UTM 9.605-1: Certain websites fail through proxy on some Windows 7 IE11 browsers, work fine in Chrome.

Seemingly since the update to 9.605-1 (though it was not immediately apparent, as it doesn't affect all websites; this is, however, the only change we have knowingly made to our network), we have some Windows 7 machines having issues connecting to some websites. All of them are secure sites and work fine in Chrome and other browsers; only IE11 seems to be having the problem. They are sites that generally work better or only work in IE11 for some design reason or another, so using them through IE11 is a requirement for us. It doesn't seem to be a specific version of IE11 having the issue; however, we have narrowed it down to a certain batch of deployed machines that started with the same base image and are at the same Windows update level. Updating IE11 does not seem to have affected the issue.

Has anyone else experienced this? Some of these sites are sensitive by the nature of the industry and I'd prefer not to share their URLs; however, sony.com.au also fails with the same problems. outlook.com, google.com and newgrounds.com, for example, work fine.

We manually set our proxy settings and do not use it in a transparent fashion. We also do not scan or man-in-the-middle our HTTPS traffic, and we only use the UTM as a web proxy and an email spam gateway.

There do not appear to be any errors in the logs of the UTM and in the web proxy logs there are no DENY entries in the log.

  • I have never seen that message. 

    Possibility #1

    Check UTM logs and current status.   

    • Is CPU maxed out?   
    • Is HTTP Proxy crashing?   

    This forum has had reports of these problems, but I thought 9.605 had all of them resolved.

    Possibility #2

    Check for ciphersuite problems. IEv11 uses the Microsoft stack. Chrome uses its own encryption stack. Microsoft configuration is controlled by registry key at hklm\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL. Nirsoft has a downloadable tool IISCrypto which manipulates the registry keys using a graphical interface. There are two types of keys: Enabled=0 causes the component to be unusable by any method. The system has a default set of components which are loaded, but a program can ask for additional components from the available pool. DisabledByDefault=0 changes the component to be included in the default set. Setting either key to a different value is equivalent to deleting the key.

    In particular, initial releases of Windows 7 had TLS1.2 available but disabled by default (heaven only knows why).   At some point, a Windows Update changed the default to make it enabled.  If your systems are badly out of patch cycle, it may be that they cannot talk TLS 1.2 with IEv11.

    Decrypt-and-scan causes additional ciphersuite concerns, but you said this was disabled.

    Not sure why any of this would be affected by the UTM version.   Need to ask Sophos Support to do a debug session with you.
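
To compare the failing batch of machines with a working one on the SCHANNEL settings discussed above, here is a read-only audit script. It is an added example, not part of the original posts; it assumes the per-protocol `Enabled` and `DisabledByDefault` values sit under the `Protocols\<name>\Client` subkeys of the SCHANNEL key, and the function names are made up for this example.

```powershell
# Added example: read-only audit of the Schannel client protocol overrides.
# Assumption: per-protocol values live under ...\SCHANNEL\Protocols\<name>\Client
# (the post names only the SCHANNEL key itself).
# Written for PowerShell 2.0, the version that ships with Windows 7.

$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelValue($Path, $Name) {
    # Return the DWORD, or $null when the key or the value is absent.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-SchannelClientState {
    foreach ($p in $protocols) {
        $key     = Join-Path $base "$p\Client"
        $enabled = Get-SchannelValue $key 'Enabled'
        $dbd     = Get-SchannelValue $key 'DisabledByDefault'

        # $null never equals 0 or 1, so absent values fall through to the last branch.
        if     ($enabled -eq 0) { $state = 'Disabled for every caller' }
        elseif ($dbd -eq 1)     { $state = 'Available, but only if the program asks for it' }
        elseif ($dbd -eq 0)     { $state = 'Included in the default set' }
        else                    { $state = 'No override, OS default applies' }

        New-Object PSObject -Property @{
            Computer = $env:COMPUTERNAME; Protocol = $p; Enabled = $enabled
            DisabledByDefault = $dbd; State = $state
        } | Select-Object Computer, Protocol, Enabled, DisabledByDefault, State
    }
}

Get-SchannelClientState | Format-Table -AutoSize
```

Run it on one affected and one unaffected machine and compare the TLS 1.2 rows; piping `Get-SchannelClientState` to `Export-Csv` instead of `Format-Table` gives a file per machine that can be diffed.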
