This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

http Proxy gone down after upgrade to 8.303

I also have problems after the upgrade form 8.302 to 8.303.

My network behind the Astaro Appliance cannot connect to the Internet anymore. Except when I change the InternetExplorer/FireFox setting to not use Proxy settings.
Before the upgrade all systems (laptops/desktops/servers) could connect to without any problems. (Only 1 desktop had problems with FireFox proxy settings in combination with Facebook.com (constantly asking for network username and password)).

I checked many settings in the Astaro. Changed the WebFiltering Authantication mode form "None" to "Active Directory SSO" with 2 AD groups. But nothing works.
I found out, that the problems lie in the http-proxy settings, because the Exange server behind tha Astaro has no problems on the port 25. While the port 8080 is blocked.

PLEASE HELP!

See below for a copy/paste from the LiveLog

2012:05:19-15:13:41 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.115" dstip="" user="huib" statuscode="407" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction=" ()" size="4718" request="0xac63048" url="www.google.nl/" exceptions="" error=""
2012:05:19-15:13:56 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.115" dstip="" user="huib" statuscode="403" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="6600" request="0xac63048" url="www.google.nl/" exceptions="" error=""
2012:05:19-15:15:09 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="721" message="reloading config"
2012:05:19-15:15:10 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="parse_address" file="util.c" line="548" message="getaddrinfo: passthrough6.fw-notify.net: Name or service not known"
2012:05:19-15:15:10 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_filter" file="confd-client.c" line="2596" message="failed to resolve passthrough6.fw-notify.net, using 2a01:198:200:680::8080"
2012:05:19-15:15:10 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="confd_config_reload_func" file="confd-client.c" line="759" message="reloading config done, new version 330"
2012:05:19-15:15:25 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9d53710" function="auth_adir_update_sid_whitelist_callback" file="auth_adir.c" line="1020" message="winbindd lookup of SID for groupname [Astaro Proxy Users] failed ()"
2012:05:19-15:15:25 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9d53710" function="auth_adir_getsid_callback" file="auth_adir.c" line="586" message="winbindd request failed ()"
2012:05:19-15:15:25 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="administrator" statuscode="407" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction=" ()" size="4718" request="0x9d53710" url="www.google.nl/" exceptions="" error=""
2012:05:19-15:15:28 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="administrator" statuscode="403" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="6600" request="0x9d53710" url="www.google.nl/" exceptions="" error=""

2012:05:19-15:22:14 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xab54e68" function="auth_adir_update_sid_whitelist_callback" file="auth_adir.c" line="1020" message="winbindd lookup of SID for groupname [Astaro Proxy Users] failed ()"
2012:05:19-15:22:14 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xab54e68" function="auth_adir_update_sid_whitelist_callback" file="auth_adir.c" line="1020" message="winbindd lookup of SID for groupname [Astaro Proxy Users] failed ()"
2012:05:19-15:22:14 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xab54e68" function="auth_adir_getsid_callback" file="auth_adir.c" line="586" message="winbindd request failed ()"
2012:05:19-15:22:14 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="administrator" statuscode="407" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction=" ()" size="4718" request="0xab54e68" url="www.google.nl/" exceptions="" error=""
2012:05:19-15:22:14 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xab54e68" function="auth_adir_update_sid_whitelist_callback" file="auth_adir.c" line="1020" message="winbindd lookup of SID for groupname [Astaro Proxy Users] failed ()"
2012:05:19-15:22:14 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xab54e68" function="auth_adir_getsid_callback" file="auth_adir.c" line="586" message="winbindd request failed ()"
2012:05:19-15:22:14 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="administrator" statuscode="407" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction=" ()" size="4718" request="0xab54e68" url="www.google.nl/" exceptions="" error=""
2012:05:19-15:22:14 VUURMUUR httpproxy[4282]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0xab54e68" function="auth_adir_getsid_callback" file="auth_adir.c" line="586" message="winbindd request failed ()"
2012:05:19-15:22:14 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="administrator" statuscode="407" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction=" ()" size="4718" request="0xab54e68" url="www.google.nl/" exceptions="" error=""
2012:05:19-15:22:17 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="administrator" statuscode="403" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="6600" request="0xab54e68" url="www.google.nl/" exceptions="" error=""
2012:05:19-15:22:17 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="administrator" statuscode="403" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="6600" request="0xab54e68" url="www.google.nl/" exceptions="" error=""
2012:05:19-15:22:17 VUURMUUR httpproxy[4282]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="administrator" statuscode="403" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction="REF_DefaultHTTPCFFBlockAction (Default content filter block action)" size="6600" request="0xab54e68" url="www.google.nl/" exceptions="" error=""

This thread was automatically locked due to age.

0 BAlfson over 13 years ago

How about trying a delete/rejoin again now that you have V9 running?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 HMaster over 13 years ago in reply to BAlfson

How about trying a delete/rejoin again now that you have V9 running?

Cheers - Bob

Well the Unjoin and rejoin process took a hour or so. [:@]

I deleted the AD record.
Unjoined -> suc6
Rejoin -> FAIL
Rejoin with other account -> FAIL (repaet for all other Admin accounts in de AD)
Deleted the DNS and PTR record -> suc6
Rejoin with other account -> FAIL (repaet for all other Admin accounts in de AD)
Getting frustrated and drink a few cup of espresso -> suc6 [:D]
Rebooted the Astaro in VMware by Rebooting the VM directly (not from within the WebAdmin panel) -> suc6 [8-)]
>>>found out that the Astaro connected itself automaticly in the AD and DNS/PTR records
Rejoin the Astaro in SSO -> suc6 [:O]

Strange things happened... But the UTM is now again running in AD/SSO and I am testing my server to run with the http-proxy. Still looking good. I am going to test it this eveing with our pc and laptops.
Cancel
Vote Up 0 Vote Down

Cancel
0 HMaster over 13 years ago in reply to HMaster

Well, as I also posted in the German forum, I still have winbindd errors.
Even within the new UTM 9.000.

*clicky to post*

I have renamed the Astaro/UTM to a new hostname so that I could do a full DNS change for the firewall.
Also a fully unjoin and rejoin action for a new AD-SSO action.

BUT.... Still no connection when I set IE or FireFox to use the http-proxy.
When I set the proxy (with IP adress to be sure the proxy works) to the ON mode, I directly loose internet connection. And get the pop-up with username and password.

IP address of the AD server is 192.168.87.1
IP address of the UTM internaly is 192.168.87.254
See attatched image for the proxy settings.

I have set the Prefetch of the userDB to never. I used to have this on daily, but I do not add many users in the near future.

When I take a look in the web-filter log I see the next statement.

2012:07:24-13:18:33 FIREWALL httpproxy[18489]: id="0003" severity="info" sys="SecureWeb" sub="http" request="0x9f786c8" function="auth_adir_getsid_callback" file="auth_adir.c" line="502" message="winbindd request failed ()"
2012:07:24-13:18:33 FIREWALL httpproxy[18489]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.168.87.1" dstip="" user="username" statuscode="407" cached="0" profile="REF_asOsBDRyvy (Proxy Filter)" filteraction=" ()" size="2477" request="0x9f786c8" url="http://www.google.nl/search?q=Amelia+Earhart&oi=ddle&ct=earhart12-hp&bav=on.2,or.r_gc.r_pw.r_qf.,cf.osb&fp=f5d866a30d498d04&biw=992&bih=581&tch=3&ech=1&psi=gIIOUJ6VLaOp0QWLroGQBw.1343128179377.1&wrapid=tlif134312817937710" exceptions="" error=""
- proxy.png
- View
- Hide
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 13 years ago

HMaster, I didn't think of this before because it seemed unrelated. At some point in time, an old bug came back, and you might try this workaround...

In the Backend User Group definition, when you Drag-n-Drop a Security Group from the Active Directory into the 'Active Directory Groups' box, the entire DN appears. Edit the Group definition so that ONLY the content of the first CN appears. For example:

Replace
CN=Web Allowed,OU=Users,DC=Ourdomain,DC=local

with
Web Allowed

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 HMaster over 13 years ago

Where do I exactly change all the entire DN to only CN=[usergroup]??
I tried to set the users&groups->groups tab. But I still get AccessDenied when I try the proxy.

Greetzzz Huib
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 13 years ago

The changes would be made on the 'Groups' tab - just edit the group definitions there.

So, you made the changes, but the problem still exists? Did you give the Astaro a few minutes to absorb the changes before you tested?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 HMaster over 13 years ago in reply to BAlfson

Well....
Today after a reboot of the Astaro, I saw finaly the http-proxy working again.
So it looks for the moment that this bug can be by-passed with a workaround... For this moment at least. Now we have to wait for a day or more to see if the setting will be kept in the Astaro. [8-)]

Greetzzz Huib
Cancel
Vote Up 0 Vote Down

Cancel
0 HMaster over 13 years ago in reply to HMaster

Well....
Today after a reboot of the Astaro, I saw finaly the http-proxy working again.
So it looks for the moment that this bug can be by-passed with a workaround... For this moment at least. Now we have to wait for a day or more to see if the setting will be kept in the Astaro. [8-)]

Greetzzz Huib

Okayyyyyyy When I now use the http-proxy then I have to enter my Windows username and password for about 10 to 25 times before I can open a webpage [:S][:@]

There is still something wrong...
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 13 years ago

Huib, is that after you made the changes I recommended above? It sounds like you might want to check the Backend Group that you're a member of to be certain that the name of the AD Security Group is correct.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 mle over 13 years ago

Hi Bob,

usually there is no need to manually convert the DN string with the LDAP attributes to the plain groupname. The HTTP proxy should do this internally already.

However, there is a corner case (mostly with groups that have a whitespace in their display name), where the CN attribute is different to the group's display name. Here the WebAdmin widget for browsing the AD objects has a glitch as it inserts the display name of the selected object into the CN attribute. This is not correct but seems to work in most cases.

If you make sure that to have the CN attribute right, everything should work from that point on.

Regards,
mlenk
Cancel
Vote Up 0 Vote Down

Cancel