Known Issues and Limitations

Known Issues

Work Order # Description
SUG97025 When using a portal certificate, Safari on Mac will attempt to connect to the certificate revocation list (CRL) URL before displaying the portal. Because authentication is not complete, the URL is blocked by the appliance, and the portal is not displayed. To resolve this:
  • On the Config > System > Connection Profiles page, create a connection profile for Mac OS X.
  • On the Config > System > Authentication page, in the Profiles tab, create an authentication profile that references the Mac OS X authentication profile. Ensure that this authentication profile applies to all connections, that it is applied only to the CRL URL, and that it bypasses authentication.
For more information, see the Configuring Connection and Authentication Profiles example in the help.
DEF90478 Manually downloading a backup using Internet Explorer (IE) may fail. This can be caused by certain combinations of settings. The description of the issue and its resolution for IE v9 can be found in this Microsoft support article , while the description and resolution for earlier versions of IE can be found in this Microsoft support article.
DEF88976 When testing sites on the Network > Diagnostic Tools page, you must enter the address without the protocol. For instance, enter and not
WKI67266 Endpoint to Sophos Web Appliance (SWA) communication does not work with non-SWA proxies that use ActiveDirectory authentication.
WKI75267 If an endpoint registers with a Sophos Web Appliance (SWA) or Sophos Management Appliance (SMA), then registers with a second, different SWA or SMA, it will then be unable to re-register with the first SWA or SMA.
DEF72642 In load-balancing mode, some unique users may be double-counted on the Management Appliance dashboard when one of the load-balanced appliances becomes temporarily unavailable.
DEF51492 If you want to your users to be able to communicate using the stand-alone version of Google Talk, you must add both and to the HTTPS scanning exemption list.

Note that adding to the HTTPS scanning exemption list can potentially prevent search terms from being logged, if is used to perform a search. Alternatively, instead of adding and to the HTTPS scanning exemption list, you can instruct your users to launch a web-based version of the application from within Gmail.

DEF51244 When a proxy with an incompatible forwarding method attempts to join a Web Cache Communication Protocol (WCCP) service group, the Cisco router correctly detects that an unusable proxy has joined, but it does not update the router's record. To correct this, you must disable WCCP on the router, and then re-enable it, clearing the list of known routers.
SUG40083 By default, the Adobe Flash player uses port 1935 to receive streamed content. The Sophos Web Appliance does not block this traffic (unless you have configured your policy to block Adobe Flash video), but it is common for firewalls to block traffic through this port. If you find that you are unable to view Flash videos in your network, and you have not explicitly blocked access to Adobe Flash video in your policy, open port 1935 access on your firewall. Other solutions are available, but are beyond the scope of the Sophos Web Appliance documentation; however, you can examine the options discussed in this Adobe article:
SUG34557 If you change a Web Appliance from explicit to either bridged or transparent mode, it causes interoperability issues with the spanning-tree calculations of Cisco switches. This can be overcome by running spanning-tree bpduguard disable for the appropriate port on the Cisco switch.
SUG32420 Currently, you can add a Local Site List entry with an unused tag which can take precedence over a Local Site List entry with a used tag, potentially disabling the used tag. To prevent this, always ensure that all added tags have actions configured in the Configuration > Group Policy > Additional Policies wizard.
SUG31712 By default, the instant messaging application, ICQ, connects to through port 5190, which will not work with the Web Appliance. To be able to connect, ICQ must be reconfigured to use port 80 for this connection.
SUG31038 If a Web Appliance is joined to a Security Management Appliance by entering the Security Management Appliance's fully qualified domain name into the Hostname text box in the Configuration > System > Central Management page, but an administrator subsequently accesses the Security Management Appliance's administrative web interface by using the Security Management Appliance's IP address while proxying through the Web Appliance, the usual policy bypassing applied to that access is ignored as the IP address will not be recognized as being the Security Management Appliance.
SUG26603 The Web Appliance's PDF generation library does not support all character sets, so Active Directory user names that use unsupported character sets do not render correctly.
SUG24359, SUG48524 HTTP range requests, or partial-content requests, are used by download accelerators and for large PDF files to download partial "ranges" of a file. These are only allowed by the Web Appliance for trusted sites. This is by design. Partial files cannot be scanned for viruses or other malware, so allowing HTTP range requests only makes sense for completely trusted sites.
DEF23793, SUG31838 If you are proxying through the Web Appliance to access the Web Appliance's Administrator web interface, saving settings in the Configuration > Network > Network Interface page may cause an erroneous "Problem Saving Settings" message to be displayed in the status bar at the bottom of the page. To avoid this and other subsequent problems, it is strongly advised that you access the administrative web interface through a direct, non-proxied, connection.
DEF23759 Enabling certificate validation blocks access to Sophos Email Appliances that are using self-signed certificates. To enable access to Sophos Email Appliances, add them to the HTTPS scanning exemption list in the Configuration > Global Policy > HTTPS Scanning page.
SUG23597 Your users will not be able to access AOL Instant Messenger (AIM) if you have HTTPS scanning or certificate validation enabled. The workaround for this problem is to either set the site as globally allowed or add the AOL Instant Messaging server(s) to your Configuration > Group Policy > Local Site List and set the Risk Level to Trusted. Also, you must either turn Certificate Validation Off, or add that server's certificate authority by entering the AOL Instant Messenger server's Site address and clicking Get Certificate in the Add certificate from a web site section of the Configuration > Global Policy > Certificate Validation page. As the URL and IP address(es) of the AOL Instant Messaging server(s) may differ depending on your geographical region, and may change over time, you must discover this information by disabling HTTPS Scanning and Certificate Validation, and then having one of your users access this service (use AOL Instant Messaging). You can then check the Search > Recent Activity Search > By User for that user to find the AOL Instant Messaging server's URL(s) and IP address(es).
SUG23486 When a RealPlayer client is operating behind a strict firewall, you must configure RealPlayer to use the "HTTP Only" option to connect to the Internet, even though this option tends to deliver a more intermittent playback than other options. Alternatively, you can open port 554 on your firewall.
SUG21539 In Internet Explorer, some websites or pop-ups may not display properly and the user may receive "Web page cannot be displayed" or "Object expected" error messages. This is a known Internet Explorer issue, and is due to an Internet Explorer update not getting installed. To remedy this issue, please ensure that you have installed cumulative security update MS08-024. For more information, see Microsoft KB947864.
DEF19675 Users that are not connected to the same Active Directory domain to which the Web Appliance is connected will experience problems using applications (such as Microsoft Office Activation) that do not prompt for credentials. These applications will fail to connect to the internet through the proxy because they do not automatically provide the correct domain user credentials for the domain used by the Web Appliance, nor do they prompt (like a browser would) for the user to enter their correct name and password. Either have these clients connect to the proper Active Directory domain or add the IP address of the problem system to the Allow unauthenticated browsing for the following IP addresses list in the Configuration > System > Active Directory page.
DEF11744 Users may be prompted to login when trying to open stream media with Windows Media Player 9. This issue is related to two Microsoft knowledge base issues:
SUG11651 There can be a performance problem when using the ISA 2000 with an upstream proxy, such as the Web Appliance. For the solution, see
DEF10441 If you have an internal Windows update server, add its hostname as a trusted site to the appliance local classifications to ensure that there are no interruptions in your local Windows update service. Automatic Windows Updates via Microsoft's sites are unaffected.
No Number While the appliance is under heavy load, the Blocked Sites and various Users reports may take up to a minute to generate.
DEF48710, DEF10961, DEF48620 Various sites generate occasional credential pop-ups when using Firefox with NTLM authentication turned on, and configured to Authenticate all requests.
DEF48810 (SUG08290) The Web Appliance web interface can slow down or freeze when enabling Remote Assistance. Once the request succeeds or times out it will return to normal. Proxy usage is not affected.
No Number To block access to internal sites (ones that your internal DNS will resolve to an internal domain), you will need to create multiple entries in the local classifications for each applicable FQDN. If you do not do this, users will be able to bypass filtering by entering the unqualified internal hostname. For example, for a server on your network called testbox that is available on two domains, you would need to add, and testbox to the Local Classifications.
DEF48700, DEF48702, DEF74075 Various software, including Quicktime and Yahoo Messenger, may require HTTP 1.1 through proxy connections. To enable this for Internet Explorer:
  1. Choose Tools > Internet Options.
  2. Click Advanced and select Use HTTP 1.1 through proxy connections.
  3. Click OK.
DEF48392, DEF48522 Reports do not show graphs for the first hour after midnight. Graphical reports will not show values between 12AM and 1AM.
DEF80779 When an appliance configured in transparent mode and with HTTPS scanning enabled reboots, users who have their default page set to an HTTPS site will not be properly authenticated to Active Directory. To avoid this, users can configure their default homepage as an HTTP site rather than an HTTPS site.


Work Order # Description
No Number When the Sophos Web Appliance uses eDirectory to identify users, the following issues may occur:
  • Terminal Server assigns the same address to multiple users. The Web Appliance resolves identification conflicts by selecting the user with the most recent login time. Only the user logged in last is identified correctly.
  • Users may log in on multiple workstations using the same account. For the first login, the Web Appliance caches and uses the correct username for Group Policy. For subsequent logins, the Web Appliance uses the workstation's IP address for Group Policy. It is recommended that you avoid logging in from different workstations.
DEF60685 A limitation in Internet Explorer prevents usernames of the forms DOMAIN\username, domain.tld\username or username@domain.tld from working with FTP sites that require authentication. Instead, only the simple username should be used for FTP sites. If it is necessary to use one of the three listed forms, you should use the Firefox browser instead. For more information, see the associated Microsoft knowledgebase article.
SUG31737 Access to Yahoo! Messenger is disabled when certificate validation is turned on. To enable access to Yahoo! Messenger, Certificate Validation must be turned Off in the Configuration > Global Policy > Certificate Validation page. Alternatively, Certificate Validation can be turned On, but you must add the certificate used by Yahoo! Messenger in the Configuration > Global Policy > Certificate Validation page. Yahoo! Messenger uses multiple servers, but each of these use the same certificate, so you can get this certificate from any of the following servers:,, or
DEF27953 When the DNS servers in the Configuration > Network > Network Interface page are specified manually, only the first DNS server is used to lookup the Active Directory domain when you run Verify Settings in the Configuration > System > Active Directory page. The first DNS server configured in the Configuration > Network > Network Interface page must be able to resolve the Active Directory domain.
DEF21244 Occasionally, web pages from an allowed site will contain images or other resources that are linked in from blocked sites. These content resources will be blocked, which may leave the resulting page looking broken. This is the expected behavior and can only be changed by either allowing the content from the blocked site or blocking the allowed site that contains the blocked resources.
SUG17217 The patience page that is displayed when using FTP-over-HTTP in Internet Explorer is always in English as Internet Explorer does not include the “Accept-Language” attribute-value pair in the HTTP request. (For an explanation, see the FTP-over-HTTP glossary entry.)
DEF15645 If an ISA Server is used as upstream proxy of a Web Appliance, you will be unable to:
  • Install the Web Appliance within the ISA Server perimeter (specifically, the Install Wizard's Connection Test will fail)
  • Access secure sites from clients
  • Establish remote assistance sessions between the Web Appliance and Sophos Support
This is a known issue for both ISA 2004 and ISA 2006:
Note: Placing your ISA Server in a downstream (client side) location in your network relative to the Web Appliance remains the preferred network deployment option.
SUG15118 Service Principal Name (SPN) formatted usernames (for example, user@domain) are not supported when applying policy to a user. Usernames must be in the Down-Level Logon Name format (for example, DOMAIN\username).
DEF14181 If the Web Appliance attempts to display notification pages in more than two tabs of Internet Explorer, only the first two notification pages will display. This is a deliberate Internet Explorer limitation—only two connections are allowed per server—, documented in, which therefore cannot be addressed by the Web Appliance.
SUG12261 In order to use certain Autodesk applications, such as Land Desktop, AutoCAD Map, Raster Design, Survey, Viz, Architectural Desktop, Revit, and Civil 3d, must be added to the Local Classifications as a trusted site.
SUG11277 If the administrator's Username entered in the Configuration > System > Active Directory page contains UTF8 characters, the username will not be saved properly and it will cause "Invalid Credentials" errors on subsequent logins. To prevent such errors ensure that the administrator username you select does not contain any UTF8 characters.
DEF50460 (DEF09429) Firefox develops a memory leak when displaying the Web Appliance Administrator web interface.
DEF50129 (DEF09220) The notification page for HTTPS blocked pages are always displayed in English on Internet Explorer 7 despite any localization setting.
DEF49956 (DEF09092) Alert messages are not sent from the appliance to Sophos Support if your email is hosted externally, such as by an ISP, and SMTP authentication with that mail server is required.