
CAA is not authenticating when configuring firewall as explicit proxy


If the Sophos XG firewall is configured as an explicit proxy, users are unable to authenticate with CAA.

Here is the sample network diagram:

[Figure: Sample Network Diagram]


Before troubleshooting this issue, first confirm that you have configured CAA correctly. You can use this article for that:

Sophos XG CAA

First, let us understand the authentication process of the Client Authentication Agent.

When a user tries to authenticate with the Client Authentication Agent, the authentication request is sent to “” on port 9922 instead of to the Sophos XG firewall IP.

In the above scenario, the request is sent directly to the default gateway, which is “”, and it does not reach the firewall. So the user is not authenticated.

To resolve this issue, you need to configure a static route on the default gateway that points traffic destined for “” towards the Sophos firewall.


You need to configure DHCP option code 234 on the DHCP server to point traffic destined for “” to the Sophos XG firewall.

Then users will be authenticated with the Sophos XG firewall.
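The routing behaviour described above, as an added example that is not part of the original article: a longest-prefix-match lookup on the default gateway's routing table, before and after the static route is added. Every address and the helper names `next_hop` and `caa_reaches_firewall` are constructed placeholders, because the article's own addresses are not shown.

```python
import ipaddress

# All addresses below are constructed placeholders, not values from the article.
CAA_TARGET = "192.0.2.1"    # stands in for the address the agent contacts on port 9922
FIREWALL = "10.0.0.254"     # stands in for the Sophos XG LAN interface
UPSTREAM = "203.0.113.1"    # stands in for the gateway's own upstream next hop


def next_hop(routes, dest):
    """Return the next hop chosen by longest-prefix match, or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        # Keep the most specific (longest) prefix that contains the destination.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def caa_reaches_firewall(routes):
    """True when the gateway forwards traffic for the CAA target to the firewall."""
    return next_hop(routes, CAA_TARGET) == FIREWALL


# Gateway routing table before the fix: the connected LAN plus a default route.
before = [("10.0.0.0/24", "on-link"), ("0.0.0.0/0", UPSTREAM)]

# After the fix: a host route for the CAA target that points at the firewall.
after = before + [(CAA_TARGET + "/32", FIREWALL)]

if __name__ == "__main__":
    for label, table in (("before", before), ("after", after)):
        print(label, "next hop:", next_hop(table, CAA_TARGET),
              "| reaches firewall:", caa_reaches_firewall(table))
```

Without the host route the request follows the default route and bypasses the firewall; with it, the more specific /32 entry wins and the request is delivered to the firewall.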

Hope this article helps you.