Grouped Appliance Troubleshooting
This page describes the problems that can be encountered when joining a Web Appliance to a Management Appliance, and it provides solutions to these problems.
Join fails with Mismatched Software Load error message
Problem: Clicking Join Management Appliance produces a Software versions do not match error message at the Verifying software version check.
Cause: The software loads installed on the two appliances are different versions; the join is refused until they match.
Solution: On both appliances, go to the software update page and ensure that the latest software version is installed, so that both appliances run the same version, then retry the join.
Previously joined Web Appliances are unable to join with a new (replacement) Management Appliance
Problem: When a Management Appliance is replaced with a new unit, and the previous unit’s configuration data backup is restored to the replacement unit, Web Appliances that were previously joined to the original Management Appliance are unable to communicate with the replacement Management Appliance.
Cause: Restoring the previous unit's configuration data to the replacement Management Appliance, and setting its fully qualified domain name and IP address, is not enough on its own. Each previously joined Web Appliance must be joined again to the replacement unit before the two can communicate.
Solution: After the replacement Management Appliance has had the configuration data restored to it, and you have verified that its fully qualified domain name and IP address are correct, revert each Web Appliance that was joined to the previous Management Appliance to standalone mode, then re-join it to the replacement Management Appliance.
New Management Appliance uploading Web Appliance data produces AD error alerts
Problem: When you join an established Web Appliance to a new Management Appliance, with the Copy configuration and policy data from the first web appliance to join option selected on the Management Appliance, the Management Appliance raises Active Directory integration, Active Directory synchronization, and possibly Active Directory Trusted Domains synchronization alerts.
Cause: The uploaded configuration data from the Web Appliance includes Active Directory access configuration, but the firewall between the new Management Appliance and the Active Directory server has not been configured to open the required ports.
Solution: Configure your firewall to permit the ports and services listed in the following tables. For this alert, the rows that matter are the Internal Connections between the appliance and the AD server (Kerberos, NetBIOS session, LDAP, SMB, dynamic RPC, and Global Catalog); the tables are reproduced in full for completeness.
External Connections
Port | Function | Service | Protocol | Connection |
---|---|---|---|---|
22 | Remote assistance | SSH | TCP | Outbound from appliance to sophos.com |
22 | Central configuration, status and reporting | SSH | TCP | Outbound from Web Appliance to Management Appliance (if not collocated) |
25 | Remote assistance notification | SMTP | TCP | Outbound from appliance to sophos.com |
80 | Outbound network web traffic | HTTP | TCP | Outbound from appliance to internet |
123 | Network time synchronization | NTP | UDP | Outbound from appliance to internet |
443 | Outbound network web traffic | HTTPS | TCP | Outbound from appliance to internet |
Internal Connections
Port | Function | Service | Protocol | Connection |
---|---|---|---|---|
21 | Backups using passive FTP | FTP | TCP | Outbound from appliance to FTP server |
22 | Central configuration, status and reporting | SSH | TCP | Outbound from Web Appliance to Management Appliance (if collocated) |
53 | DNS queries | DNS | UDP | Outbound from appliance to LAN |
80 | Administrative web interface | HTTP | TCP | Inbound from LAN to appliance |
88 | Kerberos authentication | KERBEROS | TCP/UDP | Inbound/outbound between appliance and AD server |
139 | MS NetBIOS session | NETBIOS-SSN | TCP/UDP | Inbound/outbound between appliance and AD server |
389 | Directory services synchronization | LDAP | TCP/UDP | Inbound/outbound between appliance and AD server |
443 | Administrative web interface | HTTPS | TCP | Inbound from LAN to appliance |
445 | MS server message block | SMB | TCP/UDP | Inbound/outbound between appliance and AD server |
636 | LDAP synchronization | LDAPS | TCP | Inbound/outbound between appliance and eDirectory server |
1024–1300, 49152–65535 | Dynamic RPC | RPC | TCP | Inbound/outbound between appliance and AD server |
3268 | MS AD Global Catalog synchronization | MSGC | TCP/UDP | Inbound/outbound between appliance and AD server |
8080 | Proxy (end user web browsing) | HTTP/HTTPS | TCP | Inbound/outbound between LAN and appliance |
New Web Appliance join produces an AD integration alert and blocks all users’ web access
Problem: When you join a new Web Appliance to a configured Management Appliance, the Web Appliance raises an Active Directory integration alert, and web access is blocked for all of the Web Appliance’s users.
Cause: The configuration data downloaded from the Management Appliance includes Active Directory access configuration, but the firewall between the new Web Appliance and the Active Directory server has not been configured to open the required ports.
Solution: Either configure your firewall to permit the ports and services listed in the preceding tables, or configure the new Web Appliance to use a local Active Directory server (a domain controller on its own network segment). In the second case the appliance must still be able to reach that server on the ports and services indicated in the preceding tables; moving the AD server closer does not remove the port requirements.
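Both of the Active Directory alerts above come down to the same question: can the appliance actually reach the AD server on the ports in the Internal Connections table? The following script is an added example, not part of the original page or of the appliance software. It probes the TCP ports from that table (and, as a generalisation, the SSH port a Web Appliance needs toward its Management Appliance) from a host on the same network segment as the appliance, so missing firewall rules show up before you click Join rather than as alerts afterwards. The hostnames `dc01.example.com` and `sma.example.com` are placeholders; replace them with your own domain controller and Management Appliance.

```python
"""
Connectivity check for the appliance-to-AD and Web-to-Management ports above.
Run it from a host on the same network segment as the appliance being joined,
before clicking Join, to find firewall rules that are still missing.
"""
import socket
import sys
from typing import Dict, List, Mapping, Tuple

# TCP ports the appliance needs toward the Active Directory server, taken from
# the Internal Connections table above. The UDP side of 88/389/3268 and the
# dynamic RPC ranges are not probed here (see the note after the block).
AD_TCP_PORTS: Mapping[int, str] = {
    88: "Kerberos",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB",
    636: "LDAPS",
    3268: "Global Catalog",
}

# The one port a Web Appliance needs toward its Management Appliance.
MANAGEMENT_TCP_PORTS: Mapping[int, str] = {
    22: "SSH (central configuration, status and reporting)",
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a full TCP handshake to host:port completes within timeout.

    A refused connection, a timeout (typical of a firewall that drops
    silently) and a DNS failure all count as 'not open'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_ports(host: str, ports: Mapping[int, str],
                timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every port in `ports` on `host`; map port -> reachable."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def blocked_ports(results: Mapping[int, bool],
                  names: Mapping[int, str]) -> List[str]:
    """Human-readable list of the ports that did not answer."""
    return [f"{port}/tcp ({names.get(port, 'unknown')})"
            for port, ok in sorted(results.items()) if not ok]


def open_local_listener() -> Tuple[socket.socket, int]:
    """Listening socket on 127.0.0.1 and its port, to sanity-check the probe.

    Pointing check_ports() at this port must report it open; closing the
    socket must make the same port report closed. Use it to confirm the
    checker itself works before trusting a 'blocked' verdict against the DC.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Hostnames are placeholders (assumed); pass your own DC and
    # Management Appliance on the command line.
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"
    ma = sys.argv[2] if len(sys.argv) > 2 else "sma.example.com"
    for target, table in ((dc, AD_TCP_PORTS), (ma, MANAGEMENT_TCP_PORTS)):
        missing = blocked_ports(check_ports(target, table), table)
        if missing:
            print(f"{target}: firewall still blocks " + ", ".join(missing))
        else:
            print(f"{target}: all required TCP ports reachable")
```

Two caveats when reading the output. A TCP probe says nothing about the UDP side of Kerberos, LDAP and Global Catalog, so a firewall that passes TCP but drops UDP will still pass this check; verify those with a protocol-aware probe or by watching the firewall logs during a test logon. The dynamic RPC ranges (1024–1300 and 49152–65535) are deliberately not scanned port by port; confirm them from the firewall rule set rather than by probing, since only the ports the endpoint mapper hands out at the time will answer.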