Hi
I've just gone through a week-long (slightly longer) process of Sophos support and troubleshooting, and today we have reached a conclusion. My hope is that by posting some information here it will help others who may experience the same type of issue. This is quite a long post, so if you want the resolution head down to the bottom.
Environment (relevant points)
- Windows 2008 R2 Terminal Server running on VMware 4.5 (4xCPU, 12GB RAM, 3PAR SAN)
- MPLS network behind Fortinet firewall
- Sophos UTM 9.405-5
- MS Office 2013 Pro Plus sp1
- Internet Explorer 11
- MalwareBytes Anti-Exploit
Problem
Our TS was behaving normally, with applications opening in about 1 to 2 seconds or less, until I started routing all the server traffic through the UTM. Once that change was made, applications like MS Excel, MS Word, Internet Explorer, Adobe Acrobat Reader and even the Command Prompt were taking about 1 minute to open. If I reversed the change, applications opened in 1 to 2 seconds again. It wasn't clear what the UTM was doing to cause this delay, but it seemed that some applications were sending out Internet traffic upon opening and this was being blocked or delayed.
Investigations and UTM changes
With the help of Sophos Support we checked through everything we could think of, and the case was escalated to Second Line Support. Second Line Support made a number of changes, which are outlined below. These changes improved the speed from 1 minute opening times to about 15 seconds.
> When I tried to access Microsoft Word or PowerPoint, some URL was being blocked: "stats.mbamupdates.com".
> I have configured a firewall rule to allow traffic for the "stats.mbamupdates.com" URL.
2016:09:29-11:59:22 como httpproxy[27349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.20.14.150" dstip="168.61.149.17" user="ieliezer" group="" ad_domain="OML" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllsoDefau (Allsop Default)" size="0" request="0xfe3f600" url="https://nexusrules.officeapps.live.com/nexus/rules?Application=EXCEL.EXE&Version=15.0.4859.1000&ClientId=%7BFF666A43-0FC4-4D2A-945E-8CB17E9489D0%7D" referer="" error="" authtime="126" dnstime="0" cattime="257" avscantime="0" fullreqtime="112941" device="1" auth="2" ua="Microsoft Office/15.0 (Windows NT 6.1; Microsoft Excel 15.0.4859;)" exceptions="" country="United States" category="172" reputation="neutral" categoryname="Interactive Web Applications" application="office" app-id="1156"
2016:09:29-11:59:41 como httpproxy[27349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.20.14.150" dstip="104.40.208.40" user="ieliezer" group="" ad_domain="OML" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllsoDefau (Allsop Default)" size="6" request="0xcf4c1800" url="https://odc.officeapps.live.com/odc/emailhrd/getfederationprovider?domain=oml.uk.com" referer="" error="" authtime="97" dnstime="0" cattime="377" avscantime="0" fullreqtime="20040733" device="1" auth="2" ua="Microsoft Office/15.0 (Windows NT 6.1; Microsoft Excel 15.0.4859; Pro)" exceptions="" country="Netherlands" category="172" reputation="neutral" categoryname="Interactive Web Applications" application="office" app-id="1156" content-type="text/plain"
> Also added the URL to the transparent mode skip list.
> I have also found that some traffic was being dropped because of country blocking. For that I have disabled country blocking.
> Have done fine tuning of IPS to improve the performance of the UTM.
> I have changed anti-virus scanning from dual to single.
> After making these changes, we are able to access Microsoft Word and PowerPoint within 15 sec., which seems to open quickly compared to previously.
Resolution
After we appeared to reach the end of the road with Sophos and applications were still taking 15 seconds to open, a less frustrated and clearer thinking colleague suggested that there may be a conflict with MalwareBytes. He'd had a similar issue at home so I stopped the MalwareBytes services, closed down any associated user processes and tested again. Applications are opening in 1 to 2 seconds again or faster - woohoo!
There were issues with the Sophos setup that were resolved by Second Line Support, but ultimately it's been a conflict between Sophos and MalwareBytes. Strangely, when I turn the MalwareBytes services back on and restart the user processes, the delays haven't returned. I'll restart the server and test further, but I'm fairly confident they'll return after a restart. The task now is to troubleshoot with MalwareBytes, as we would like to continue using both products: Defence in Depth!
I hope that this will help anyone who's pulling their hair out and perhaps even unable to see the wood for the trees.
All the best, Andrew
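For anyone who wants to work through httpproxy lines like the two quoted above, here is an added example (not code from the original post or from Sophos) that parses the key="value" fields, converts the proxy timers to seconds and lists the requests that took longer than a threshold. It assumes that the timing fields (authtime, dnstime, cattime, avscantime, fullreqtime) are in microseconds; the two sample lines are the ones copied from the post. Comparing fullreqtime with the sum of the individual stage timers shows whether the delay was in the UTM's own processing (authentication, DNS, categorisation, AV scanning) or somewhere else, which is the question this thread ended up answering.

```python
"""Triage Sophos UTM httpproxy lines for requests that stall application start-up.

Added example written for this thread, not code from the original post or from Sophos.
Assumptions: the timing fields (authtime, dnstime, cattime, avscantime, fullreqtime)
are in microseconds; the two sample lines below are copied from the post above.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Sample input for this example: the two httpproxy lines quoted in the post.
SAMPLE_LOG = [
    '2016:09:29-11:59:22 como httpproxy[27349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.20.14.150" dstip="168.61.149.17" user="ieliezer" group="" ad_domain="OML" statuscode="304" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllsoDefau (Allsop Default)" size="0" request="0xfe3f600" url="https://nexusrules.officeapps.live.com/nexus/rules?Application=EXCEL.EXE&Version=15.0.4859.1000&ClientId=%7BFF666A43-0FC4-4D2A-945E-8CB17E9489D0%7D" referer="" error="" authtime="126" dnstime="0" cattime="257" avscantime="0" fullreqtime="112941" device="1" auth="2" ua="Microsoft Office/15.0 (Windows NT 6.1; Microsoft Excel 15.0.4859;)" exceptions="" country="United States" category="172" reputation="neutral" categoryname="Interactive Web Applications" application="office" app-id="1156"',
    '2016:09:29-11:59:41 como httpproxy[27349]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="10.20.14.150" dstip="104.40.208.40" user="ieliezer" group="" ad_domain="OML" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_HttCffAllsoDefau (Allsop Default)" size="6" request="0xcf4c1800" url="https://odc.officeapps.live.com/odc/emailhrd/getfederationprovider?domain=oml.uk.com" referer="" error="" authtime="97" dnstime="0" cattime="377" avscantime="0" fullreqtime="20040733" device="1" auth="2" ua="Microsoft Office/15.0 (Windows NT 6.1; Microsoft Excel 15.0.4859; Pro)" exceptions="" country="Netherlands" category="172" reputation="neutral" categoryname="Interactive Web Applications" application="office" app-id="1156" content-type="text/plain"',
]

# An httpproxy line is a timestamp/host/process prefix followed by key="value" pairs;
# values never contain double quotes, so this regex is enough to split them.
KV_RE = re.compile(r'(\S+?)="([^"]*)"')
# Stage timers first, total last (assumed microseconds).
TIMERS = ("authtime", "dnstime", "cattime", "avscantime", "fullreqtime")


def parse_httpproxy_line(line: str) -> Dict[str, str]:
    """Return the key="value" fields of one line, plus the leading timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def time_breakdown(fields: Dict[str, str]) -> Dict[str, float]:
    """Convert the proxy timers to seconds and add the share not covered by any stage.

    A large 'unattributed' value means the wait was not spent in authentication,
    DNS, categorisation or AV scanning, so the cause lies outside those UTM stages.
    """
    secs = {k: int(fields.get(k, "0")) / 1_000_000 for k in TIMERS}
    secs["unattributed"] = secs["fullreqtime"] - sum(secs[k] for k in TIMERS[:-1])
    return secs


def slow_requests(lines: Iterable[str], threshold_s: float = 5.0) -> List[Dict[str, object]]:
    """Summarise every request whose total time is at or above threshold_s seconds."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        fields = parse_httpproxy_line(line)
        timers = time_breakdown(fields)
        if timers["fullreqtime"] >= threshold_s:
            hits.append({
                "timestamp": fields["timestamp"],
                "srcip": fields.get("srcip", ""),
                "host": urlsplit(fields.get("url", "")).hostname or "",
                "action": fields.get("action", ""),
                "status": fields.get("statuscode", ""),
                "seconds": round(timers["fullreqtime"], 2),
                "unattributed": round(timers["unattributed"], 2),
                "ua": fields.get("ua", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in slow_requests(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['srcip']} -> {hit['host']} "
              f"({hit['action']}/{hit['status']}) took {hit['seconds']}s, "
              f"{hit['unattributed']}s outside the UTM stage timers; ua={hit['ua']}")
```

Run against the two lines from the post, only the request to odc.officeapps.live.com is reported: it was passed with a 200 but took about 20 seconds, with almost none of that time in the UTM's own stages, which matches the 15 to 20 second application start-up delay described above and points away from web filtering as the bottleneck. Feeding a day's worth of httpproxy log into slow_requests gives the same picture per host and per user agent.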