Work Order # | Description |
---|---|
SUG97025 | When using a portal certificate, Safari on Mac will attempt to connect to the certificate revocation list (CRL) URL before displaying the portal. Because authentication is not complete, the URL is blocked by the appliance, and the portal is not displayed. To resolve this: |
DEF90478 | Manually downloading a backup using Internet Explorer (IE) may fail. This can be caused by certain combinations of settings. The description of the issue and its resolution for IE v9 can be found in this Microsoft support article, while the description and resolution for earlier versions of IE can be found in this Microsoft support article. |
DEF88976 | When testing sites on the page, you must enter the address without the protocol. For instance, enter www.example.com and not http://www.example.com. |
WKI67266 | Endpoint to Sophos Web Appliance (SWA) communication does not work with non-SWA proxies that use Active Directory authentication. |
WKI75267 | If an endpoint registers with a Sophos Web Appliance (SWA) or Sophos Management Appliance (SMA), then registers with a second, different SWA or SMA, it will then be unable to re-register with the first SWA or SMA. |
DEF72642 | In load-balancing mode, some unique users may be double-counted on the Management Appliance dashboard when one of the load-balanced appliances becomes temporarily unavailable. |
DEF51492 | If you want your users to be able to communicate using the stand-alone version of Google Talk, you must add both talk.google.com and www.google.com to the HTTPS scanning exemption list. Note that adding |
DEF51244 | When a proxy with an incompatible forwarding method attempts to join a Web Cache Communication Protocol (WCCP) service group, the Cisco router correctly detects that an unusable proxy has joined, but it does not update the router's record. To correct this, you must disable WCCP on the router, and then re-enable it, clearing the list of known routers. |
SUG40083 | By default, the Adobe Flash player uses port 1935 to receive streamed content. The Sophos Web Appliance does not block this traffic (unless you have configured your policy to block Adobe Flash video), but it is common for firewalls to block traffic through this port. If you find that you are unable to view Flash videos in your network, and you have not explicitly blocked access to Adobe Flash video in your policy, open port 1935 access on your firewall. Other solutions are available, but are beyond the scope of the Sophos Web Appliance documentation; however, you can examine the options discussed in this Adobe article: http://www.adobe.com/devnet/flashcom/articles/firewalls_proxy02.html. |
SUG34557 | If you change a Web Appliance from explicit to either bridged or transparent mode, it causes interoperability issues with the spanning-tree calculations of Cisco switches. This can be overcome by running spanning-tree bpduguard disable for the appropriate port on the Cisco switch. |
SUG32420 | Currently, you can add a Local Site List entry with an unused tag which can take precedence over a Local Site List entry with a used tag, potentially disabling the used tag. To prevent this, always ensure that all added tags have actions configured in the wizard. |
SUG31712 | By default, the instant messaging application, ICQ, connects to login.icq.com through port 5190, which will not work with the Web Appliance. To be able to connect, ICQ must be reconfigured to use port 80 for this connection. |
SUG31038 | If a Web Appliance is joined to a Security Management Appliance by entering the Security Management Appliance's fully qualified domain name into the Hostname text box in the page, but an administrator subsequently accesses the Security Management Appliance's administrative web interface by using the Security Management Appliance's IP address while proxying through the Web Appliance, the usual policy bypassing applied to that access is ignored as the IP address will not be recognized as being the Security Management Appliance. |
SUG26603 | The Web Appliance's PDF generation library does not support all character sets, so Active Directory user names that use unsupported character sets do not render correctly. |
SUG24359, SUG48524 | HTTP range requests, or partial-content requests, are used by download accelerators and for large PDF files to download partial "ranges" of a file. These are only allowed by the Web Appliance for trusted sites. This is by design. Partial files cannot be scanned for viruses or other malware, so allowing HTTP range requests only makes sense for completely trusted sites. |
DEF23793, SUG31838 | If you are proxying through the Web Appliance to access the Web Appliance's Administrator web interface, saving settings in the page may cause an erroneous "Problem Saving Settings" message to be displayed in the status bar at the bottom of the page. To avoid this and other subsequent problems, it is strongly advised that you access the administrative web interface through a direct, non-proxied connection. |
DEF23759 | Enabling certificate validation blocks access to Sophos Email Appliances that are using self-signed certificates. To enable access to Sophos Email Appliances, add them to the HTTPS scanning exemption list in the page. |
SUG23597 | Your users will not be able to access AOL Instant Messenger (AIM) if you have HTTPS scanning or certificate validation enabled. The workaround for this problem is to either set the site as globally allowed or add the AOL Instant Messaging server(s) to your Local Site List and set the Risk Level to Trusted. Also, you must either turn Certificate Validation Off, or add that server's certificate authority by entering the AOL Instant Messenger server's Site address and clicking Get Certificate in the Add certificate from a web site section of the page. As the URL and IP address(es) of the AOL Instant Messaging server(s) may differ depending on your geographical region, and may change over time, you must discover this information by disabling HTTPS Scanning and Certificate Validation, and then having one of your users access this service (use AOL Instant Messaging). You can then check the for that user to find the AOL Instant Messaging server's URL(s) and IP address(es). |
SUG23486 | When a RealPlayer client is operating behind a strict firewall, you must configure RealPlayer to use the "HTTP Only" option to connect to the Internet, even though this option tends to deliver a more intermittent playback than other options. Alternatively, you can open port 554 on your firewall. |
SUG21539 | In Internet Explorer, some websites or pop-ups may not display properly and the user may receive "Web page cannot be displayed" or "Object expected" error messages. This is a known Internet Explorer issue, and is due to an Internet Explorer update not getting installed. To remedy this issue, please ensure that you have installed cumulative security update MS08-024. For more information, see Microsoft KB947864. |
DEF19675 | Users that are not connected to the same Active Directory domain to which the Web Appliance is connected will experience problems using applications (such as Microsoft Office Activation) that do not prompt for credentials. These applications will fail to connect to the internet through the proxy because they do not automatically provide the correct domain user credentials for the domain used by the Web Appliance, nor do they prompt (like a browser would) for the user to enter their correct name and password. Either have these clients connect to the proper Active Directory domain or add the IP address of the problem system to the Allow unauthenticated browsing for the following IP addresses list in the page. |
DEF11744 | Users may be prompted to login when trying to open stream media with Windows Media Player 9. This issue is related to two Microsoft knowledge base issues: |
SUG11651 | There can be a performance problem when using the ISA 2000 with an upstream proxy, such as the Web Appliance. For the solution, see http://support.microsoft.com/kb/317822/en-us. |
DEF10441 | If you have an internal Windows update server, add its hostname as a trusted site to the appliance local classifications to ensure that there are no interruptions in your local Windows update service. Automatic Windows Updates via Microsoft's sites are unaffected. |
No Number | While the appliance is under heavy load, the Blocked Sites and various Users reports may take up to a minute to generate. |
DEF48710, DEF10961, DEF48620 | Various sites generate occasional credential pop-ups when using Firefox with NTLM authentication turned on, and configured to Authenticate all requests. |
DEF48810 (SUG08290) | The Web Appliance web interface can slow down or freeze when enabling Remote Assistance. Once the request succeeds or times out it will return to normal. Proxy usage is not affected. |
No Number | To block access to internal sites (ones that your internal DNS will resolve to an internal domain), you will need to create multiple entries in the local classifications for each applicable FQDN. If you do not do this, users will be able to bypass filtering by entering the unqualified internal hostname. For example, for a server on your network called testbox that is available on two domains, you would need to add testbox.domain1.com, testbox.domain2.com and testbox to the Local Classifications. |
DEF48700, DEF48702, DEF74075 | Various software, including Quicktime and Yahoo Messenger, may require HTTP 1.1 through proxy connections. To enable this for Internet Explorer: |
DEF48392, DEF48522 | Reports do not show graphs for the first hour after midnight. Graphical reports will not show values between 12AM and 1AM. |
DEF80779 | When an appliance configured in transparent mode and with HTTPS scanning enabled reboots, users who have their default page set to an HTTPS site will not be properly authenticated to Active Directory. To avoid this, users can configure their default homepage as an HTTP site rather than an HTTPS site. |
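The design point in SUG24359/SUG48524 (range requests only for trusted sites, because a partial body cannot be scanned) can be modelled in a few lines. The following Python is an added example and not Sophos appliance code. It assumes a static list of trusted hosts (exact match or subdomain), strips the Range and If-Range headers for untrusted hosts so the origin returns the whole object for scanning, and refuses a 206 Partial Content reply from an untrusted origin, since the proxy never asked for a fragment and could not scan one. The host list, header names and sample request are constructed for illustration.

```python
"""Range-request policy for a content-scanning proxy.

Added example, not Sophos appliance code. Assumptions: a static list of
trusted hosts (exact match or subdomain), and that anything the proxy
forwards in full is scanned before delivery.
"""
import re

# Single byte-range form only ("bytes=start-end", either bound optional).
_SINGLE_RANGE = re.compile(r"^bytes=(\d*)-(\d*)$")


def host_is_trusted(host, trusted_hosts):
    """True when host equals or is a subdomain of a trusted entry (case-insensitive)."""
    h = host.lower().rstrip(".")
    for entry in trusted_hosts:
        t = entry.lower().rstrip(".")
        if h == t or h.endswith("." + t):
            return True
    return False


def parse_byte_range(value):
    """Parse a single-range header value into (start, end); either bound may be None.

    Multi-range values ("bytes=0-99,200-299") and malformed values return None.
    Any Range header is treated as a partial-content request regardless, so
    this is only needed for logging or reporting.
    """
    match = _SINGLE_RANGE.match(value.strip())
    if not match:
        return None
    start, end = match.groups()
    if start == "" and end == "":
        return None
    return (int(start) if start else None, int(end) if end else None)


def filter_request_headers(host, headers, trusted_hosts):
    """Return (headers_to_forward, decision) for a client request.

    'full'        - no Range header: forward unchanged and scan the reply
    'passthrough' - Range header and trusted host: forward unchanged
    'stripped'    - Range header and untrusted host: drop Range and If-Range
                    so the origin returns the whole object (200) for scanning
    """
    if not any(name.lower() == "range" for name in headers):
        return dict(headers), "full"
    if host_is_trusted(host, trusted_hosts):
        return dict(headers), "passthrough"
    forwarded = {name: value for name, value in headers.items()
                 if name.lower() not in ("range", "if-range")}
    return forwarded, "stripped"


def response_action(host, status, trusted_hosts):
    """Decide what to do with an origin reply.

    A 206 from an untrusted host is refused: the body is a fragment that
    cannot be scanned. A 206 from a trusted host is delivered unscanned by
    policy; every other reply is scanned before delivery.
    """
    if status == 206:
        return "deliver-unscanned" if host_is_trusted(host, trusted_hosts) else "block"
    return "scan-then-deliver"


# Constructed sample: one trusted update host and a download-accelerator request.
TRUSTED_HOSTS = ["updates.vendor.example"]
ACCELERATOR_REQUEST = {
    "Host": "cdn.example",
    "User-Agent": "DownloadAccelerator/1.0",
    "Range": "bytes=0-1048575",
    "If-Range": '"etag-123"',
}

if __name__ == "__main__":
    fwd, decision = filter_request_headers("cdn.example", ACCELERATOR_REQUEST, TRUSTED_HOSTS)
    print(decision, sorted(fwd))                       # stripped ['Host', 'User-Agent']
    print(response_action("cdn.example", 206, TRUSTED_HOSTS))  # block
```

Stripping If-Range together with Range matters: left in place, If-Range can still turn a conditional request into a 206 from the origin, which the response side would then have to block.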
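Two of the entries above describe configuration gaps in the Local Site List that are easy to miss by eye: SUG32420 (an entry carrying a tag with no configured action can take precedence over one whose tag is used) and the unnumbered entry about internal hosts (every FQDN variant plus the bare hostname must be listed, or users bypass filtering with the unqualified name). The following Python is an added example, not appliance code, that audits an exported list for both problems. The entry model (site plus optional tag), the tag-to-action map and the sample data are constructed assumptions.

```python
"""Audit a Local Site List export for two configuration gaps.

Added example, not Sophos appliance code. Assumptions: each entry names a
site and an optional policy tag, and the appliance acts on a tag only when
an action has been configured for it.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SiteEntry:
    site: str                  # hostname or FQDN, no scheme
    tag: Optional[str] = None  # policy tag; None means an untagged entry


def tags_without_actions(entries, tag_actions):
    """Tags referenced by entries that have no action configured.

    An entry carrying such a tag may take precedence over an entry with a
    configured tag and silently disable it, so this list should be empty.
    """
    used = {e.tag for e in entries if e.tag is not None}
    return sorted(t for t in used if not tag_actions.get(t))


def required_internal_names(host, domains):
    """Every name an internal host answers to: the bare name plus one FQDN per domain."""
    host = host.lower().rstrip(".")
    return {host} | {f"{host}.{d.lower().rstrip('.')}" for d in domains}


def missing_internal_entries(entries, internal_hosts):
    """Per internal host, the names that are absent from the list.

    internal_hosts maps a short hostname to the domains that resolve it,
    e.g. {"testbox": ["domain1.com", "domain2.com"]}.
    """
    listed = {e.site.lower().rstrip(".") for e in entries}
    gaps = {}
    for host, domains in internal_hosts.items():
        missing = required_internal_names(host, domains) - listed
        if missing:
            gaps[host] = sorted(missing)
    return gaps


# Constructed sample data, not taken from any real appliance.
TAG_ACTIONS = {"blocked": "block", "trusted": "allow", "staging": None}
ENTRIES = [
    SiteEntry("testbox.domain1.com", "trusted"),
    SiteEntry("testbox", "trusted"),
    SiteEntry("intranet.domain1.com", "staging"),   # tag exists but has no action
    SiteEntry("gambling.example", "blocked"),
]
INTERNAL_HOSTS = {
    "testbox": ["domain1.com", "domain2.com"],
    "intranet": ["domain1.com"],
}


def audit(entries=ENTRIES, tag_actions=TAG_ACTIONS, internal_hosts=INTERNAL_HOSTS):
    """Run both checks and return the findings as a dict."""
    return {
        "tags_without_actions": tags_without_actions(entries, tag_actions),
        "missing_internal_entries": missing_internal_entries(entries, internal_hosts),
    }


if __name__ == "__main__":
    for check, findings in audit().items():
        print(check, findings)
```

On the sample data the audit reports the "staging" tag as unconfigured, testbox.domain2.com missing for testbox, and the bare name intranet missing for intranet, which is exactly the unqualified-hostname bypass the entry above warns about.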
Work Order # | Description |
---|---|
No Number | When the Sophos Web Appliance uses eDirectory to identify users, the following issues may occur: |
DEF60685 | A limitation in Internet Explorer prevents usernames of the forms DOMAIN\username, domain.tld\username or username@domain.tld from working with FTP sites that require authentication. Instead, only the simple username should be used for FTP sites. If it is necessary to use one of the three listed forms, you should use the Firefox browser instead. For more information, see the associated Microsoft knowledge base article. |
SUG31737 | Access to Yahoo! Messenger is disabled when certificate validation is turned on. To enable access to Yahoo! Messenger, Certificate Validation must be turned Off in the page. Alternatively, Certificate Validation can be turned On, but you must add the certificate used by Yahoo! Messenger in the page. Yahoo! Messenger uses multiple servers, but each of these use the same certificate, so you can get this certificate from any of the following servers: 216.155.194.149, 98.136.113.168, or 98.136.113.173. |
DEF27953 | When the DNS servers in the page are specified manually, only the first DNS server is used to look up the Active Directory domain when you run Verify Settings in the page. The first DNS server configured in the page must be able to resolve the Active Directory domain. |
DEF21244 | Occasionally, web pages from an allowed site will contain images or other resources that are linked in from blocked sites. These content resources will be blocked, which may leave the resulting page looking broken. This is the expected behavior and can only be changed by either allowing the content from the blocked site or blocking the allowed site that contains the blocked resources. |
SUG17217 | The patience page that is displayed when using FTP-over-HTTP in Internet Explorer is always in English as Internet Explorer does not include the “Accept-Language” attribute-value pair in the HTTP request. (For an explanation, see the FTP-over-HTTP glossary entry.) |
DEF15645 | If an ISA Server is used as upstream proxy of a Web Appliance, you will be unable to: Note: Placing your ISA Server in a downstream (client side) location in your network relative to the Web Appliance remains the preferred network deployment option. |
SUG15118 | Service Principal Name (SPN) formatted usernames (for example, user@domain) are not supported when applying policy to a user. Usernames must be in the Down-Level Logon Name format (for example, DOMAIN\username). |
DEF14181 | If the Web Appliance attempts to display notification pages in more than two tabs of Internet Explorer, only the first two notification pages will display. This is a deliberate Internet Explorer limitation (only two connections are allowed per server), documented in http://support.microsoft.com/kb/282402, and therefore cannot be addressed by the Web Appliance. |
SUG12261 | In order to use certain Autodesk applications, such as Land Desktop, AutoCAD Map, Raster Design, Survey, Viz, Architectural Desktop, Revit, and Civil 3d, autodesk.com must be added to the Local Classifications as a trusted site. |
SUG11277 | If the administrator's Username entered in the page contains UTF-8 characters, the username will not be saved properly and it will cause "Invalid Credentials" errors on subsequent logins. To prevent such errors, ensure that the administrator username you select does not contain any UTF-8 characters. |
DEF50460 (DEF09429) | Firefox develops a memory leak when displaying the Web Appliance Administrator web interface. |
DEF50129 (DEF09220) | The notification page for HTTPS blocked pages is always displayed in English on Internet Explorer 7 regardless of any localization setting. |
DEF49956 (DEF09092) | Alert messages are not sent from the appliance to Sophos Support if your email is hosted externally, such as by an ISP, and SMTP authentication with that mail server is required. |