Grouped Appliance Troubleshooting

This page describes the problems that can be encountered when joining a Web Appliance to a Management Appliance, and it provides solutions to those problems.

Join fails with Mismatched Software Load error message

Problem: Clicking Join Management Appliance produces a "Software versions do not match" error message at the Verifying software version check.

Cause: The software loads installed on the two appliances are different versions.

Solution: On both appliances, go to the Configuration > System > Updates page and ensure that the latest software version is installed, so that the two appliances run the same version before you retry the join.

Previously joined Web Appliances are unable to join with a new (replacement) Management Appliance

Problem: After a Management Appliance is replaced with a new unit and the configuration data backup from the original unit is restored to the replacement, the Web Appliances that were joined to the original Management Appliance cannot communicate with the replacement Management Appliance.

Cause: Restoring the configuration data to the replacement Management Appliance and setting its fully qualified domain name and IP address are not sufficient on their own; previously joined Web Appliances require an additional step before they can communicate with the replacement.

Solution: After the configuration data has been restored to the replacement Management Appliance and you have confirmed that its fully qualified domain name and IP address are correct, revert each Web Appliance that was joined to the previous Management Appliance to standalone mode, then re-join it to the replacement Management Appliance.

New Management Appliance uploading Web Appliance data produces AD error alerts

Problem: When you join an established Web Appliance to a new Management Appliance, with the Copy configuration and policy data from the first web appliance to join option selected on the Management Appliance, the Management Appliance raises Active Directory integration, Active Directory synchronization, and possibly Active Directory Trusted Domains synchronization alerts.

Cause: The uploaded configuration data from the Web Appliance includes Active Directory access configuration, but the firewall between the new Management Appliance and the Active Directory server has not been configured to open the required ports.

Solution: Configure your firewall to allow the connections listed in the following tables. For the Active Directory alerts, the rows marked "between appliance and AD server" are the ones that must be open between the Management Appliance and the Active Directory server.

External Connections

Port  Function                                     Service  Protocol  Connection
22    Remote assistance                            SSH      TCP       Outbound from appliance to sophos.com
22    Central configuration, status and reporting  SSH      TCP       Outbound from Web Appliance to Management Appliance (if not collocated)
25    Remote assistance notification               SMTP     TCP       Outbound from appliance to sophos.com
80    Outbound network web traffic                 HTTP     TCP       Outbound from appliance to internet
123   Network time synchronization                 NTP      UDP       Outbound from appliance to internet
443   Outbound network web traffic                 HTTPS    TCP       Outbound from appliance to internet

Internal Connections

Port  Function                                     Service      Protocol  Connection
21    Backups using passive FTP                    FTP          TCP       Outbound from appliance to FTP server
22    Central configuration, status and reporting  SSH          TCP       Outbound from Web Appliance to Management Appliance (if collocated)
53    DNS queries                                  DNS          UDP       Outbound from appliance to LAN
80    Administrative web interface                 HTTP         TCP       Inbound from LAN to appliance
88    Kerberos authentication                      KERBEROS     TCP/UDP   Inbound/outbound between appliance and AD server
139   MS NetBIOS session                           NETBIOS-SSN  TCP/UDP   Inbound/outbound between appliance and AD server
389   Directory services synchronization           LDAP         TCP/UDP   Inbound/outbound between appliance and AD server
443   Administrative web interface                 HTTPS        TCP       Inbound from LAN to appliance
445   MS server message block                      SMB          TCP/UDP   Inbound/outbound between appliance and AD server
636   LDAP synchronization                         LDAPS        TCP       Inbound/outbound between appliance and eDirectory server
3268  MS AD Global Catalog synchronization         MSGC         TCP/UDP   Inbound/outbound between appliance and AD server
8080  Proxy (end user web browsing)                HTTP/HTTPS   TCP       Inbound/outbound between LAN and appliance
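Both Active Directory alert scenarios on this page (the Management Appliance uploading Web Appliance data, and a new Web Appliance joining a configured Management Appliance) come down to the same question: can the appliance reach the AD server on the ports in the Internal Connections table? The following script is an added example, not Sophos code and not part of the appliance software. It is meant to be run from a host on the same network segment as the appliance that is about to join, before the join, so that a firewall gap shows up as a probe result rather than as an alert. It checks only the TCP ports from the table (a plain connect cannot verify the UDP side of 53, 88 and 389), and it distinguishes a silently dropped connection (the usual signature of a firewall rule that is missing) from a refused one (the host is reachable but nothing is listening, which usually means the wrong address or a host that is not a domain controller). The host name dc01.example.internal and the fake probe used for the test are assumptions.

```python
"""Pre-join reachability check for the Active Directory TCP ports listed in
the Internal Connections table.  Added example; not appliance code."""

import socket
import sys
from typing import Callable, Dict, List, Tuple

# TCP ports the appliance needs on the AD server, taken from the
# Internal Connections table (port -> function text from the table).
AD_TCP_PORTS: Dict[int, str] = {
    88: "Kerberos authentication",
    139: "MS NetBIOS session",
    389: "Directory services synchronization (LDAP)",
    445: "MS server message block (SMB)",
    3268: "MS AD Global Catalog synchronization",
}

# 636/tcp is listed for eDirectory; merge it in only when eDirectory is in use.
EDIRECTORY_TCP_PORTS: Dict[int, str] = {636: "LDAP synchronization (LDAPS)"}


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP handshake and classify the outcome.

    "open"      handshake completed: the port is reachable and something listens
    "timeout"   no SYN-ACK and no RST within the timeout: typical of a firewall
                silently dropping the connection, i.e. a missing rule
    "refused"   RST received: the host is reachable but nothing listens there
    "unresolved" the host name did not resolve (check DNS, port 53 in the table)
    "error:N"   any other socket error, with its errno
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error:{exc.errno}"


def check_ad_ports(
    host: str,
    ports: Dict[int, str] = AD_TCP_PORTS,
    timeout: float = 2.0,
    probe: Callable[[str, int, float], str] = probe_tcp,
) -> Dict[int, str]:
    """Probe every port in `ports` on `host`; `probe` is injectable for testing."""
    return {port: probe(host, port, timeout) for port in ports}


def blocked_ports(
    results: Dict[int, str], ports: Dict[int, str] = AD_TCP_PORTS
) -> List[Tuple[int, str, str]]:
    """Ports whose status is anything but "open", with the table's function text."""
    return [
        (port, ports.get(port, ""), status)
        for port, status in sorted(results.items())
        if status != "open"
    ]


def report(host: str, results: Dict[int, str], ports: Dict[int, str] = AD_TCP_PORTS) -> str:
    """Human-readable summary: one line per port, then the firewall to-do list."""
    lines = [f"AD port check against {host}"]
    for port, status in sorted(results.items()):
        lines.append(f"  {port:>5}/tcp  {status:<10}  {ports.get(port, '')}")
    blocked = blocked_ports(results, ports)
    if blocked:
        lines.append(
            "  Firewall rules still needed for: "
            + ", ".join(str(port) for port, _, _ in blocked)
        )
    else:
        lines.append(
            "  All listed TCP ports reachable; an AD alert after the join is not a firewall problem."
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed AD server name; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"
    print(report(target, check_ad_ports(target)))
```

Run it once from the appliance's segment before clicking Join Management Appliance; a column of "timeout" results against an address that otherwise answers on 389 is the firewall gap described above, and a column of "refused" results means you are pointing at the wrong host, not at a firewall. The probe timeout should be kept short (the default is two seconds) so that a fully blocked host does not stall the whole check.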

New Web Appliance join produces an AD integration alert and blocks all users' web access

Problem: When you join a new Web Appliance to a configured Management Appliance, the Web Appliance raises an Active Directory integration alert, and web access is blocked for all of the Web Appliance's users.

Cause: The configuration data downloaded from the Management Appliance includes Active Directory access configuration, but the firewall between the new Web Appliance and the Active Directory server has not been configured to open the required ports.

Solution: Either configure your firewall to allow the connections listed in the preceding tables, or configure the new Web Appliance to use a local Active Directory server. In the second case the appliance must still be able to reach that local server on the ports and services indicated in the preceding tables.