Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 2 subscribers
  • Views 1705 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problem with Microsoft System Center Essentials 2010

awsag
Hi there

We are using a Sophos UTM 220 and have some problems with the WAN traffic always showing max since 2 weeks. I have isolated the problematic server and it's the server which only has the Microsoft System Center Essentials 2010 installed for delivering updates to our clients. It has to do with the problems like the adobe updates have without the enabled default exception it seems. We have the default exception for microsoft updates enabled though...

Somehow there is still an update looping endlessly between the WAN interface and the akamai servers. There is no internal traffic logged!

The System center essentials server is working properly though. He is downloading new updates and delivering them successfully. I tried to disable the windows services for "System Center Essentials" and "Windows Update" but to no avail. Only when i shut down the server the WAN traffic will reduce to normal after like 5 minutes...

Anyone got an idea? [:)]


This thread was automatically locked due to age.
  • 0
    I did some further testing and the only thing caught in the webfilter protocol when the wan traffic starts to max out and never comes back are these 2 lines:

    2014:03:07-13:43:27 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="ourserverip" dstip="193.247.166.48" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xca59c70" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:46:19 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.48" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="179580" request="0xca59c70" url="wsus.ds.download.windowsupdate.com/.../octet-stream"

    but that seems to be a normal update.

    i looked in the flow monitor to find the akamai server with the heaviest load and filtered the live protocol for this server:

    2014:03:07-13:48:34 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0x922ad80" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:48:46 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="67160" request="0x922ad80" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:48:55 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xcac9088" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:49:04 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="70404" request="0xd415838" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:49:22 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="40920" request="0xccfb968" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:49:22 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdbb9208" url="wsus.ds.download.windowsupdate.com/.../octet-stream"
    2014:03:07-13:49:32 awsophos-1 httpproxy[6050]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="ourserverip" dstip="193.247.166.50" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Proxy)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="49640" request="0xdbb9208" url="wsus.ds.download.windowsupdate.com/.../octet-stream"

    but as said we have updates getting in successfully. really don't know where the problem lies here... with some updates he downloads them like 1000 times before he succeeds though...
  • 0
    Hi, and welcome to the User BB!

    Try #1 in https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22065.  Any luck with that?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hello

    Thanks for replying. The logs i posted are from the firewall log.

    I put the System Center Server as an exception in the transparent proxy. It works now like a charm. I find it strange though that i couldn't solve this problem with a web filter exception.

    I have another strange example. The download for the Symantec Backup Exec SP3 would not start as long as i set my own workstation as an exception in the transparent proxy. And i checked the maximum download size.

    Here is the link:

    http://www.symantec.com/business/support/index?page=content&id=TECH205351  (scroll down to "Attachments")

    I think that has to do with the same problem. There surely is another solution then to set a whole workstation/server as a proxy exception right?

    I tried it with the web filter exceptions but to no avail. This problem didn't show up when we first installed the firewall. It started well over 1 month later. One thing we changed was the response_timeout$. We had to up it to 900 or 1200 because our users need some online statistic generation tool which takes up ridiculous time to process. Could that have something to do with that behaviour?
  • 0 in reply to awsag
    Most update download routines are not proxy-aware; this can cause the "looping" you describe.  The answer for most cases is to simply create a proxy exception that excludes caching, authentication, AV scanning, and file type blocking for the relevant URLs.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Hi again.

    I am back with the same problem. This time it is a pc who constantly tries to update it's adobe reader without luck. WAN interface bandwidth usage is always maxed...

    2014:05:23-14:11:56 awsophos-1 httpproxy[5776]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="HEAD" srcip="140.167.100.10" dstip="193.247.166.67" user="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdc09dc0" url="armdl.adobe.com/.../microsoftpatch"

    the default exception for adobe updates is set and it seems to work as it shows in th log:

    exceptions="av,auth,content,url,fileextension"

    the same thing happens when a user with a iphone connected to our wireless tries to update IOS. It just loops endlessly and slows down the access to the internet considerably.

    i am stunned that i find no other people with the same problem over google and i searched for hours allready... [:(]
  • 0 in reply to awsag
    The answer is the same; monitor your web filter logs to see what URLs are used for the updates (Adobe changes this all the time! -- don't expect the built-in exception to be the ultimate answer), and create exceptions.  It stinks, but app developers just don't care about proxies.

    ETA:  You didn't list caching or filetype blocking -- -make sure you exempt those too for your "update" exceptions.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?