.

    Cheers - Bob

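
The pattern described in the last reply, pulled out of an exported Web Filtering log (an added example, not part of the thread and not Sophos code): per host, it counts blocks that carry a 50x status together with error="Connection refused", separately from ordinary policy blocks. The sample lines are constructed and abridged from the format quoted above; the 403 entry and the host blocked.example.test are invented for contrast.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs of an httpproxy line

# Constructed sample, abridged from the log format quoted in the thread.
_PFX = '2018:02:05-08:19:12 sophos01 httpproxy[5812]: sys="SecureWeb" srcip="192.168.10.20" '
_REFUSED = ('action="block" method="CONNECT" dstip="40.101.18.24" statuscode="500" '
            'url="autodiscover.compaxo.nl/" error="Connection refused"')
_PASSED = ('action="pass" method="GET" dstip="40.101.18.24" statuscode="302" '
           'url="autodiscover.compaxo.nl/.../autodiscover.xml" error=""')
_POLICY = ('action="block" method="GET" dstip="192.0.2.10" statuscode="403" '
           'url="blocked.example.test/" error=""')  # invented policy block
SAMPLE_LOG = "\n".join(_PFX + rest for rest in [_REFUSED] * 3 + [_PASSED, _POLICY])


def host_of(url):
    """Host part of the logged url field, with or without scheme and port."""
    return re.sub(r'^[a-z]+://', '', url).split('/')[0].split(':')[0]


def skip_candidates(log_text):
    """Hosts whose blocks are upstream refusals (50x + Connection refused)."""
    stats = defaultdict(lambda: {"refused": 0, "passed": 0, "dstips": set()})
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if "url" not in f:
            continue  # not a request line
        s = stats[host_of(f["url"])]
        refused = (f.get("action") == "block"
                   and f.get("statuscode", "").startswith("50")
                   and f.get("error") == "Connection refused")
        if refused:
            s["refused"] += 1
            s["dstips"].add(f.get("dstip", ""))
        elif f.get("action") == "pass":
            s["passed"] += 1
    # Policy blocks (e.g. 403 with an empty error field) never reach this dict.
    return {h: {"refused": s["refused"], "passed": s["passed"],
                "dstips": sorted(s["dstips"])}
            for h, s in stats.items() if s["refused"]}


if __name__ == "__main__":
    for host, info in skip_candidates(SAMPLE_LOG).items():
        print(host, info)
```

Hosts it reports are the ones to review for the 'Skip Transparent Mode Destination Hosts/Nets' list; the recorded dstip values show which addresses the refusals came from.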