Sophos UTM
Administration Guide
Product version: 9.500
Document date: Tuesday, May 09, 2017
The specifications and information in this document are subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. This document may not be copied or distributed by any means, in whole or in part, for any reason, without the express written permission of Sophos Limited. Translations of this original manual must be marked as follows: "Translation of the original manual".
© 2017 Sophos Limited. All rights reserved.
http://www.sophos.com
Sophos UTM, Sophos UTM Manager, Sophos Gateway Manager, Sophos iView Setup and WebAdmin are trademarks of Sophos Limited. Cisco is a registered trademark of Cisco Systems Inc. iOS is a trademark of Apple Inc. Linux is a trademark of Linus Torvalds. All further trademarks are the property of their respective owners.
Limited Warranty
No guarantee is given for the correctness of the information contained in this document.
Please send any comments or corrections to nsg-docu@sophos.com.
Contents
1 Installation
1.1 Recommended Reading
1.2 System Requirements
1.2.1 UPS Device Support
1.2.2 RAID Support
1.3 Installation Instructions
1.3.1 Key Functions During Installation
1.3.2 Special Options During Installation
1.3.3 Installing Sophos UTM
1.4 Basic Configuration
1.5 Backup Restoration
2 WebAdmin
2.1 WebAdmin Menu
2.2 Button Bar
2.3 Lists
2.4 Searching in Lists
2.5 Dialog Boxes
2.6 Buttons and Icons
2.7 Object Lists
3 Dashboard
3.1 Dashboard Settings
3.2 Flow Monitor
4 Management
4.1 System Settings
4.1.1 Organizational
4.1.2 Hostname
4.1.3 Time and Date
4.1.4 Shell Access
4.1.5 Scan Settings
4.1.6 Reset Configuration or Passwords
4.2 WebAdmin Settings
4.2.1 General
4.2.2 Access Control
4.2.2.1 User Rights
4.2.3 HTTPS Certificate
4.2.4 RESTful API
4.2.5 User Preferences
4.2.6 Advanced
4.3 Licensing
4.3.1 How to Obtain a License
4.3.2 Licensing Model
4.3.3 Overview
4.3.4 Installation
4.3.5 Active IP Addresses
4.4 Up2Date
4.4.1 Overview
4.4.2 Configuration
4.4.3 Advanced
4.5 Backup/Restore
4.5.1 Backup/Restore
4.5.2 Automatic Backups
4.6 User Portal
4.6.1 Global
4.6.2 Advanced
4.7 Notifications
4.7.1 Global
4.7.2 Notifications
4.7.3 Advanced
4.8 Customization
4.8.1 Global
4.8.2 Web Messages
4.8.2.1 Modifying a Web Message
4.8.2.2 Download Manager
4.8.3 Web Templates
4.8.3.1 Customizing Web Templates
4.8.3.2 Uploading Custom Web Templates and Images
4.8.4 Email Messages
4.9 SNMP
4.9.1 Query
4.9.2 Traps
4.10 Central Management
4.10.1 Sophos UTM Manager
4.11 Sophos Mobile Control
4.11.1 General
4.11.2 Compliance Overview
4.11.3 Network Access Control
4.11.4 Configuration Settings
4.12 High Availability
4.12.1 Hardware and Software Requirements
4.12.2 Status
4.12.3 System Status
4.12.4 Configuration
4.13 Shutdown and Restart
5 Definitions & Users
5.1 Network Definitions
5.1.1 Network Definitions
5.1.2 MAC Address Definitions
5.2 Service Definitions
5.3 Time Period Definitions
5.4 Users & Groups
5.4.1 Users
5.4.2 Groups
5.5 Client Authentication
5.5.1 Global
5.5.2 Client Authentication
5.5.3 Sophos Transparent Authentication Suite
5.6 AWS Profiles
5.7 Authentication Services
5.7.1 Global Settings
5.7.2 Servers
5.7.2.1 eDirectory
5.7.2.2 Active Directory
5.7.2.3 LDAP
5.7.2.4 RADIUS
5.7.2.5 TACACS+
5.7.3 Single Sign-On
5.7.4 One-time Password
5.7.5 Advanced
6 Interfaces & Routing
6.1 Interfaces
6.1.1 Interfaces
6.1.1.1 Automatic Interface Network Definitions
6.1.1.2 Interface Types
6.1.1.3 Group
6.1.1.4 3G/UMTS
6.1.1.5 Ethernet
6.1.1.6 Ethernet Bridge
6.1.1.7 Ethernet VLAN
6.1.1.8 DSL (PPPoE)
6.1.1.9 DSL (PPPoA/PPTP)
6.1.1.10 Modem (PPP)
6.1.2 Additional Addresses
6.1.3 Link Aggregation
6.1.4 Uplink Balancing
6.1.5 Multipath Rules
6.1.6 Hardware
6.2 Quality of Service (QoS)
6.2.1 Status
6.2.2 Traffic Selectors
6.2.3 Bandwidth Pools
6.2.4 Download Throttling
6.2.5 Advanced
6.3 Uplink Monitoring
6.3.1 Global
6.3.2 Actions
6.3.3 Advanced
6.4 IPv6
6.4.1 Global
6.4.2 Prefix Advertisements
6.4.3 Renumbering
6.4.4 6to4
6.4.5 Tunnel Broker
6.5 Static Routing
6.5.1 Standard Static Routes
6.5.2 Policy Routes
6.6 Dynamic Routing (OSPF)
6.6.1 Global
6.6.2 Area
6.6.3 Interfaces
6.6.4 Message Digests
6.6.5 Debug
6.6.6 Advanced
6.7 Border Gateway Protocol
6.7.1 Global
6.7.2 Systems
6.7.3 Neighbor
6.7.4 Route Map
6.7.5 Filter List
6.7.6 Advanced
6.8 Multicast Routing (PIM-SM)
6.8.1 Global
6.8.2 Interfaces
6.8.3 RP Routers
6.8.4 Routes
6.8.5 Advanced
7 Network Services
7.1 DNS
7.1.1 Global
7.1.2 Forwarders
7.1.3 Request Routing
7.1.4 Static Entries
7.1.5 DynDNS
7.2 DHCP
7.2.1 Servers
7.2.2 Relay
7.2.3 DHCPv6 Relay
7.2.4 Static Mappings
7.2.5 IPv4 Lease Table
7.2.6 IPv6 Lease Table
7.2.7 Options
7.3 NTP
8 Network Protection
8.1 Firewall
8.1.1 Rules
8.1.2 Country Blocking
8.1.3 Country Blocking Exceptions
8.1.4 ICMP
8.1.5 Advanced
8.2 NAT
8.2.1 Masquerading
8.2.2 NAT
8.3 Intrusion Prevention
8.3.1 Global
8.3.2 Attack Patterns
8.3.3 Anti-DoS/Flooding
8.3.4 Anti-Portscan
8.3.5 Exceptions
8.3.6 Advanced
8.4 Server Load Balancing
8.4.1 Balancing Rules
9 VoIP
9.1 SIP
9.2 H.323
10 Advanced
10.1 Generic Proxy
10.2 SOCKS Proxy
10.3 IDENT Reverse Proxy
11 Web Protection
11.1 Web Filtering
11.1.1 Web Filtering Changes
11.1.1.1 Some Key Differences
11.1.1.2 Common Tasks
11.1.1.3 Migration
11.1.2 Global
11.1.3 HTTPS
11.1.4 Policies
11.1.4.1 Filter Action Wizard
11.1.4.2 Categories
11.1.4.3 Websites
11.1.4.4 Downloads
11.1.4.5 Antivirus
11.1.4.6 Additional Options
11.2 Web Filter Profiles
11.2.1 Filter Profiles
11.2.2 Filter Actions
11.2.3 Parent Proxies
11.3 Filtering Options
11.3.1 Exceptions
11.3.2 Websites
11.3.3 Bypass Users
11.3.4 Potentially Unwanted Applications
11.3.5 Categories
11.3.6 HTTPS CAs
11.3.7 Misc
11.4 Policy Helpdesk
11.4.1 Policy Test
11.4.2 Quota Status
11.5 Application Control
11.5.1 Network Visibility
11.5.2 Application Control Rules
11.5.3 Advanced
11.6 FTP
11.6.1 Global
11.6.2 Antivirus
11.6.3 Exceptions
11.6.4 Advanced
12 Email Protection
12.1 SMTP
12.1.1 Global
12.1.2 Routing
12.1.3 Malware
12.1.4 Antispam
12.1.5 Data Protection
12.1.6 Exceptions
12.1.7 Relaying
12.1.8 Advanced
12.2 SMTP Profiles
12.3 POP3
12.3.1 Global
12.3.2 Malware
12.3.3 Antispam
12.3.4 Exceptions
12.3.5 Advanced
12.4 Encryption
12.4.1 Global
12.4.2 Options
12.4.3 Internal Users
12.4.4 S/MIME Authorities
12.4.5 S/MIME Certificates
12.4.6 OpenPGP Public Keys
12.5 SPX Encryption
12.5.1 SPX Configuration
12.5.2 SPX Templates
12.5.2.1 Variables for SPX Templates
12.5.3 Sophos Outlook Add-in
12.6 Quarantine Report
12.6.1 Global
12.6.2 Exceptions
12.6.3 Advanced
12.7 Mail Manager
12.7.1 Mail Manager Window
12.7.1.1 SMTP/POP3 Quarantine
12.7.1.2 SMTP Spool
12.7.1.3 SMTP Log
12.7.1.4 SMTP Corrupt
12.7.2 Global
12.7.3 Configuration
13 Advanced Protection
13.1 Sophos Sandstorm
13.2 Advanced Threat Protection
13.3 Sophos Sandstorm
13.3.1 Overview
13.3.2 Sandbox Activity
13.3.3 Configuration
13.3.3.1 Sandstorm Data Center Location
13.3.3.2 Sandstorm File Type Exclusions
13.4 Advanced Threat Protection
13.4.1 Global
14 Endpoint Protection
14.1 Computer Management
14.1.1 Global
14.1.2 Deploy Agent
14.1.3 Manage Computers
14.1.4 Manage Groups
14.1.5 Advanced
14.2 Antivirus
14.2.1 Policies
14.2.2 Exceptions
14.3 Device Control
14.3.1 Policies
14.3.2 Exceptions
14.4 Endpoint Web Control
14.4.1 Global
14.4.2 Advanced
14.4.3 Features not Supported
15 Wireless Protection
15.1 Global Settings
15.1.1 Global Settings
15.1.2 Advanced
15.2 Wireless Networks
15.3 Access Points
15.3.1 Overview
15.3.2 Grouping
15.3.3 RED 15w
15.4 Mesh Networks
15.5 Wireless Clients
15.6 Hotspots
15.6.1 Global
15.6.2 Hotspots
15.6.3 Voucher Definitions
15.6.4 Advanced
16 Webserver Protection
16.1 Web Application Firewall
16.1.1 Virtual Webservers
16.1.2 Real Webservers
16.1.3 Site Path Routing
16.1.4 Request Redirection
16.1.5 Advanced
16.1.5.1 SlowHTTP Protection
16.2 Firewall Profiles
16.2.1 Firewall Profiles
16.2.2 Exceptions
16.3 Reverse Authentication
16.3.1 Profiles
16.3.2 Form Templates
16.4 Certificate Management
16.4.1 Certificates
16.4.2 Certificate Authority
16.4.3 Revocation Lists (CRLs)
16.4.4 Advanced
17 RED Management
17.1 Overview
17.2 Global Settings
17.3 Client Management
17.4 Deployment Helper
17.5 Tunnel Management
17.6 RED 15w
17.6.0.1 Standard / Unified
17.6.0.2 Standard / Split
17.6.0.3 Transparent / Split
17.7 RED 50 Uplink Balancing
18 Site-to-site VPN
18.1 Amazon VPC
18.1.1 Status
18.1.2 Setup
18.2 IPsec
18.2.1 Connections
18.2.2 Remote Gateways
18.2.3 Policies
18.2.4 Local RSA Key
18.2.5 Advanced
18.2.6 Debug
18.3 SSL
18.3.1 Connections
18.3.2 Settings
18.3.3 Advanced
18.4 Certificate Management
18.4.1 Certificates
18.4.2 Certificate Authority
18.4.3 Revocation Lists (CRLs)
18.4.4 Advanced
19 Remote Access
19.1 SSL
19.1.1 Profiles
19.1.2 Settings
19.1.3 Advanced
19.2 PPTP
19.2.1 Global
19.2.2 iOS Devices
19.2.3 Advanced
19.3 L2TP over IPsec
19.3.1 Global
19.3.2 iOS Devices
19.3.3 Debug
19.4 IPsec
19.4.1 Connections
19.4.2 Policies
19.4.3 Advanced
19.4.4 Debug
19.5 HTML5 VPN Portal
19.5.1 Global
19.6 Cisco VPN Client
19.6.1 Global
19.6.2 iOS Devices
19.6.3 Debug
19.7 Advanced
19.8 Certificate Management
19.8.1 Certificates
19.8.2 Certificate Authority
19.8.3 Revocation Lists (CRLs)
19.8.4 Advanced
20 Logging & Reporting
20.1 View Log Files
20.1.1 Today's Log Files
20.1.2 Archived Log Files
20.1.3 Search Log Files
20.2 Hardware
20.2.1 Daily
20.2.2 Weekly
20.2.3 Monthly
20.2.4 Yearly
20.3 Network Usage
20.3.1 Daily
20.3.2 Weekly
20.3.3 Monthly
20.3.4 Yearly
20.3.5 Bandwidth Usage
20.4 Network Protection
20.4.1 Daily
20.4.2 Weekly
20.4.3 Monthly
20.4.4 Yearly
20.4.5 Firewall
20.4.6 Advanced Threat Protection
20.4.7 IPS
20.5 Web Protection
20.5.1 Web Usage Report
20.5.2 Search Engine Report
20.5.3 Departments
20.5.4 Scheduled Reports
20.5.5 Application Control
20.5.6 Deanonymization
20.6 Email Protection
20.6.1 Usage Graphs
20.6.2 Mail Usage
20.6.3 Blocked Mail
20.6.4 Deanonymization
20.7 Wireless Protection
20.7.1 Daily
20.7.2 Weekly
20.7.3 Monthly
20.7.4 Yearly
20.8 Remote Access
20.8.1 Activity
20.8.2 Session
20.9 Webserver Protection
20.9.1 Usage Graphs
20.9.2 Details
20.10 Executive Report
20.10.1 View Report
20.10.2 Archived Executive Reports
20.10.3 Configuration
20.11 Log Settings
20.11.1 Local Logging
20.11.2 Remote Syslog Server
20.11.3 Remote Log File Archives
20.11.4 CloudWatch
20.11.4.1 AWS Profile Settings
20.12 Reporting Settings
20.12.1 Settings
20.12.2 Exceptions
20.12.3 Anonymizing
21 Support
21.1 Documentation
21.2 Printable Configuration
21.3 Contact Support
21.4 Support Access
21.4.1 Access Status
21.4.2 Live Log
21.5 Tools
21.5.1 Ping Check
21.5.2 Traceroute
21.5.3 DNS Lookup
21.6 Advanced
21.6.1 Process List
21.6.2 LAN Connections
21.6.3 Routes Table
21.6.4 Interfaces Table
21.6.5 Config Dump
21.6.6 Resolve REF
22 Log Off
23 User Portal
23.1 User Portal: Mail Quarantine
23.2 User Portal: Mail Log
23.3 User Portal: POP3 Accounts
23.4 User Portal: Sender Whitelist
23.5 User Portal: Sender Blacklist
23.6 User Portal: Hotspots
23.7 User Portal: Client Authentication
23.8 User Portal: OTP Tokens
23.9 User Portal: Remote Access
23.10 User Portal: HTML5 VPN Portal
23.11 User Portal: Change Password
23.12 User Portal: HTTPS Proxy
Appendix - Allocated Ports
1 Installation
This section provides information on installing and setting up Sophos UTM on your network. The installation of Sophos UTM proceeds in two steps: first, installing the software; second, configuring basic system settings. The initial setup required for installing the software is performed through a console-based installation menu. The internal configuration can be performed from your management workstation through the web-based administrative interface of Sophos UTM called WebAdmin. Before you start the installation, check if your hardware meets the minimum system requirements.
Note – If you are employing a Sophos UTM hardware appliance, you can skip the following sections and directly jump to the Basic Configuration section, as all Sophos UTM hardware appliances ship with UTM Software preinstalled.
The following topics are included in this chapter:
• Recommended Reading
• System Requirements
• Installation Instructions
• Basic Configuration
• Backup Restoration
1.1 Recommended Reading
Before you begin the installation, you are advised to read the following documents that help you set up Sophos UTM, all of which are enclosed within the package of your Sophos UTM hardware appliance unit and which are also available at the Sophos UTM Resource Center:
• Quick Start Guides Hardware
• Operating Instructions
1.2 System Requirements
The minimum hardware requirements for installing and using UTM are as follows:
• Processor: Intel Atom Dual Core with 1.46 GHz (or compatible)
• Memory: 2 GB RAM
• HDD: 40 GB SATA hard disk drive or SSD
• CD-ROM Drive: Bootable IDE or SCSI CD-ROM drive
• NIC: Two or more PCIe 2.0 Ethernet network interface cards
• NIC (optional): One heart-beat capable PCI Ethernet network interface card. In a high-availability system, the primary and secondary system communicate with one another through so-called heart-beat requests. If you want to set up a high-availability system, both units need to be equipped with heart-beat capable network interface cards.
• USB (optional): One USB port for communications with a UPS device and one USB port for connecting a Sophos UTM Smart Installer (SUSI)
• Switch (optional): A network device that connects (and selects between) network segments. Note that this switch must have jumbo frame support enabled.
Sophos provides a list of hardware devices compatible with UTM Software. The Hardware Compatibility List (HCL) is available at the Sophos Knowledgebase. To make the installation and operation of UTM Software less error-prone, you are advised to only use hardware that is listed in the HCL. The hardware and software requirements for the client PC used to access WebAdmin are as follows:
• Processor: Clock signal frequency 2 GHz or higher
• Browser: The UTM requires the latest version of Firefox (recommended), latest version of Chrome, latest version of Safari, or last two versions of Microsoft Internet Explorer. JavaScript must be enabled. In addition, the browser must be configured not to use a proxy for the IP address of the UTM’s internal network card (eth0).
1.2.1 UPS Device Support
Uninterruptible Power Supply (UPS) devices maintain a continuous supply of electric
power to connected equipment by supplying power from a separate source when utility
power is not available. Sophos UTM supports UPS devices of the manufacturers MGE
UPS Systems and APC. The communication between the UPS device and Sophos UTM
is made via the USB interface.
As soon as the UPS device runs in battery operation, a notification is sent to the administrator. If the power failure persists for a longer period and the voltage of the UPS device approximates a critical value, another message will be sent to the administrator—Sophos UTM will be shut down automatically.
Note – Please read the operation manual of the UPS device to connect the devices to
Sophos UTM. UTM will recognize the UPS device when booting via the USB interface.
Only boot Sophos UTM when you have connected the USB interfaces to each other.
1.2.2 RAID Support
A RAID (Redundant Array of Independent Disks) is a data storage scheme using multiple hard drives to share or replicate data among the drives. To ensure that the RAID system is detected and properly displayed on the Dashboard, you need to use a RAID controller that is supported by Sophos UTM. Check the HCL to figure out which RAID controllers are supported. The HCL is available at the Sophos Knowledgebase. Use "HCL" as search term to locate the corresponding page.
1.3 Installation Instructions
What follows is a step-by-step guide of the installation process of Sophos UTM Software.
Before you begin the installation, please make sure you have the following items available:
• The Sophos UTM CD-ROM
• The license key for Sophos UTM
The setup program will check the hardware of the system, and then install the software on your PC.
1.3.1 Key Functions During Installation
In order to navigate through the menus, use the following keys (please also note the additional key functions listed at the bottom of a screen):
• F1: Displays the context-sensitive help screen.
• Cursor keys: Use these keys to navigate through the text boxes (for example, the license agreement or when selecting a keyboard layout).
• Tab key: Move back and forth between text boxes, lists, and buttons.
• Enter key: The entered information is confirmed, and the installation proceeds to the next step.
• Space key: Select or unselect options marked with an asterisk.
• Alt-F2: Switch to the installation console.
• Alt-F4: Switch to the log.
• Alt-F1: Switch to the interactive bash shell.
• Alt-F1: Return to the main installation screen.
1.3.2 Special Options During Installation
Some screens offer additional options:
View Log: Opens the installation log.
Support: Opens the support dialog screen.
To USB Stick: Writes the installation log as zip file to a USB stick. Remember to insert
a USB stick before confirming this option. The zip file can be used to solve installation
problems, e.g. by the Sophos UTM Support Team.
Back: Returns to the previous screen.
Cancel: Opens a confirmation dialog window to abort the installation.
Help: Opens the context-sensitive help screen.
1.3.3 Installing Sophos UTM
1. Boot your PC from CD-ROM drive or mount the downloaded ISO on a virtual drive.
The installation start screen is displayed.
Note – You can always press F1 to access the help menu. Pressing F3 in the
start screen opens a troubleshooting screen.
2. Press Enter.
The Introduction screen is displayed.
3. Select Start Installation.
The Hardware Detection screen is displayed.
The software will check the following hardware components:
• CPU
• Size and type of hard disk drive
• CD-ROM drive
• Network interface cards
• IDE or SCSI controllers
If your system does not meet the minimum requirements, the installation will
report the error and abort.
As soon as the hardware detection is completed, the Detected Hardware screen
is displayed for information purposes.
4. Press Enter.
The Select Keyboard screen is displayed.
5. Select your keyboard layout.
Use the Cursor keys to select your keyboard layout, e.g. English (UK), and press
Enter to continue.
The Select Timezone screen is displayed.
6. Select your area.
Use the Cursor keys to select your area, e.g. Europe, and press Enter to continue.
7. Select your time zone.
Use the Cursor keys to select your time zone, e.g. London, and press Enter to continue.
The Date and Time screen is displayed.
8. Set date and time.
If date and time are not correct, you can change them here. Use the Tab key and
the Cursor keys to switch between text boxes. You can unselect the Host clock is
UTC option by pressing the Space key. Invalid entries will be rejected. Confirm
your settings with the Enter key.
The Select Admin Interface screen is displayed.
9. Select an internal network card.
In order to use the WebAdmin tool to configure the rest of Sophos UTM, select a
network interface card to be the internal network card (eth0). Choose one of the
available network cards from the list and confirm your selection with the Enter
key.
Note – Interfaces having an active connection are marked with [link].
The Network Configuration screen is displayed.
10. Configure the administrative network interface.
Define the IP address, network mask, and gateway of the internal interface which
is going to be the administrative network interface. The default values are:
Address: 192.168.2.100
Netmask: 255.255.255.0
Gateway: none
You need to change the gateway value only if you wish to use the WebAdmin interface from a workstation outside the subnet defined by the netmask. Note that the gateway itself must be within the subnet.[1]
Confirm your settings with the Enter key.
If your CPU supports 64 bit, the 64 Bit Kernel Support screen is displayed. Otherwise the installation continues with the Enterprise Toolkit screen.
11. Install the 64-bit kernel.
Select Yes to install the 64-bit kernel or No to install the 32-bit kernel.
The Enterprise Toolkit screen is displayed.
12. Accept installation of the Enterprise Toolkit.
The Enterprise Toolkit comprises the Sophos UTM Software. You can decide to install Open Source software only. However, we advise you to also install the Enterprise Toolkit to be able to use the full functionality of Sophos UTM.
Press Enter to install both software packages or select No to install the Open
Source software only.
The Installation: Partitioning screen is displayed.
13. Confirm the warning message to start the installation.
Please read the warning carefully. After confirming, all existing data on the PC
will be destroyed.
If you want to cancel the installation and reboot instead, select No.
Caution – The installation process will delete all data on the hard disk drive.
The software installation process can take up to a couple of minutes.
The Installation Finished screen is displayed.
[1] For example, if you are using a network mask of 255.255.255.0, the subnet is defined by the first three octets of the address: in this case, 192.168.2. If your administration computer has the IP address 192.168.10.5, it is not on the same subnet, and thus requires a gateway. The gateway router must have an interface on the 192.168.2 subnet and must be able to contact the administration computer. In our example, assume the gateway has the IP address 192.168.2.1.
14. Remove the CD-ROM, connect to the internal network, and reboot the system.
When the installation process is complete, remove the CD-ROM from the drive
and connect the eth0 network card to the internal network. Except for the internal
network card (eth0), the sequence of network cards normally will be determined
by PCI ID and by the kernel drivers. The sequence of network card names may
also change if the hardware configuration is changed, especially if network cards
are removed or added.
Then press Enter in the installation screen to reboot UTM. During the boot process, the IP addresses of the internal network cards are changed. The installation routine console (Alt+F1) may display the message "No IP on eth0" during this time.
After Sophos UTM has rebooted (a process which, depending on your hardware, can take several minutes), ping the IP address of the eth0 interface to ensure it is reachable. If no connection is possible, please check if one of the following problems is present:
• The IP address of Sophos UTM is incorrect.
• The IP address of the administrative computer is incorrect.
• The default gateway on the client is incorrect.
• The network cable is connected to the wrong network card.
• All network cards are connected to the same hub.
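The address, netmask and gateway rule from step 10 and its footnote, together with the first three items of the checklist above, can be verified before the reboot. The following script is an added example and not part of the Sophos guide: it checks that the gateway lies inside the eth0 subnet, that a management workstation outside that subnet has a gateway to reach WebAdmin, and builds the WebAdmin URL on port 4444. The sample addresses are the guide's own (192.168.2.100, 255.255.255.0, 192.168.10.5, 192.168.2.1); the workstation address 192.168.2.50 is constructed for the example.

```python
"""Pre-flight check for the Sophos UTM administrative interface (eth0) settings.

Added example, not from the Sophos guide. It applies the rule stated in the
guide's footnote: the gateway must be within the eth0 subnet, and a management
workstation outside that subnet requires a gateway to reach WebAdmin.
"""
import ipaddress

WEBADMIN_PORT = 4444  # WebAdmin is reached over HTTPS on port 4444 (per the guide)


def check_admin_interface(utm_ip, netmask, gateway, workstation_ip):
    """Validate the step-10 settings against a management workstation address.

    Returns (ok, findings, webadmin_url). ok is True when the workstation can
    reach WebAdmin with these settings; findings lists the problems found,
    worded like the guide's post-reboot troubleshooting checklist.
    """
    findings = []
    try:
        utm = ipaddress.IPv4Address(utm_ip)
        subnet = ipaddress.IPv4Network(f"{utm_ip}/{netmask}", strict=False)
        workstation = ipaddress.IPv4Address(workstation_ip)
    except ValueError as exc:
        return False, [f"invalid address or netmask: {exc}"], None

    # eth0 needs a usable host address, not the network or broadcast address.
    if utm in (subnet.network_address, subnet.broadcast_address):
        findings.append("The IP address of Sophos UTM is incorrect (network or broadcast address).")

    gw = None
    if gateway not in (None, "", "none"):
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            findings.append("The gateway address is not a valid IPv4 address.")
        else:
            # Footnote rule: the gateway itself must be within the eth0 subnet.
            if gw not in subnet:
                findings.append("The gateway is not within the subnet defined by the netmask.")
            elif gw == utm:
                findings.append("The gateway must not be the UTM's own eth0 address.")

    if workstation in subnet:
        # Same subnet: WebAdmin is reached directly, no gateway needed.
        if workstation == utm:
            findings.append("The IP address of the administrative computer is incorrect (same as the UTM).")
    elif gw is None:
        # Workstation outside the eth0 subnet: the UTM needs a gateway to answer it.
        findings.append("The administrative computer is outside the eth0 subnet, but no gateway is set.")

    url = f"https://{utm}:{WEBADMIN_PORT}"
    return not findings, findings, url


if __name__ == "__main__":
    cases = [
        # Installation defaults from step 10, workstation on the same subnet (constructed address).
        ("192.168.2.100", "255.255.255.0", "none", "192.168.2.50"),
        # Footnote example: a workstation at 192.168.10.5 needs a gateway, first without, then with it.
        ("192.168.2.100", "255.255.255.0", "none", "192.168.10.5"),
        ("192.168.2.100", "255.255.255.0", "192.168.2.1", "192.168.10.5"),
        # A gateway outside the eth0 subnet violates the footnote rule.
        ("192.168.2.100", "255.255.255.0", "192.168.10.1", "192.168.10.5"),
    ]
    for utm_ip, mask, gw, ws in cases:
        ok, findings, url = check_admin_interface(utm_ip, mask, gw, ws)
        print(f"UTM {utm_ip}/{mask}, gateway {gw}, workstation {ws}: {'OK' if ok else 'PROBLEM'} ({url})")
        for finding in findings:
            print("  -", finding)
```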
1.4 Basic Configuration
The second step of the installation is performed through WebAdmin, the web-based administrative interface of Sophos UTM. Prior to configuring basic system settings, you should have a plan for how to integrate Sophos UTM into your network. You must decide which functions you want it to provide, for example, whether you want to operate it in bridge mode or in standard (routing) mode, or how you want it to control the data packets flowing between its interfaces. However, you can always reconfigure Sophos UTM at a later time. So if you have not yet planned how to integrate Sophos UTM into your network, you can begin with the basic configuration right away.
1. Start your browser and open WebAdmin.
Browse to the URL of Sophos UTM (i.e., the IP address of eth0). In order to stay consistent with our configuration example above, this would be https://192.168.2.100:4444 (note the HTTPS protocol and port number 4444).
Deviating from the configuration example, each Sophos UTM ships with the following default settings:
• Interfaces: Internal network interface (eth0)
• IP address: 192.168.0.1
• Network mask: 255.255.255.0
• Default gateway: none
To access WebAdmin of any Sophos UTM, enter the following URL instead:
https://192.168.0.1:4444
To provide authentication and encrypted communication, Sophos UTM comes
with a self-signed security certificate. This certificate is offered to the web
browser when an HTTPS-based connection to WebAdmin is established. If unable
to check the certificate's validity, the browser will display a security warning.
Once you have accepted the certificate, the initial login page is displayed.
Figure 1 WebAdmin: Initial Login Page
2. Fill out the Basic System Setup form.
Enter accurate information of your company in the text boxes presented here. In
addition, specify a password and valid email address for the administrator
account.
If you run an Amazon Machine Image (AMI) of Sophos UTM, you will see an additional text field AWS Instance ID. Enter that ID to prove that you are the owner of that Amazon instance.
If you accept the license agreement, click the Perform Basic System Setup button to continue logging in. While performing the basic system setup, a number of certificates and certificate authorities are being created:
• WebAdmin CA: The CA with which the WebAdmin certificate was signed (see Management > WebAdmin Settings > HTTPS Certificate).
• VPN Signing CA: The CA with which digital certificates are signed that are used for VPN connections (see Site-to-site VPN > Certificate Management > Certificate Authority).
• WebAdmin Certificate: The digital certificate of WebAdmin (see Site-to-site VPN > Certificate Management > Certificates).
• Local X.509 Certificate: The digital certificate of Sophos UTM that is used for VPN connections (see Site-to-Site VPN > Certificate Management > Certificates).
The login page appears. (With some browsers it may, however, happen that you
are presented another security warning because the certificate has changed
according to your entered values.)
Figure 2 WebAdmin: Regular Login Page
3. Log into WebAdmin.
Type admin in the Username field and enter the password you have specified on
the previous screen.
A configuration wizard is presented to you which will guide you through the initial
configuration process.
Continue: If you want to use the wizard, select this option and then click Next. Follow the steps to configure the basic settings of Sophos UTM.
Restore a backup: If you have a backup file, you can decide to restore this backup
file instead. Select this option and then click Next. How to continue is described
in section Backup Restoration.
Alternatively, you can safely click Cancel (at any time during the wizard’s steps) and thereby exit the wizard, for example if you want to configure Sophos UTM directly in WebAdmin. You can also click Finish at any time to save the settings made so far and exit the wizard.
4. Install your license.
Click the Folder icon to upload your purchased license (a text file). Click Next to
install the license. In case you did not purchase a license, click Next to use the
built-in 30-day trial license with all features enabled that is shipped with Sophos
UTM.
Note – If the selected license does not contain a certain subscription, the
respective page will be disabled during the further procedure.
5. Configure the internal network interface.
Check the presented settings for the internal network interface (eth0). The settings for this interface are based on the information you provided during the installation of the software. Additionally, you can set Sophos UTM to act as DHCP server on the internal interface by selecting the checkbox.
Note – If you change the IP address of the internal interface, you must connect
to WebAdmin again using the new IP address after finishing the wizard.
6. Select the uplink type for the external interface.
Select the connection type of your uplink/Internet connection the external network card is going to use. The type of interface and its configuration depend on what kind of connection to the Internet you are going to use. Click Next.
In case Sophos UTM has no uplink or you do not want to configure it right now,
select the Setup Internet connection later checkbox. If you configure an Internet
uplink, IP masquerading will automatically be configured for connections from
the internal network to the Internet.
If you select Standard Ethernet interface with static IP address, specifying a
Default gateway is optional. If you leave the text box blank, your default gateway
setting of the installation routine will persist. You can skip each of the following
steps by clicking Next. You can make and change those skipped settings later in
WebAdmin.
Note – If your license does not allow one of the following features, the concerning feature will not be displayed.
7. Make your basic firewall settings.
You can now select what types of services you want to allow on the Internet.
Click Next to confirm your settings.
8. Make your advanced threat protection settings.
You can now make settings regarding intrusion prevention and command & control/botnet detection for several operating systems and databases. Click Next to confirm your settings.
9. Make your web protection settings.
You can now select whether the web traffic should be scanned for viruses and
spyware. Additionally, you can select to block webpages that belong to certain
categories. Click Next to confirm your settings.
10. Make your email protection settings.
You can now select the first checkbox to enable the POP3 proxy. You can also
select the second checkbox to enable UTM as inbound SMTP relay: Enter the IP
address of your internal mail server and add SMTP domains to route. Click Next to
confirm your settings.
11. Make your wireless protection settings.
You can now select the checkbox to enable wireless protection. In the box, select or add the interfaces that are allowed to connect your wireless access points to your system. Click the Folder icon to add an interface or click the Plus icon to create a new interface. Enter the other wireless network parameters. Click Next to confirm your settings.
12. Make your advanced threat adaptive learning settings.
You can now select if you want to send anonymous data to the Sophos research
team. This data is used to improve future versions and to improve and enlarge
the network visibility and application control library.
13. Confirm your settings.
A summary of your settings is displayed. Click Finish to confirm them or Back to
change them. However, you can also change them in WebAdmin later.
After clicking Finish your settings are saved and you are redirected to the Dashboard of WebAdmin, providing you with the most important system status information of the Sophos UTM unit.
Figure 3 WebAdmin: Dashboard
If you encounter any problems while completing these steps, please contact the support department of your Sophos UTM supplier. For more information, visit the following websites:
• Sophos UTM Support Forum
• Sophos Knowledgebase
1.5 Backup Restoration
The WebAdmin configuration wizard (see section Basic Configuration) allows you to
restore an existing backup file instead of going through the basic configuration process.
Do the following:
1. Select Restore existing backup file in the configuration wizard.
Select Restore existing backup file in the configuration wizard and click Next.
You are directed to the upload page.
2. Upload the backup.
Click the Folder icon, select the backup file you want to restore, and click Start
Upload.
3. Restore the backup.
Click Finish to restore the backup.
Important Note – You will not be able to use the configuration wizard afterwards.
As soon as the backup has been restored successfully you will be redirected to the
login page.
2 WebAdmin
WebAdmin is the web-based administrative interface that allows you to configure every aspect of Sophos UTM. WebAdmin consists of a menu and pages, many of which have multiple tabs. The menu on the left of the screen organizes the features of Sophos UTM in a logical manner. When you select a menu item, such as Network Protection, it expands to reveal a submenu and the associated page opens. Note that some menu items have no associated page. In that case, the page of the previously selected menu or submenu item remains displayed; you have to select one of the submenu items, which opens the associated page at its first tab.
On the first start of WebAdmin, the Setup Wizard appears once. Follow the instructions to set up the most important settings.
The procedures in this documentation direct you to a page by specifying the menu
item, submenu item, and the tab, for example: "On the Interfaces & Routing > Interfaces
> Hardware tab, configure ..."
Note – The UTM requires the latest version of Firefox (recommended), latest version
of Chrome, latest version of Safari, or last two versions of Microsoft Internet Explorer.
JavaScript must be enabled. In addition, the browser must be configured not to use a
proxy for the IP address of the UTM’s internal network card (eth0).
Figure 4 WebAdmin: Overview
2.1 WebAdmin Menu
The WebAdmin menu provides access to all configuration options of Sophos UTM, that is, there is no need for using a command line interface to configure specific parameters.
• Dashboard: The Dashboard graphically displays a snapshot of the current operating status of the Sophos UTM unit.
• Management: Configure basic system and WebAdmin settings as well as all settings that concern the configuration of the Sophos UTM unit.
• Definitions & Users: Configure network, service, and time period definitions as well as user accounts, user groups, and external authentication services for use with the Sophos UTM unit.
• Interfaces & Routing: Configure system facilities such as network interfaces as well as routing options, among other things.
• Network Services: Configure network services such as DNS and DHCP, among other things.
• Network Protection: Configure basic network protection features such as firewall rules, voice over IP, or intrusion prevention settings.
• Web Protection: Configure the Web Filter and application control of Sophos UTM unit as well as the FTP proxy.
• Email Protection: Configure the SMTP and POP3 proxies of the Sophos UTM unit as well as email encryption.
• Endpoint Protection: Configure and manage the protection of endpoint devices in your network.
• Wireless Protection: Configure wireless access points for the gateway.
• Webserver Protection: Protect your webservers from attacks like cross-site scripting and SQL injection.
• RED Management: Configure your remote Ethernet device (RED) appliances.
• Site-to-site VPN: Configure site-to-site Virtual Private Networks.
• Remote Access: Configure remote access VPN connections to the Sophos UTM unit.
• Logging & Reporting: View log messages and statistics about the utilization of the Sophos UTM unit and configure settings for logging and reporting.
• Support: Access to the support tools available at the Sophos UTM unit.
• Log Off: Log out of the user interface.
Searching the Menu
Above the menu a search box is located. It lets you search the menu for keywords in order to easily find menus concerning a certain subject. The search function matches the name of menus but additionally allows for hidden indexed aliases and keywords. As soon as you start typing into the search box, the menu automatically reduces to relevant menu entries only. You can leave the search box at any time and click the menu entry you were looking for. The reduced menu stays intact, displaying the search results, until you click the reset button next to it.
Tip – You can set focus on the search box via the keyboard shortcut CTRL+Y.
2.2 Button Bar
The buttons in the upper right corner of WebAdmin provide access to the following features:
• Username/IP: Shows the currently logged in user and the IP address from which WebAdmin is accessed. If other users are currently logged in, their data will be shown, too.
• Open Live Log: Clicking this button opens the live log that is associated with the WebAdmin menu or tab you are currently on. To see a different live log without having to change the menu or tab, hover over the Live Log button. After some seconds a list of all available live logs opens where you can select a live log to display. Your selection is memorized as long as you stay on the same WebAdmin menu or tab.
Tip – You can also open live logs via the Open Live Log buttons provided on multiple WebAdmin pages.
• Online Help: Every menu, submenu, and tab has an online help screen that provides context-sensitive information and procedures related to the controls of the current WebAdmin page.
Note – The online help is version-based and updated by means of patterns. If you update to a new firmware version, your online help will also be updated, if available.
• Reload: To request the already displayed WebAdmin page again, always click the Reload button.
Note – Never use the reload button of the browser, because otherwise you will be logged out of WebAdmin.
2.3 Lists
Many pages in WebAdmin consist of lists. The buttons on the left of each list item
enable you to edit, delete, or clone the item (for more information, see chapter Buttons
and Icons). To add an item to the list, click the New … button, where "…" is a placeholder
for the object being created (e.g., interface). This opens a dialog box where you can
define the properties of the new object.
Figure 5 WebAdmin: Example of a List
With the first drop-down list on the top you can filter all items according to their type
or group. The second field on the top lets you search for items specifically. Enter a
search string and click Find.
Lists with more than ten items are split into several chunks, which can be browsed
with Forward (>>) and Backward (<<) buttons. With the Display drop-down list, you can
temporarily change the number of items per page. Additionally, you can change the
default setting for all lists on the Management > WebAdmin Settings > User Preferences
tab.
The header of a list provides some functionality. Selecting an item from the Sort by
dropdown sorts the list for that item, e.g. selecting Name asc sorts the list ascending
by object names. The Action field in the header contains some batch options you can
carry out on previously selected list objects. To select objects, select their checkbox.
Note that the selection stays valid across multiple pages, that is, while browsing
between pages of a list already selected objects stay selected.
Tip – Clicking on the Info icon will show all configuration options in which the object
is used.
2.4 Searching in Lists
A filter field helps you to quickly reduce the number of items displayed in a list. This
makes it much easier to find the object(s) you were looking for.
Important Facts
• A search in a list typically scans several fields for the search expression. A search in Users & Groups for example considers the username, the real name, the comment, and the first email address. Generally speaking, the search considers all texts which you can see in the list, excluding details displayed via the Info icon.
• The list search is case-insensitive. That means it makes no difference whether you enter upper- or lower-case letters. The search result will contain matches both with upper-case and lower-case letters. Searching explicitly for upper-case or lower-case letters is not possible.
• The list search is based on Perl regular expression syntax (although case-insensitive). Typical search expressions known from e.g. text editors like * and ? as simple wildcard characters or the AND and OR operators do not work in list search.
Examples
The following list is a small selection of useful search strings:
Simple string: Matches all words that contain the given string. For example, "inter"
matches "Internet", "interface", and "printer".
Beginning of a word: Mark the search expression with a \b at the beginning. For
example, \binter matches "Internet" and "interface" but not "printer".
End of a word: Mark the search expression with a \b at the end. For example, http\b
matches "http" but not "https".
Beginning of an entry: Mark the search expression with a ^ at the beginning. For
example, ^inter matches "Internet Uplink" but not "Uplink Interfaces".
IP addresses: Searching for IP addresses, you need to escape dots with a backslash.
For example, 192\.168 matches "192.168". To search more generally for IP addresses
use \d which matches any digit. \d+ matches multiple digits in a row. For example,
\d+\.\d+\.\d+\.\d+ matches any IPv4 address.
Note – It is better to use a simple, fail-safe search expression that yields more matches than to craft a supposedly perfect one, which can easily lead to unexpected results and wrong conclusions.
You can find a detailed description of regular expressions and their usage in Sophos
UTM in the Sophos Knowledgebase.
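The search behaviour described in this section, as an added example that is not part of the original guide and not Sophos code: a small Python model of a case-insensitive, multi-field regular-expression list search, run over the search strings listed above. It assumes Python's re module as a stand-in for the Perl regular-expression engine the guide refers to (the two agree on \b, ^, \d and escaped dots), and the list entries are constructed sample data, not values from the guide. It also shows two of the pitfalls the section warns about: an unescaped dot in "192.168" matching a tag that is not an IP address, and a bare * typed as a wildcard being rejected as invalid syntax.

```python
import re

# Constructed sample list entries (not data from the guide). Each entry has
# several text fields, mirroring the guide's statement that a list search
# scans every text visible in the list (e.g. username, real name, comment).
SAMPLE_OBJECTS = [
    {"name": "Internet Uplink",   "comment": "external interface",    "address": "203.0.113.10"},
    {"name": "Uplink Interfaces", "comment": "group of uplinks",      "address": ""},
    {"name": "printer-net",       "comment": "LAN printers",          "address": "192.168.10.0"},
    {"name": "http",              "comment": "plain web traffic",     "address": ""},
    {"name": "https",             "comment": "TLS web traffic",       "address": ""},
    {"name": "jdoe",              "comment": "John Doe",              "address": "10.0.0.5"},
    {"name": "legacy-host",       "comment": "inventory tag 192-168", "address": ""},
]

FIELDS = ("name", "comment", "address")


def list_search(objects, expression, fields=FIELDS):
    """Return the entries whose visible fields match a case-insensitive regex.

    Python's re module stands in for the Perl regex engine the guide refers to
    (an assumption; both agree on \\b, ^, \\d and escaped dots). A syntactically
    invalid expression, such as a bare '*' typed as a wildcard, is reported
    instead of silently matching nothing.
    """
    try:
        pattern = re.compile(expression, re.IGNORECASE)
    except re.error as exc:
        raise ValueError(f"invalid search expression {expression!r}: {exc}") from exc
    return [obj for obj in objects
            if any(pattern.search(obj.get(field, "")) for field in fields)]


def matching_names(objects, expression):
    """Convenience wrapper: names of the matching entries, in list order."""
    return [obj["name"] for obj in list_search(objects, expression)]


if __name__ == "__main__":
    examples = (
        "inter",                  # anywhere in a word
        r"\binter",               # beginning of a word
        r"http\b",                # end of a word
        r"^inter",                # beginning of an entry
        r"192\.168",              # escaped dot: literal IP prefix only
        "192.168",                # unescaped dot: also hits "192-168"
        r"\d+\.\d+\.\d+\.\d+",    # any IPv4 address
        "INTERNET",               # case does not matter
    )
    for expr in examples:
        print(f"{expr:22} -> {matching_names(SAMPLE_OBJECTS, expr)}")
    try:
        matching_names(SAMPLE_OBJECTS, "*")
    except ValueError as err:
        print("rejected:", err)
```

Running the block prints one line per search string. Note that "inter" also returns "printer-net" (the substring sits inside "printer"), which is exactly why the guide recommends \binter when you mean the beginning of a word, and that "192.168" returns the "legacy-host" entry only because its comment contains "192-168".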
2.5 Dialog Boxes
Dialog boxes are special windows which are used by WebAdmin to prompt you for
entering specific information. The example shows a dialog box for creating a new group
in the Definitions & Users > Users & Groups menu.
Figure 6 WebAdmin: Example of a Dialog Box
Each dialog box can consist of various widgets such as text boxes, checkboxes, and so
on. In addition, many dialog boxes offer a drag-and-drop functionality, which is indicated
by a special background reading DND. Whenever you encounter such a box, you can
drag an object into the box. To open the object list from where to drag the objects, click
the Folder icon that is located right next to the text box. Depending on the configuration
option, this opens the list of available networks, interfaces, users/groups, or services.
Clicking the green Plus icon opens a dialog window letting you create a new definition.
Some widgets that are not necessary for a certain configuration are grayed out. In some cases, however, they can still be edited, but editing them has no effect.
Note – You may have noticed the presence of both Save and Apply buttons in
WebAdmin. The Save button is used in the context of creating or editing objects in
WebAdmin such as static routes or network definitions. It is always accompanied by
a Cancel button. The Apply button, on the other hand, serves to confirm your settings
in the backend, thus promptly activating them.
2.6 Buttons and Icons
WebAdmin has some buttons and functional icons whose usage is described here.
Buttons – Meaning
• Shows a dialog box with detailed information on the object.
• Opens a dialog box to edit properties of the object.
• Deletes the object. If an object is still in use somewhere, there will be a warning. Not all objects can be deleted if they are in use.
• Opens a dialog box for creating an object with identical settings/properties. Helps you to create similar objects without having to type all identical settings over and over again.
Functional Icons – Meaning
• Info: Shows all configurations where the object is in use.
• Details: Links to another WebAdmin page with more information about the topic.
• Alert: Shows issues of an object which might lead to malfunction.
• Toggle switch: Enables or disables a function. Green when enabled, gray when disabled, and amber when configuration is required before enabling.
• Folder: Has two different functions: (1) Opens an object list (see section below) on the left side where you can choose appropriate objects from. (2) Opens a dialog window to upload a file.
• Plus: Opens a dialog window to add a new object of the required type.
• Action: Opens a drop-down menu with actions. The actions depend on the location of the icon: (1) Icon in list header: the actions, e.g., Enable, Disable, Delete, apply to the selected list objects. (2) Icon in text box: with the actions Import and Export you can import or export text, and with Empty you delete the entire content. There is also a filter field which helps you to drill down a list to relevant elements. Note that the filter is case-sensitive.
• Empty: Removes an object from the current configuration when located in front of the object. Removes all objects from a box when located in the Actions menu. Objects are however never deleted.
• Import: Opens a dialog window to import text with more than one item or line. Enhances adding multiple items without having to type them individually, e.g. a large blacklist to the URL blacklist. Copy the text from anywhere and enter it using CTRL+V.
• Export: Opens a dialog window to export all existing items. You can select a delimiter to separate the items, which can either be new line, colon, or comma. To export the items as text, mark the whole text in the Exported Text field and press CTRL+C to copy it. You can then paste it into all common applications using CTRL+V, for example a text editor.
• Sort: Using these two arrows, you can sort list elements by moving an element down or up, respectively.
• Forward/Backward: Depending on the location you can navigate through the pages of a long list, or move back and forth along the history of changes and settings.
• PDF: Saves the current view of data in a PDF file and then opens a dialog window to download the created file.
• CSV: Saves the current view of data in a CSV (comma-separated values) file and then opens a dialog window to download the created file.
2.7 Object Lists
An object list is a drag-and-drop list which is temporarily displayed on the left side of
WebAdmin, covering the main menu.
Figure 7 WebAdmin: Dragging an Object From the Object List Networks
An object list is opened automatically when you click the Folder icon (see section above), or you can open it manually via a keyboard shortcut (see Management > WebAdmin Settings > User Preferences).
The object list gives you quick access to WebAdmin objects like users/groups, interfaces, networks, and services to be able to select them for configuration purposes. Objects are selected simply by dragging and dropping them onto the current configuration.
According to the different existing object types, there are five different types of object lists. Clicking the Folder icon will always open the type required by the current configuration.
3 Dashboard
The Dashboard graphically displays a snapshot of the current operating status of Sophos UTM. With help of the Dashboard Settings icon on the top right you can, amongst others, configure which topic sections are displayed. You can find further information on the settings in Dashboard > Dashboard Settings.
The Dashboard displays by default when you log in to WebAdmin and shows the following information:
• General Information: Hostname, model, license ID, subscriptions, and uptime of the unit. The display color of a subscription switches to orange 30 days before its expiration date. During the last 7 days and after expiration, a subscription is displayed in red.
• Version Information: Information on the currently installed firmware and pattern versions as well as available updates.
• Resource Usage: Current system utilization, including the following components:
  • The CPU utilization in percent
  • The RAM utilization in percent. Please note that the total memory displayed is the part that is usable by the operating system. With 32-bit systems, in some cases that does not represent the actual size of the physical memory installed, as part of it is reserved for hardware.
  • The amount of hard disk space consumed by the log partition in percent
  • The amount of hard disk space consumed by the root partition in percent
  • The status of the UPS (uninterruptible power supply) module (if available)
• Today's Threat Status: A counter for the most relevant security threats detected since midnight:
  • The total of dropped and rejected data packets for which logging is enabled
  • The total of blocked intrusion attempts
  • The total of blocked viruses (all proxies)
  • The total of blocked spam messages (SMTP/POP3)
  • The total of blocked spyware (all proxies)
  • The total of blocked URLs (HTTP/S)
  • The total of blocked webserver attacks (WAF)
  • The total of blocked endpoint attacks and blocked devices
• Interfaces: Name and status of configured network interface cards. In addition, information on the average bit rate of the last 75 seconds for both incoming and outgoing traffic is shown. The values presented are obtained from bit rate averages based on samples that were taken at intervals of 15 seconds. Clicking a traffic value of an interface opens a Flow Monitor in a new window. The Flow Monitor displays the traffic of the last ten minutes and refreshes automatically at short intervals. For more information, see chapter Flow Monitor.
• Advanced Threat Protection: Status of Advanced Threat Protection. The display shows an alert if Advanced Threat Protection is enabled and it shows a counter of infected hosts. An alert will be automatically deleted after 72 hours. If you want to delete all alerts immediately, click the Reset button.
• Current System Configuration: Enabled/disabled representation of the most relevant security features. Clicking one of the entries opens the WebAdmin page with the respective settings:
  • Firewall: Information about the total of active firewall rules.
  • Intrusion Prevention: The intrusion prevention system (IPS) recognizes attacks by means of a signature-based IPS rule set.
  • Web Filtering: An application-level gateway for the HTTP/S protocol, featuring a rich set of web filtering techniques for the networks that are allowed to use its services.
  • Network Visibility: Sophos' layer 7 application control allows you to categorize and control network traffic.
  • SMTP Proxy: An application-level gateway for messages sent via the Simple Mail Transfer Protocol (SMTP).
  • POP3 Proxy: An application-level gateway for messages sent via the Post Office Protocol 3 (POP3).
  • RED: Configuration of Remote Ethernet Device (RED) appliances for branch office security.
  • Wireless Protection: Configuration of wireless networks and access points.
  • Endpoint Protection: Management of endpoint devices in your network. Displays the number of connected endpoints and alerts.
  • Site-to-Site VPN: Configuration of site-to-site VPN scenarios.
  • Remote Access: Configuration of road warrior VPN scenarios.
  • Web Application Firewall: An application-level gateway to protect your webservers from attacks like cross-site scripting and SQL injection.
  • HA/Cluster: High availability (HA) failover and clustering, that is, the distribution of processing-intensive tasks such as content filtering, virus scanning, intrusion detection, or decryption equally among multiple cluster nodes.
  • Sophos UTM Manager: Management of your Sophos UTM appliance via the central management tool Sophos UTM Manager (SUM).
  • Sophos Mobile Control: Management of your mobile devices to control content, applications and emails.
  • Antivirus: Protection of your network from web traffic that carries harmful and dangerous content such as viruses, worms, or other malware.
  • Antispam: Detection of unsolicited spam emails and identification of spam transmissions from known or suspected spam purveyors.
  • Antispyware: Protection from spyware infections by means of two different virus scanning engines with constantly updated signature databases and spyware filtering techniques that protect both inbound and outbound traffic.
3.1 Dashboard Settings
You can modify several settings concerning the Dashboard. Click the Dashboard Settings icon on the top right of the Dashboard to open the Edit Dashboard Settings dialog window.
Refresh Dashboard: By default, the Dashboard is updated at intervals of five seconds.
You can configure the refresh rate from Never to Every Minute.
Left Column – Right Column: The Dashboard is divided into different topic sections providing information on the respective topic. With the two boxes Left Column and Right Column you can arrange those topic sections and add or remove them from display. Those settings will then be reflected by the Dashboard. Use the sort icons to sort the topic sections of a column. To add or remove a particular topic section from display, select or unselect its checkbox.
The topic sections displayed by default are described in the Dashboard chapter. These
topic sections can also be displayed:
• Web Protection: Top Apps: Overview of the most used applications. In this section, hovering the cursor on an application displays one or two icons with additional functionality:
  • Click the Block icon to block the respective application from now on. This will create a rule on the Application Control Rules page. This option is unavailable for applications relevant to the flawless operation of Sophos UTM. WebAdmin traffic, for example, cannot be blocked as this might lead to shutting yourself out of WebAdmin. Unclassified traffic cannot be blocked, either.
  • Click the Shape icon to enable traffic shaping of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Bandwidth Pools page. Traffic shaping is not available when viewing the All Interfaces Flow Monitor as shaping works interface-based.
  • Click the Throttle icon to enable traffic throttling of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Download Throttling page. Download throttling is not available when viewing the All Interfaces Flow Monitor as throttling works interface-based.
• Web Protection: Top Sites by Time: Overview of the most visited domains according to time.
• Web Protection: Top Sites by Traffic: Overview of the most visited domains according to traffic.
• Logging: Status of the log partition of your Sophos UTM unit, including information about the disk space left and fillup rate.
• News Feed: News about Sophos and its products.
• Chart: Concurrent Connections: Daily statistics and histogram of the total of concurrent connections.
• Chart: Log Partition Status: Four-week statistics and histogram of the log partition usage.
• Chart: CPU Usage: Daily statistics and histogram of the current processor usage in percent.
• Chart: Memory/Swap Usage: Daily statistics and histogram of the memory and swap usage in percent.
• Chart: Partition Usage: Daily statistics and histogram of the usage of selected partitions in percent.
Enable autogrouping on Dashboard: Select this option to display the information on the
Dashboard compactly. This option only affects the selected Web Protection items in
the left column and the selected Chart items in the right column. If selected, the
respective information elements will be displayed as overlaying tabs on the Dashboard.
If unselected, the information elements are displayed side by side.
Click Save to save your settings.
3.2 Flow Monitor
The Flow Monitor of Sophos UTM is an application which gives quick access to information on network traffic currently passing the interfaces of UTM. It can be easily accessed via the Dashboard by clicking one of the interfaces at the top right. By clicking All Interfaces the Flow Monitor displays the traffic accumulated on all active interfaces. By clicking a single interface, the Flow Monitor displays the traffic of this interface only.
Note – The Flow Monitor opens in a new browser window. As pop-up blockers are
likely to block this window it is advisable to deactivate pop-up blockers for
WebAdmin.
The Flow Monitor provides two views, a chart and a table, which are described in the
next sections. It refreshes every five seconds. You can click the Pause button to stop
refreshing. After clicking Continue to start refreshing again, the Flow Monitor updates to
the current traffic information.
Tabular View
The Flow Monitor table provides information on network traffic for the past five
seconds:
#: Traffic is ranked based on its current bandwidth usage.
Application: Protocol or name of the network traffic if available. Unclassified traffic is a type of traffic unknown to the system. Clicking an application opens a window which provides information on the server, the port used, bandwidth usage per server connection, and total traffic.
Clients: Number of client connections using the application. Clicking a client opens a window which provides information on the client's IP address, bandwidth usage per client connection, and total traffic. Note that with unclassified traffic the number of clients in the table may be higher than the clients displayed in the additional information window. This is due to the fact that the term "unclassified" comprises more than one application. So, there might be only one client in the information window but three clients in the table, the latter actually being the connections of the single client to three different, unclassified applications.
Bandwidth Usage Now: The bandwidth usage during the last five seconds. Clicking a
bandwidth opens a window which provides information on the download and upload
rate of the application connection.
Total Traffic: The total of network traffic produced during the "lifetime" of a connection.
Example 1: A download started some time in the past and still going on: the whole
traffic produced during the time from the beginning of the download will be displayed.
Example 2: Several clients using facebook: as long as one client keeps the connection
open, the traffic produced by all clients so far adds up to the total traffic displayed.
Clicking a total traffic opens a window which provides information on the overall download and upload rate of the application connection.
Actions: Depending on the application type, there are actions available (except for
unclassified traffic).
• Blocking: Click the Block button to block the respective application from now on. This will create a rule on the Application Control Rules page. This option is unavailable for applications relevant to the flawless operation of Sophos UTM. WebAdmin traffic, for example, cannot be blocked as this might lead to shutting yourself out of WebAdmin. Unclassified traffic cannot be blocked, either.
• Traffic shaping: Click the Shape button to enable traffic shaping of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Bandwidth Pools page. Traffic shaping is not available when viewing the All Interfaces Flow Monitor as shaping works interface-based.
• Download throttling: Click the Throttle button to enable download throttling for the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Download Throttling page. Download throttling is not available when viewing the All Interfaces Flow Monitor as throttling works interface-based.
Chart View
The Flow Monitor chart displays the network traffic for the past ten minutes. The horizontal axis reflects time, the vertical axis reflects the amount of traffic while dynamically adapting the scale to the throughput.
At the bottom of the chart view a legend is located which refers to the type of traffic
passing an interface. Each type of traffic has a different color so that it can be easily
distinguished in the chart.
Note – The Flow Monitor displays much more differentiated information on traffic if Network Visibility is enabled (see chapter Web Protection > Application Control > Network Visibility).
When hovering the mouse cursor on a chart a big dot will appear, which gives detailed information on this part of the chart. The dot sticks to the line of the chart and follows the mouse cursor as you move it. In case a chart has several lines, the dot switches between them according to where you move the mouse cursor. Additionally, the dot changes its color depending on which line its information refers to, which is especially useful with lines running close to each other. The dot provides information on type and size of the traffic at the respective point of time.
UTM 9 WebAdmin
51
4 Management
This chapter describes how to configure basic system settings as well as the settings of the web-based administrative interface of Sophos UTM, among other things. The Overview page shows statistics of the last WebAdmin sessions including possible changes. Click the Show button in the Changelog column to view the changes in detail.
In the State column, the end times of previous WebAdmin sessions are listed.
Note – You can end a WebAdmin session by clicking the Log off menu. If you close the
browser without clicking the Log off menu, the session times out after the time span
defined on the Management > WebAdmin Settings > Advanced tab.
The following topics are included in this chapter:
• System Settings
• WebAdmin Settings
• Licensing
• Up2Date
• Backup/Restore
• User Portal
• Notifications
• Customization
• SNMP
• Central Management
• High Availability
• Certificate Management
• Shutdown/Restart
4.1 System Settings
The system settings menu allows you to configure basic settings of your UTM. You can set the hostname, date and time settings, as well as scan settings for the antivirus engine and advanced threat protection options. Configuration or password resets and SSH shell access can also be configured here.
4.1.1 Organizational
Enter the following organizational information (if not yet done in the Installation Wizard):
• Organization name: Name of your organization.
• City: Location of your organization.
• Country: Country where your organization is located.
• Administrator's email address: Email address to reach the person or group technically responsible for the operation of your Sophos UTM.
Note that this data is also used in certificates for IPsec, email encryption and WebAdmin.
4.1.2 Hostname
Enter the hostname of your UTM as a fully qualified domain name (FQDN). The fully qualified domain name is an unambiguous domain name that specifies the node's absolute position in the DNS tree hierarchy, for example utm.example.com. A hostname may contain alphanumeric characters, dots, and hyphens. At the end of the hostname there must be a special designator such as com, org, or de. The hostname will be used in notification messages to identify UTM. It will also appear in status messages sent by the Web Filter. Note that the hostname does not need to be registered in the DNS zone for your domain.
4.1.3 Time and Date
On your UTM, date and time should always be set correctly. This is needed both for getting correct information from the logging and reporting systems and to assure interoperability with other computers on the Internet.
Usually, you do not need to set the time and date manually. By default, automatic synchronization with public Internet time servers is enabled (see section Synchronize Time with Internet Server below).
In the rare case that you need to disable synchronization with time servers, you can change the time and date manually. However, when doing so, pay attention to the following caveats:
• Never change the system time from standard time to daylight saving time or vice versa. This change is always automatically covered by your time zone settings even if automatic synchronization with time servers is disabled.
• Never change date or time manually while synchronization with time servers is enabled, because automatic synchronization would typically undo your change right away. In case you must set the date or time manually, remember to first remove all servers from the NTP Servers box in the Synchronize Time with Internet Server section below and click Apply.
• After manually changing the system time, wait until you see the green confirmation message, stating that the change was successful. Then reboot the system (Management > Shutdown/Restart). This is highly recommended as many services rely on the fact that time is changing continuously, not abruptly. Jumps in time therefore might lead to malfunction of various services. This advice holds universally true for all kinds of computer systems.
• In rare cases, changing the system time might terminate your WebAdmin session. In case this happens, log in again, check whether the time is now correctly set and restart the system afterwards.
If you operate multiple interconnected UTMs that span several time zones, select the same time zone for all devices, for example UTC (Coordinated Universal Time); this will make log messages much easier to compare.
Note that when you manually change the system time, you will encounter several side effects, even when having properly restarted the system:
• Turning the clock forward
  • Time-based reports will contain no data for the skipped hour. In most graphs, this time span will appear as a straight line at the level of the latest recorded value.
  • Accounting reports will contain values of 0 for all variables during this time.
• Turning the clock backward
  • There is already log data for the corresponding time span in time-based reports.
  • Most diagrams will display the values recorded during this period as compressed.
  • The elapsed time since the last pattern check (as displayed on the Dashboard) shows the value "never", even though the last check was in fact only a few minutes ago.
  • Automatically created certificates on UTM may become invalid because the beginning of their validity periods would be in the future.
  • Accounting reports will retain the values recorded from the future time. Once the time of the reset is reached again, the accounting data will be written again as normal.
Because of these drawbacks the system time should only be set once when setting up the system, with only small adjustments being made thereafter. This especially holds true if accounting and reporting data needs to be processed further and accuracy of the data is important.
Set Date and Time
To configure the system time manually, select date and time from the respective drop-down lists. Click Apply to save your settings.
Set Time Zone
To change the system's time zone, select an area or a time zone from the drop-down list. Click Apply to save your settings.
Changing the time zone does not change the system time, but only how the time is represented in output, for example in logging and reporting data. Even if it does not disrupt services, we highly recommend rebooting afterwards to make sure that all services use the new time setting.
Synchronize Time with Internet Server
To synchronize the system time using a time server, select one or more NTP servers. Click Apply after you have finished the configuration.
NTP Servers: The NTP Server Pool is selected by default. This network definition is
linked to the big virtual cluster of public timeservers of the pool.ntp.org project. In case
your Internet service provider operates NTP servers for customers and you have
access to these servers, it is recommended to remove the NTP Server Pool and use
your provider's servers instead. When choosing your own or your provider's servers,
using more than one server is useful to improve precision and reliability. The usage of
three independent servers is almost always sufficient. Adding more than three servers
rarely results in additional improvements, while increasing the total server load. Using
both NTP Server Pool and your own or your provider's servers is not recommended
because it will usually neither improve precision nor reliability.
Tip – If you want client computers to be able to connect to these NTP servers, add
them to the allowed networks on the Network Services > NTP page.
Test Configured Servers: Click this button if you want to test whether a connection to the selected NTP server(s) can be established from your device and whether it returns usable time data. This will measure the time offset between your system and the servers. Offsets should generally be well below one second if your system is configured correctly and has been operating in a stable state for some time.
Right after enabling NTP or adding other servers, it is normal to see larger offsets. To avoid large time jumps, NTP will then slowly skew the system time, such that eventually, it will become correct without any jumping. In that situation, please be patient. In particular, in this case, do not restart the system. Rather, return to check about an hour later. If the offsets decrease, all is working as it should.
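The offset reported by Test Configured Servers is the standard NTP clock offset computed from four timestamps: the client's send time (t1), the server's receive and transmit times (t2, t3) and the client's receive time (t4). The following Python script is an added example, not part of this guide or of Sophos UTM. It sends one SNTP query (RFC 4330 packet format) from the machine it runs on and computes the offset and round-trip delay the same way; pool.ntp.org is only the default target for a live run, and build_reply constructs a fake server reply so the arithmetic can be checked offline. It also rejects the two replies a careful client must not trust: a stratum-0 "kiss-o'-death" packet and a reply whose origin timestamp does not echo the request.

```python
import socket
import struct
import time

# Added example, not Sophos code: a minimal SNTP (RFC 4330) client that
# measures the clock offset the "Test Configured Servers" button reports.
NTP_EPOCH_DELTA = 2208988800                # seconds from 1900-01-01 to 1970-01-01
NTP_PACKET = struct.Struct("!B B B b 11I")  # 48-byte NTPv4 header
CLIENT_HDR = 0x23                           # LI=0, VN=4, Mode=3 (client)
SERVER_HDR = 0x24                           # LI=0, VN=4, Mode=4 (server)


def to_ntp(unix_ts):
    """Split a Unix timestamp into NTP (seconds, 32-bit fraction) fields."""
    secs = int(unix_ts)
    frac = int((unix_ts - secs) * (1 << 32))
    return secs + NTP_EPOCH_DELTA, frac


def from_ntp(secs, frac):
    """Inverse of to_ntp: NTP fields back to a Unix float timestamp."""
    return secs - NTP_EPOCH_DELTA + frac / (1 << 32)


def build_request(t1):
    """Client packet: only the transmit timestamp (our t1) is filled in."""
    s, f = to_ntp(t1)
    return NTP_PACKET.pack(CLIENT_HDR, 0, 0, 0, *([0] * 9), s, f)


def build_reply(t1, t2, t3, stratum=2):
    """Constructed server reply (origin=t1, receive=t2, transmit=t3) used for
    offline testing; a real server fills these fields in itself."""
    o_s, o_f = to_ntp(t1)
    r_s, r_f = to_ntp(t2)
    x_s, x_f = to_ntp(t3)
    return NTP_PACKET.pack(SERVER_HDR, stratum, 0, 0, *([0] * 5),
                           o_s, o_f, r_s, r_f, x_s, x_f)


def parse_reply(data, t1, t4):
    """Return (offset, delay) in seconds for a reply received locally at t4."""
    if len(data) < NTP_PACKET.size:
        raise ValueError("short NTP packet")
    f = NTP_PACKET.unpack(data[:NTP_PACKET.size])
    mode, stratum = f[0] & 0x7, f[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:
        raise ValueError("kiss-o'-death: server refuses service, back off")
    origin = from_ntp(f[9], f[10])
    if abs(origin - t1) > 1e-3:
        # The reply does not echo our request: stale or spoofed, discard it.
        raise ValueError("origin timestamp does not match our request")
    t2 = from_ntp(f[11], f[12])
    t3 = from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2   # local clock behind (+) or ahead (-)
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server processing
    return offset, delay


def query(server, port=123, timeout=3.0):
    """Send one request and measure the offset; needs network access."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, port))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_reply(data, t1, t4)


if __name__ == "__main__":
    # pool.ntp.org is the public pool the default NTP Server Pool definition refers to.
    off, rtt = query("pool.ntp.org")
    print("offset %+.6f s, round-trip delay %.6f s" % (off, rtt))
```

A single query against each configured server, repeated a few times over an hour, shows the behaviour the guide describes: a large offset right after enabling NTP that shrinks steadily while the daemon slews the clock, with a stable sub-second value once the system has settled.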
4.1.4 Shell Access
Secure Shell (SSH) is a command-line access mode primarily used to gain remote shell access to UTM. It is typically used for low-level maintenance or troubleshooting. To access this shell you need an SSH client, which usually comes with most Linux distributions. For Windows you can download an SSH client for free, e.g. PuTTY (www.putty.org) or DameWare (www.dameware.com).
Shell User Passwords
Enter passwords for the default shell accounts root and loginuser. To change the password for one out of these two accounts only, just leave both input boxes for the other account blank.
Note – To enable SSH shell access, passwords must be set initially. In addition, you can only specify passwords that adhere to the password complexity settings as configured on the Definitions & Users > Authentication Services > Advanced tab. That is, if you have enabled complex passwords, shell user passwords must meet the same requirements.
Accessing UTM via SSH
To access the UTM via SSH, connect to the SSH port (TCP 22 by default) using your normal SSH utility program (e.g. PuTTY).
You can log in as:
• loginuser, by entering loginuser and the associated password as set above at the SSH prompt, or
• root, after you have logged in as loginuser, by typing su - and entering the associated password as set above.
Note – Any modifications done by root will void your support. Even users not logged in as root have direct access to a lot of information on the UTM and should be considered privileged users. Therefore, it is strongly recommended to grant SSH access only to administrators in WebAdmin. For any configuration change, use WebAdmin instead.
Allowed Networks
Use the Allowed Networks control to restrict access to this feature to certain networks
only. Networks listed here will be able to connect to the SSH service.
Authentication
In this section you can define an authentication method for SSH access and the strictness of access. The following authentication methods are available:
• Password (default)
• Public key
• Password and public key
To use these options select the respective checkboxes. To use Public Key Authentication you need to upload the respective public key(s) into the field Authorized Keys for loginuser for each user allowed to authenticate via their public key(s).
Allow root login: You can allow SSH access for the root user. This option is disabled by default as it leads to a higher security risk. When this option is enabled, the root user is able to log in via their public key. Upload the public key(s) for the root user into the field Authorized Keys for root.
Note – For more information on generating SSH keys, see the Sophos Knowledgebase
articles Creating SSH key on a Linux based system, using PuTTY.
Click Apply to save your settings.
SSH Daemon Listen Port
This option lets you change the TCP port used for SSH. By default, this is the standard
SSH port 22. To change the port, enter an appropriate value in the range from 1024 to
65535 in the Port number box and click Apply.
4.1.5 Scan Settings
Antivirus Engine Preferences
Select the antivirus engine which will be used in all single scan configurations throughout WebAdmin. In dual scan configurations, both antivirus engines will be used. Note that dual scan is not available with a BasicGuard subscription. Click Apply to save your settings.
Advanced Threat Protection Options
Select the Send suspicious content to SophosLabs for analysis option to help improve protection. SophosLabs features a cloud-based sandbox where the behavior of suspected malware can be automatically observed and analyzed. This helps ensure speedy delivery of protection updates directly to your UTM. Disabling this functionality may increase defense response time.
All submissions are sent over a secure channel and are handled according to the SophosLabs Information Security Policy.
Antispam Engine Preferences
A parent proxy is often required in those countries that require Internet access to be
routed through a government-approved proxy server. If your security policy requires the
use of a parent proxy, you can set it up here by selecting the host definition and port.
Use a parent proxy:
1. Select the checkbox to enable parent proxy use.
2. Select or add the host.
3. Enter the port of the proxy.
How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
4. Click Apply.
Your settings will be saved.
Proxy requires authentication: If the parent proxy requires authentication, enter user
name and password here.
4.1.6 Reset Configuration or Passwords
The options on the Reset Configuration or Passwords tab let you delete the passwords
of the shell users. In addition, you can execute a factory reset, and you can reset the
UTM's system ID.
Reset System Passwords
Executing the Reset System Passwords Now function will reset the passwords of the following users:
• root (shell user)
• loginuser (shell user)
• admin (predefined administrator account)
In addition, to halt the system, select the Shutdown system afterwards option.
Security Note – The next person connecting to the WebAdmin will be presented an Admin Password Setup dialog window. Thus, after resetting the passwords, you should usually quickly log out, reload the page in your browser, and set a new admin password.
Besides, shell access will not be possible anymore until you set new shell passwords on the Management > System Settings > Shell Access tab.
Factory Reset
The Run Factory Reset Now function resets the device back to the factory default configuration. The following data will be deleted:
• System configuration
• Web Filter cache
• Logs and reporting data
• Databases
• Update packages
• Licenses
• Passwords
• High availability status
However, the version number of Sophos UTM Software will remain the same, that is, all firmware and pattern updates that have been installed will be retained.
Note – Sophos UTM will shut down once a factory reset has been initiated.
UTM ID Reset
With the Reset UTM ID Now function you reset the system ID of the UTM to a new, random value. This is for example relevant when you use endpoint protection. Every UTM using endpoint protection identifies itself on Sophos LiveConnect with its unique system ID. When you for example clone a virtual UTM using endpoint protection and want the clone to use it too, you need to reset the cloned UTM's system ID so that it can afterwards identify with the new system ID. During the reset, if turned on, endpoint protection will be turned off.
Note – Endpoints are connected to their UTM using the UTM system ID. If you reset the
UTM system ID and there is no other UTM listening on the old UTM ID, their endpoints
will need to be reinstalled.
Note – If a UTM is connected to Sophos UTM Manager, and you reset its UTM system
ID, the UTM will connect as a new device. If necessary, you can merge the two
devices.
4.2 WebAdmin Settings
The tabs under Management > WebAdmin Settings allow you to configure basic WebAdmin settings such as access control, the TCP port, HTTPS certificates, user preferences, and the WebAdmin language, among other things.
4.2.1 General
On the WebAdmin Settings > General tab you can configure the WebAdmin language
and basic access settings.
WebAdmin Language
Select the language of WebAdmin. The selected language will also be used for some
WebAdmin output, e.g., email notifications or the executive report. Note that this setting
is global and applies to all users. Click Apply to save your settings.
After changing the language, it might be necessary to empty your browser cache to
make sure that all texts are displayed in the correct language.
WebAdmin Access Configuration
Here you can configure which users and/or networks should have access to WebAdmin.
Allowed Administrators: Sophos UTM can be administered by multiple administrators simultaneously. In the Allowed Administrators box you can specify which users or groups should have unlimited read and write access to the WebAdmin interface. By default, this is the group of SuperAdmins. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.
Allowed Networks: The Allowed Networks box lets you define the networks that should be able to connect to the WebAdmin interface. For the sake of a smooth installation of UTM, the default is Any. This means that the WebAdmin interface can be accessed from everywhere. Change this setting to your internal network(s) as soon as possible. The most secure solution, however, would be to limit the access to only one administrator PC through HTTPS. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Log access traffic: If you want to log all WebAdmin access activities in the firewall log, select the Log access traffic checkbox.
4.2.2 Access Control
On the WebAdmin Settings > Access Control tab you can create WebAdmin roles for specific users. This allows for a fine-grained definition of the rights a WebAdmin user can have.
There are two user roles predefined:
Auditor: Users having this role can view logging and reporting data.
Readonly: Users having this role can view everything in WebAdmin without being able
to edit, create, or delete anything.
To assign users or groups one of these roles, click the Edit button and add the respective user(s) or group(s) to the Members box.
You can create further roles, according to your security policies. Proceed as follows:
1. On the Access Control tab, click New Role.
The Add Role dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this definition.
Members: Add or select users or groups who are to have this role. How to add a
user is explained on the Definitions & Users > Users & Groups > Users page.
Grant read-only access (optional): Select this checkbox to grant read-only access
to all areas of WebAdmin to the given members.
Rights: This box contains different rights levels for the different functions of WebAdmin: auditor and manager. A manager has several rights for the respective function(s), whereas an auditor has only viewing rights. A manager does not have the right to create new users. User creation is only allowed for the SuperAdmin. You can choose one or more rights by selecting the respective checkbox in front of a right.
Example: You could give the user Jon Doe manager rights for Email Protection
and additionally select the checkbox Grant read-only access. He would then be
able to change settings in the Email Protection section and view all other areas
of WebAdmin without being able to change anything there.
Comment (optional): Add a description or other information.
3. Click Save.
Your settings will be saved.
To either edit or delete a role, click the corresponding buttons. Note that the Auditor and
Readonly roles cannot be deleted.
4.2.2.1 User Rights
Define multiple user rights for different areas of WebAdmin. In general an auditor has viewing rights and a manager additionally has writing rights. All user rights (except Report Auditor, Mail Manager and Log File Auditor) have permissions to view or edit, respectively:
• Definitions & Users > Network Definitions
• Definitions & Users > Service Definitions
• Definitions & Users > Time Period Definitions
• Logging & Reporting > View Log Files
Additionally, the following user rights are available:
For each user right, Permission to Read lists the WebAdmin areas the right can view and Permission to Read/Write the areas it can also edit.

Log File Auditor
  Permission to Read: Management > Sophos Mobile Control; Endpoint Protection > Web Control; Logging & Reporting > View Log Files

Mail Manager
  Permission to Read/Write: Email Protection > Mail Manager; Logging & Reporting > View Log Files; Logging & Reporting > Email Protection

Mail Protection Manager
  Permission to Read/Write: Email Protection; Logging & Reporting > Email Protection

Network Protection Auditor
  Permission to Read: Interfaces & Routing Overview; Network Protection; Logging & Reporting > Network Usage; Logging & Reporting > Network Protection

Network Protection Manager
  Permission to Read/Write: Interfaces & Routing Overview; Network Protection; Logging & Reporting > Network Usage; Logging & Reporting > Network Protection

Remote Access Auditor
  Permission to Read: Remote Access; Logging & Reporting > Remote Access

Remote Access Manager
  Permission to Read/Write: Remote Access; Logging & Reporting > Remote Access

Report Auditor
  Permission to Read: Dashboard; Interfaces & Routing Overview; Advanced Protection > Advanced Threat Protection; Web Protection > Policy Helpdesk; Email Protection Overview; Site-to-site VPN; Remote Access Overview; Logging & Reporting: Hardware, Network Usage, Network Protection, Web Protection, Email Protection, Wireless Protection, Remote Access, Webserver Protection, Executive Report

Web Application Protection Auditor
  Permission to Read: Webserver Protection; Logging & Reporting > Webserver Protection

Web Application Protection Manager
  Permission to Read/Write: Webserver Protection; Logging & Reporting > Webserver Protection

Web Protection Auditor
  Permission to Read: Web Protection; Logging & Reporting > Web Protection

Web Protection Manager
  Permission to Read/Write: Web Protection; Logging & Reporting > Web Protection

Wireless Protection Auditor
  Permission to Read: Wireless Protection; Logging & Reporting > Wireless Protection

Wireless Protection Manager
  Permission to Read/Write: Wireless Protection; Logging & Reporting > Wireless Protection
It is possible to combine multiple user rights.
4.2.3 HTTPS Certificate
On the Management > WebAdmin Settings > HTTPS Certificate tab you can import the
WebAdmin CA certificate into your browser, regenerate the WebAdmin certificate, or
choose a signed certificate to use for WebAdmin and User Portal.
During the initial setup of the WebAdmin access you have automatically created a local CA certificate on UTM. The public key of this CA certificate can be installed into your browser to avoid the security warnings when accessing the WebAdmin interface.
Import CA into Browser
To import the CA certificate, proceed as follows:
1. On the HTTPS Certificate tab, click Import CA Certificate.
The public key of the CA certificate will be exported.
You can either save it to disk or install it into your browser.
2. Install the certificate (optional).
The browser will open a dialog box letting you choose to install the certificate
immediately.
Note – Due to different system times and time zones the certificate might not be valid directly after its creation. In this case, most browsers will report that the certificate has expired, which is not correct. However, the certificate will automatically become valid after a maximum of 24 hours and will stay valid for 27 years.
Import CA Certificate under iOS/Safari
To import the CA certificate under iOS with the Safari browser, proceed as follows:
1. On the HTTPS Certificate tab, click Import CA Certificate.
The public key of the CA certificate will be exported and downloaded.
The file WebAdmin.cer is ready on your system and needs to be installed manually. By default, you find the file WebAdmin.cer in your download folder.
2. Double click on WebAdmin.cer.
The Keychain Access will open a window letting you choose to trust the certificate.
3. Click Always Trust.
The CA certificate is listed in the keychain list.
Re-generate WebAdmin Certificate
The WebAdmin certificate refers to the hostname you have specified during the initial
login. If the hostname has been changed in the meantime, the browser will display a
security warning. To avoid this, you can create a certificate taking the new hostname
into account. For that purpose, enter the hostname as desired and click Apply. Note that
due to the certificate change, to be able to continue working in WebAdmin, you probably
need to reload the page via your web browser, accept the new certificate, and log back
into WebAdmin.
Choose WebAdmin/User Portal Certificate
If you do not want to import the CA certificate but instead use your own signed certificate for WebAdmin/User Portal, you can select it here. However, for the certificate to be selectable from the drop-down list, you need to upload it first on the Remote Access > Certificate Management > Certificates tab in PKCS#12 format, containing the certificate, its CA and its private key. To use the uploaded certificate, select it from the Certificates drop-down list and click Apply.
4.2.4 RESTful API
On this page you can create and delete API tokens.
RESTful API allows a user to write programs or scripts to configure one or more UTMs automatically. Before a program or script can use the RESTful API, it has to authenticate against the UTM. There are two ways to authenticate against the RESTful API: using the name of a UTM user with a password, or an API token. API tokens are randomly generated strings that are associated with a UTM user and carry the same access rights as that user. Authentication always uses HTTP basic authentication. If you use an API token instead of a UTM user, the HTTP basic authentication username is "token" and the API token is the password.
To configure an API token, proceed as follows:
1. Enable RESTful API.
Click the toggle switch.
Note – When the UTM instance is running on Amazon Web Services (AWS), RESTful API is enabled by default.
2. Click the New API Token button.
The Add API Token dialog box opens.
3. Make the following settings:
API Token: Enter the API token or use the automatically generated API token.
Note – An API token is an alternative authentication method like a password but without a username. It is recommended to use the automatically generated API token, generated by the UTM, to ensure that the API token is unique and sufficiently complex.
User: Select a user for the API token.
4. Click Save.
The API token is added to the API Token list.
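What the two authentication options look like on the wire, as an added Python example that is not from this guide or from Sophos: HTTP basic authentication with either a UTM user name and password, or the fixed user name "token" and the API token as password. The client also trusts the WebAdmin CA exported on the HTTPS Certificate tab (WebAdmin.cer, assumed here to be PEM-encoded) so that the UTM's own WebAdmin certificate and host name are verified rather than ignored. The /api/ base path, the nodes resource and the host name utm.example.com are placeholders not taken from this page; use the resource paths from the UTM's API documentation.

```python
import base64
import json
import ssl
import urllib.request

# Added example, not Sophos code. Assumed (not stated on this page): the API
# base path "/api/" and the resource name "nodes" are placeholders for the
# paths in the UTM's API documentation; 4444 is the default WebAdmin port.


def basic_auth_header(username, secret):
    """HTTP basic authentication value: 'Basic ' + base64(username ':' secret)."""
    raw = ("%s:%s" % (username, secret)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def auth_header(token=None, user=None, password=None):
    """Token authentication sends the fixed user name "token" with the API
    token as password; otherwise a UTM user name and password are sent."""
    if token:
        return basic_auth_header("token", token)
    if not (user and password):
        raise ValueError("need either an API token or a user name and password")
    return basic_auth_header(user, password)


class UtmApi:
    def __init__(self, host, token=None, user=None, password=None,
                 port=4444, cafile=None):
        self.base = "https://%s:%d/api/" % (host, port)
        self.authorization = auth_header(token, user, password)
        # cafile: the WebAdmin CA exported on the HTTPS Certificate tab
        # (WebAdmin.cer, assumed PEM-encoded). With it, the UTM's self-created
        # WebAdmin certificate and host name are verified; without it the
        # system trust store is used, which suits a CA-signed certificate.
        self.ctx = ssl.create_default_context(cafile=cafile)

    def build(self, method, path, body=None):
        """Build the request without sending it (also used for offline checks)."""
        headers = {"Authorization": self.authorization,
                   "Accept": "application/json"}
        data = None
        if body is not None:
            data = json.dumps(body).encode("utf-8")
            headers["Content-Type"] = "application/json"
        return urllib.request.Request(self.base + path.lstrip("/"), data=data,
                                      headers=headers, method=method)

    def call(self, method, path, body=None, timeout=10):
        """Send the request and decode the JSON reply (needs network access)."""
        req = self.build(method, path, body)
        with urllib.request.urlopen(req, timeout=timeout, context=self.ctx) as resp:
            return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholders: replace the host name and the token with your own values.
    api = UtmApi("utm.example.com", token="<api-token-from-webadmin>",
                 cafile="WebAdmin.cer")
    print(api.call("GET", "nodes"))
```

Because a token carries the full rights of the user it is bound to, it deserves the same handling as that user's password: keep it out of scripts checked into version control, and bind it to a user whose role on the Access Control tab grants only the areas the script needs rather than to a SuperAdmin.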
4.2.5 User Preferences
On the Management > WebAdmin Settings > User Preferences tab you can configure
some user preferences such as global shortcuts and items per page for the currently
logged in user.
WebAdmin Shortcuts Configuration
Here you can configure keyboard shortcuts to open and close the drag-and-drop object
lists used in many configurations (for more information, see WebAdmin > Object Lists)
or to set the cursor focus on the menu search box (see also WebAdmin > WebAdmin
Menu). Use the drop-down list to select a different modifier key and the text box to
enter a different character. You can also turn off the keyboard shortcut by selecting Off
from the drop-down list.
If you want to return to the default settings, click the Reset to Defaults button. Click
Apply to save your settings.
Table Pager Options
Here you can globally define the pagination of tables for WebAdmin, i.e. how many
items are displayed per page. Click the drop-down list and select a value. Click Apply to
save your settings.
WebAdmin Browser Title Customization
Here you can change the label which is displayed on the WebAdmin browser window or tab. You can enter plain text and/or use the following variables:
• %h: hostname
• %u: username
• %i: remote IP address
The default setting is WebAdmin - User %u - Device %h which translates for example
into WebAdmin - User admin - Device my_gateway.example.com. Click Apply to save
your settings.
4.2.6 Advanced
WebAdmin Idle Timeout
Log out after: In this field you can specify the period of time (in seconds) that a WebAdmin session can remain idle before the administrator is forced to log in again. By default, the idle timeout is set to 1,800 seconds. The range is from 60 to 86,400 seconds.
Log out on dashboard: By default, when you have opened the Dashboard page of
WebAdmin, the auto logout function is enabled. You can, however, select this option to
disable the auto logout function for Dashboard only.
WebAdmin TCP Port
By default, port 4444 is used as WebAdmin TCP port. In the TCP Port box you can enter either 443 or any value between 1024 and 65535. However, certain ports are reserved for other services. In particular, you can never use port 10443, and you cannot use the same port you are using for the User Portal or for SSL remote access. Note that you must add the port number to the IP address (separated by a colon) in the browser's address bar when accessing WebAdmin, for example https://192.168.0.1:4444.
Terms of Use
Your company policies might demand that users accept terms of use when they want
to access WebAdmin. Select the checkbox Display "Terms of Use" after login to enforce
that users must accept the terms of use each time they log into WebAdmin. Users will
then be presented the terms of use after having logged in. If they do not accept them
they will be logged out again.
You can change the terms of use text according to your needs. Click Apply to save your
settings.
Sophos Adaptive Learning
You can help improve Sophos UTM by allowing it to transfer anonymous general information about your current configuration as well as information about detected viruses, or anonymous application fingerprints to Sophos. That kind of information cannot and will not be tracked back to you. No user-specific information is collected, i.e., no user or object names, no comments, or other personalized information. However, URLs for which a virus was found will be transmitted if web filter antivirus scanning is enabled.
The information is encrypted and transmitted to SophosLabs using SSL. Once delivered, the data is stored in an aggregated form and made available to Sophos' software architects for making educated design decisions and thus improve future versions of Sophos UTM.
Send anonymous telemetry data: If enabled, the UTM gathers the following information:
• Configuration and usage data: The system will send the following data to Sophos' servers once a week.
  • Hardware and license information (not the owner), for example:
    processor Intel(R) Core(TM)2 Duo CPU E8200 @ 2.66GHz
    memory 512MiB System Memory
    eth0 network 82545EM Gigabit Ethernet Controller
    id: UTM
    version: 9.000000
    version: 4.000000
    type: virtual
    license: standard
    mode: standalone
    active_ips: 2
    system_id: 58174596-276f-39b8-854b-ffa1886e3c6c
    The system ID identifies your UTM only so that information about your system is not accidentally collected twice, e.g. after a re-installation.
  • Features in use (only whether they are turned on or off), for example:
    main->backup->status: 1
    main->ha->status: off
  • Number of configured objects, for example:
    objects->interface->ethernet: 2
    objects->http->profile: 5
  • Enabled web filtering categories and exceptions
  • CPU, memory and swap usage values in percent over the last seven days
• Virus data: The system writes the following data into a file that will be uploaded automatically to Sophos' servers every 15 minutes.
  • Information about viruses found by web protection, for example threat name, MIME type, URL of the request, or file size.
• Intrusion prevention data: The IPS log will be checked every minute for new alerts. If there is a new alert, the following data will be sent instantly to Sophos:
  • Information about the alert, for example snort rule identifier and time stamp.
  • Hardware and license information (not the owner), for example CPU total and CPU usage, memory total and memory usage, SWAP total and SWAP usage, system ID, engine version and pattern version.
  The data is sent every 24 hours.
• Advanced Threat Protection data: The system generates and uploads advanced threat protection data every 30 minutes.
  • Gathered information: system ID, time stamp, Sophos threat name, source IP, destination host, detection component, detection detail, number of threats, rule identifier.
Send anonymous application accuracy telemetry data: You can help to improve the recognition and classification abilities of network visibility and application control by participating in the Sophos UTM AppAccuracy Program. If enabled, the system will collect data in the form of anonymous application fingerprints and will send them to Sophos' research team. There the fingerprints will be used to identify unclassified applications and to improve and enlarge the network visibility and application control library.
4.3 Licensing
The availability of certain features on Sophos UTM is defined by licenses and subscriptions, i.e. the licenses and subscriptions you have purchased with your UTM determine which features you can use.
4.3.1 How to Obtain a License
Sophos UTM ships with a 30-day trial license with all features enabled. After expiration, you must install a valid license to further operate Sophos UTM. All licenses (including free home use licenses) are created in the MyUTM Portal.
Once you have received the activation keys by email after purchasing a UTM license, you must use these keys in order to create your license or upgrade an existing license. To activate a license, you have to log in to the MyUTM Portal and visit the license management page. At the top of the page is a form with a field into which you can paste the activation key from the email. For more information, see the MyUTM User Guide.
Figure 8 MyUTM Portal
Another form appears asking you to fill in information about the reseller you purchased
the license from as well as your own details. The portal tries to pre-fill as much of this
form as possible. Also, Sophos collects the UTM hardware serial number on this form if
appropriate. After submitting this form, your license is created, and you are forwarded
to the license detail page to download the license file.
To actually use the license, you must download the license file to your hard drive and
then log in to your WebAdmin installation. In WebAdmin, navigate to the Management >
Licensing > Installation tab and use the upload function to find the license text file on
your hard drive. Upload the license file, and WebAdmin will process it to activate any
subscriptions and other settings that the license outlines.
Note – The activation key you received by email cannot be imported into WebAdmin.
This key is only used to activate the license. Only the license file can be imported to
UTM.
4.3.2 Licensing Model
The modular licensing model of Sophos is very flexible. First, there is a base license, providing basic functions for free (see table below). Second, there are six additional subscriptions:
• Network Protection
• Web Protection
• Email Protection
• Endpoint Protection
• Wireless Protection
• Webserver Protection
• Sandstorm
Those can be purchased separately or in combination according to your needs. The FullGuard license contains all subscriptions. Each of the subscriptions enables certain features of the product. The table below gives you an overview of which features are enabled with which subscription.
Table columns: Feature | Base License | Network | Web | Email | Endpoint | Wireless | Webserver | Sandstorm
Features listed:
• Management (Backup, Notifications, SNMP, SUM, ...)
• Local Authentication (Users, Groups)
• Basic Networking (Static Routing, DHCP, DNS, Auto QoS, NTP, ...)
• Firewall/NAT (DNAT, SNAT, ...)
• PPTP & L2TP Remote Access
• Local Logging, standard executive reports
• Intrusion Prevention (Patterns, DoS, Flood, Portscan ...)
• IPsec & SSL Site-to-site VPN, IPsec & SSL Remote Access
• Advanced Networking (Link Aggregation, link balancing, Policy Routing, OSPF, Multicast, custom QoS, Server Load Balancing, Generic Proxy ...)
• User Portal
• High Availability
• Remote Auth (AD, eDir, RADIUS, ...)
• Remote Logging, advanced executive reports (archiving, configuration)
• Basic Web Filtering & FTP Proxy
• Web & FTP malware filtering
• Application Control
• Basic SMTP Proxy, Quarantine Report, Mail Manager
• SMTP & POP3 malware filtering
• Endpoint Protection, Antivirus
• Endpoint Protection, Device Control
• Wireless Protection
• Webserver Protection
• Sandstorm
There is also a BasicGuard subscription, available for UTM appliance model 100, which
offers its own subset of the above mentioned features (for more information, visit the
UTM website).
UTMs can also be managed and licensed by Sophos UTM Manager (SUM). In this case, the SUM provides the MSP (Managed Service Provider) license to the UTM, and the Installation tab is disabled. Subscriptions can only be enabled by your SUM service provider.
For more detailed information on subscriptions and their feature set please refer to
your certified UTM Partner or the Sophos UTM webpage.
Missing subscriptions result in disabled tabs in WebAdmin. Above the tabs a licensing
warning message is displayed.
Figure 9 Licensing: Subscription Warning Message
Up2Dates
Each subscription enables full automatic update support, i.e. you will be automatically informed about new firmware updates. Also, firmware and pattern updates can be downloaded (and installed) automatically.
A base license without any subscriptions supports only limited automatic updates: solely pattern updates such as online help updates and the like will continue to be downloaded and installed automatically. You will, however, not be informed about available firmware updates, and the firmware updates have to be downloaded manually. Announcements for new firmware updates can be found in the Sophos UTM Up2Date Blog.
Support and Maintenance
The base license comes with Web Support. You can use the Sophos UTM Support Forum
and the Sophos Knowledgebase.
As soon as you purchase one of the subscriptions you will be automatically upgraded
to Standard Support, where you can additionally open a support case in MyUTM Portal
or contact your certified UTM Partner.
There is also the possibility to purchase a Premium Support subscription, which offers
24/7 support with a UTM Engineer being your contact person.
4.3.3 Overview
The Licensing > Overview tab provides detailed information about your license and is divided into multiple areas:
• Base License: Shows basic license parameters such as ID, registration date, or type.
• Network Protection, Email Protection, Web Protection, Webserver Protection, Wireless Protection, Sandstorm, Endpoint AntiVirus, BasicGuard: These sections show information for subscriptions, such as whether they have been purchased and are therefore enabled, their expiration date, and a short description of the features they provide.
  Note – When using MSP licensing, no expirations will be displayed, as licenses are managed by Sophos UTM Manager (SUM). Traditional keys and subscriptions are replaced with the SUM MSP system. For information about managing SUM, see Central Management > Sophos UTM Manager.
• Support Services: Shows the support level plus the date until which it is valid.
4.3.4 Installation
On the Management > Licensing > Installation tab you can upload and install a new
license.
Note – When using MSP licensing, the tab is disabled, as licenses are managed by Sophos UTM Manager (SUM). New licenses can be installed by your SUM service provider. For information about managing SUM, see Central Management > Sophos UTM Manager.
To install a license, proceed as follows:
1. Open the Upload File dialog window.
Click the Folder icon next to the License file box.
The Upload File dialog window opens.
2. Select the license file.
Browse to the directory where your license file resides.
Select the license file you want to upload.
3. Click Start Upload.
Your license file will be uploaded.
4. Click Apply.
Your license will be installed. Note that the new license will automatically
replace any other license already installed.
The installation of the license will take approximately 60 seconds.
4.3.5 Active IP Addresses
The free Sophos UTM Manager license allows for unlimited IP addresses.
If you do not have a license allowing unlimited users (IP addresses), this tab displays
information on IP addresses covered by your license. IP addresses that exceed the
scope of your license are listed separately. If the limit is exceeded you will receive an
email notification at regular intervals.
Note – IP addresses not seen for a period of seven days will automatically be
removed from the license counter.
4.4 Up2Date
The Management > Up2Date menu allows the configuration of the update service of Sophos UTM. Regularly installed updates keep your UTM up-to-date with the latest bugfixes, product improvements, and virus patterns. Each update is digitally signed by Sophos—any unsigned or forged update will be rejected. By default new update packages are automatically downloaded to UTM. This option can be configured in the Management > Up2Date > Configuration menu.
There are two types of updates available:
• Firmware updates: A firmware update contains bug-fixes and feature enhancements for Sophos UTM Software.
• Pattern updates: A pattern update keeps the antivirus, antispam, and intrusion prevention definitions as well as the online help up-to-date.
In order to download Up2Date packages, UTM opens a TCP connection to the update servers on port 443; this connection is allowed without any adjustment by the administrator. However, if there is another firewall in between, you must explicitly allow the communication via port 443 TCP to the update servers.
4.4.1 Overview
The Management > Up2Date > Overview tab provides a quick overview of whether your system is up-to-date. From here, you can install new firmware and pattern updates.
Up2Date Progress
This section is only visible when you have triggered an installation process. Click the button Watch Up2Date Progress in New Window to monitor the update progress. If your browser does not suppress pop-up windows, a new window showing the update progress will be opened. Otherwise you will have to explicitly allow the pop-up window.
Note – A backup will be sent to the standard backup email recipients before an installation process is started.
Figure 10 Up2Date: Progress Window
Firmware
The Firmware section shows the currently installed firmware version. If an update package is available, a button Update to Latest Version Now is displayed. Additionally, you will see a message in the Available Firmware Up2Dates section. You can directly download and install the most recent update that is displayed from here. Once you have clicked Update To Latest Version Now, you can watch the update progress in a new window. For this, click the Reload button of WebAdmin.
Available Firmware Up2Dates
If you have selected Manual on the Configuration tab, you can see a Check for Up2Date Packages Now button in this section, which you can use to download firmware Up2Date packages manually. If more than one Up2Date is available, you can select which one you are going to install. You can use the Update to Latest Version Now button in the Firmware section if you want to install the most recent version directly.
There is a Schedule button available for each Up2Date with which you can define a specific date and time at which an update is to be installed automatically. To cancel a scheduled installation, click Cancel.
A note on "implicit" installations: There can be a constellation where you schedule an Up2Date package which requires an older Up2Date package to be installed first. This older Up2Date package will be automatically scheduled for installation before the actual Up2Date package. You can define a specific time for this package, too, but you cannot prevent its installation.
Pattern
The Pattern section shows the current version of the installed patterns. If you have selected Manual on the Configuration tab, you can see an Update Patterns Now button. Use this button to download and install new patterns if available.
Note – The current pattern version does not need to be identical with the latest available pattern version in order for the UTM unit to be working correctly. A deviation between the current and the latest available pattern version might occur when new patterns are available which, however, do not apply to the unit you are using. Which patterns are downloaded depends on your settings and hardware configuration. For example, if you do not use the intrusion prevention feature of Sophos UTM, newly available IPS patterns will not be installed, thus increasing the divergence between the currently installed and the latest available pattern version.
4.4.2 Configuration
By default, new update packages are automatically downloaded to UTM.
Firmware Download Interval
This option is set to 15 minutes by default, that is, Sophos UTM checks every 15 minutes for available firmware updates. Sophos UTM will automatically download (but not install) available firmware update packages. The precise time when this happens is distributed randomly within the limits of the selected interval. You can change the interval up to Monthly or you can disable automatic firmware download by selecting Manual from the drop-down list. If you select Manual you will find a Check for Up2Date Packages Now button on the Overview tab.
Pattern Download/Installation Interval
This option is set to 15 minutes by default, that is, Sophos UTM checks every 15 minutes for available pattern updates. Sophos UTM will automatically download and install available pattern update packages. The precise time when this happens is distributed randomly within the limits of the selected interval. You can change the interval up to Monthly or you can disable automatic pattern download and installation by selecting Manual from the drop-down list. If you select Manual you will find an Update Patterns Now button on the Overview tab.
4.4.3 Advanced
The Management > Up2Date > Advanced tab lets you configure further Up2Date options
such as selecting a parent proxy or Up2Date cache for your UTM.
Note – Update packages can be downloaded from Sophos UTM Downloads.
Manual Up2Date Package Upload: If your UTM does not have direct access to the Internet or an Up2Date cache to download new update packages directly, you can upload the update package manually. To do so, proceed as follows:
1. Open the Upload File dialog window.
Click the Folder icon next to the Up2Date file box.
The Upload File dialog window opens.
2. Select the update package.
Click Browse in the Upload File dialog window and select the update package you
want to upload.
3. Click Start Upload.
The update package will be uploaded to UTM.
4. Click Apply.
Your settings will be saved.
Parent Proxy
A parent proxy is often required in those countries that require Internet access to be
routed through a government-approved proxy server. If your security policy requires the
use of a parent proxy, you can set it up here by selecting the host definition and port.
Use a parent proxy:
1. Select the checkbox to enable parent proxy use.
2. Select or add the host.
3. Enter the port of the proxy.
How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
4. Click Apply.
Your settings will be saved.
Proxy requires authentication: If the parent proxy requires authentication, enter user
name and password here.
Note – The parent proxy is disabled when the option Use SUM Server as Up2Date
Cache is enabled on the Central Management > Sophos UTM Manager tab.
If a parent proxy is configured, Sophos UTM fetches both firmware and pattern
Up2Dates from it.
4.5 Backup/Restore
The backup/restore function allows you to save the UTM settings to a file on a local disk. This backup file allows you to install a known good configuration on a new or misconfigured system.
Be sure to make a backup after every system change. This will ensure that the most current settings are always available. In addition, keep your backups in a safe place, as they also contain security-relevant data such as certificates and cryptographic keys.
After generating a backup, you should always check it for readability. It is also a good idea to use an external program to generate MD5 checksums, as this will allow you to check the integrity of the backup later on.
4.5.1 Backup/Restore
On the Management > Backup/Restore > Backup/Restore tab you can create backups,
import backups, as well as restore, download, send, and delete existing backups.
Available Backups
This section is only visible if at least one backup has been created before, either by the automatic backup function or manually (see section Create Backup).
All backups are listed with the date and time of their creation, their UTM version number, the user who created them, and the comment.
You can decide whether to download, restore, delete, or send a backup.
• Download: Opens a dialog window where you can decide to download the file encrypted (provide password) or unencrypted. Click Download Backup. You are prompted to select a location in the file system for the downloaded backup to reside.
  • Encrypt before downloading: Before downloading or sending it, you have the option to encrypt the backup. Encryption is realized with the Blowfish cipher in CBC mode. Provide a password (a second time for verification). You will be asked for this password when importing the backup. The file extension for encrypted backups is ebf, for unencrypted backups abf.
  Note – A backup does include administrator passwords, the high availability passphrase if configured, as well as all RSA keys and X.509 certificates. Since this information is confidential, it is good practice to enable encryption.
• Restore: Replaces the current system settings with the settings stored in a backup. You will have to log in again afterwards. If the selected backup contains all data you can log in directly. If the selected backup does not contain all data (see section Create Backup) you will have to enter the necessary data during the login procedure. If only the host data has been removed in the selected backup you can add an additional administrative email address if you want. It will be used where no recipient is given and as an additional address where multiple recipients are possible.
  Note – Backup restoration is only backward compatible. Only backups from versions smaller than the current one are considered functional. If there is a version conflict the version number in the Available backups list will be orange.
  • Restoring backups from USB flash drive: You can also restore unencrypted backup files (file extension abf) from a FAT formatted USB flash drive such as a simple USB stick. To restore a backup from a USB flash drive, copy the backup file to the USB flash drive and plug the device into Sophos UTM prior to boot up. If several backup files are stored on the device, the lexicographically first file will be used (numbers precede letters). For example, suppose the backup files gateway_backup_2012-04-17.abf and 2011-03-20_gateway_backup.abf are both stored on the USB flash drive. During boot up, the second file will be used because it begins with a number, although it is much older than the other one.
  In addition, a lock file is created after the successful recovery of a backup, preventing the installation of the same backup over and over again while the USB flash drive is still plugged in. However, if you want to install a previous backup once again, you must first reboot with no USB flash drive plugged in. This will delete all lock files. When you now boot with the USB flash drive plugged in again, the same backup can be installed.
• Delete: Deletes a backup from the list. Using the Delete icon at the bottom of the list, you can delete all selected backups. To select backups, click the checkboxes to the left of the backups or use the checkbox at the bottom to select all backups.
• Send: In a dialog window you can specify the email recipients. By default, the address(es) provided on the Automatic Backups tab are selected. Then decide if you want to send the file encrypted (provide password) or unencrypted. Click Send Now to send the backup.
  • Encrypt before sending: See Encrypt before downloading above.
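As an added example (not Sophos code), the following Python helpers cover two points from this section: which .abf file a USB restore would pick when several are present (lexicographic order, digits before letters), and a checksum manifest (MD5 as the guide suggests, plus SHA-256) for verifying downloaded backups before a restore. The file names and contents used in demo() are constructed.

```python
"""Helpers for the backup workflow described above (added example, not Sophos code)."""
import hashlib
import os
import tempfile

BACKUP_SUFFIXES = (".abf", ".ebf")  # unencrypted / encrypted backup files, as in the guide


def usb_restore_candidate(filenames):
    """Return the file a USB restore would use, or None if there is no candidate.

    Only unencrypted .abf files are restored from a USB flash drive; among those
    the lexicographically first name wins. Plain code-point ordering is used, so a
    name starting with a digit sorts before one starting with a letter regardless
    of which backup is actually newer.
    """
    candidates = sorted(f for f in filenames if f.lower().endswith(".abf"))
    return candidates[0] if candidates else None


def file_digests(path):
    """Compute MD5 (as the guide suggests) and SHA-256 of a file in a single pass."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def write_manifest(directory, manifest_name="CHECKSUMS.txt"):
    """Record digests of every backup file in `directory`; return the entries written."""
    entries = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(BACKUP_SUFFIXES):
            entries[name] = file_digests(os.path.join(directory, name))
    with open(os.path.join(directory, manifest_name), "w", encoding="utf-8") as fh:
        for name, d in entries.items():
            # Two-space separators; backup names never contain double spaces.
            fh.write(f"{d['md5']}  {d['sha256']}  {name}\n")
    return entries


def verify_manifest(directory, manifest_name="CHECKSUMS.txt"):
    """Re-hash every file listed in the manifest and return {name: status}.

    status is 'ok', 'modified' (a digest differs) or 'missing' (file not found).
    """
    results = {}
    with open(os.path.join(directory, manifest_name), encoding="utf-8") as fh:
        for line in fh:
            md5, sha256, name = line.rstrip("\n").split("  ", 2)
            path = os.path.join(directory, name)
            if not os.path.exists(path):
                results[name] = "missing"
                continue
            d = file_digests(path)
            results[name] = "ok" if (d["md5"], d["sha256"]) == (md5, sha256) else "modified"
    return results


def demo():
    """Run the helpers on constructed sample files (not real UTM backups)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("gateway_backup_2012-04-17.abf",
                     "2011-03-20_gateway_backup.abf",
                     "gateway_backup_2012-04-18.ebf"):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(b"constructed backup payload for " + name.encode())
        chosen = usb_restore_candidate(os.listdir(tmp))
        write_manifest(tmp)
        before = verify_manifest(tmp)
        # Simulate a corrupted download of one backup, then verify again.
        with open(os.path.join(tmp, "gateway_backup_2012-04-17.abf"), "ab") as fh:
            fh.write(b"\x00")
        after = verify_manifest(tmp)
        return chosen, before, after


if __name__ == "__main__":
    print(demo())
```

A digest only detects accidental corruption of a file you already trust, so keep the manifest apart from the backup copies themselves.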
Create Backup
Backups are not only useful to restore your system after an (unwanted) change or failure. Moreover, they can be used as templates to set up systems that should have a similar configuration, so that those systems are already pre-configured in some way, which can save you a lot of time. For that, you can strip certain information from a backup before it is created, e.g. hostname, certificates, etc.
To create a backup with the current system state, proceed as follows:
1. In the Create Backup section, enter a comment (optional).
The comment will be displayed along with the backup in the backup list.
2. Make the following settings (optional):
Remove unique site data: Select this option to create the backup without host-specific data. This includes hostname, system ID, SNMP data, HA data, license, shell user passwords, and anonymization passwords as well as all certificates, public and private keys, fingerprints and secrets of Email Protection, Web Protection, Client Authentication, IPsec, SSL VPN, RED, WebAdmin, Web Application Firewall, and proxies.
Such backups are a convenient means to set up multiple similar systems. There are some things to consider though: 1) After restoring you are presented with the basic system setup. 2) Only the first interface is configured, the primary IP address being the one that has been configured during installation. All other interfaces will be disabled and set to IP address 0.0.0.0.
Caution – Although most of the host-specific data is removed, such a backup template still contains confidential information, such as user passwords. Therefore it is good practice to always encrypt it.
Remove administrative mail addresses: Select this option to additionally remove the administrator email addresses used in various parts of UTM, e.g. postmaster addresses in Email Protection, notifications, etc. This option is especially useful for IT partners who set up Sophos UTM devices at customers' sites.
3. Click Create Backup Now.
The backup appears in the list of available backups.
If a backup is created with one or both of the options selected, the backup entry
contains a respective additional comment.
Note – The HA settings are part of the hardware configurations and cannot be
saved in a backup. This means that the HA settings will not be overwritten by a
backup restore.
Import Backup
To import a backup, proceed as follows:
1. Click the Folder icon and select a backup file to upload.
2. Click Start Upload.
3. Decrypt the backup.
If you want to upload an encrypted backup file, you must provide the correct passphrase prior to importing the backup.
4. Click Import Backup to import the backup.
Note that the backup will not instantly be restored. Instead, it will be added to the
Available backups list.
4.5.2 Automatic Backups
On the Management > Backup/Restore > Automatic Backup tab you can configure several options dealing with the automatic generation of backups. To have backups created automatically, proceed as follows:
1. Enable automatic backups on the Automatic Backups tab.
Click the toggle switch.
The toggle switch turns green and the Options and Send Backups by Email areas
become editable.
2. Select the interval.
Automatic backups can be created at various intervals.
You can choose between daily, weekly, and monthly.
3. Specify the maximum number of backups to be stored.
Automatically created backups are stored up to the number you enter here. Once
the maximum has been reached, the oldest automatic backups will be deleted.
Note that this applies to automatically created backups only. Backups created
manually and backups created automatically before a system update will not be
deleted.
4. Click Apply.
Your settings will be saved.
The toggle switch turns green.
To save you the work of backing up your UTM manually, the backup feature supports
emailing the backup file to a list of defined email addresses.
Recipients: Automatically generated backups will be sent to users contained in the
Recipients box. Multiple addresses can be added. By default, the first administrator's
email address is used.
Encrypt email backups: In addition, you have the option to encrypt the backup (Triple DES encryption).
Password: Once you have selected the Encrypt email backups option, provide a password (a second time for verification). You will be prompted for this password when importing the backup.
Automatically created backups will appear in the Available Backups list on the Backup/Restore tab, marked with the System flag indicating the Creator. From there, they can be restored, downloaded, or deleted like any backup you have created yourself.
4.6 User Portal
The User Portal of Sophos UTM is a special browser-based application on the unit
providing personalized email and remote access services to authorized users. It can be
accessed by browsing to the URL of Sophos UTM, for example,
https://192.168.2.100 (note the HTTPS protocol and the missing port number 4444
you would normally enter for accessing the WebAdmin interface).
Among other things, the User Portal contains the email quarantine, which holds messages that are infected by malicious software, contain suspicious attachments, are identified as spam, or contain certain expressions you have explicitly declared forbidden.
On the login page, users can select a language from the drop-down list located on the
right side of the header bar.
Figure 11 User Portal: Welcome Page
On the User Portal, users have access to the following services:
• SMTP Quarantine: Users can view and release messages held in quarantine. Which types of messages they are allowed to release can be determined on the Email Protection > Quarantine Report > Advanced tab. (The tab is called Mail Quarantine when POP3 is disabled.)
• SMTP Log: Here, users can view the SMTP log of their mail traffic. (The tab is called Mail Log when POP3 is disabled.)
• POP3 Quarantine: Users can view and release messages held in quarantine. Which types of messages they are allowed to release can be determined on the Email Protection > Quarantine Report > Advanced tab. (The tab is called Mail Quarantine when SMTP is disabled.)
• POP3 Accounts: Users can enter the credentials of POP3 accounts they use. Only those spam emails will appear in the User Portal for which POP3 account credentials are given. A user for whom POP3 account credentials are stored will receive an individual Quarantine Report for each email address. Note that allowed POP3 servers must be specified on the Email Protection > POP3 > Advanced tab.
• Sender Whitelist: Here, senders can be whitelisted, so that messages from them are not regarded as spam. However, emails with viruses or unscannable emails will still be quarantined. Whitelisted senders can be specified by either entering valid email addresses (e.g., jdoe@example.com) or all email addresses of a specific domain using an asterisk as wildcard (e.g., *@example.com). If the exact email address is listed on both the whitelist and the blacklist, the address is blacklisted.
• Sender Blacklist: Here, users can blacklist email senders, e.g. phishing@hotmail.com, or whole domains, e.g. *@hotmail.com. The blacklist is applied to both SMTP and POP3 email, if these are in use on the system. Blacklisted senders can be specified by clicking the Plus icon, entering the address and clicking the Tick icon to save it.
• Hotspots: Here, users can find and manage access data for hotspots. The tab is only available if at least one hotspot has been enabled for the specific user. For hotspots of the type password-of-the-day, the current password is available and can be changed. For hotspots of the type voucher, vouchers can be generated, printed, exported, and deleted. A list of generated vouchers shows information on their usage. For more information see Wireless Protection > Hotspots.
• Client Authentication: Here, users can download the setup file of Sophos Authentication Agent (SAA). The SAA can be used as authentication mode for the Web Filter. The Client Authentication tab is only available if Client Authentication is enabled. For more information see Definitions & Users > Client Authentication.
• OTP Token: Here, users find one or more QR codes and the respective detail information for configuring the UTM's one-time password service on their mobile devices. For more information see Definitions & Users > Authentication Services > One-time Password.
• Remote Access: Users can download remote access client software and configuration files provided for them. However, the Remote Access tab is only available if at least one remote access mode has been enabled for the specific user.
• HTML5 VPN Portal: Here, users can open VPN connections to predefined hosts using predefined services. The tab is only available if at least one VPN connection has been enabled for the specific user. For more information, see Remote Access > HTML5 VPN Portal.
• Change Password: Users can change the password for accessing the User Portal.
• HTTPS Proxy: Users can import the HTTP/S Proxy CA certificate to get rid of error messages when visiting secure websites. After clicking Import Proxy CA Certificate, users will be prompted by their browser to trust the CA for different purposes. For more information see Web Protection > Filtering Options > HTTPS CAs.
• Log out: Click here to log out of the User Portal. This is only necessary when you have selected Remember My Login at login (which creates a cookie) and you want to explicitly log out and have this cookie deleted. Otherwise, there is no need to use the Log out link—closing the browser tab or window is sufficient.
4.6.1 Global
On the Management > User Portal > Global tab you can enable the User Portal. Additionally you can specify which networks and which users should be granted access to the User Portal.
To enable User Portal access, proceed as follows:
1. Enable the User Portal.
Click the toggle switch.
The toggle switch turns amber and the User Portal Options area becomes editable.
2. Select the allowed networks.
Add or select the networks that should be allowed to access the User Portal. How
to add a definition is explained on the Definitions & Users > Network Definitions >
Network Definitions page.
3. Select the allowed users.
Select the users or user groups or add new users that should be able to access
the User Portal. How to add a user is explained on the Definitions & Users > Users
& Groups > Users page.
If you do not want to grant access to all users, unselect the Allow all users checkbox and select the users and user groups individually.
4. Click Apply.
Your settings will be saved.
The toggle switch turns green.
4.6.2 Advanced
On the Advanced tab you can configure an alternative hostname and port number for
the User Portal as well as language and security options.
Language
During login, the User Portal fetches the language settings of the web browser and loads the respective locales to display the portal in the same language as the browser defaults. For browser language settings that are not available for the User Portal, you can select here which language will be the fallback language. Users additionally have the option to select a language on the User Portal login page.
Security
The User Portal uses cookies to track sessions. Persistent cookies allow users to return after closing a session without having to log in again. They can always be deleted from the user side, however, by using the Log Out button of the User Portal.
Disable Portal Items
For the features listed here a menu item is displayed in the User Portal when the
respective feature has been enabled in WebAdmin. However, here you can define menu
items that should not be displayed in the User Portal. To do so, select the respective
option(s) and click Apply.
Network Settings
Hostname: By default, this is UTM's hostname as given on the Management > System
Settings > Hostname tab. However, if you want to grant access to the User Portal for
users gaining access over the Internet, it might be necessary to enter an alternative
hostname here that can be publicly resolved.
Listen address: Default value is Any. When using the web application firewall you need to give a specific interface address for the service to listen for User Portal connections. This is necessary for the User Portal connection handler and the web application firewall to be able to differentiate between the incoming SSL connections.
Port: By default, port 443 for HTTPS is selected. You can change the port to any value in
the range from 1024 to 65535. Note that you cannot select either 10443 or the
WebAdmin TCP Port, which is configured on the Management > WebAdmin Settings >
Advanced tab. Independent of the defined port, the User Portal can always be accessed
via HTTPS only.
Welcome Message
You can customize the welcome message of the User Portal. Simple HTML markup and
hyperlinks are allowed.
Note – Changing the welcome message is not possible when using a home use
license.
4.7 Notifications
Sophos UTM comes with a notification feature that informs you immediately about all
sorts of security-relevant events occurring on UTM, either by email or SNMP trap. All
events that might possibly be of interest to an administrator are represented by various error, warning, and information codes. What notifications are sent depends on the
selection you have configured on the Notifications tab.
4.7.1 Global
On the Management > Notifications > Global tab you can configure the sender address
(i.e., the From address) to be taken for notification emails sent by UTM. By default, this
is do-not-reply@fw-notify.net. If you want to change this address, it is advisable to
enter an email address of your domain, as some mail servers might be configured to
check whether a given sender address really exists.
In addition, you can specify the recipients of UTM notifications. By default, this is the
administrator's email address you had entered during the initial setup.
Limit notifications: Some security-relevant events such as detected intrusion attempts
will create a lot of notifications, which may quickly clog the notification recipients'
email inboxes. For this reason, Sophos UTM has sensible default values to limit the number of notifications sent per hour. If you disable this option, every security-relevant event will create a notification, provided the event is configured so as to send a notification on the Management > Notifications > Notifications tab.
Device Specific Text
Here you can enter a description of Sophos UTM, e.g. its location, which will be displayed in the notifications sent.
4.7.2 Notifications
Notifications are divided into three categories:
- CRIT: Messages informing about critical events that might render UTM inoperable.
- WARN: Warnings about potential problems that need your attention, for example, exceeding thresholds.
- INFO: Merely informational messages such as the restart of a system component, for example.
You can select whether you want to send the notification as email or SNMP trap.
4.7.3 Advanced
In case your UTM cannot send emails directly, you can configure a smarthost to send
the emails. Proceed as follows:
1. Enable External SMTP server status on the Management > Notifications >
Advanced tab.
Click the toggle switch.
The toggle switch turns amber and the External SMTP Server area becomes editable.
2. Enter your smarthost.
You can use drag-and-drop. The port is preset to the default SMTP port 25.
- Use TLS: Select this checkbox if you want to enforce STARTTLS when sending notifications. Note that notifications will not be sent if the smarthost does not support TLS.
3. Specify the authentication settings.
If the smarthost requires authentication, check the Authentication checkbox and
enter the corresponding username and password.
4. Click Apply.
Your settings will be saved.
The toggle switch turns green.
4.8 Customization
The tabs under Management > Customization allow you to customize and localize email
notifications and status messages created by Sophos UTM, making it possible to adapt
those messages to both your policy and your corporate identity.
In addition, you can edit and upload custom web templates to further change the way
that users receive block messages and other notifications.
Note – Customization is not possible when using a home use license.
4.8.1 Global
On the Management > Customization > Global tab you can customize global display options for the system messages presented to users. Note that UTF-8/Unicode is supported.
The example below shows the customizable global options (Company Logo and Custom Company Text), along with an example of a "Content Block" message, which is configured on the Management > Customization > Web Messages page.
Figure 12 Customization: Example Blocked Page and Its Customizable Parts
Company Logo
You can upload your own logo/banner (in png format only), which is used in the following contexts:
- Web messages
- POP3 blocked messages
- Quarantine release status messages (which will appear in the Quarantine Report after a spam email has been released from the quarantine or whitelisted.)
- Quarantine Report
Some of the messages displayed to users have been optimized for the default logo
(195 x 73 pixels with a transparent background). For the best-looking results, use an
image that has the same attributes.
Note – With HTTPS connections, if the logo is larger than 512 KB, it will not be embedded.
To upload a logo:
1. Open the Upload file dialog window.
Click the Folder icon next to the Upload new logo box.
The Upload File dialog window opens.
2. Select the logo.
Browse to the location where the logo that you want to upload resides.
Once you have selected the logo, click Start Upload.
3. Click Apply.
The logo will be uploaded, replacing the file that is already installed.
Custom Company Text
Customize the message that will be displayed beneath the company logo whenever a
website was blocked by the virus scanner or the content filter of Sophos UTM. For
example, you might want to enter the administrator's contact data here.
4.8.2 Web Messages
Customize the text for web filtering messages displayed by Sophos UTM. Some messages are displayed when users are restricted from downloading files that are too large, are of a certain type, or contain a virus. Other messages are displayed when users attempt to access restricted websites or applications, while users are downloading files, or when users are required to authenticate with the UTM. You can translate messages into other languages or, for example, modify the messages to show customer support contact information.
Note – The text entered in the fields of the Web Messages tab can be referenced in custom web templates. For more information, see chapter Web Templates.
The following messages are configurable:
Content Block
- Surf Protection: This message is displayed when a user attempts to access a webpage whose URL matches a category that is configured to be blocked or the site's reputation falls below the specified threshold. For more information, see Web Protection > Web Filtering.
- MIME Type: This message is displayed when a user requests a file that is a blocked MIME type. For more about specifying MIME types, see Web Protection > Web Filtering > Policies > Downloads.
- File Extension: This message is displayed when a user requests a blocked file extension. For more about specifying file extensions, see Web Protection > Web Filtering > Policies > Downloads.
- File Size: This message is displayed when a user requests a file that exceeds the file size limit. To configure download size limits, see Web Protection > Web Filtering > Policies > Downloads.
- Application Control: This message is displayed when a user attempts to use a type of network traffic that is configured to be blocked by Application Control. For more information, see Web Protection > Application Control.
- Virus Detected: This message is displayed when a file is blocked due to a virus infection. For more information on configuring virus protection, see Web Protection > Web Filtering > Policies > Antivirus.
- Blacklist: This message is displayed when a user attempts to retrieve a webpage that matches a blacklisted URL. To blacklist URLs, see Web Protection > Web Filtering > Policies > Website Filtering.
Download/Scan
- Download in Progress: This message is displayed while a file is being downloaded. See Download Manager.
- Virus Scan in Progress: This message is displayed while the UTM scans files for malicious content. See Download Manager.
- Download Complete: This message is displayed after a file has been fully downloaded, scanned, and determined safe. See Download Manager.
Authentication
- Transparent Mode Authentication: This option only applies if you use Web Filtering in Transparent Mode, and you have selected the "Browser" authentication mode. For more information, see Web Protection > Web Filter Profiles > Filter Profiles. The text is displayed on the authentication page, where users must log in before using the Web Filter. If the Terms of Use field is filled in, a disclaimer is displayed on the authentication page. If this field is empty (as it is by default), a disclaimer is not displayed.
- Bypass Content Block: This message is displayed when a page is blocked by Surf Protection and the bypass blocking option is enabled (see Web Protection > Filtering Options > Bypass Users). If the Terms of Use field is filled in, a disclaimer is displayed on the authentication page. If this field is empty (as it is by default), a disclaimer is not displayed.
Error
- Server Error: This message is displayed if an error occurs while processing the user's request.
- Administrator Information: Here you can enter information about the administrator managing the Web Filter, including the administrator's email address.
4.8.2.1 Modifying a Web Message
To modify a message, do the following:
1. Select the message.
From the Page drop-down list, select the end user message that you want to edit.
The Subject and Description for that message are displayed.
2. Modify the subject and/or description.
Modify the default text as necessary.
3. Click Apply.
The text changes are saved.
4.8.2.2 Download Manager
If the Web Filter is enabled, the web browser will display the following download pages
while downloading content greater than 1 MB in size that is neither text nor an image.
The download page will not be displayed when video or audio streams are requested or
more than 50 % of the file has been downloaded within five seconds.
The information provided on the download pages can be customized on the Web Messages tab.
Figure 13 Customization: HTTP Download Page Step 1 of 3: Downloading File
Figure 14 Customization: HTTP Download Page Step 2 of 3: Virus Scanning
Figure 15 Customization: HTTP Download Page Step 3 of 3: File Download Completed
4.8.3 Web Templates
To customize both the appearance and content of messages that are displayed to
users, you can upload HTML files to Sophos UTM. As a guide, Sophos provides several
sample templates. These templates show you how to use variables that can dynamically insert information that is relevant for individual user messages. For example, if a
file is blocked because it contains a virus, you can include a variable that inserts the
name of the virus that was blocked.
4.8.3.1 Customizing Web Templates
Caution – Customizing Sophos UTM notifications is an advanced topic. Only those
with sufficient knowledge of HTML and JavaScript should attempt these tasks.
You can upload custom versions of Sophos UTM notifications, including block messages, status messages, error messages, and authentication prompts. The four sample templates contain working examples of variables as well as several sample images. Either use the sample templates as a basis for your custom messages and notifications or upload your own HTML files. Valid variables are described in Using Variables in UTM Web Templates in the Sophos Knowledgebase.
If you want to use the text from a message configured on the Web Messages tab, you
can insert the appropriate variable in your custom template. For more information, see
chapter Web Messages.
To download the sample templates and images, click the link below, and save the .zip
file:
http://www.astaro.com/lists/Web_Templates.zip
Note – The zip file contains examples with and without embedded images. If an image
is embedded into an HTML file, you do not need to upload the corresponding image.
4.8.3.2 Uploading Custom Web Templates and Images
Once you have edited and saved your custom template, you are ready to upload it to
the UTM.
To upload a web template or image:
1. Open the Upload File dialog window.
Click the Folder icon next to the name of the type of template that you want to
upload, or click the Folder icon next to Images if you want to upload an image.
Note – The supported file types are .png, .jpg, .jpeg, and .gif. Use embedded images and stylesheets with HTTPS connections.
The Upload File dialog window opens.
2. Select the template or image.
Browse to the location of the template or image that you want to upload.
Once you have selected the template or image, click Start Upload.
The Upload File dialog window closes.
3. Click Apply.
The template or image will be uploaded.
4.8.4 Email Messages
Customize the text that is displayed in user messages generated by the SMTP/POP3 proxies of Sophos UTM. You can translate these messages into other languages or modify them to show customer support contact information, for example. The following messages can be customized:
Quarantine
Email released from quarantine: This message is shown when an email was successfully released from the quarantine.
Error on releasing email from quarantine: This message is shown when an error occurred while releasing an email from the quarantine.
POP3
POP3 message blocked: This message is sent to the recipient when a POP3 email message was blocked.
Figure 16 Customization: POP3 Proxy Blocked Message
SPX
These notification emails are sent when SPX Encryption is enabled and something
went wrong. The notifications are sent to the specified persons (see Email Encryption >
SPX Encryption > SPX Configuration tab).
Sender specified password missing: This email is sent to the specified person(s) when
the email sender did not specify a password for SPX encryption.
Sender specified password too short: This email is sent to the specified person(s)
when the password specified by the email sender is too short.
Sender specified password does not include special characters: This email is sent to
the specified person(s) when the password specified by email sender does not contain
the required special character.
Internal error: This email is sent to the specified person(s) when the email could not be
delivered due to technical problems.
Internal error – sender notification: This email is sent to the specified person(s) when
the email could not be delivered due to an error during the creation of SPX mail.
Reply portal URL not found: This message will be displayed on the reply portal page,
when the recipient clicks the Reply button in the encrypted email, and the underlying
URL cannot be found.
As the default settings show, some variables can be used in the notifications:
- %%SENDER%% (only in the email subject): The email sender
- %%RECIPIENT%%: The email recipient
- %%REASON%% (only in the email description): The reason for the message. Will be replaced by an appropriate error text
4.9 SNMP
The Simple Network Management Protocol (SNMP) is used by network management
systems to monitor network-attached devices such as routers, servers, and switches.
SNMP allows the administrator to make quick queries about the condition of each monitored network device. You can configure Sophos UTM to reply to SNMP queries or to send SNMP traps to SNMP management tools. The former is achieved with so-called management information bases (MIBs). An MIB specifies what information can be queried for which network device. Sophos UTM supports SNMP version 2 and 3 and the following MIBs:
- DISMAN-EVENT-MIB: Event Management Information Base
- HOST-RESOURCES-MIB: Host Resources Management Information Base
- IF-MIB: Interfaces Group Management Information Base
- IP-FORWARD-MIB: IP Forwarding Table Management Information Base
- IP-MIB: Management Information Base for the Internet Protocol (IP)
- NOTIFICATION-LOG-MIB: Notification Log Management Information Base
- RFC1213-MIB: Management Information Base for Network Management of TCP/IP-based Internet: MIB II
- SNMPv2-MIB: Management Information Base for the Simple Network Management Protocol (SNMP)
- TCP-MIB: Management Information Base for the Transmission Control Protocol (TCP)
- UDP-MIB: Management Information Base for the User Datagram Protocol (UDP)
In order to get Sophos UTM system information, an SNMP manager must be used that
has at least the RFC1213-MIB (MIB II) compiled into it.
4.9.1 Query
On the Management > SNMP > Query page you can enable the usage of SNMP queries.
To configure SNMP queries, proceed as follows:
1. Enable SNMP Queries.
Click the toggle switch.
The sections SNMP Version and SNMP Access Control become editable.
2. Select the SNMP version.
In the SNMP Version section, select a version from the drop-down list. SNMP version 3 requires authentication.
3. Select allowed networks.
Networks listed in the Allowed Networks box are able to query the SNMP agent running on Sophos UTM. Only add networks to the Allowed Networks that will actually query the SNMP agent; it is not advisable to add any non-private networks to the list. Note that the access is always read-only.
- Community string: When using version 2, enter a community string. An SNMP community string acts as a password that is used to protect access to the SNMP agent. By default, the SNMP community string is "public", but you can change it to any setting that best suits your needs.
Note – Allowed characters for the community string are: (a-z), (A-Z), (0-9),
(+), (_), (@), (.), (-), (blank).
- Username/Password: When using version 3, authentication is required. Enter a username and password (second time for verification) to enable the remote administrator to send queries. The password must have at least eight characters. SNMP v3 uses SHA for authentication and AES for encryption. Note that username and password are used for both of them.
4. Click Apply.
Your settings will be saved.
Furthermore, you can enter additional information about UTM.
Device Information
The Device Information text boxes can be used to specify additional information about
UTM such as its name, location, and administrator. This information can be read by
SNMP management tools to help identify UTM.
Note – All SNMP traffic (protocol version 2) between UTM and the Allowed Networks is
not encrypted and can be read during the transfer over public networks.
Astaro Notifier MIB
This section allows you to download the Astaro MIB which contains the definitions of
the Sophos UTM notification SNMP traps. For historical reasons the MIB uses the Astaro
Private Enterprise Code (SNMPv2-SMI::enterprises.astaro).
4.9.2 Traps
In the Traps tab you can define an SNMP trap server to which notifications of relevant
events occurring on UTM can be sent as SNMP traps. Note that special SNMP monitoring software is needed to display those traps.
The messages that are sent as SNMP traps contain so-called object identifiers (OID),
for example, .1.3.6.1.4.1.9789, which belong to the private enterprise numbers
issued by IANA. Note that .1.3.6.1.4.1 is the
iso.org.dod.internet.private.enterprise prefix, while 9789 is Astaro's Private
Enterprise Number. The OID for notification events is 1500, to which are appended the
OIDs of the type of the notification and the corresponding error code (000-999). The following notification types are available:
- DEBUG = 0
- INFO = 1
- WARN = 2
- CRIT = 3
Example: The notification "INFO-302: New firmware Up2Date installed" will use the OID
.1.3.6.1.4.1.9789.1500.1.302 and has the following string assigned:
[<HOST>][INFO][302]
Note that <HOST> is a placeholder representing the hostname of the system and that
only type and error code from the notification's subject field are transmitted.
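As an added example that is not part of the Sophos guide or the product's own code, the following Python decodes a UTM notification trap according to the OID layout and trap string described above, cross-checks the OID against the trap string before trusting either, and classifies the event by type so a receiver can decide whether it needs attention. The hostname utm.example.net is a constructed sample value; the OID and code are the INFO-302 example from the guide.

```python
"""Decode Sophos UTM notification SNMP traps into structured events.

Added example, not product code. Assumes the layout described in the guide:
enterprises.astaro (.1.3.6.1.4.1.9789), notification branch 1500, then the
type (0-3) and the error code (000-999), and the payload string
"[<HOST>][<TYPE>][<code>]".
"""
import re
from dataclasses import dataclass
from typing import Tuple

# iso.org.dod.internet.private.enterprise prefix, Astaro's Private Enterprise
# Number and the notification branch, as given in the guide.
ENTERPRISE_PREFIX = ("1", "3", "6", "1", "4", "1")
ASTARO_PEN = "9789"
NOTIFICATION_BRANCH = "1500"

# Notification types as listed in the guide.
TYPE_NAMES = {0: "DEBUG", 1: "INFO", 2: "WARN", 3: "CRIT"}
TYPE_IDS = {name: num for num, name in TYPE_NAMES.items()}

# Trap payload string: "[<HOST>][<TYPE>][<code>]", code is three digits.
TRAP_STRING_RE = re.compile(
    r"^\[(?P<host>[^\]]+)\]\[(?P<level>DEBUG|INFO|WARN|CRIT)\]\[(?P<code>\d{3})\]$"
)


@dataclass(frozen=True)
class UtmNotification:
    host: str
    level: str
    code: int

    @property
    def subject_prefix(self) -> str:
        """The "INFO-302" form used in the notification subject line."""
        return f"{self.level}-{self.code:03d}"


def parse_trap_oid(oid: str) -> Tuple[str, int]:
    """Split a trap OID into (type name, error code).

    Accepts the OID with or without a leading dot and rejects anything that
    is not exactly enterprises.astaro.1500.<type>.<code>.
    """
    parts = tuple(oid.strip().lstrip(".").split("."))
    expected_head = ENTERPRISE_PREFIX + (ASTARO_PEN, NOTIFICATION_BRANCH)
    if len(parts) != len(expected_head) + 2 or parts[: len(expected_head)] != expected_head:
        raise ValueError(f"not a Sophos UTM notification OID: {oid}")
    type_part, code_part = parts[-2:]
    if not (type_part.isdigit() and code_part.isdigit()):
        raise ValueError(f"non-numeric type or code in OID: {oid}")
    type_id, code = int(type_part), int(code_part)
    if type_id not in TYPE_NAMES:
        raise ValueError(f"unknown notification type {type_id} in OID: {oid}")
    if not 0 <= code <= 999:
        raise ValueError(f"error code outside 000-999 in OID: {oid}")
    return TYPE_NAMES[type_id], code


def parse_trap_string(text: str) -> UtmNotification:
    """Parse the "[<HOST>][INFO][302]" payload into a notification."""
    m = TRAP_STRING_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed trap string: {text!r}")
    return UtmNotification(host=m["host"], level=m["level"], code=int(m["code"]))


def decode_trap(oid: str, text: str) -> UtmNotification:
    """Decode one trap and cross-check the OID against the payload string.

    A receiver should not trust either field alone: a mismatch means the trap
    was mis-parsed or altered in transit, so it is reported instead of
    silently preferring one side.
    """
    level, code = parse_trap_oid(oid)
    event = parse_trap_string(text)
    if (event.level, event.code) != (level, code):
        raise ValueError(
            f"OID says {level}-{code:03d} but payload says {event.subject_prefix}"
        )
    return event


def needs_attention(event: UtmNotification, minimum: str = "WARN") -> bool:
    """True if the event is at or above the given level (DEBUG < INFO < WARN < CRIT)."""
    return TYPE_IDS[event.level] >= TYPE_IDS[minimum]


if __name__ == "__main__":
    # Constructed sample: hostname is made up, OID and code are the guide's
    # "INFO-302: New firmware Up2Date installed" example.
    sample = decode_trap(".1.3.6.1.4.1.9789.1500.1.302", "[utm.example.net][INFO][302]")
    print(sample.subject_prefix, "from", sample.host, "needs attention:", needs_attention(sample))
```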
To select an SNMP v2c trap server, proceed as follows:
1. Click New SNMP Trap Sink.
The Add SNMP Trap Sink dialog box opens.
2. Make the following settings:
SNMP version: Select SNMP v2c from the drop-down list.
Host: The host definition of the SNMP trap server.
Community: An SNMP community string acts as a password that is used to protect access to querying SNMP messages. By default, the SNMP community string
is set to "public". Change it to the string that is configured on the remote SNMP
trap server.
Note – Allowed characters for the community string are: (a-z), (A-Z), (0-9), (+),
(_), (@), (.), (-), (blank).
Comment (optional): Add a description or other information.
3. Click Save.
The new SNMP trap server will be listed on the Traps tab.
The SNMP version 3 requires authentication. To select an SNMP v3 trap server, proceed
as follows:
1. Click New SNMP Trap Sink.
The Add SNMP Trap Sink dialog box opens.
2. Make the following settings:
SNMP version: Select SNMP v3 from the drop-down list.
Host: The host definition of the SNMP trap server.
Username: Enter username for authentication.
Authentication type: Select authentication type from the drop-down list.
Password: Enter password for authentication.
Repeat: Repeat password for authentication.
Encryption type: Select encryption type from the drop-down list.
Password: Enter password for encryption.
Repeat: Repeat password for encryption.
Engine ID: Enter the Engine ID.
Comment (optional): Add a description or other information.
3. Click Save.
The new SNMP trap server will be listed on the Traps tab.
4.10 Central Management
The pages of the Central Management menu let you configure interfaces to management tools that can be used to monitor or remotely administer the gateway.
4.10.1 Sophos UTM Manager
Sophos UTM Manager (SUM) is Sophos' central management product. You can connect several UTM appliances to a SUM where they can be centrally monitored, configured and maintained. SUM 4.2 supports configuring UTM 9.2 only. Other UTM versions will appear in SUM as well and can be monitored. If, for example, a UTM 9.2 connects with a SUM 4.1, it falls into legacy mode; backups and up2date installations are still allowed in that mode.
On this tab, you can configure the connection of your UTM to one or two SUMs.
Note – When using MSP licensing, disabling SUM, changing the SUM host, or modifying
the rights of the SUM administrator can only be done by Sophos UTM Manager (SUM).
To prepare Sophos UTM to be monitored by a SUM server, proceed as follows:
1. On the Sophos UTM Manager tab, enable SUM.
Click the toggle switch.
The toggle switch turns amber and the SUM Settings area becomes editable.
2. Specify the SUM host.
Select or add the SUM server UTM should connect to. How to add a definition is
explained on the Definitions & Users > Network Definitions > Network Definitions
page.
- Authentication (optional): If the SUM server requires authentication, select this option and enter the same password (shared secret) as configured on the SUM server.
- Use SUM server as Up2Date cache (optional): Up2Date packages can be fetched from a cache located on the SUM server. If you want to use this functionality for your gateway, select the option Use SUM server as Up2Date cache. Please ensure that on your managing SUM server the Up2Date cache functionality is enabled accordingly. Note that usage of the Up2Date cache functionality is mutually exclusive with using a parent proxy configuration for Up2Dates.
3. Define the rights of the SUM administrator.
On SUM, the administrator responsible for this UTM can only administer those
areas of your UTM which are explicitly allowed to be administered here. The
rights listed here correspond to the SUM Gateway Manager main menu and administrative options.
Administration: If selected, the administrator can use all features located in the Maintenance and Management menus. He can, for example, view the inventory, create and restore backups, and schedule actions like firmware updates.
Reporting: If selected, the administrator can use all features located in the Reporting menu. He can, for example, request reports from UTM.
Monitoring: If selected, UTM will be displayed on the Monitoring pages and the
administrator can use all associated features.
Configuration: If selected, the administrator can use all features located in the
Configuration menu. He can, for example, deploy objects (networks, hosts, VPNs)
to UTM.
Note – Please refer to the Sophos UTM Manager Administration Guide for
detailed information.
4. Click Apply.
Your settings will be saved.
The toggle switch turns green.
UTM will now try to establish a connection to Sophos UTM Manager. Once the connection between both systems is established, the connection status will turn
green. Then UTM can be monitored and administered by the SUM server selected
here. You will be able to see the current connection status and health in the SUM
Health section. Reloading the page will update this data. Please use the Open Live
Log button and read carefully the messages from the message board to be able
to diagnose connection problems should they occur.
Settings for a Second SUM
In this section, you can optionally add a second SUM. This is useful if, for example, you do the configuration yourself (first SUM server) but still want your machines to be monitored by a third party, e.g. your MSSP (second SUM server). The settings are almost identical to the first SUM's settings, except that the Configuration option is missing, because configuration rights are limited to the first SUM. The UTM will also not appear in the MSP section of the second SUM, which means MSP licensing is only possible from the first SUM.
Note – The communication between the gateway and SUM takes place on port 4433,
whereas the Sophos UTM Manager can be accessed through a browser via the HTTPS
protocol on port 4444 for the WebAdmin and on port 4422 for the Gateway Manager
interface.
SUM Health
You will be able to see the current connection status and health in the section called
SUM Health. Reloading the page will update this data.
SUM Objects
This area is disabled (grayed-out) unless there are objects that have been created via a
SUM and if this SUM is now disconnected from the Sophos UTM. SUM-created objects
can be network definitions, remote host definitions, IPsec VPN tunnels, etc.
The button Cleanup Objects can be pressed to release any objects that were created by
the SUM the device has formerly been managed with. These objects are normally
locked and can only be viewed on the local device. After pressing the button, the
objects become fully accessible and can be reused or deleted by a local administrator.
In case there are objects which are not in use, they will be deleted directly and are not
reusable.
Note – In case former SUM-created objects are cleaned up, they cannot be re-transformed when reconnecting to that same SUM. This means that if the remote SUM still
hosts object definitions for a device which later re-establishes a connection to it,
those objects will be deployed to the device again—although local copies will then
already exist.
Live Log
You can use the live log to monitor the connection between your Sophos UTM and the
SUM. Click the Open Live Log button to open the live log in a new window.
4.11 Sophos Mobile Control
With Sophos Mobile Control (SMC) you can manage, secure, update and locate mobile devices like smartphones and tablets with iOS, Android or Windows Phone, control which apps are allowed to be installed on them, and secure company emails. The Sophos Mobile Control WebAdmin interface gives you the possibility to define compliant devices and users, set network access control and push the settings to the SMC server.
For more information, visit the Sophos Mobile Control website.
SMC Server
SMC runs on a separate server. In the Sophos UTM you can connect to the SMC server to get an overview of the compliant and non-compliant devices and users, define network access for VPN and wireless networks and push network configurations to the SMC server.
You can run an SMC server in two different ways:
- With an on-premise installation to keep your data in-house on your own server.
- Using the SMC as a service version where no hardware is necessary on your part.
Note – To use SMC you need a valid license. After downloading the software from the
Sophos Mobile Control Website, you receive a trial license. You can get a full license
from your Sophos partner.
For more information on SMC server and licenses, see the Sophos Mobile Control Docu
mentation.
SMC Apps
To use SMC on your mobile devices you need to download the SMC app to your
smartphone or tablet. You can download the app for free in each app store (Apple iTunes,
Google Play or Windows App Store).
• Download SMC app on iTunes for iOS
• Download SMC app on Google Play for Android
• Download SMC app on Windows App Store for Windows Phone
4.11.1 General
The Management > Sophos Mobile Control > General tab allows you to define the
Sophos Mobile Control host and specify customer details and credentials for logging
into the SMC Server. The SMC administrator creates customer accounts and login data.
Note – You cannot create an SMC server on this tab. More information about creating an
SMC server can be found in the Sophos Mobile Control Documentation.
1. Enable Sophos Mobile Control:
Click the toggle switch.
The toggle switch turns amber and the Global Settings area becomes editable.
2. Make the following settings:
SMC Server: Add or select the server to host SMC.
Customer: Enter the SMC customer.
Username: Enter the SMC username.
Password: Enter the SMC password.
Note – You cannot create a new customer or define a user or password in the
Sophos UTM. New customers can only be created directly in SMC.
CA certificate: Select the Official Web CA or a custom Certificate Authority. On
the Site-to-site VPN > Certificate Management > Certificate Authority tab you can
add new Certificate Authorities to the unit.
3. The Information dialog window opens.
• Connection test passed: Connecting to the SMC server was successful.
• Connection test failed: Connecting to the SMC server failed.
Note – If connecting to the SMC server failed, use the Sophos Mobile Control live
log to discover the problem.
4. Optionally, make the following advanced settings:
Enable debug mode: This option controls how much debug output is generated in
the Sophos Mobile Control log. Select this option if you, for example, encounter
connection problems or need detailed information about the negotiation of client
parameters.
5. Click Apply.
Your settings will be saved.
The toggle switch turns green.
Live Log
The Sophos Mobile Control live log logs all activities on the Sophos Mobile Control
interface. Click the Open Live Log button to open the Sophos Mobile Control live log in a
new window.
4.11.2 Compliance Overview
The Management > Sophos Mobile Control > Compliance Overview tab lists all mobile
devices which are connected to the Sophos UTM. The SMC server sets specific policies
which allow mobile devices or users to connect. If mobile devices or users do not comply
with the policies, they will be listed as non-compliant devices/users on a blacklist. A
device may be non-compliant if, for example, it does not run the required platform
or uses specific apps which are not allowed. Compliant devices are listed on a
whitelist.
• Non-compliant devices: MAC addresses of all non-compliant devices which are
on the wireless network blacklist.
• Compliant devices: MAC addresses of all compliant devices which are on the
wireless network whitelist.
• Non-compliant users: Non-compliant user names which are on the VPN blacklist.
4.11.3 Network Access Control
The Management > Sophos Mobile Control > Network Access Control tab allows you to
set the access settings for the VPN connections and wireless networks. Non-compliant
devices will be blocked for the defined VPN or wireless networks.
Block access to specific VPN networks
Define the VPN and wireless networks which will be blocked for users if their mobile
devices are not compliant with your company policies.
• Enforce for L2TP over IPsec: If selected, non-compliant users cannot connect via
L2TP over IPsec to the Sophos Mobile Control.
• Enforce for Cisco™ VPN: If selected, non-compliant users cannot connect via
Cisco™ VPN to the Sophos Mobile Control.
• Also deny access for other VPN protocols: If selected, non-compliant users
cannot connect via other VPN protocols to the Sophos Mobile Control.
Enforce for Wireless Networks: Non-compliant devices connecting over these wireless
network(s) to Sophos Mobile Control will be blocked.
Poll compliance status: Enter an interval in minutes (1-60) at which the current
compliance status will be polled from the SMC server.
4.11.4 Configuration Settings
The Management > Sophos Mobile Control > Configuration Settings tab allows you to
push VPN and wireless network configurations from the WebAdmin to the SMC server.
These configurations define in which way the mobile devices and users connect to the
UTM. Configurations are sent from the SMC to the connected mobile devices, so the VPN
and wireless network configuration does not have to be set manually on the devices.
Configuration Settings for Sophos Mobile Control
Define which VPN and wireless network configuration you want to push to the SMC
server.
• L2TP over IPsec configuration: If selected, the L2TP over IPsec configuration will
be pushed to the SMC server.
• Cisco™ VPN configuration: If selected, the Cisco™ VPN configuration will be
pushed to the SMC server.
Wireless Networks: Select the wireless network(s) you want to push to the SMC
server.
EAP methods: Select the EAP method (Extensible Authentication Protocol) you want to
use for wireless network enterprise authentication.
Push Configuration
To transfer the current configuration to the SMC server, click the Push Configuration
Now button.
Note – Use this function in exceptional cases only, for example when the servers
were offline during transmission. Normally, this button does not need to be used to
push the configuration.
4.12 High Availability
The most common cause of failure of an Internet security system is a hardware failure.
The ability of a system to continue providing services after a failure is called
failover. Sophos UTM provides high availability (HA) failover, allowing you to set up a hot
standby system in case the primary system fails (active-passive). Alternatively, you
can use Sophos UTM to set up a cluster, which operates by distributing dedicated
network traffic to a collection of nodes (active-active), similar to conventional
load-balancing approaches, in order to get optimal resource utilization and decrease
computing time.
Note – If your Sophos UTM runs on Amazon Web Service (AWS), see Management >
HA/Autoscaling.
The concepts high availability and cluster as implemented in Sophos UTM are closely
related, since a high availability system can be considered a two-node cluster, which is
the minimum requirement to provide redundancy.
Each node within the cluster can assume one of the following roles:
• Master: The primary system in a hot standby/cluster setup. Within a cluster, the
master is responsible for synchronizing and distributing data.
• Slave: The standby system in a hot standby/cluster setup which takes over
operations if the master fails.
• Worker: A simple cluster node, responsible for data processing only.
All nodes monitor themselves by means of a so-called heartbeat signal, a periodically
sent multicast UDP packet used to check if the other nodes are still alive. If any node
fails to send this packet due to a technical error, the node will be declared dead.
Depending on the role the failed node had assumed, the configuration of the setup
changes as follows:
• If the master node fails, the slave will take its place and the worker node with
the highest ID will become slave.
• If the slave node fails, the worker node with the highest ID will become slave.
• If a worker node fails, you may notice a performance decrease due to the lost
processing power. However, the failover capability is not impaired.
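To make the failure handling above concrete, here is an added example (not Sophos code) that models the heartbeat timeout and the role reassignment rules, together with the Preferred master failback described under Configuration > Advanced. The heartbeat timing, the omission of the SYNCING phase and the role a returning node receives are assumptions made for the example.

```python
"""Model of the HA role rules in this section (added example, not Sophos code).
Overdue heartbeats mark a node DEAD; roles are then reassigned as the guide says:
  master fails -> the slave takes over, the highest-ID worker becomes slave
  slave fails  -> the highest-ID worker becomes slave
  worker fails -> no role change, only processing capacity is lost"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HEARTBEAT_INTERVAL = 1.0             # seconds; assumed, not a documented value
DEAD_AFTER = 3 * HEARTBEAT_INTERVAL  # silence longer than this means DEAD


@dataclass
class Node:
    node_id: int
    role: Optional[str]      # "MASTER", "SLAVE", "WORKER" or None once dead
    status: str              # "ACTIVE", "READY" or "DEAD" (subset of the Status tab)
    last_heartbeat: float = 0.0


class Cluster:
    def __init__(self, node_ids: List[int], master_id: int, slave_id: int,
                 preferred_master: Optional[int] = None) -> None:
        self.nodes: Dict[int, Node] = {}
        for nid in node_ids:
            if nid == master_id:
                self.nodes[nid] = Node(nid, "MASTER", "ACTIVE")
            elif nid == slave_id:
                self.nodes[nid] = Node(nid, "SLAVE", "READY")
            else:
                self.nodes[nid] = Node(nid, "WORKER", "READY")
        self.preferred_master = preferred_master

    def heartbeat(self, node_id: int, now: float) -> None:
        """Record a heartbeat; a DEAD node that is heard again rejoins."""
        node = self.nodes[node_id]
        node.last_heartbeat = now
        if node.status == "DEAD":
            self._rejoin(node)

    def check(self, now: float) -> None:
        """Declare nodes with an overdue heartbeat DEAD and reassign roles."""
        for node in list(self.nodes.values()):
            if node.status != "DEAD" and now - node.last_heartbeat > DEAD_AFTER:
                self._fail(node)

    def roles(self) -> Dict[int, Tuple[Optional[str], str]]:
        return {nid: (n.role, n.status) for nid, n in sorted(self.nodes.items())}

    def _alive_with_role(self, role: str) -> List[Node]:
        return [n for n in self.nodes.values() if n.status != "DEAD" and n.role == role]

    def _promote_highest_worker(self) -> None:
        workers = self._alive_with_role("WORKER")
        if workers:
            max(workers, key=lambda n: n.node_id).role = "SLAVE"

    def _fail(self, node: Node) -> None:
        failed_role = node.role
        node.role, node.status = None, "DEAD"
        if failed_role == "MASTER":
            for slave in self._alive_with_role("SLAVE"):
                slave.role, slave.status = "MASTER", "ACTIVE"
            self._promote_highest_worker()
        elif failed_role == "SLAVE":
            self._promote_highest_worker()
        # A failed WORKER only costs processing power; failover stays intact.

    def _rejoin(self, node: Node) -> None:
        # Assumption: a returning node fills a vacant SLAVE role, else it is a
        # WORKER.  (A real node shows SYNCING for at least 5 minutes first.)
        node.status = "READY"
        node.role = "WORKER" if self._alive_with_role("SLAVE") else "SLAVE"
        if node.node_id == self.preferred_master:
            self._failback(node)

    def _failback(self, node: Node) -> None:
        # Preferred master switches back to MASTER instead of staying SLAVE.
        # Assumption: the acting master steps down to SLAVE, a previous SLAVE
        # becomes WORKER.
        for old_slave in self._alive_with_role("SLAVE"):
            old_slave.role = "WORKER"
        for old_master in self._alive_with_role("MASTER"):
            old_master.role, old_master.status = "SLAVE", "READY"
        node.role, node.status = "MASTER", "ACTIVE"


def demo() -> Tuple[dict, dict]:
    """Four-node cluster: preferred master 1 falls silent, then returns."""
    c = Cluster([1, 2, 3, 4], master_id=1, slave_id=2, preferred_master=1)
    for nid in c.nodes:
        c.heartbeat(nid, 0.0)
    for t in (1.0, 2.0, 3.0, 4.0):      # node 1 sends no more heartbeats
        for nid in (2, 3, 4):
            c.heartbeat(nid, t)
        c.check(t)
    after_failover = c.roles()          # 2 is MASTER, 4 (highest worker) SLAVE
    c.heartbeat(1, 5.0)                 # node 1 is heard again -> failback
    return after_failover, c.roles()
```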
Note – HA settings are part of the hardware configurations and cannot be saved in a
backup. This also means that HA settings will not be overwritten by a backup restore.
Reporting
All reporting data is consolidated on the master node and is synchronized to the other
cluster nodes at intervals of five minutes. In case of a takeover, you will therefore lose
no more than five minutes of reporting data. However, there is a distinction in the data
collection process. The graphs displayed in the Logging & Reporting > Hardware tabs
only represent the data of the node currently being master. On the other hand,
accounting information such as shown on the Logging & Reporting > Network Usage page
represents data that was collected by all nodes involved. For example, today's CPU usage
histogram shows the current processor utilization of the master node. In the case of a
takeover, this would then be the data of the slave node. However, information about top
accounting services, for example, is a collection of data from all nodes that were
involved in the distributed processing of traffic that has passed the unit.
Notes
• The Address Resolution Protocol (ARP) is only used by the actual master. That is
to say, slave and worker nodes do not send or reply to ARP requests.
• In case of a failover event, the unit that takes over operations performs an ARP
announcement (also known as gratuitous ARP), which is usually an ARP request
intended to update the ARP caches of other hosts which receive the request.
Gratuitous ARP is utilized to announce that the IP of the master was moved to the
slave.
• All interfaces configured on the master must have a physical link, that is, the port
must be properly connected to any network device.
4.12.1 Hardware and Software Requirements
The following hardware and software requirements must be met to provide HA failover
or cluster functionality:
• Valid license with the high availability option enabled (for the stand-by unit you
only need an additional base license).
• Two UTM units with identical software versions and hardware or two UTM
appliances of the same model.
• Heartbeat-capable Ethernet network cards. Check the HCL to figure out which
network cards are supported. The HCL is available at the Sophos Knowledgebase
(use "HCL" as search term).
• Ethernet crossover cable (for connecting master and slave in a hot standby
system). UTM appliance models 320, 425, and 525, whose dedicated HA interface is a
Gigabit auto-MDX device, can be connected through a standard IEEE 802.3
Ethernet cable as the Ethernet port will automatically exchange send/receive pairs.
• Network switch (for connecting cluster nodes).
4.12.2 Status
The Management > High Availability > Status tab lists all devices involved in a hot
standby system or cluster and provides the following information:
• ID: The device's node ID. In a hot standby system, the node ID is either 1 or 2.
The node ID in a cluster can range from 1-10, as a cluster can have up to a
maximum of 10 nodes.
• Role: Each node within the cluster can assume one of the following roles:
   ◦ MASTER: The primary system in a hot standby/cluster setup. It is
   responsible for synchronizing and distributing data within a cluster.
   ◦ SLAVE: The standby system in a hot standby/cluster setup which takes
   over operations if the master fails.
   ◦ WORKER: A simple cluster node, responsible for data processing only.
• Device name: The name of the device.
• Status: The state of the device concerning its HA status; can be one of the
following:
   ◦ ACTIVE: The node is fully operational. In case of a hot standby (active-passive)
   setup, this is the status of the active node.
   ◦ READY: The node is fully operational. In case of a hot standby (active-passive)
   setup, this is the status of the passive node.
   ◦ RESERVED: The node has no matching version and is not involved in the
   process.
   ◦ UNLINKED: One or more interface links are down.
   ◦ UP2DATE: An Up2Date is in progress.
   ◦ UP2DATE-FAILED: An Up2Date has failed.
   ◦ DEAD: The node is not reachable.
   ◦ SYNCING: Data synchronization is in progress. This status is displayed
   when a node connects to a master. The initial synchronizing time is at least
   5 minutes. It can, however, be lengthened by all synchronizing-related
   programs. While a SLAVE is synchronizing and in state SYNCING, there is no
   graceful takeover, e.g. due to link failure on the master node.
• Version: Version number of Sophos UTM Software installed on the system.
• Last status change: The time when the last status change occurred.
Reboot/Shutdown: With these buttons, a device can be manually rebooted or shut
down.
Remove Node: Use this button to remove a dead cluster node via WebAdmin. All
node-specific data like mail quarantine and spool is then taken over by the master.
Click the button Open HA Live Log in the upper right corner to open the high availability
live log in a separate window.
4.12.3 System Status
The Management > High Availability > System Status tab lists all devices involved in a
hot standby system or cluster and provides information about the resource usage of
each device:
• The CPU utilization in percent
• The RAM utilization in percent. Please note that the total memory displayed is the
part that is usable by the operating system. With 32-bit systems, in some cases
that does not represent the actual size of the physical memory installed, as part
of it is reserved for hardware.
• The swap utilization in percent
• The amount of hard disk space consumed by the log partition in percent
• The amount of hard disk space consumed by the root partition in percent
• The status of the UPS (uninterruptible power supply) module (if available)
4.12.4 Configuration
The high availability functionality of Sophos UTM covers four basic settings:
• Off
• Automatic configuration
• Hot Standby (Active-Passive)
• Cluster (Active-Active)
Automatic configuration: Sophos UTM features a plug-and-play configuration option for
UTM appliances that allows the setup of a hot standby system/cluster without
requiring reconfiguration or manual installation of devices to be added to the cluster.
Simply connect the dedicated HA interfaces (eth3) of your UTM appliances with one
another, select Automatic configuration for all devices, and you are done.
Note – Automatic configuration is only enabled by default on appliances with a fixed
eth3 port. On appliances which only offer modular (removable) FlexiPort modules this
feature is disabled by default but can be enabled on any preferred port (Sync NIC) as
described further below.
Note – For Automatic configuration to work, all UTM appliances must be of the same
model. For example, you can only use two UTM 320 appliances to set up a HA system;
one UTM 220 unit on the one hand and one UTM 320 unit on the other hand cannot be
combined.
If you connect two UTM appliances through this dedicated interface, all devices will
recognize each other and configure themselves automatically as an HA system—the
device with the longer uptime becoming master. If the unlikely case should occur that
the uptime is identical, the decision which device is becoming master will be made
based on the MAC address.
Using UTM Software, the Automatic Configuration option is to be used on dedicated
slave systems to automatically join a master or already configured hot standby
system/cluster. For that reason, Automatic Configuration can be considered a transition
mode rather than a high availability operation mode in its own right, since the high
availability operation mode will change to Hot Standby or Cluster as soon as a device
with Automatic Configuration selected joins a hot standby system or cluster,
respectively. The prerequisite, however, for this feature to work is that the option
Enable Automatic Configuration of New Devices is enabled on the master system. This
function makes sure that those devices whose high availability operation mode is set to
Automatic Configuration will automatically be added to the hot standby system/cluster.
Hot Standby (active-passive): Sophos UTM features a hot standby high availability
concept consisting of two nodes, which is the minimum required to provide
redundancy. One of the major improvements introduced in Sophos UTM Software 9 is that
the latency for a takeover could be reduced to less than two seconds. In addition to
firewall connection synchronization, the gateway also provides IPsec tunnel
synchronization. This means that road warriors as well as remote VPN gateways do not
need to re-establish IPsec tunnels after the takeover. Objects residing in the quarantine
are also synchronized and are still available after a takeover.
Cluster (active-active): (Not available with BasicGuard subscription.) To cope with the
rising demand of processing large volumes of Internet traffic in real time, Sophos UTM
features a clustering functionality that can be employed to distribute
processing-intensive tasks such as content filtering, virus scanning, intrusion
prevention, or decryption equally among multiple cluster nodes. Without the need of a
dedicated hardware-based load balancer, the overall performance of the gateway can be
increased considerably.
Note – When configuring a cluster, make sure you have configured the master node
first before connecting the remaining units to the switch.
Setting up the master, slaves, or workers is pretty similar. Proceed as follows:
1. Select a high availability operation mode.
By default, high availability is turned off. The following modes are available:
• Automatic Configuration
• Hot Standby (active-passive)
• Cluster (active-active)
Note – If you want to change the high availability operation mode, you must
always set the mode back to Off before you can change it to either Automatic
Configuration, Hot Standby, or Cluster.
Note – If the license/subscription has expired or is non-existent, the operation
mode can only be changed between Off and the current operation mode.
Depending on your selection, one or more options will be displayed.
2. Make the following settings:
Sync NIC: Select the network interface card through which master and slave
systems will communicate. If link aggregation is active you can select a link
aggregation interface here, too.
Note – It is recommended to separate the HA synchronization from the other
network traffic, for example by using a VLAN.
Note – Only those interfaces are displayed that have not been configured yet. It
is possible to change the synchronization interface in a running configuration.
Note that afterwards all nodes are going to reboot.
The following options can only be configured if you either select Hot Standby or
Cluster as operation mode:
Device name: Enter a descriptive name for this device.
Device node ID: Select the node ID of the device. In case of a failure of the
primary system, the node with the highest ID will become master.
Encryption key: The passphrase with which the communication between master
and slave is encrypted (enter the passphrase twice for verification). Maximum
key length is 16 characters.
3. Click Apply.
The high-availability failover is now active on the device.
The gateway in hot standby mode will be updated at regular intervals over the data
transfer connection. Should the active primary system encounter an error, the
secondary will immediately and automatically change to normal mode and take over the
primary system's functions.
Note – When you deactivate a hot standby system/cluster, the slave and worker
nodes will perform a factory reset and shut down.
More information (especially use cases) can be found in the HA/Cluster Guide, which is
available at the Sophos Knowledgebase.
Advanced
This section allows you to make some advanced settings.
Enable automatic configuration of new devices: If you have configured a hot standby
system/cluster manually, this option will make sure that those devices whose
high-availability operation mode is set to Automatic configuration will automatically be
added to the hot standby system/cluster. This option has no effect on slave systems, so
you can leave it enabled, which is the default setting.
Keep node(s) reserved during Up2Date: If selected, during an update to a new system
version, half of the HA/Cluster nodes will keep the current system version. When the
new version is stable, you can update the remaining nodes on the Management > High
Availability > Status page. In case the new version leads to a failure of all updated
nodes, the remaining nodes will build a new HA/Cluster with the old version. You can
then install the old version on the failed nodes or wait for the next update.
If Keep Node(s) Reserved During Up2Date is enabled, reserved nodes will not be
synchronized anymore after an update, because synchronization is restricted to nodes
having the same system version. Instead, the state of the reserved nodes will be
preserved. So, if for whatever reason you decide to reactivate the reserved nodes,
configuration changes or reporting data coming up in the time span between update
start and reactivation will be lost.
Preferred master: Here you can define a designated master node by selecting a node
from the drop-down list. In case of a failover, the selected node will not stay in Slave
mode after the link recovers but instead will switch back to Master mode.
Backup interface: To prevent both master and slave from becoming master at the same
time (master-master situations), for example because of a failure of the HA
synchronization interface or an unplugged network cable, a backup heartbeat interface
can be selected. This additional heartbeat interface can be any of the configured and
active Ethernet interfaces (not Ethernet Bridge or Ethernet VLAN). If a backup interface
is selected, an additional heartbeat signal is sent via this interface in one direction from
the master to the slave to make sure that the master-slave configuration stays intact.
If the master-slave connection is disabled and the backup interface becomes involved,
the administrator will receive a notification informing that one of the cluster nodes is
dead. This option has no effect on slave systems, so you can leave it unconfigured.
Note – In case of a failure of the HA synchronization interface, no configuration is
synchronized anymore. The backup interface only prevents master-master situations.
4.13 Shutdown and Restart
On this tab you can manually shut down or restart Sophos UTM.
Shutdown: This action allows you to shut down the system and to stop all services in a
proper manner. For systems without a monitor or LCD display, the end of the shutdown
process is signaled by an endless series of beeps at intervals of one second.
To shut down Sophos UTM, proceed as follows:
1. Click Shutdown (Halt) the System Now.
2. Confirm the warning message.
When asked "Really shut down the system?", click OK.
The system is going down for halt.
Depending on your hardware and configuration, this process may take several minutes
to complete. Turn off the power only after the system has completely shut down. If you
turn off the power without the system being shut down properly, the system will check
the consistency of its file system during the next boot, meaning that the boot-up process
will take much longer than usual. In the worst case, data may have been lost.
The system will beep five times in a row to indicate a successful system start.
Restart: This action will shut down the system completely and reboot. Depending on
your hardware and configuration, a complete restart can take several minutes.
To restart Sophos UTM, proceed as follows:
1. Click Restart (Reboot) the System Now.
2. Confirm the warning message.
When asked "Really restart the system?", click OK.
The system is going down for halt and reboot.
5 Definitions & Users
This chapter describes how to configure network, service, and time period definitions
used throughout Sophos UTM. The Definitions Overview page in WebAdmin shows the
number of network definitions according to type as well as the numbers of service
definitions according to protocol type.
The pages of the Definitions & Users menu allow you to define networks and services
that can be used in all other configuration menus in one central place. This allows you
to work with the names you define rather than struggling with IP addresses, ports, and
network masks. Another benefit of definitions is that you can group individual networks
and services together and configure them all at once. If, for example, you assign certain
settings to these groups at a later time, these settings will apply to all networks and
services within this group.
Additionally, this chapter describes how to configure user accounts, user groups, and
external authentication servers of Sophos UTM as well as authentication for client PCs.
The following topics are included in this chapter:
• Network Definitions
• Service Definitions
• Time Period Definitions
• Users & Groups
• Client Authentication
• Authentication Services
5.1 Network Definitions
The Definitions & Users > Network Definitions menu lets you create hosts, networks, and
network groups as well as MAC address definitions. The definitions created here can be
used in many other WebAdmin configurations.
5.1.1 Network Definitions
The Definitions & Users > Network Definitions > Network Definitions tab is the central
place for defining hosts, networks, and network groups on UTM. The definitions created
here can be used on many other WebAdmin configuration menus.
When you open the tab, all network definitions are displayed by default. Using the
drop-down list on top of the list, you can choose to display only network definitions
with certain properties.
Tip – When you click on the Info icon of a network definition in the Network Definitions
list, you can see all configuration options in which the network definition is used.
The network table also contains static networks, which were automatically created by
the system and which can neither be edited nor deleted:
• Internal (Address): A definition of this type will be added for each network
interface. It contains the current IP address of the interface. Its name consists of the
interface name with "(Address)" appended to it.
• Internal (Broadcast): A definition of this type will be added for each Ethernet-type
network interface. It contains the current IPv4 broadcast address of the
interface. Its name consists of the interface name with "(Broadcast)" appended to it.
• Internal (Network): A definition of this type will be added for each Ethernet-type
network interface. It contains the current IPv4 network of the interface. Its name
consists of the interface name with "(Network)" appended to it.
• Any (IPv4/IPv6): A network definition (for IPv4 and IPv6 each, if IPv6 is enabled)
bound to the interface which serves as default gateway. Making use of it in your
configuration should make the configuration process easier. With uplink
balancing enabled, the definition Internet is bound to Uplink Interfaces.
Note – IPv6 entries are only visible if it is activated in Interfaces & Routing >
IPv6.
Note – User network objects authenticated via client authentication will always be
shown as unresolved due to performance reasons.
To create a network definition, proceed as follows:
1. On the Network Definitions tab, click New Network Definition.
The Add Network Definition dialog box opens.
2. Make the following settings:
(Note that further parameters of the network definition will be displayed
depending on the selected definition type.)
Name: Enter a descriptive name for this definition.
Type: Select the network definition type. The following types are available:
• Host: A single IP address. Provide the following information:
   ◦ IPv4 address/IPv6 address: The IP address of the host (note that you
   cannot enter the IP address of a configured interface).
   ◦ DHCP Settings (optional): In this section you can create static
   mappings between hosts and IP addresses. For that purpose, you need a
   configured DHCP server (see Network Services > DHCP > Servers).
   Note – To avoid an IP address clash between regularly assigned
   addresses from the DHCP pool and those statically mapped, make
   sure that the latter are not in the scope of the DHCP pool. For
   example, a static mapping of 192.168.0.200 could result in two
   systems receiving the same IP address if the DHCP pool is
   192.168.0.100 – 192.168.0.210.
   IPv4 DHCP: Select the IPv4 DHCP server to be used for static
   mapping.
   MAC addresses: Enter the MAC addresses of the hosts' network
   interface cards. The MAC addresses are usually specified in a format
   consisting of six groups of two hexadecimal digits, separated by colons
   or hyphens (e.g., 00:04:76:16:EA:62).
   Note – The MAC address range 00:1a:8c:f0:xx:xx is used by
   HA/Cluster. You cannot use this range for other purposes as
   MAC addresses within this range will be overwritten by the system.
   IPv6 DHCP: Select the IPv6 DHCP server to be used for static
   mapping.
   DHCP unique IDs: Enter the DUIDs of the hosts. With e.g. Windows
   operating systems, the DUID can be found in the Windows Registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters
   Please note that you have to enter the groups of two hexadecimal
   digits separated by colons (e.g.,
   00:01:00:01:13:30:65:56:00:50:56:b2:07:51).
   ◦ DNS Settings (optional): If you do not want to set up your own DNS
   server but need static DNS mappings for a few hosts of your
   network, you can enter these mappings in this section of the respective
   hosts. Note that this only scales for a limited number of hosts and is
   by no means intended as a replacement of a fully operable DNS
   server.
   Hostname: Enter the fully qualified domain name (FQDN) of the host.
   Reverse DNS: Select the checkbox to enable the mapping of the
   host's IP address to its name. Note that although several names can
   map to the same IP address, one IP address can only ever map to
   one name.
   Additional Hostnames: Click the Plus icon to add additional
   hostnames for the host.
• DNS host: A DNS hostname, dynamically resolved by the system to
produce an IP address. DNS hosts are useful when working with dynamic IP
endpoints. The system will re-resolve these definitions periodically
according to the TTL (Time To Live) values and update the definition with the new
IP address (if any). Provide the following information:
   ◦ Hostname: The hostname you want to resolve.
• DNS group: Similar to DNS host, but can cope with multiple RRs (Resource
Records) in DNS for a single hostname. It is useful for defining firewall
rules and exceptions in transparent proxies.
• Network: A standard IP network, consisting of a network address and a
netmask. Provide the following information:
   ◦ IPv4 address/IPv6 address: The network address of the network
   (note that you cannot enter the IP address of a configured interface).
   ◦ Netmask: The bit mask used to tell how many bits in an octet(s)
   identify the subnetwork, and how many bits provide room for host
   addresses.
• Range: Select to define a whole IPv4 address range. Provide the following
information:
   ◦ IPv4 from: First IPv4 address of the range.
   ◦ IPv4 to: Last IPv4 address of the range.
   ◦ IPv6 from: First IPv6 address of the range.
   ◦ IPv6 to: Last IPv6 address of the range.
Network range objects cannot be used with every network configuration
throughout WebAdmin. For more information on network range objects, see
section Where Network Range Objects Can Be Used.
l
Multicast group: A network that comprises a defined multicast network
range.
l
l
l
l
IPv4 address: The network address of the multicast network, which
must be in the range 224.0.0.0 to 239.255.255.255.
Netmask: The bit mask used to tell how many bits in an octet(s)
identify the subnetwork, and how many bits provide room for host
addresses.
Network group: A container that includes a list of other network definitions.
You can use them to bundle networks and hosts for better readability of
your configuration. Once you have selected Network group, the Members
box appears where you can add the group members.
Availability group: A group of hosts and/or DNS hosts sorted by priority.
Alive status of all hosts is checked with ICMP pings at an interval of 60
seconds, by default. The host with the highest priority and an alive status is
used in configuration. Once you have selected Availability group, the Mem
bers box appears where you can add the group members.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
The options displayed depend on the selected Type above.
Interface (optional): You can bind the network definition to a certain interface, so
that connections to the definition will only be established via this interface.
Caution – Be careful with binding network definitions to particular interfaces, as
this might lead to conflicts with other configurations. Data packets sent
through these particular interfaces could get lost and this would be hard to
detect.
Monitoring type (only with type Availability group): Select the service protocol for the alive status checks: TCP (TCP connection establishment), UDP (UDP connection establishment), Ping (ICMP Ping), HTTP host (HTTP requests), or HTTPS host (HTTPS requests). When using UDP, a ping request is sent first; if it succeeds, a UDP packet with an empty payload follows. If the ping fails, or the UDP packet is answered with an ICMP port unreachable message, the host is regarded as down.
Port (only with monitoring type TCP or UDP): Number of the port the
request will be sent to.
URL (optional, only with monitoring types HTTP host or HTTPS host): URL to
be requested. You can use other ports than the default ports 80 or 443 by
adding the port information to the URL, e.g.,
http://example.domain:8080/index.html. If no URL is entered, the root
directory will be requested.
Interval: Enter a time interval in seconds at which the hosts are checked.
Timeout: Enter a maximum time span in seconds for the hosts to send a
response. If a host does not respond during this time, it will be regarded as
dead.
Always resolved: This option is selected by default, so that if all hosts are
unavailable, the group will resolve to the host which was last available.
Otherwise the group will be set to unresolved if all hosts are dead.
4. Click Save.
The new definition appears on the network definition list.
To either edit or delete a network definition, click the corresponding buttons.
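The selection rule an availability group follows (highest-priority alive member wins, periodic re-checks, fallback to the last known good host when Always resolved is set) is easy to get wrong when reasoning about failover. The following added example, which is not Sophos code, models that rule in Python. The probe is injected as a callable so the logic runs offline on constructed results; a real TCP probe is included for reference only. The lower-number-is-higher-priority convention, the 5-second timeout default and all function and class names are assumptions.

```python
"""Availability group resolution modelled on the rules in the section above.

Added illustration, not Sophos code. Probe results are injected so the
selection logic runs offline; tcp_probe() shows what a monitoring type TCP
check does but is not used by simulate().
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(order=True)
class Member:
    priority: int                      # 0 = highest priority (assumption)
    name: str = field(compare=False)
    ip: str = field(compare=False)


@dataclass
class AvailabilityGroup:
    members: List[Member]
    interval: int = 60                 # seconds between checks (document default)
    timeout: float = 5.0               # seconds a host has to answer (assumed default)
    always_resolved: bool = True
    last_available: Optional[str] = None   # IP that answered in an earlier round

    def resolve(self, is_alive: Callable[[Member], bool]) -> Optional[str]:
        """Return the IP the group currently resolves to.

        The highest-priority alive member wins. If nobody answers, the group
        either keeps the last known good IP (Always resolved) or becomes
        unresolved (None). With Always resolved set but no host ever seen
        alive, the group is unresolved as well.
        """
        for m in sorted(self.members):          # priority order
            if is_alive(m):
                self.last_available = m.ip
                return m.ip
        return self.last_available if self.always_resolved else None


def tcp_probe(ip: str, port: int, timeout: float) -> bool:
    """Monitoring type TCP: a completed handshake within the timeout counts as
    alive; a refused connection or a timeout counts as dead."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def simulate() -> List[Optional[str]]:
    """Walk a three-member group through three check rounds with constructed
    probe results: all up, primary down, everything down."""
    group = AvailabilityGroup(members=[
        Member(0, "primary", "192.0.2.10"),
        Member(1, "secondary", "192.0.2.11"),
        Member(2, "tertiary", "192.0.2.12"),
    ])
    rounds = [
        {"192.0.2.10": True, "192.0.2.11": True, "192.0.2.12": True},
        {"192.0.2.10": False, "192.0.2.11": True, "192.0.2.12": True},
        {"192.0.2.10": False, "192.0.2.11": False, "192.0.2.12": False},
    ]
    return [group.resolve(lambda m, r=r: r[m.ip]) for r in rounds]


if __name__ == "__main__":
    print(simulate())   # ['192.0.2.10', '192.0.2.11', '192.0.2.11']
```

The third round is the case to think about: with Always resolved left at its default, traffic keeps flowing to the secondary even though every probe has failed, which is intended for rules that must never lose their target, but it also means a firewall rule built on the group silently stays open to a host that is no longer verified. Clear the option if "unresolved" is the safer outcome for a particular rule.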
Where Network Range Objects Can Be Used
Network range objects can be used in the following configurations:
- Management > System Settings > Shell Access, section Allowed Networks
- Management > WebAdmin Settings > General, section WebAdmin Access Configuration, Allowed Networks box
- Management > SNMP > Query, section SNMP Access Control, Allowed Networks box
- Interfaces & Routing > Quality of Service (QoS) > Traffic Selectors, section Add Traffic Selector, Source and Destination field
- Network Services > DNS > Global, section Allowed Networks
- Network Services > NTP, section NTP Options, Allowed Networks box
- Network Protection > Firewall > Rules, section Add Rule, Source and Destination box
- Network Protection > Firewall > Country Blocking Exceptions, section Add Exception List, Host/Networks box
- Network Protection > NAT > Masquerading, section Add Masquerading Rule, Network field
- Network Protection > NAT > NAT, section Add NAT Rule, For Traffic from and Going to field
- Network Protection > Advanced > SOCKS Proxy, section SOCKS Proxy Options, Allowed Networks box
- Web Protection > Filtering Options > Misc, section Transparent Mode Skiplist, Skip Transparent Mode Source Hosts/Nets and Skip Transparent Mode Destination Hosts/Nets box
- Web Protection > FTP > Global, section FTP Settings, Allowed Networks box
- Email Protection > SMTP > Relaying, section Host-Based Relay, Allowed Hosts/Networks box
- Email Protection > SMTP > Advanced, section Transparent Mode, Skip Transparent Mode Hosts/Nets box
- Wireless Protection > Hotspots > Advanced, section Walled Garden, Allowed Hosts/Networks box
5.1.2 MAC Address Definitions
The Definitions & Users > Network Definitions > MAC Address Definitions tab is the cent
ral place for defining MAC address definitions, i.e., lists of MAC addresses. A MAC
address definition can be used like a network definition. Additionally it can be used to
further restrict a rule based on hosts/IP addresses to only match devices which have
one of the defined MAC addresses.
Tip – When you click on the Info icon of a MAC address definition, you can see all con
figuration options in which the definition is used.
To create a MAC address definition, proceed as follows:
1. On the MAC Address Definitions tab, click New MAC Address List.
The Add MAC Address List dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this definition.
MAC Addresses: Click the Plus icon to enter MAC addresses one at a time, or use the Action icon to import a list of MAC addresses via copy and paste. MAC addresses are specified as six groups of two hexadecimal digits, separated by colons or hyphens (e.g., 00:04:76:16:EA:62).
Note – The MAC address range 00:1a:8c:f0:xx:xx is used by HA/Cluster. You cannot use this range for any other purpose, as MAC addresses within this range will be overwritten by the system.
Hosts: Add or select the hosts whose MAC addresses you want to add to the MAC address definition. The MAC addresses defined in the DHCP Settings section of the host definition will be added to the MAC address list. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Note – The number of addresses per address definition is limited for the following uses: to restrict access to a wireless network, it is not recommended to have more than 5000 addresses. To restrict access to a RED appliance, the maximum is 200 for RED 10 and 400 for RED 50.
Note – You can either enter MAC addresses or hosts or both.
Comment (optional): Add a description or other information.
3. Click Save.
The new definition appears on the MAC Address Definition list.
To either edit or delete a MAC address definition, click the corresponding buttons.
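Lists pasted into a MAC address definition typically come from inventory exports that mix separators, letter case and the occasional truncated entry. The following added example, which is not Sophos code, validates such an import against the rules stated above: six groups of two hex digits with one consistent separator, normalization so that duplicates in different notations are caught, rejection of the HA/Cluster range 00:1a:8c:f0:xx:xx, and the per-use address limits. The function names, the "use" labels and the sample import are assumptions constructed for this illustration.

```python
"""Validating a copy-and-paste MAC address import (added illustration, not
Sophos code). Rules are the ones documented above; names are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Six groups of two hex digits; the separator must be the same throughout.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")

HA_RESERVED_PREFIX = "00:1a:8c:f0:"     # HA/Cluster range from the Note, normalized

# Documented maxima per use (the wireless figure is a recommendation).
LIMITS = {"wireless": 5000, "red10": 200, "red50": 400}

# Constructed sample: colon form, hyphen duplicate, reserved, truncated, valid.
SAMPLE_IMPORT = """
00:04:76:16:EA:62
00-04-76-16-ea-62
00:1a:8c:f0:12:34
00:04:76:16:EA:6
08:00:27:aa:bb:cc
"""


def normalize_mac(text: str) -> str:
    """Return the address as lower-case, colon separated, or raise ValueError."""
    text = text.strip()
    if not MAC_RE.match(text):
        raise ValueError(f"malformed MAC address: {text!r}")
    return ":".join(re.findall(r"[0-9A-Fa-f]{2}", text)).lower()


def is_ha_reserved(mac: str) -> bool:
    """True for addresses the system reserves for HA/Cluster."""
    return mac.startswith(HA_RESERVED_PREFIX)


def parse_mac_list(blob: str, use: Optional[str] = None) -> Tuple[List[str], Dict[str, str]]:
    """Parse a whitespace, comma or semicolon separated import.

    Returns (accepted, rejected); rejected maps each offending token to the
    reason. Raises ValueError if the accepted count exceeds the limit for the
    given use ("wireless", "red10" or "red50").
    """
    accepted: List[str] = []
    rejected: Dict[str, str] = {}
    seen = set()
    for token in re.split(r"[\s,;]+", blob.strip()):
        if not token:
            continue
        try:
            mac = normalize_mac(token)
        except ValueError:
            rejected[token] = "malformed"
            continue
        if is_ha_reserved(mac):
            rejected[token] = "reserved for HA/Cluster"
            continue
        if mac in seen:
            rejected[token] = "duplicate"
            continue
        seen.add(mac)
        accepted.append(mac)
    if use is not None and len(accepted) > LIMITS[use]:
        raise ValueError(f"{len(accepted)} addresses exceed the {use} limit of {LIMITS[use]}")
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = parse_mac_list(SAMPLE_IMPORT, use="red10")
    print(ok)    # ['00:04:76:16:ea:62', '08:00:27:aa:bb:cc']
    print(bad)
```

Run the script as is to see the sample import sorted into accepted and rejected entries; the duplicate written with hyphens is caught only because both notations are normalized before comparison.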
5.2 Service Definitions
On the Definitions & Users > Service Definitions page you can centrally define and man
age services and service groups. Services are definitions of certain types of network
traffic and combine information about a protocol such as TCP or UDP as well as pro
tocol-related options such as port numbers. You can use services to determine the
types of traffic accepted or denied by UTM.
Tip – When you click on the Info icon of a service definition in the Service Definitions
list, you can see all configuration options in which the service definition is used.
To create a service definition, proceed as follows:
1. On the Service Definitions page, click New Service Definition.
The Add Service Definition dialog box opens.
2. Make the following settings:
(Note that further parameters of the service definition will be displayed depend
ing on the selected definition type.)
Name: Enter a descriptive name for this definition.
Type of definition: Select the definition type. The following types are available:
- TCP: Transmission Control Protocol (TCP) connections use port numbers ranging from 0 to 65535. TCP detects lost packets and retransmits them: the receiver acknowledges to the sender each data packet it has successfully received (connection-oriented protocol). TCP sessions begin with a three-way handshake and connections are closed at the end of the session. Provide the following information:
    - Destination port: Enter the destination port either as a single port number (e.g., 80) or as a range (e.g., 1024:64000), using a colon as delimiter.
    - Source port: Enter the source port either as a single port number (e.g., 80) or as a range (e.g., 1024:64000), using a colon as delimiter.
- UDP: The User Datagram Protocol (UDP) uses port numbers between 0 and 65535 and is a stateless protocol. Because it keeps no connection state and performs no handshake, UDP has less overhead than TCP, especially when sending small amounts of data. This statelessness, however, also means that UDP cannot recognize when packets are lost or dropped: the receiving computer does not acknowledge data packets to the sender. When you have selected UDP, the same configuration options can be edited as for TCP.
- TCP/UDP: A combination of TCP and UDP appropriate for application protocols that use both transport protocols, such as DNS. When you have selected TCP/UDP, the same configuration options can be edited as for TCP or UDP.
- ICMP/ICMPv6: The Internet Control Message Protocol (ICMP) is chiefly used to send error messages, indicating, for example, that a requested service is not available or that a host or router could not be reached. Once you have opted for ICMP or ICMPv6, select the ICMP type/code. Note that IPv4 firewall rules do not work with ICMPv6 and IPv6 firewall rules do not work with ICMP.
- IP: The Internet Protocol (IP) is the network-layer protocol used for exchanging data over the Internet. Once you have selected IP, provide the number of the protocol to be encapsulated within IP, for example 121 (representing the SMP protocol).
- ESP: The Encapsulating Security Payload (ESP) is a part of the IPsec protocol suite that provides encryption for data tunneled via VPN. Once you have selected ESP or AH, provide the Security Parameters Index (SPI), which identifies the security association together with the destination IP address and the protocol (ESP or AH). The SPI is a 32-bit value: either enter a single value between 256 and 4,294,967,295 or keep the default setting, the range from 256 to 4,294,967,295 (using a colon as delimiter), which is the usual choice when IPsec keys are exchanged automatically and the SPI is therefore not known in advance. Note that the numbers 1-255 are reserved by the Internet Assigned Numbers Authority (IANA).
- AH: The Authentication Header (AH) is a part of the IPsec protocol suite and sits between the IP header and the datagram payload to provide integrity and origin authentication of the packet, but not confidentiality.
- Group: A container that includes a list of other service definitions. You can use groups to bundle service definitions for better readability of your configuration. Once you have selected Group, the Members box opens where you can add group members (i.e., other service definitions).
Comment (optional): Add a description or other information.
Comment (optional): Add a description or other information.
3. Click Save.
The new definition appears on the Service Definitions list.
To either edit or delete a definition, click the corresponding buttons.
Note – The type of definition cannot be changed afterwards. If you want to change the
type of definition, you must delete the service definition and create a new one with
the desired settings.
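To show how the definition types above combine when a rule is evaluated, here is an added example in Python that matches constructed flows against TCP, UDP, TCP/UDP, ICMP, IP and Group definitions, including the colon-delimited port range syntax. It is not Sophos code and does not describe how UTM evaluates rules internally; the data model, the function names and the assumed default source port of 1:65535 are all assumptions made for this illustration. ICMPv6 is omitted.

```python
"""Service definition matching (added illustration, not Sophos code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1      # IP protocol numbers


def parse_ports(spec: str) -> Tuple[int, int]:
    """'80' -> (80, 80); '1024:64000' -> (1024, 64000). Colon is the delimiter."""
    lo, _, hi = spec.partition(":")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (0 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port specification: {spec!r}")
    return lo_i, hi_i


@dataclass
class Service:
    kind: str                               # tcp, udp, tcp/udp, icmp, ip, group
    dst: str = "1:65535"                    # destination port spec (tcp/udp kinds)
    src: str = "1:65535"                    # source port spec; assumed default
    icmp_type: Optional[int] = None         # kind icmp
    icmp_code: Optional[int] = None         # kind icmp; None = any code
    protocol: Optional[int] = None          # kind ip: encapsulated protocol number
    members: List["Service"] = field(default_factory=list)   # kind group


@dataclass
class Flow:
    protocol: int                           # IP protocol number of the packet
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def _ports_match(svc: Service, flow: Flow) -> bool:
    slo, shi = parse_ports(svc.src)
    dlo, dhi = parse_ports(svc.dst)
    return slo <= flow.sport <= shi and dlo <= flow.dport <= dhi


def matches(svc: Service, flow: Flow) -> bool:
    """True if the flow falls under the service definition (groups recurse)."""
    if svc.kind == "group":
        return any(matches(m, flow) for m in svc.members)
    if svc.kind == "tcp":
        return flow.protocol == TCP and _ports_match(svc, flow)
    if svc.kind == "udp":
        return flow.protocol == UDP and _ports_match(svc, flow)
    if svc.kind == "tcp/udp":
        return flow.protocol in (TCP, UDP) and _ports_match(svc, flow)
    if svc.kind == "icmp":
        return (flow.protocol == ICMP and flow.icmp_type == svc.icmp_type
                and (svc.icmp_code is None or flow.icmp_code == svc.icmp_code))
    if svc.kind == "ip":
        # Matches on the protocol number alone, so an 'ip' definition for 6
        # would also cover every TCP flow regardless of port.
        return flow.protocol == svc.protocol
    raise ValueError(f"unknown service type {svc.kind!r}")


# Constructed definitions in the spirit of the page's own examples.
DNS = Service("tcp/udp", dst="53")
HTTP = Service("tcp", dst="80")
HTTPS = Service("tcp", dst="443")
WEB = Service("group", members=[HTTP, HTTPS])
PING = Service("icmp", icmp_type=8, icmp_code=0)   # echo request
SMP = Service("ip", protocol=121)

if __name__ == "__main__":
    print(matches(DNS, Flow(UDP, sport=40000, dport=53)))   # True
    print(matches(WEB, Flow(UDP, sport=51000, dport=443)))  # False
```

Note the source port default: a flow with source port 0 does not match a definition whose source port is 1:65535, and a definition built with the source port deliberately narrowed (for example 1024:65535) will not match a client that happens to use a low source port. Decide on the source port consciously rather than copying the destination port into it.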
5.3 Time Period Definitions
On the Definitions & Users > Time Period Definitions page you can define single or recur
ring time slots that can in turn be used to limit for example firewall rules or content fil
ter profile assignments to specific time ranges.
Tip – When you click on the Info icon of a time period definition in the Time Period
Definitions list, you can see all configuration options in which the time period defin
ition is used.
To create a time period definition, proceed as follows:
1. On the Time Period Definitions tab, click New Time Period Definition.
The Add Time Period Definition dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this time period definition.
Type: Select the time period definition type. The following types are available:
- Recurring event: These events are repeated periodically. You can select the start time, the end time, and the weekdays on which the time period definition should apply. If the time span extends into the next day, the selected weekdays refer to the start time. Start and stop dates cannot be selected for this type.
- Single event: These events take place only once. You select both a start date/time and an end date/time. As these definitions do not recur, the option Weekdays cannot be selected for this type.
Comment (optional): Add a description or other information.
3. Click Save.
The new time period definition appears on the Time Period Definitions list.
To either edit or delete a time period definition, click the corresponding buttons.
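The rule that weekdays refer to the start time is the part of recurring events that surprises people: a "Friday 22:00 to 02:00" period is active in the small hours of Saturday, but a rule meant to cover every night of the weekend also needs Saturday selected. The following added example, which is not Sophos code, evaluates both definition types in Python. Function names are assumptions, as is the choice to treat an end time equal to the start time as a full 24 hours.

```python
"""Evaluating time period definitions (added illustration, not Sophos code).

Weekday numbering follows datetime.weekday(): Monday = 0 ... Sunday = 6.
Intervals are half-open, so an end time of 17:00 means "until 16:59:59".
"""
from datetime import datetime, time, timedelta
from typing import Set

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)


def in_recurring_event(now: datetime, start: time, end: time, weekdays: Set[int]) -> bool:
    """True if `now` lies inside the recurring slot on a selected weekday.

    If end <= start the slot runs into the next day (equal times are taken as
    24 hours, an assumption). Both today and yesterday are tried as the start
    day, because a slot that began yesterday evening may still be open now;
    the weekday test is applied to that start day, as the text requires.
    """
    for start_day in (now.date(), now.date() - timedelta(days=1)):
        if start_day.weekday() not in weekdays:
            continue
        begins = datetime.combine(start_day, start)
        ends = datetime.combine(start_day, end)
        if end <= start:
            ends += timedelta(days=1)
        if begins <= now < ends:
            return True
    return False


def in_single_event(now: datetime, start: datetime, end: datetime) -> bool:
    """A single event is just one half-open interval."""
    return start <= now < end


# Constructed definitions: the document date (May 9, 2017) is a Tuesday, so
# May 12 is a Friday and May 13/14 are the weekend.
NIGHT_SHIFT = (time(22, 0), time(2, 0), {FRI})
OFFICE_HOURS = (time(9, 0), time(17, 0), {MON, TUE, WED, THU, FRI})

if __name__ == "__main__":
    sat_0100 = datetime(2017, 5, 13, 1, 0)
    print(in_recurring_event(sat_0100, *NIGHT_SHIFT))   # True: started Friday
    sun_0100 = datetime(2017, 5, 14, 1, 0)
    print(in_recurring_event(sun_0100, *NIGHT_SHIFT))   # False: Saturday not selected
```

When a firewall rule or filter profile is bound to such a period, re-check the boundary cases with the same calendar you use in production; a period that is silently inactive on the weekend is a typical source of "it worked on Friday" tickets.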
5.4 Users & Groups
The Definitions & Users > Users & Groups menu lets you create users and groups for
WebAdmin access as well as for remote access, User Portal access, email usage etc.
5.4.1 Users
On the Definitions & Users > Users & Groups > Users tab you can add user accounts to
UTM. In its factory default configuration, Sophos UTM has one administrator called
admin.
Tip – When you click on the Info icon of a user definition in the Users list, you can see
all configuration options in which the user definition is used.
When you specify an email address in the New User dialog box, an X.509 certificate for
this user will be generated simultaneously while creating the user definition, using the
email address as the certificate's VPNID. On the other hand, if no email address is spe
cified, a certificate will be created with the user's Distinguished Name (DN) as VPN ID.
That way, if a user is authenticated by means of a backend group such as eDirectory, a
certificate will be created even if no email address is set in the corresponding backend
user object.
Because the VPN ID of each certificate must be unique, each user definition must have
a different and unique email address. Creating a user definition with an email address
already present in the system will fail. The certificates can be used for various remote
access methods supported by Sophos UTM with the exception of PPTP, L2TP over
IPsec using PSK, and native IPsec using RSA or PSK.
To add a user account, proceed as follows:
1. On the Users tab, click New User.
The Add User dialog box opens.
2. Make the following settings:
Username: Enter a descriptive name for this user (e.g. jdoe). Note that for using remote access via PPTP or L2TP over IPsec, the username may only contain ASCII printable characters [1].
Real name: Enter the user's real name (e.g. John Doe).
Email address: Enter the user's primary email address.
Additional email addresses (optional): Enter additional email addresses of this user. Spam emails sent to any of these addresses will be listed in a Quarantine Report, which is sent to the primary email address specified above.
Authentication: Select the authentication method. The following methods are available:
- Local: Select to authenticate the user locally on UTM.
- Remote: Select to authenticate the user using one of the external authentication methods supported by Sophos UTM. For more information, see Definitions & Users > Authentication Services.
- None: Select to prevent the user from authenticating at all. This is useful, for example, to disable a user temporarily without deleting the user definition altogether.
[1] http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters
Password: Enter a user password (a second time for verification). Only available if you selected Local as authentication method. Note that Basic User Authentication does not support umlauts. Note that for using remote access via PPTP or L2TP over IPsec, the password may only contain ASCII printable characters [1].
Backend sync: Some basic settings of the user definition such as the real name
or the user's email address can be updated automatically by synchronizing the
data with external backend authentication servers (only available if you selected
Remote as authentication method). Note that the option will automatically be set
according to the Enable Backend Sync on Login option on the Authentication Ser
vices > Advanced tab, if the user is selected for prefetching.
Note – Currently, only data with Active Directory and eDirectory servers can be
synchronized.
X.509 certificate: Once the user definition has been created, you can assign an
X.509 certificate for this user when editing the user definition. By default, this is
the certificate that was automatically generated upon creating the user defin
ition. However, you can also assign a third-party certificate, which you can upload
on the Remote Access > Certificate Management > Certificates tab.
Use static remote access IP (optional): Select if you want to assign a static IP
address for a user gaining remote access instead of assigning a dynamic IP
address from an IP address pool. For IPsec users behind a NAT router, for
example, it is mandatory to use a static remote access IP address.
Note – The static remote access IP can only be used for remote access through
PPTP, L2TP, and IPsec. It cannot be used, however, for remote access through
SSL.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Users can create and maintain their own email whitelist and blacklist (see
chapter User Portal). You can view those lists here and, if necessary, modify
them.
4. Click Save.
The new user account appears on the Users list.
If you want to make this user a regular administrator having access to the web-based
administrative interface WebAdmin, add the user to the group of SuperAdmins, which is
configured on the Definitions & Users > Users & Groups > Groups tab in WebAdmin.
Note – If you have deleted a user object and want to create a user object with the
same name, make sure you have also deleted the certificate associated with this
user on the Remote Access > Certificate Management > Certificates tab. Otherwise
you will get an error message stating that an item with that name already exists.
You can download remote access certificates and/or configurations of users for whom
some sort of remote access has been enabled. For that, select the checkbox in front of
the respective users and select the desired option from the Actions drop-down list in
the list header. Remote access users can also download those files themselves when
they are allowed to use the User Portal.
5.4.2 Groups
On the Definitions & Users > Users & Groups > Groups page you can add user groups to
UTM. In its factory default configuration, Sophos UTM has one user group called Super
Admins. If you want to assign administrative privileges to users, that is, granting
access to WebAdmin, add them to the group of SuperAdmins; this group should not be
deleted.
Tip – When you click on a group definition in the Groups list, you can see all con
figuration options in which the group definition is used.
To add a user group, proceed as follows:
1. On the Groups tab, click New Group.
The Add Group dialog box opens.
2. Make the following settings:
Group name: Enter a descriptive name for this group. Note that this name does
not need to correspond to the names of your backend groups.
Group type: Select the type of the group. You can choose between a group of static members and two group types with dynamic membership.
- Static members: Select the local users who shall become members of this group.
- IPsec X509 DN mask: Users are dynamically added to an IPsec X509 DN group definition if they have successfully logged in to the gateway through an IPsec connection and if specific parameters of their distinguished names match the values specified in the DN Mask box.
- Backend membership: Users are dynamically added to a group definition if they have been successfully authenticated by one of the supported authentication mechanisms. To proceed, select the appropriate backend authentication type:
    - Active Directory: An Active Directory user group of UTM provides group memberships to members of Active Directory server user groups configured on a Windows network. For more information, see Definitions & Users > Authentication Services > Servers.
    - eDirectory: An eDirectory user group of UTM provides group memberships to members of eDirectory user groups configured on an eDirectory network. For more information, see Definitions & Users > Authentication Services > Servers.
    - RADIUS: Users are automatically added to a RADIUS backend group when they have been successfully authenticated using the RADIUS authentication method.
    - TACACS+: Users are automatically added to a TACACS+ backend group when they have been successfully authenticated using the TACACS+ authentication method.
    - LDAP: Users are automatically added to an LDAP backend group when they have been successfully authenticated using the LDAP authentication method.
  Limit to backend group(s) membership (optional; only with backend groups Active Directory or eDirectory): For all X.500-based directory services you can restrict the membership to various groups present on your backend server if you do not want all users of the selected backend server to be included in this group definition. The group(s) you enter here once you have selected this option must match a Common Name as configured on your backend server. Note that if you select this option for an Active Directory backend, you can omit the CN= prefix. If you select this option for an eDirectory backend, you can use the eDirectory browser that lets you conveniently select the eDirectory groups that should be included in this group definition. However, if you do not use the eDirectory browser, make sure to include the CN= prefix when entering eDirectory containers.
  Check an LDAP attribute (optional; only with backend group LDAP): If you do not want all users of the selected backend LDAP server to be included in this group definition, you can select this checkbox to restrict the membership to those users matching a certain LDAP attribute present on your backend server. This attribute is then used as an LDAP search filter. For example, you could enter groupMembership as attribute with CN=Sales,O=Example as its value. That way you would include all users belonging to the sales department of your company in the group definition.
Comment (optional): Add a description or other information.
3. Click Save.
The new user group appears on the Groups list.
To either edit or delete a group, click the corresponding buttons.
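The attribute/value pair entered for Check an LDAP attribute ends up inside an LDAP search filter. The following added example, which is not Sophos code and does not describe how UTM builds its filter internally, shows what such a filter looks like for the groupMembership example above and why the values must be escaped according to RFC 4515 before they are inserted: a username such as `*)(uid=*` would otherwise rewrite the query. The login attribute uid and the AND of username and membership attribute are assumptions made for this illustration.

```python
"""Building an LDAP search filter from a username and a membership attribute
(added illustration, not Sophos code). Escaping follows RFC 4515 section 3."""
import re

# Characters that must be escaped inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute descriptions: a name, optionally with ;options (RFC 4512 shape).
_ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a value so it can only ever be compared, never change the filter.
    '=' and ',' need no escaping, so a DN such as CN=Sales,O=Example survives."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_attribute(name: str) -> str:
    """Attribute names come from the administrator, but check their shape anyway."""
    if not _ATTRIBUTE_RE.match(name):
        raise ValueError(f"not an attribute description: {name!r}")
    return name


def membership_filter(username: str, attribute: str, value: str,
                      login_attribute: str = "uid") -> str:
    """Filter that finds the user's entry and requires the membership attribute."""
    return "(&({}={})({}={}))".format(
        validate_attribute(login_attribute), escape_filter_value(username),
        validate_attribute(attribute), escape_filter_value(value),
    )


if __name__ == "__main__":
    print(membership_filter("jdoe", "groupMembership", "CN=Sales,O=Example"))
    # (&(uid=jdoe)(groupMembership=CN=Sales,O=Example))
    print(membership_filter("*)(uid=*", "groupMembership", "CN=Sales,O=Example"))
    # (&(uid=\2a\29\28uid=\2a)(groupMembership=CN=Sales,O=Example))
```

If you test the group definition against your own directory, do it with an LDAP client that escapes the same way, so that a working filter on the command line is evidence the value itself is right and not an artefact of an unescaped wildcard.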
5.5 Client Authentication
Sophos provides an authentication client for Windows and Mac OS so that users dir
ectly authenticate at the UTM. This gives you user-based control on web surfing and net
work traffic by, for example, creating firewall rules based on user networks or group
networks. Additionally, wherever possible, IP addresses, hostnames, and the like are
replaced by usernames to provide a better readability of reporting data and objects.
Note – In WebAdmin, user network objects authenticated via client authentication are always shown as unresolved, for performance reasons.
This page shows the Transparent Client Authentication status, online users connected
and enables administrators to configure Client Authentication and the Sophos Trans
parent Authentication Suite.
5.5.1 Global
The Client Authentication > Global tab gives an overview of all online users that have
been configured for Sophos Transparent Authentication Suite (STAS).
Once STAS is configured each logon to a Windows workstation is reflected by UTM and
is displayed as Online User record with username, real name, and IP address. After
logout from the workstation, the respective entry is deleted from the display after a
maximum of 20 minutes.
This status display applies only for Sophos Transparent Authentication Suite, there is
no status display for Client Authentication.
5.5.2 Client Authentication
Users who want or should use Client Authentication need to install the Sophos
Authentication Agent (SAA) on their client PC or Mac OS computer. The SAA can be
downloaded either via this WebAdmin page or via the User Portal. Note that only users
who are within the user group of the Client Authentication configuration will find a
download link on their User Portal page.
To configure Client Authentication, do the following:
1. On the Client Authentication tab, enable client authentication.
Click the toggle switch.
The toggle switch turns green and the Client Authentication Options area
becomes editable.
2. Select the allowed networks.
Add or select the networks that should use Client Authentication. Note that those
networks need to be directly connected to the UTM for Client Authentication to work. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
3. Select the allowed users and groups.
Select single users or groups or add new users into the Allowed Users and Groups
box. This can be also your already existing authentication group, e.g. an Active Dir
ectory user group. How to add a user is explained on the Definitions & Users >
Users & Groups > Users page.
4. Click Apply.
Your settings will be saved.
Client Authentication is now available for the selected networks.
Client Authentication Program
When Client Authentication is enabled, you can download the Sophos Authentication
Agent (SAA) here. You can either distribute the SAA manually or have your users down
load the client from the User Portal.
Download EXE: Downloads the Client Authentication program including the CA cer
tificate for direct installation on client PCs. This is the same file as can be downloaded
from the User Portal.
Download MSI: Downloads the Client Authentication MSI package. This package is
designed for automatic package installation via domain controller (DC) and does not
contain the CA certificate.
Download DMG: Downloads the Client Authentication Mac OS X disk image. This image
is designed for installation on client computers having an OS X operating system.
Download CA: Downloads the CA certificate that has to be rolled out in addition to the
MSI package.
The SAA can be used as authentication mode for the Web Filter. For more information,
see Web Protection > Web Filtering > Global.
5.5.3 Sophos Transparent Authentication Suite
Sophos Transparent Authentication Suite (STAS) enables transparent authentication
whereby Microsoft Windows credentials can be used to authenticate. The user has to
login only once to access the network resources. A client installation on the user's
machine is not required.
The Sophos Transparent Authentication Suite program can be fetched from the UTM
Support Downloads page in section Sophos Transparent Authentication Suite (STAS).
There, you can also download the Sophos Transparent Authentication installation guide.
To configure Sophos Transparent Authentication Suite, do the following:
1. On the Sophos Transparent Authentication Suite tab, enable transparent Client
Authentication.
Click the toggle switch.
Note – STAS requires automatic user creation and an Active Directory server to
be configured as backend server. You can enable automatic user creation under
Definitions & Users > Authentication Services > Global Settings and add an Act
ive Directory server under Definitions & Users > Authentication Services > Serv
ers > Active Directory.
2. Click New STAS Collector.
The Add STAS Collectors dialog box opens.
3. Make the following settings:
Name: Enter a descriptive name for the STAS collector.
Host: Select a host from the list or add a new one. For each new host you must specify an IP address.
Port: Select a special port or choose the default port (STAS Collector).
Comment: Enter a comment if desired.
4. Click Save.
Your settings will be saved.
Logins to and logouts from Windows workstations are reflected in the Online User display on the Global tab.
Disabling or removing the Active Directory server leads to a warning message and disables the STAS feature.
5.6 AWS Profiles
On the AWS Profiles page you can configure AWS profiles to use them for AWS specific
services. To use this, you need to have an AWS account.
To create an AWS profile, proceed as follows:
1. On the Profiles page click New Profile.
The Add Profile dialog box opens.
2. Make the following settings:
Profile name: Enter the name for the AWS profile.
Region: Select the region where your AWS instance is located.
Access key ID: Enter your AWS access key.
Note – For more information on access keys, see the AWS Documentation.
Secret access key: Enter your AWS secret access key.
Output format: If required, change the output format.
Note – This is only required if you use the CLI. For more information, see the AWS Documentation.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Session token: Enter your session token for temporary access to your AWS
instance.
Note – For more information on session tokens, see the AWS Documentation.
4. Click Save.
The profile appears in the list.
5.7 Authentication Services
On the Definitions & Users > Authentication Services page databases and backend serv
ers of external user authentication services like Single Sign-On or One-time Password
can be managed. External user authentication allows you to validate user accounts
against existing user databases or directory services on other servers of your network.
Authentication services currently supported are:
- Novell's eDirectory
- Microsoft's Active Directory
- RADIUS
- TACACS+
- LDAP
5.7.1 Global Settings
The Definitions & Users > Authentication Services > Global Settings tab lets you configure
basic authentication options. The following options are available:
Create users automatically: When this option is selected, Sophos UTM will automatically
create a user object whenever an unknown user of a configured backend group successfully
authenticates against one of the various authentication services supported by Sophos
UTM. For example, if you configure a RADIUS backend group and you add this group as a
member to one of the roles defined on the Management > WebAdmin Settings > Access Control
tab, Sophos UTM will automatically create a user definition for a RADIUS user who has
successfully logged in to WebAdmin.
Note – To use the Sophos Transparent Authentication Suite, you need to enable the
automatic user creation for STAS.
• Automatic User Creation for Facilities: Automatic user creation can be enabled or
disabled for specific services. Users are only created for enabled services. This
option is not available—and automatic user creation is disabled for all facilities—
when the Create users automatically option is not selected.
Note – This feature does not work for Active Directory Single Sign-On (SSO).
Those user objects are also needed to grant access to the User Portal of Sophos UTM.
In addition, an X.509 certificate will be generated for every user object that is
created automatically. Note, however, that automatic user creation will fail in case of
an email address conflict: the user definition to be created automatically must not
have an email address that is already present on the system. All email addresses must
be unique within the system because they are used as identifiers for X.509 certificates.
Important Note – Authentication (i.e., the action of determining who a user is) and
authorization (i.e., the action of determining what a user is allowed to do) for a user
whose user object was created automatically are always done on the remote
backend server/directory service. Therefore, automatically created user objects in
Sophos UTM are useless if the corresponding backend server is not available or if the
user object has been deleted on the remote site.
Note also that except for Active Directory Single Sign-On (SSO) Sophos UTM caches
user authentication data it has retrieved from a remote authentication server for 300
seconds. For this reason, changes made to the remote user settings will only take
effect after the cache has expired.
Authentication Cache
Every time Sophos UTM gets a user request, e.g., HTTP, from a yet unknown user and
authentication is required, the Sophos User Authentication (SUA) writes an entry to the
authentication cache. Over time, in environments with frequently changing users, it can
be reasonable to empty the cache from time to time, or whenever you want to force an
immediate new authentication for all users. Use the button Flush Authentication Cache
to empty the authentication cache.
An authentication is valid for 300 seconds. During this time, other authentication
requests by the same user are looked up directly in the cache. This technique takes
load off backend authentication services like eDirectory.
Note – Flushing the cache does not affect users that are remotely logged on.
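As an added illustration of the cache behaviour described here (example code, not part of Sophos UTM or this guide): a simplified Python model of a 300-second authentication cache with a flush. The backend callable, the credential-digest cache key and the injectable clock are assumptions made for the example and do not describe SUA internals; they are there to show why a change made on the backend (here, an account removed by the administrator) is not seen until the entry expires or the cache is flushed.

```python
import hashlib
import time

CACHE_TTL_SECONDS = 300  # validity period of a cached authentication, as described above


class AuthCache:
    """Simplified model of an authentication cache in front of a backend directory.

    backend: callable(username, password) -> bool, standing in for the remote server.
    clock:   callable() -> seconds; injectable so expiry can be demonstrated offline.
    (Assumed design for this example, not a description of SUA.)
    """

    def __init__(self, backend, ttl=CACHE_TTL_SECONDS, clock=time.monotonic):
        self._backend = backend
        self._ttl = ttl
        self._clock = clock
        self._entries = {}      # (username, credential digest) -> inserted_at
        self.backend_calls = 0  # how often the backend was actually asked

    @staticmethod
    def _key(username, password):
        # Key on a digest of the credential, never on the username alone, so a cached
        # success cannot be replayed with a different password.
        digest = hashlib.sha256(password.encode()).hexdigest()
        return (username, digest)

    def authenticate(self, username, password):
        now = self._clock()
        key = self._key(username, password)
        inserted_at = self._entries.get(key)
        if inserted_at is not None and now - inserted_at < self._ttl:
            return True                       # served from cache, backend not contacted
        self.backend_calls += 1
        result = self._backend(username, password)
        if result:                            # only successful authentications are cached
            self._entries[key] = now
        return result

    def flush(self):
        """Equivalent of Flush Authentication Cache: forces fresh backend queries."""
        self._entries.clear()


class FakeDirectory:
    """Stand-in for eDirectory/AD: a user table an admin can change at any time (constructed)."""

    def __init__(self, users):
        self.users = dict(users)  # username -> password

    def check(self, username, password):
        return self.users.get(username) == password


def demo():
    """Shows a removed account staying valid until the TTL expires or the cache is flushed."""
    clock = {"t": 0.0}
    directory = FakeDirectory({"alice": "correct horse"})
    cache = AuthCache(directory.check, clock=lambda: clock["t"])

    first = cache.authenticate("alice", "correct horse")     # backend queried
    second = cache.authenticate("alice", "correct horse")    # cache hit
    del directory.users["alice"]                             # admin removes the account
    clock["t"] = 200.0
    still_ok = cache.authenticate("alice", "correct horse")  # cached success, 200 s old
    clock["t"] = 301.0
    expired = cache.authenticate("alice", "correct horse")   # expired, backend re-queried
    cache.flush()
    return {"first": first, "second": second, "still_ok": still_ok,
            "expired": expired, "backend_calls": cache.backend_calls}
```

The same cache with a flush call inserted before the 200-second lookup would return False there, which is the effect the Flush Authentication Cache button has on a user whose backend account has changed.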
Live Log
Open Live Log: Click the button to see the log of the Sophos User Authentication (SUA)
in a new window.
5.7.2 Servers
On the Definitions & Users > Authentication Services > Servers tab, you can create one
or more authentication servers. Follow the links to create them:
• eDirectory
• Active Directory
• LDAP
• RADIUS
• TACACS+
5.7.2.1 eDirectory
Novell eDirectory is an X.500 compatible directory service for centrally managing
access to resources on multiple servers and computers within a given network.
eDirectory is a hierarchical, object-oriented database that represents all the assets
in an organization in a logical tree. Those assets can include people, servers,
workstations, applications, printers, services, groups, and so on.
To configure eDirectory authentication, proceed as follows:
1. On the Servers tab, click New Authentication Server.
The dialog box Add Authentication Server opens.
2. Make the following settings:
Backend: Select eDirectory as backend directory service.
Position: Select a position for the backend server. Backend servers with lower
numbers will be queried first. For better performance, make sure that the
backend server that is likely to get the most requests is on top of the list.
Server: Select or add an eDirectory server. How to add a definition is explained on
the Definitions & Users > Network Definitions > Network Definitions page.
SSL: Select this option to enable SSL data transfer. The Port will then change
from 389 (LDAP) to 636 (ldaps = LDAP over SSL).
Port: Enter the port of the eDirectory server. By default, this is port 389.
Bind DN: The Distinguished Name (DN) of the user to bind to the server with. This
user is needed if anonymous queries to the eDirectory server are not allowed.
Note that the user must have sufficient privileges to obtain all relevant user
object information from the eDirectory server in order to authenticate users.
eDirectory users, groups, and containers can be specified by the full distinguished
name in LDAP notation, using commas as delimiters (e.g.,
CN=administrator,DC=intranet,DC=example,DC=com).
Password: Enter the password of the bind user.
Test server settings: Pressing the Test button performs a bind test with the
configured server. This verifies that the settings on this tab are correct, and the
server is up and accepts connections.
Base DN: The starting point relative to the root of the LDAP tree where the users
are included who are to be authenticated. Note that the base DN must be specified
by the full distinguished name (FDN) in LDAP notation, using commas as delimiters
(e.g., O=Example,OU=RnD). Base DN may be empty. In this case, the base DN is
automatically retrieved from the directory.
Username: Enter the username of a test user to perform a regular authentication.
Password: Enter the password of the test user.
Authenticate example user: Click the Test button to start the authentication test
for the test user. This verifies that all server settings are correct, the server is up
and accepting connections, and users can be successfully authenticated.
3. Click Save.
The server will be displayed in the Servers list.
Figure 17 Groups: eDirectory Browser of Sophos UTM
5.7.2.2 Active Directory
Active Directory (AD) is Microsoft's implementation of a directory service and is a
central component of Windows 2000/2003 servers. It stores information about a broad
range of resources residing on a network, including users, groups, computers, printers,
applications, services, and any type of user-defined objects. As such it provides a
means of centrally organizing, managing, and controlling access to these resources.
Note – UTM supports Active Directory 2003 and newer.
The Active Directory authentication method allows you to register Sophos UTM at a
Windows domain, thus creating an object for Sophos UTM on the primary domain controller
(DC). UTM is then able to query user and group information from the domain.
Note – The default group Domain User, which is automatically created by the AD,
cannot be used for reverse authentication as this is denied by the UTM. The default
group Domain User is not returned by the AD in the memberOf attribute. If you want to
use AD groups for reverse authentication, create new groups in AD. Manually created
groups are returned by the AD in the memberOf attribute.
To configure Active Directory authentication, proceed as follows:
1. On the Servers tab, click New Authentication Server.
The dialog box Add Authentication Server opens.
2. Make the following settings:
Backend: Select Active Directory as backend directory service.
Position: Select a position for the backend server. Backend servers with lower
numbers will be queried first. For better performance, make sure that the
backend server that is likely to get the most requests is on top of the list.
Server: Select or add an Active Directory server. How to add a definition is
explained on the Definitions & Users > Network Definitions > Network Definitions
page.
SSL: Select this option to enable SSL data transfer. The Port will then change
from 389 (LDAP) to 636 (ldaps = LDAP over SSL).
Port: Enter the port of the Active Directory server. By default, this is port 389.
Bind DN: The full Distinguished Name (DN) of the user to bind to the server in
LDAP notation. This user is needed if anonymous queries to the Active Directory
server are not allowed. The bind user must have sufficient privileges to obtain all
relevant user object information from the Active Directory server in order to
authenticate users; a requirement usually met by the administrator of the
domain.
Each DN consists of one or more Relative Distinguished Names (RDN) constructed
from some attributes of the Active Directory user object and includes its user
name, the node where it resides, and the top-level DN of the server, all specified
in LDAP notation and separated by commas.
• The username must be the name of the user who is able to access the directory
and is to be specified by the CN designator (e.g., CN=user). While using a
popular account with domain permissions, such as "admin", is possible, it is
highly recommended for best practices that the user not have admin rights, as
it is sufficient for them to have read permission on all objects of the subtree
starting at the given base DN.
• The information of the node where the user object resides must include all
subnodes between the root node and the user object and is usually comprised of
so-called organizational units and common name components. Organizational units
(indicated by the combined folder/book icon in the Microsoft Management Console)
are to be specified by the OU designator. Note that the order of the nodes is
from the lowest to the highest node, that is, the more specific elements come
first (e.g., OU=Management_US,OU=Management). On the other hand, default Active
Directory containers (indicated by a simple Folder icon) such as the pre-defined
Users node are to be specified using the CN designator (e.g., CN=Users).
• The top-level DN of the server can consist of several domain components, each
specified by the DC designator. Note that the domain components are given in the
same order as the domain name (for example, if the domain name is example.com,
the DN part would be DC=example,DC=com).
An example bind user DN for a user named administrator whose object is stored in
the Users container in a domain called example.com would look like this:
CN=administrator,CN=Users,DC=example,DC=com
Figure 18 Authentication: Microsoft Management Console
Now, suppose you create an organizational unit called Management with the subnode
Management_US and move the administrator user object into it. The DN of the
administrator would then change to:
CN=administrator,OU=Management_US,OU=Management,DC=example,DC=com
Password: Enter the password of the bind user.
Test server settings: Pressing the Test button performs a bind test with the
configured server. This verifies that the settings on this tab are correct, and the
server is up and accepts connections.
Base DN: The starting point relative to the root of the LDAP tree where the users
are included who are to be authenticated. Note that the base DN must be specified
by the full distinguished name (FDN) in LDAP notation, using commas as delimiters
(e.g., O=Example,OU=RnD). Base DN may be empty. In this case, the base DN is
automatically retrieved from the directory.
Username: Enter the username of a test user to perform a regular authentication.
Password: Enter the password of the test user.
Authenticate example user: Click the Test button to start the authentication test
for the test user. This verifies that all server settings are correct, the server is up
and accepting connections, and users can be successfully authenticated.
3. Optionally, make the following advanced settings:
Timeout: Enter the timeout for the communication with the server to support
higher latency scenarios if you use third party authentication solutions.
4. Click Save.
The server will be displayed in the Servers list.
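The DN rules described for the Bind DN setting, worked through as an added Python example (not code from Sophos UTM or this guide): it assembles a bind DN from the CN, OU/CN and DC components in the order given above, escapes the characters that RFC 4514 reserves inside attribute values, and checks whether a bind user's DN lies within the subtree rooted at a given base DN, which is the subtree the bind user needs read permission on. The function names and the (designator, name) path representation are the example's own; attribute values are compared exactly, without the directory's matching rules.

```python
# Characters that RFC 4514 requires to be escaped inside an attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dc(domain):
    """example.com -> ['DC=example', 'DC=com'] (same order as the domain name)."""
    labels = [label for label in domain.split(".") if label]
    if not labels:
        raise ValueError("domain name must not be empty")
    return ["DC=" + escape_rdn_value(label) for label in labels]


def build_bind_dn(username, path, domain):
    """Assemble a bind DN from its parts.

    path lists the containers from the user object upwards, most specific first, as
    (designator, name) pairs: ('OU', ...) for organizational units, ('CN', ...) for
    default containers such as Users. (Representation assumed for this example.)
    """
    rdns = ["CN=" + escape_rdn_value(username)]
    for designator, name in path:
        if designator.upper() not in ("OU", "CN"):
            raise ValueError("container designator must be OU or CN, got %r" % designator)
        rdns.append("%s=%s" % (designator.upper(), escape_rdn_value(name)))
    rdns.extend(domain_to_dc(domain))
    return ",".join(rdns)


def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash escapes (single-valued RDNs only)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def _normalize(rdn):
    attr, _, value = rdn.partition("=")
    return attr.strip().upper(), value.strip()   # attribute types are case-insensitive


def is_within_base(dn, base_dn):
    """True if dn lies in the subtree rooted at base_dn (empty base matches everything)."""
    dn_parts = [_normalize(r) for r in split_dn(dn)]
    if not base_dn:
        return True
    base_parts = [_normalize(r) for r in split_dn(base_dn)]
    if len(base_parts) > len(dn_parts):
        return False
    return dn_parts[-len(base_parts):] == base_parts
```

Calling build_bind_dn("administrator", [("CN", "Users")], "example.com") yields the first DN from the text, and [("OU", "Management_US"), ("OU", "Management")] the second; a user name such as "Doe, John" is emitted as CN=Doe\, John so the comma is not read as an RDN separator.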
Cross Reference – Find information about configuring user authentication with Active
Directory in the Sophos Knowledgebase.
User Principal Name
Sometimes users should be required to use the User Principal Name notation
'user@domain' when entering their credentials, for example when using Exchange servers
in combination with Active Directory servers. To set this up, proceed as follows:
• Clone a desired server to start a new server
• Change Backend to LDAP
• Change User Attribute to <<Custom>>
• Enter userPrincipalname into Custom field.
If not present already, this will set up an 'LDAP Users' group which you will have to
use instead of the 'Active Directory Users' group.
Note – The format domain\user is not supported. Use the format user@domain
instead.
5.7.2.3 LDAP
LDAP, an abbreviation for Lightweight Directory Access Protocol, is a networking
protocol for querying and modifying directory services based on the X.500 standard.
Sophos UTM uses the LDAP protocol to authenticate users for several of its services,
allowing or denying access based on attributes or group memberships configured on
the LDAP server.
To configure LDAP authentication, proceed as follows:
1. On the Servers tab, click New Authentication Server.
The dialog box Add Authentication Server opens.
2. Make the following settings:
Backend: Select LDAP as backend directory service.
Position: Select a position for the backend server. Backend servers with lower
numbers will be queried first. For better performance, make sure that the
backend server that is likely to get the most requests is on top of the list.
Server: Select or add an LDAP server. How to add a definition is explained on the
Definitions & Users > Network Definitions > Network Definitions page.
SSL: Select this option to enable SSL data transfer. The Port will then change
from 389 (LDAP) to 636 (ldaps = LDAP over SSL).
Port: Enter the port of the LDAP server. By default, this is port 389.
Bind DN: The Distinguished Name (DN) of the user to bind to the server with. This
user is mandatory. For security reasons, anonymous queries to the LDAP server
are not supported. Note that the user must have sufficient privileges to obtain all
relevant user object information from the LDAP server in order to authenticate
users. LDAP users, groups, and containers can be specified by the full
distinguished name in LDAP notation, using commas as delimiters (e.g.,
CN=administrator,DC=intranet,DC=example,DC=com).
Password: Enter the password of the bind user.
Test server settings: Pressing the Test button performs a bind test with the con
figured server. This verifies that the settings on this tab are correct, and the
server is up and accepts connections.
User attribute: Select the user attribute that is to be used as the filter for
searching the LDAP directory. The user attribute contains the actual login name each
user is prompted for, for example by remote access services. The following user
attributes can be selected:
• CN (Common Name)
• SN (Surname)
• UID (User ID)
If usernames in your LDAP directory are not stored in any of these forms, select
<<Custom>> from the list and enter your custom attribute into the Custom field
below. Note that this attribute must be configured on your LDAP directory.
Base DN: The starting point relative to the root of the LDAP tree where the users
are included who are to be authenticated. Note that the base DN must be specified
by the full distinguished name (FDN) in LDAP notation, using commas as delimiters
(e.g., O=Example,OU=RnD). Base DN may be empty. In this case, the base DN is
automatically retrieved from the directory.
Username: Enter the username of a test user to perform a regular authentication.
Password: Enter the password of the test user.
Authenticate example user: Click the Test button to start the authentication test
for the test user. This verifies that all server settings are correct, the server is up
and accepting connections, and users can be successfully authenticated.
3. Click Save.
The server will be displayed in the Servers list.
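The User attribute and Custom settings above determine the search filter that is sent to the LDAP server for a login name. As an added Python example (not Sophos UTM code, and not a description of how the UTM builds its queries), the following constructs such a filter and escapes the login name as RFC 4515 requires, so a login name containing filter metacharacters cannot change the meaning of the query; the Custom branch validates the attribute name against the RFC 4512 attribute-description grammar before it is placed in the filter. The mapping of the tab's choices to attribute types and the function names are assumptions of the example.

```python
import re

# The tab's selectable user attributes, mapped to LDAP attribute types (assumed mapping).
USER_ATTRIBUTES = {"CN": "cn", "SN": "sn", "UID": "uid"}

# RFC 4512 attribute description: a keystring or a numeric OID, optionally with options.
_ATTRIBUTE_DESCRIPTION = re.compile(
    r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)*)(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 section 3 (\\XX hex escapes)."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(login_name, user_attribute="UID", custom_attribute=None,
                       object_class=None):
    """Build '(attr=login)' for the chosen user attribute, optionally ANDed with an objectClass.

    user_attribute is one of 'CN', 'SN', 'UID' or 'Custom'; for 'Custom' the attribute
    entered in the Custom field is passed as custom_attribute.
    """
    if user_attribute == "Custom":
        if not custom_attribute or not _ATTRIBUTE_DESCRIPTION.match(custom_attribute):
            raise ValueError("custom attribute is not a valid attribute description")
        attr = custom_attribute
    elif user_attribute in USER_ATTRIBUTES:
        attr = USER_ATTRIBUTES[user_attribute]
    else:
        raise ValueError("unsupported user attribute %r" % user_attribute)
    if not login_name:
        raise ValueError("login name must not be empty")
    user_term = "(%s=%s)" % (attr, escape_filter_value(login_name))
    if object_class is None:
        return user_term
    return "(&(objectClass=%s)%s)" % (escape_filter_value(object_class), user_term)
```

With the Custom attribute userPrincipalName from the previous section, user_search_filter("alice@example.com", "Custom", "userPrincipalName") gives (userPrincipalName=alice@example.com); an input such as *)(objectClass=* is rendered harmless as (cn=\2a\29\28objectClass=\2a).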
5.7.2.4 RADIUS
RADIUS, the acronym of Remote Authentication Dial In User Service, is a widespread
protocol for allowing network devices such as routers to authenticate users against a
central database. In addition to user information, RADIUS can store technical
information used by network devices, such as supported protocols, IP addresses, routing
information, and so on. This information constitutes a user profile, which is stored in
a file or database on the RADIUS server.
The RADIUS protocol is very flexible, and servers are available for most operating
systems. The RADIUS implementation on UTM allows you to configure access rights on the
basis of proxies and users. Before you can use RADIUS authentication, you must have a
running RADIUS server on the network. Whereas passwords are encrypted using the
RADIUS secret, the username is transmitted in plain text.
To configure RADIUS authentication, proceed as follows:
1. On the Servers tab, click New Authentication Server.
The dialog box Add Authentication Server opens.
2. Make the following settings:
Backend: Select RADIUS as backend directory service.
Position: Select a position for the backend server. Backend servers with lower
numbers will be queried first. For better performance, make sure that the
backend server that is likely to get the most requests is on top of the list.
Server: Select or add a RADIUS server. How to add a definition is explained on the
Definitions & Users > Network Definitions > Network Definitions page.
Port: Enter the port of the RADIUS server. By default, this is port 1812.
Shared Secret: The shared secret is a text string that serves as a password
between a RADIUS client and a RADIUS server. Enter the shared secret.
Test server settings: Pressing the Test button performs a bind test with the con
figured server. This verifies that the settings on this tab are correct, and the
server is up and accepts connections.
Username: Enter the username of a test user to perform a regular authentication.
Password: Enter the password of the test user.
NAS identifier: Select the appropriate NAS identifier from the list. For more
information see the Note and the table below.
Authenticate example user: Click the Test button to start the authentication test
for the test user. This verifies that all server settings are correct, the server is up
and accepting connections, and users can be successfully authenticated.
3. Optionally, make the following advanced settings:
Timeout: Enter the timeout for the communication with the server to support
higher latency scenarios if you use third party authentication solutions.
4. Click Save.
The server will be displayed in the Servers list.
Note – Each user authentication service of Sophos UTM such as PPTP or L2TP querying
the RADIUS server sends a different identifier (NAS identifier) to the RADIUS
server. For example, the PPTP service sends the NAS identifier pptp to the RADIUS
server when trying to authenticate this user. That way, the various services can be
differentiated on the RADIUS server, which is useful for authorization purposes, that
is, the granting of specific types of service to a user. Below you can find the list of
user authentication services and their corresponding NAS identifier.
User Authentication Service        NAS Identifier
SSL VPN                            ssl
PPTP                               pptp
IPsec                              ipsec
L2TP over IPsec                    l2tp
SMTP proxy                         smtp
User Portal                        portal
WebAdmin                           webadmin
SOCKS proxy                        socks
Web Filter                         http
Authentication Client              agent
Web Application Filter (WAF)       reverseproxy
Wireless Access Points             NAS ID is the wireless network name.
Table 1: RADIUS NAS Identifiers
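As an added example (not Sophos UTM code) of the two points made in this section, that the username travels in plain text while the password is protected with the RADIUS secret, and that each facility identifies itself with a NAS identifier from Table 1: the following Python builds a RADIUS Access-Request carrying User-Name, User-Password and NAS-Identifier, hides the password with the RFC 2865 section 5.2 MD5 scheme, and shows the receiving side with parse_attributes and reveal_password. The shared secret, username, password and packet identifier are constructed values for the example; which attributes the UTM actually includes beyond these is not stated in the text.

```python
import hashlib
import os
import struct

# NAS identifiers from Table 1 (wireless access points send the network name instead).
NAS_IDENTIFIERS = {
    "SSL VPN": "ssl", "PPTP": "pptp", "IPsec": "ipsec", "L2TP over IPsec": "l2tp",
    "SMTP proxy": "smtp", "User Portal": "portal", "WebAdmin": "webadmin",
    "SOCKS proxy": "socks", "Web Filter": "http", "Authentication Client": "agent",
    "Web Application Filter (WAF)": "reverseproxy",
}

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte password block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator        # first block is keyed by the authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block                              # cipher-block chaining on the hidden block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the RADIUS server holding the same secret."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(h ^ m for h, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding of one attribute; length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, service, authenticator=None):
    """Access-Request as a UTM facility (e.g. 'PPTP') would send it, with its NAS identifier."""
    if authenticator is None:
        authenticator = os.urandom(16)            # Request Authenticator: 16 random bytes
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, NAS_IDENTIFIERS[service].encode()))
    length = 20 + len(attrs)                      # code, id, length, authenticator = 20 bytes
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, length) + authenticator + attrs


def parse_attributes(packet):
    """Return {type: value} for a packet's attributes (later duplicates overwrite earlier)."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, attr_len = packet[i], packet[i + 1]
        if attr_len < 2 or i + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[attr_type] = packet[i + 2:i + attr_len]
        i += attr_len
    return attrs
```

The test a defender would want from this: the literal username is findable in the packet bytes, the literal password is not, and only a receiver with the correct shared secret recovers it. Note that the hiding is keyed by the shared secret alone, which is why the secret deserves the same handling as any other long-lived credential.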
5.7.2.5 TACACS+
TACACS+ (the acronym of Terminal Access Controller Access Control System) is a
proprietary protocol by Cisco Systems, Inc. and provides detailed accounting
information and administrative control over authentication and authorization
processes. Whereas RADIUS combines authentication and authorization in a user profile,
TACACS+ separates these operations. Another difference is that TACACS+ utilizes the
TCP protocol (port 49) while RADIUS uses the UDP protocol.
To configure TACACS+ authentication, proceed as follows:
1. On the Servers tab, click New Authentication Server.
The dialog box Add Authentication Server opens.
2. Make the following settings:
Backend: Select TACACS+ as backend directory service.
Position: Select a position for the backend server. Backend servers with lower
numbers will be queried first. For better performance, make sure that the
backend server that is likely to get the most requests is on top of the list.
Server: Select or add a TACACS+ server. How to add a definition is explained on
the Definitions & Users > Network Definitions > Network Definitions page.
Port: Enter the port of the TACACS+ server. By default, this is port 49.
Key: Enter the authentication and encryption key for all TACACS+ communication
between Sophos UTM and the TACACS+ server. The value for the key to be
entered here should match the one configured on the TACACS+ server. Enter the
key (second time for verification).
Test server settings: Pressing the Test button performs a bind test with the
configured server. This verifies that the settings on this tab are correct, and the
server is up and accepts connections.
Username: Enter the username of a test user to perform a regular authentication.
Password: Enter the password of the test user.
Authenticate example user: Click the Test button to start the authentication test
for the test user. This verifies that all server settings are correct, the server is up
and accepting connections, and users can be successfully authenticated.
3. Click Save.
The server will be displayed in the Servers list.
5.7.3 Single Sign-On
On the Definitions & Users > Authentication Services > Single Sign-On tab you can
configure single sign-on functionality for Active Directory and/or eDirectory.
Active Directory Single Sign-On (SSO)
Note that the Active Directory SSO facility is currently only used with the Web Filter to
provide single sign-on with browsers that support NTLMv2 or Kerberos authentication.
To activate the single sign-on functionality, UTM must join the Active Directory domain.
In order for the domain joining to work, the following prerequisites must be met:
• There MUST NOT be a time difference of more than five minutes between the
gateway clock and the DC clock.
• The UTM hostname must exist in the AD DNS system.
• UTM must use the AD DNS as forwarder, or must have a DNS request route for the
AD domain which points to the AD DNS server.
Note – Active Directory Group Membership Synchronization uses the Single Sign-On
(SSO) password to communicate with the AD server. If this password is changed, the
new password needs to be entered and the UTM re-joined, for the UTM to sync with
the server again.
To configure Active Directory SSO, do the following:
1. Create an Active Directory server on the Servers tab.
2. Make the following settings:
Domain: Name of the domain (for example intranet.mycompany.com). UTM
searches all DCs retrievable via DNS.
Admin username: User with administrative privileges who is allowed to add
computers to that domain (usually "Administrator").
Password: The password of the admin user.
3. Click Apply.
Your settings will be saved.
Note on Kerberos authentication support: In order for opportunistic SSO Kerberos
support to work, the clients MUST use the FQDN hostname of UTM in their proxy
settings—using the IP address will not work. NTLMv2 mode is not affected by this
requirement, and will automatically be used if it is not met, or if the browser does not
support Kerberos authentication.
eDirectory Single Sign-On (SSO)
Here, you can configure SSO for eDirectory. If you have configured eDirectory SSO as
authentication method in Web Protection > Web Filtering, the eDirectory server
selected here will be used.
To configure eDirectory SSO, do the following:
1. Create an eDirectory server on the Servers tab.
2. Make the following settings:
Server: eDirectory server for which you want to enable SSO.
Sync interval: Time (in seconds) between two synchronization events between
UTM and eDirectory server.
3. Click Apply.
Your settings will be saved.
5.7.4 One-time Password
On the Definitions & Users > Authentication Services > One-time Password tab you can
configure the one-time password (OTP) service, and you can monitor or edit the tokens
of the one-time password users. One-time passwords are a method to improve security
for password-based authentication. The user-specific password, which is sometimes too
weak, will be amended with a one-time password that is valid for only one login. Thus,
even if an attacker gets hold of it, he will not be able to log in with it.
One-time passwords generally change consistently, in regular intervals, being
calculated automatically by a specific algorithm. Soon after a new password is
calculated, the old password expires automatically. To calculate one-time passwords,
the user needs to have either a mobile device with appropriate software, or a special
hardware or security token. Hardware tokens are ready to use from the start. On the
mobile device, the end user needs to install Google Authenticator or similar software
and deploy the configuration, which is available in the User Portal as a QR code, on the
start page or on the OTP Token page (see User Portal page). Having done that, the
device calculates one-time passwords in token-specific intervals. It is important that
date and time are correct on the mobile device as the time stamp is used for one-time
password generation.
Note – To authenticate on the facilities where the one-time password is required, the
user has to enter his user-specific UTM password, directly followed by the one-time
password.
The administrator can also generate one-time passwords, also known as passcodes,
manually. In this case, you have to ensure that these one-time passwords, which are
not time-limited, are safely transmitted to the end user. This process, however, should
only be considered as a temporary solution, for example when a user temporarily has no
access to his or her password calculating device.
Note – Once an OTP token is created an information icon appears on the right side for
each token. You can view the QR code and its details by clicking on the information
icon.
Enabling and Configuring One-time Password Service
To configure the one-time password service, do the following:
1. In the OTP Settings section, make the following settings:
All users must use one-time passwords: By default, this checkbox is enabled and
all users have to use one-time passwords. If only specific users should use one-time
passwords, disable the checkbox and select or add users or groups to the box.
Caution – If you disabled the function All users must use one-time passwords,
this automatically affects the Users/Groups in other parts of the UTM. For
example, Reverse Authentication.
Note – The option Create users automatically must be activated for users with
backend authentication. You can find the option under Definitions & Users >
Authentication Services > Global Settings > Automatic User Creation.
Auto-create OTP tokens for users: If selected, a QR code for configuring the
mobile device software will be presented to the authorized users the next time
they log in to the User Portal. For this to work, make sure that the users have
access to the User Portal (see Management > User Portal pages). When a user
logs in to the User Portal, the respective token will appear in the OTP Tokens list.
Enabling this feature is recommended when you are using soft tokens on mobile
devices. If your users only use hardware tokens you should instead disable the
checkbox and add or import the tokens before enabling the OTP feature.
Hash algorithm used: Select a hash algorithm (RFC 6234) to encrypt the
auto-created OTP tokens.
Enable OTP for facilities: Here you select the UTM facilities that should be
accessed with one-time passwords by the selected users. When you select the
Auto-create OTP tokens for users checkbox, the User Portal needs to be enabled
for security reasons: As the User Portal gives access to the OTP tokens, it should
have no weaker protection itself. To activate OTP for secure shell access, you
have to additionally enable shell access usage for the respective tokens (see
Adding or Editing OTP Tokens Manually). The corresponding users then have to log
in as loginuser with the loginuser password, appended by the one-time password.
Caution – Especially when selecting WebAdmin or Shell Access for OTP usage,
you have to ensure that the selected users have access to the one-time pass
word tokens. Otherwise you may log them out permanently.
2. In the Timestep Settings section, make the following settings:
Default token timestep: To synchronize one-time password generation on the
mobile device and on the UTM, the timestep has to be identical on both sides.
Some hardware tokens use 60 seconds. Other software OTP tokens use a
timestep of 30 seconds which is the default value here. If the timestep does not
match, authentication fails. The value entered here is used automatically for each
new OTP token. The allowed range for the timestep is 10-120.
Maximum passcode offset: With help of this option you can set the maximum
passcode offset steps. This means if you for example set 3 steps, you restrict the
clock of a token to drift no more than 3 timesteps between two logins. The allowed
range for the maximum passcode offset is 0-10.
Maximum initial passcode offset: With help of this option you can set the maximum
initial passcode offset steps. This means if you for example set 10 steps, you
restrict the clock of a token to drift no more than 10 timesteps between two
logins. The allowed range for the maximum initial passcode offset is 0-600.
3. Click Apply.
Your settings will be saved.
4. If you use hardware tokens, import or add them into the OTP Tokens section.
Click the Import icon on the top right of the list. Select the method CSV Import.
Then paste the CSV separated data into the text box and click Save.
PSKC Upload: OTP tokens which are using the OATH-TOTP standard are mostly
delivered in a file which contains serial numbers and secrets using PSKC format.
For encrypted files the decryption key is supplied out-of-band (paper-based). The
standardized PSKC schema version 1.0 is supported (see
https://tools.ietf.org/html/rfc6030).
Note – Please refer to the following draft for additional information about the
TOTP profile: draft-hoyer-keyprov-pskc-algorithm-profiles-01.txt.
Click the Import icon on the top right of the list. Select the method PSKC Upload.
Select the requested file and click Start Upload. If the file is encrypted, enter the
Decryption Key and click Save.
Note – Sophos does not support public key encryption/authentication, only pre-shared
key with AES/SHA1.
CSV Import: Use the data received from the hardware token vendor to generate a
CSV file, using semicolons, in UTF-8 encoding. The file needs to contain three
columns with the following content: secret, timestep, and comment. The secret, a
unique, device-specific string, is mandatory, and should have a hexadecimal
format and a length of minimum 128 bit. The other columns may be empty. If
timestep is empty, the default token timestep defined in the OTP Settings section
is used.
After the import/upload you can modify the entries using the Edit icon. Additionally, you can always add single entries by clicking the Plus icon (see Adding or Editing OTP Tokens Manually).
5. Enable the one-time password service.
Click the toggle switch on top of the page. The toggle switch turns green.
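The two import formats above, PSKC (RFC 6030) and the semicolon-separated CSV, describe the same data: a per-token secret and its timestep. The following Python is an added example, not Sophos code and not how the appliance implements its import; it parses a constructed, unencrypted PSKC 1.0 container (the serial number and secret are made up, the secret being the well-known RFC 4226 test key) and renders it as secret;timestep;comment rows in the form the CSV Import expects, checking the points the text names: PSKC version 1.0, a TOTP key, a plain (not encrypted) secret, and a secret of at least 128 bit.

```python
import base64
import csv
import io
import xml.etree.ElementTree as ET

# Namespace and TOTP algorithm URI from RFC 6030 / the PSKC TOTP profile draft.
PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
TOTP_ALG = "urn:ietf:params:xml:ns:keyprov:pskc:totp"

# Constructed sample: an unencrypted PSKC 1.0 container describing one TOTP
# hardware token. Vendor, serial and secret are made up, not a real file.
SAMPLE_PSKC = """<KeyContainer Version="1.0" xmlns="urn:ietf:params:xml:ns:keyprov:pskc">
  <KeyPackage>
    <DeviceInfo>
      <Manufacturer>ExampleVendor</Manufacturer>
      <SerialNumber>987654321</SerialNumber>
    </DeviceInfo>
    <Key Id="example-key-1" Algorithm="urn:ietf:params:xml:ns:keyprov:pskc:totp">
      <AlgorithmParameters>
        <ResponseFormat Length="6" Encoding="DECIMAL"/>
      </AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Time><PlainValue>0</PlainValue></Time>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def parse_pskc(xml_text: str, default_timestep: int = 30) -> list:
    """Return the TOTP tokens found in an unencrypted PSKC 1.0 document."""
    # A vendor file never needs a DOCTYPE, and entity expansion is the classic
    # way to abuse an XML importer, so refuse it outright.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{PSKC_NS}}}KeyContainer" or root.get("Version") != "1.0":
        raise ValueError("not a PSKC 1.0 KeyContainer")
    ns = {"p": PSKC_NS}
    tokens = []
    for pkg in root.findall("p:KeyPackage", ns):
        serial = pkg.findtext("p:DeviceInfo/p:SerialNumber", default="", namespaces=ns)
        for key in pkg.findall("p:Key", ns):
            if key.get("Algorithm") != TOTP_ALG:
                raise ValueError(f"unsupported algorithm {key.get('Algorithm')}")
            if key.find("p:Data/p:Secret/p:EncryptedValue", ns) is not None:
                raise ValueError("encrypted PSKC: the out-of-band decryption key is needed")
            b64 = key.findtext("p:Data/p:Secret/p:PlainValue", namespaces=ns)
            if b64 is None:
                raise ValueError("key without a secret")
            secret = base64.b64decode(b64.strip(), validate=True)
            if len(secret) < 16:  # the import wants at least 128 bit
                raise ValueError("secret shorter than 128 bit")
            step_text = key.findtext("p:Data/p:TimeInterval/p:PlainValue", namespaces=ns)
            timestep = int(step_text) if step_text else default_timestep
            tokens.append({"serial": serial, "secret_hex": secret.hex(), "timestep": timestep})
    return tokens


def to_utm_csv(tokens: list) -> str:
    """Render tokens as semicolon-separated secret;timestep;comment rows."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter=";", lineterminator="\n")
    for t in tokens:
        writer.writerow([t["secret_hex"], t["timestep"], f"serial {t['serial']}"])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_utm_csv(parse_pskc(SAMPLE_PSKC)), end="")
```

The secret column comes out as 40 hex characters (160 bit), which satisfies the minimum of 128 bit; the comment column carries the serial number so that a token can later be matched to the physical device.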
If Auto-create OTP tokens for users is enabled, as soon as one of the users specified for
one-time password authentication logs in to the User Portal for the first time, the UTM
auto-creates the OTP token entry if it was not generated up front. Additionally, the
Reset icon of the entry is enabled.
Using the toggle switch of an entry you can disable it, for example in case the user lost
his hardware token. Using the appropriate icon, you can delete an entry, for example if a
hardware token is broken. Be aware that in both cases, if the Auto-create OTP tokens
for users option is enabled, the user can still re-authenticate because he has access to
the token secret. In the OTP Tokens list, a new entry will be displayed.
On the top right of the OTP Tokens list, a search box and navigation icons are available
to navigate through and to filter the list.
Cross Reference – Find information about configuring OTP in the Sophos Knowledgebase.
Icons
In the OTP Tokens area are some additional functional icons. Functional icons and their meaning:
• Reset icon: Sets the token to a 'never-used' state, the so-called initial state. If the reset was performed the user will see the QR code again when logging in to the User Portal. The reset function is available if the user logged in with OTP at least one time.
• Command Shell icon: Shows that the token is configured to be used for remote shell access.
• Shows that the token information will not be displayed in the User Portal.
• Plus icon: Shows additional token codes.
• Stopwatch icon: Allows you to show the token time-offsets.
• Shows the QR code of the token and its information.
Adding or Editing OTP Tokens Manually
You can add or edit OTP tokens.
Tip – Usually you would not add single OTP tokens but either import them—in case of
hardware tokens—or, using mobile devices, automatically generate them, using the
Auto-create OTP tokens for users option.
1. Open the dialog to add or edit the OTP token.
To add an OTP token, click the green Plus icon on the top right of the OTP Tokens
list.
To edit an OTP token, click the Edit icon in front of the respective entry in the
OTP Tokens list.
2. Make the following settings:
User: Select or add the user to whom the token should be assigned.
Secret: This is the shared secret of the user's hardware token or soft token. A
hardware token has an unchangeable secret, given by the hardware producer. The
soft token is created randomly by the UTM, when Auto-create OTP tokens for
users is enabled. The secret should have a hexadecimal format and a length of
128 bit.
Comment (optional): Add a description or other information. This text will be displayed with the QR code in the User Portal. If you define different tokens for one person, e.g., a hardware token and a soft token for the mobile phone, it is useful to enter some explanation here, as all QR codes are displayed to the user side by side.
3. Optionally, make the following advanced settings:
Use custom token timestep: If you need another timestep for a token than the
default token timestep defined in the OTP Settings section, enable this checkbox
and enter the value. The timestep defined here has to correspond with the
timestep of the user's password generation device, otherwise authentication
fails.
Hide token information in User Portal: If enabled, the token will not be displayed
in the User Portal. This can be useful for hardware tokens, where no configuration
is needed, or for example when the soft tokens should not be configured by the
end user, but centrally, by the administrator.
Token can be used for shell access: If enabled, the token can be used for command-line access to the UTM. For this to work, shell access has to be enabled in
the OTP Settings section, and shell access with password authentication has to
be enabled for the UTM in general (see Management > System Settings > Shell
Access). OTP tokens with permission for shell access have a Command Shell
icon on the right. For one-time password shell access, the user then has to log in
as loginuser with the loginuser password, appended by the one-time password.
Additional codes (only when editing an OTP token): You can add one-time passwords manually for a token. Either click the green Plus icon to enter one one-time password at a time, or use the Generate button to generate 10 one-time passwords at once. You can also import or export the one-time passwords using the Action icon. These one-time passwords are not time-limited. A one-time password is deleted automatically once the user has logged in with it. OTP tokens with additional one-time passwords have a Plus icon on the right. Hovering the cursor over it shows the list of one-time passwords.
4. Click Save.
Your settings will be saved.
Synchronizing OTP Token Time
The built-in quartz clocks of hardware OTP tokens might run slower or faster than 'real world' clocks. The VASCO token specification, for example, allows a time drift of about 2 seconds each day. After some months, the time drift of the hardware token might be so big that the OTP code on the token no longer matches the UTM's calculated OTP, and also too large for the default accepted OTP window of +/- one token code. So the OTP code will be denied by the UTM.
Each time a user logs on to UTM using a valid hardware token code the UTM calculates
whether the token code is more than one time-step value away or not. If yes, the UTM
changes the token-specific time drift value automatically.
With UTM you can calculate the time-offset and synchronize it. Proceed as follows:
1. In the OTP Tokens area click on the Stopwatch icon.
The check OTP token time-offset dialog box opens. The current offset for this
token is displayed.
2. Enter the Token Passcode.
The token passcode is a six digit number created by the hardware device.
3. Click Check.
The result will be displayed after a few seconds. If the passcode was valid, the message says whether and by how many timesteps the token is off.
4. If you want to set the offset for the token, click OK.
The token time-offset is updated.
5. Click Cancel.
The dialog box closes.
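The drift handling described in this section, and the Maximum passcode offset / Maximum initial passcode offset settings earlier in the section, can be followed with the standard OATH algorithms. The Python below is an added example, not the UTM's implementation: it computes HOTP (RFC 4226) and TOTP (RFC 6238) over the RFC test secret, then verifies a passcode inside a window of timesteps around the server clock plus the token's known offset, returning the offset it found. The walk-through simulates a token whose clock has fallen 3 timesteps behind: the default +/- one window rejects it, a larger initial window accepts it and learns the offset, and the following login succeeds again with the normal window once that offset is stored. Timestamps and the drift amount are constructed.

```python
import hashlib
import hmac
import struct

# Constructed 160-bit token secret in the hex form of the CSV import. This is
# the RFC 4226/6238 test secret "12345678901234567890", not a real token.
SECRET = bytes.fromhex("3132333435363738393031323334353637383930")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) with HMAC-SHA1: the primitive OATH-TOTP is built on."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, timestep: int = 30) -> str:
    """TOTP (RFC 6238): HOTP over the number of timesteps since the epoch."""
    return hotp(secret, unix_time // timestep)


def check_passcode(secret, passcode, server_time, timestep=30,
                   stored_offset=0, max_offset=1):
    """Verify a passcode against the server clock.

    stored_offset is the drift (in timesteps) already known for this token;
    max_offset is how many further steps it may have drifted since the last
    login (the page's maximum passcode offset). Returns the new total offset
    when a code matches, or None when it is rejected.
    """
    expected = server_time // timestep + stored_offset
    for delta in sorted(range(-max_offset, max_offset + 1), key=abs):  # nearest first
        if hmac.compare_digest(hotp(secret, expected + delta), passcode):
            return stored_offset + delta
    return None


def demo_drift():
    """Token whose clock runs 3 timesteps slow; returns the three verdicts."""
    server_time = 1111111111                        # constructed server clock
    code = totp(SECRET, server_time - 3 * 30)       # what the slow token displays
    default_window = check_passcode(SECRET, code, server_time, max_offset=1)   # None
    initial_window = check_passcode(SECRET, code, server_time, max_offset=10)  # -3
    # Next login: the learned offset is stored, so the normal +/-1 window suffices.
    later = server_time + 30
    code2 = totp(SECRET, later - 3 * 30)
    next_login = check_passcode(SECRET, code2, later, stored_offset=-3, max_offset=1)
    return default_window, initial_window, next_login


if __name__ == "__main__":
    print(demo_drift())
```

A real verifier must additionally remember the last counter value it accepted for each token and refuse anything at or below it, so that a code observed once cannot be replayed inside the window; that bookkeeping is left out here to keep the drift logic visible.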
5.7.5 Advanced
Block Password Guessing
This function can be used to prevent password guessing. After a configurable number
of failed login attempts (default: 3), the IP address trying to gain access to one of the
facilities will be blocked for a configurable amount of time (default: 600 seconds).
Drop packets from blocked hosts: If enabled, all packets coming from blocked hosts
will be dropped for the specified time. This option serves to avoid DoS attacks.
Facilities: The check will be performed for the selected facilities.
Never block networks: Networks listed in this box are exempt from this check.
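The three settings above define a simple per-source-address rate limit. The Python below is an added example, not the UTM's own implementation: it applies the defaults (3 failures, 600 seconds) and a Never block network to a few constructed authentication log lines and reports, per attempt, whether the source is blocked. The log format and the facility names "webadmin" and "userportal" are placeholders chosen for the example; how long failed attempts are remembered before a block is triggered is not stated on the page, and the model assumes the block time.

```python
import ipaddress
from collections import defaultdict, deque


class PasswordGuessingBlocker:
    """Per-source-IP failed-login counter with a timed block, modelled on the
    Block Password Guessing options: max failures, block time, exempt networks."""

    def __init__(self, max_failures=3, block_seconds=600, never_block=()):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which the block expires

    def _exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # block has expired
            del self.blocked_until[ip]
            return False
        return True

    def record(self, ip, success, now):
        """Feed one login attempt; returns True when the source is blocked."""
        if self._exempt(ip):
            return False
        if self.is_blocked(ip, now):
            return True
        if success:
            self.failures.pop(ip, None)     # a good login clears the counter
            return False
        window = self.failures[ip]
        window.append(now)
        # Assumption of this model: only failures within the last block_seconds count.
        while window and now - window[0] > self.block_seconds:
            window.popleft()
        if len(window) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_seconds
            self.failures.pop(ip, None)
            return True
        return False

    def blocked_sources(self, now):
        """Addresses currently blocked, e.g. to feed a packet-drop rule."""
        return sorted(ip for ip in list(self.blocked_until) if self.is_blocked(ip, now))


# Constructed log: "<unix time> <source ip> <facility> <result>"
SAMPLE_LOG = """\
1494324000 203.0.113.7 webadmin FAIL
1494324010 203.0.113.7 webadmin FAIL
1494324020 203.0.113.7 webadmin FAIL
1494324030 203.0.113.7 webadmin FAIL
1494324040 10.0.0.5 userportal FAIL
1494324050 10.0.0.5 userportal FAIL
1494324060 10.0.0.5 userportal FAIL
1494324070 10.0.0.5 userportal OK
1494324700 203.0.113.7 webadmin OK
"""


def replay(log_text, facilities=("webadmin", "userportal"), never_block=("10.0.0.0/8",)):
    """Run the log through the blocker; returns [(ip, blocked), ...] per attempt."""
    guard = PasswordGuessingBlocker(never_block=never_block)
    decisions = []
    for line in log_text.splitlines():
        ts, ip, facility, result = line.split()
        if facility not in facilities:      # only the selected facilities are checked
            continue
        decisions.append((ip, guard.record(ip, result == "OK", int(ts))))
    return decisions


if __name__ == "__main__":
    for ip, blocked in replay(SAMPLE_LOG):
        print(ip, "BLOCKED" if blocked else "ok")
```

The third failure from 203.0.113.7 triggers the block and the fourth attempt is refused without being evaluated; 10.0.0.5 is inside the exempt network and is never counted; by the time 203.0.113.7 returns 700 seconds later the 600-second block has expired.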
Local Authentication Passwords
Using this option, you can force the use of strong passwords for administrators or locally registered users having administrative privileges. You can configure password complexity to adhere to the following security requirements:
• Minimum password length, default is eight characters
• Require at least one lowercase character
• Require at least one uppercase character
• Require at least one numeral
• Require at least one non-alphanumeric character
To enable the selected password properties select the Require complex passwords checkbox and click Apply.
Active Directory Group Membership Synchronization
Use this option to enable background syncing of AD group membership information.
The UTM can periodically synchronize group membership information and cache it locally to reduce traffic to the Active Directory server. When this option is enabled, group
membership information will be synchronized with the configured Active Directory
Single Sign-On server.
Click Synchronize Now to immediately synchronize group membership information.
Prefetch Directory Users
Users from eDirectory or Active Directory can be synchronized with UTM. This pre-creates user objects on UTM so that they already exist when the user logs in. The synchronization process can run weekly or daily.
To enable prefetching, make the following settings:
Server: The drop-down list contains servers that have been created on the Servers tab.
Select a server for which you want to enable prefetching.
Prefetch interval: Select an interval to prefetch users. To run the synchronization weekly, select the day of the week when synchronization should start. To run the synchronization daily, select Daily.
Prefetch time: Select a time to prefetch users.
Groups: To specify which groups should be pre-created, enter the groups here. You can
use the integrated LDAP browser to select these groups.
Click Apply to save your settings.
Prefetch Now: Click this button to start prefetching immediately.
Open Prefetch Live Log: Click this button to open the prefetch live log.
Enable backend sync on login (optional): With every prefetch event, the Backend sync
option of the involved users (Users & Groups > Users tab) will be set to the value
defined here. If the option is enabled, the users' Backend sync option will be enabled; if the option is disabled, the users' Backend sync option will be disabled.
6 Interfaces & Routing
This chapter describes how to configure interfaces and network-specific settings in
Sophos UTM. The Network Statistics page in WebAdmin provides an overview of today's
top ten accounting services, top source hosts, and concurrent connections. Each of the
sections contains a Details link. Clicking the link redirects you to the respective reporting section of WebAdmin, where you can find more statistical information.
The following topics are included in this chapter:
• Interfaces
• Quality of Service (QoS)
• Uplink Monitoring
• IPv6
• Static Routing
• Dynamic Routing (OSPF)
• Border Gateway Protocol
• Multicast Routing (PIM-SM)
6.1 Interfaces
A gateway requires at least two network interface cards to connect an internal LAN to
an external one (e.g., the Internet) in a secure fashion. In the following examples, the network card eth0 is always the interface connected to the internal network. Network card eth1 is the interface connected to the external network (for example, to the Internet). These interfaces are also called the trusted and untrusted interfaces, respectively.
Network cards are automatically recognized during the installation. With the Software Appliance, if new network cards are added later, a new installation will be necessary. To reinstall the system, simply make a backup of your configuration, install the software, and restore your backup.
The gateway must be the only point of contact between internal and external networks. All data must pass through UTM. We strongly recommend against connecting both internal and external interfaces to one hub or switch, except if the switch is configured as a VLAN switch. Otherwise wrong ARP (Address Resolution Protocol) resolutions, also known as "ARP clash", might occur, which not all operating systems (for example, those from Microsoft) can handle. Therefore, one physical network segment has to be used for each gateway network interface.
The Interfaces menu allows you to configure and manage all network cards installed on
UTM and also all interfaces with the external network (Internet) and interfaces to the
internal networks (LAN, DMZ).
Note – While planning your network topology and configuring UTM, take care to note
which interface is connected to which network. In most configurations, the network
interface with SysID eth1 is chosen as the connection to the external network. In
order to install the high availability (HA) failover, the selected network cards on both
systems must have the same SysID. Installing the HA failover is described in more detail under Management > High Availability.
The following sections explain how to manage and configure different interface types
on the tabs Interfaces, Additional Addresses, Link Aggregation, Uplink Balancing, Multipath Rules, and Hardware.
6.1.1 Interfaces
On the Interfaces tab you can configure network cards and virtual interfaces. The list
shows the already defined interfaces with their symbolic name, hardware device, and
current addresses. The interface status is also displayed. By clicking the toggle switch,
you can activate and deactivate interfaces. Please note that interface groups do not
have a toggle switch.
Tip – When you click the Info icon of an interface definition in the Interfaces list, you
can see all configuration options in which the interface definition is used.
Newly added interfaces may show up as Down while they are in the process of being set up. You can edit or delete interfaces by clicking the respective buttons.
6.1.1.1 Automatic Interface Network Definitions
Each interface on your UTM has a symbolic name and a hardware device assigned to it.
The symbolic name is used when you reference an interface in other configuration settings. For each interface, a matching set of network definitions is automatically created by UTM:
• A definition containing the current IP address of the interface, its name consisting of the interface name and the (Address) suffix.
• A definition containing the network attached to the interface, its name consisting of the interface name and the (Network) suffix. This definition is not created for Point-to-Point (PPP) type interfaces.
• A definition containing the broadcast address of the interface, its name consisting of the interface name and the (Broadcast) suffix. This definition is not created for Point-to-Point (PPP) type interfaces.
When the interface uses a dynamic address allocation scheme (such as DHCP or
remote assignment), these definitions are automatically updated. All settings referring
to these definitions, for example firewall and NAT rules, will also automatically be
updated with the changed addresses.
One interface with the symbolic name Internal is already predefined. It is the management interface and will typically be used as the "internal" UTM interface. If you want to rename it, you should do so right after the installation.
6.1.1.2 Interface Types
The following list shows which interface types can be added to UTM, and what type of
hardware is needed to support them:
Group: You can organize your interfaces in groups. In appropriate configurations, you
can then select a single interface group instead of multiple interfaces individually.
3G/UMTS: This is an interface based on a USB modem stick. The stick needs to be
plugged in and UTM needs to be rebooted before interface creation.
DSL (PPPoA/PPTP): PPP over ATM. A DSL PPPoA device lets you attach your gateway to PPP-over-ATM compatible DSL lines. These devices use the PPTP protocol to tunnel IP packets. They require a dedicated Ethernet connection (they cannot co-exist with other interfaces on the same hardware). You must attach a DSL modem to the interface's network segment. The network parameters for these device types can be assigned by the remote station (typically, your ISP). In addition, you need to enter username and password for your ISP account. You also need to enter the IP address of your modem. This address is usually hardwired in the modem and cannot be changed. To communicate with the modem, you have to enter a NIC IP address and netmask. The modem's IP address must be inside the network defined by these parameters. The Ping Address must be a host on the other side of the PPTP link that responds to ICMP ping requests. You can try to use the DNS server of your ISP. If this address cannot be pinged, the connection is assumed to be dead, and will be reinitiated.
DSL (PPPoE): PPP over Ethernet. A DSL PPPoE device lets you attach your gateway to PPP-over-Ethernet compatible DSL lines. These devices require a dedicated Ethernet connection (they cannot co-exist with other interfaces on the same hardware). You must attach a DSL modem to the interface's network segment. The network parameters for these device types can be assigned by the remote station (typically, your ISP). In addition, you need to enter username and password for your ISP account.
Ethernet DHCP: This is a standard Ethernet interface with DHCP.
Ethernet: This is a normal Ethernet interface, with 10, 100, or 1000 Mbit/s bandwidth.
Ethernet Bridge: This is an Ethernet interface using a bridge to connect Ethernet networks or segments to each other.
Ethernet VLAN: VLAN (Virtual LAN) is a method to have multiple layer-2 separated network segments on a single hardware interface. Every segment is identified by a "tag", which is just an integer number. When you add a VLAN interface, you will create a "hardware" device that can be used to add additional interfaces (aliases), too. PPPoE and PPPoA devices cannot be run over VLAN virtual hardware.
Modem (PPP): This type of interface lets you connect UTM to the Internet through a PPP modem. For the configuration you need a serial interface and an external modem on the UTM. You also need the DSL access data, including username and password, which you get from your ISP.
About Flexible Slots
Certain types of Sophos hardware appliances allow you to change interface hardware easily by providing so-called slots where slot modules can be inserted and switched flexibly. If such hardware is being used, WebAdmin displays the slot information along with the hardware interfaces. This looks for example like eth1 [A6] Intel Corporation 82576 Gigabit Network Connection, where the slot information is provided in the square brackets, A6 being the 6th port in slot A. Currently, up to three slots are possible, labeled A-C with up to eight ports each. Onboard interface cards will be labeled [MGMT1] and [MGMT2].
Slot information is provided in the following places of WebAdmin:
• Interfaces & Routing > Interfaces > Interfaces
• Interfaces & Routing > Interfaces > Hardware
• Throughout WebAdmin in Hardware drop-down lists and lists where hardware interface information is displayed
For up-to-date information on which appliance types come with flexible slots, please refer to the Sophos UTM webpage.
6.1.1.3 Group
You can combine two or more interfaces to a group. Groups can ease your configuration
tasks. When creating multipath rules, you need to configure a group if you want to balance traffic over a defined group of uplink interfaces only instead of using all uplink interfaces.
To configure a Group interface, proceed as follows:
1. On the Interfaces tab, click New Interface.
The Add Interface dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the interface.
Type: Select Group from the drop-down list.
Interfaces: Add the interfaces to be grouped.
Comment (optional): Add a description or other information.
3. Click Save.
The group is added to the interface list. Groups do not have a status.
To show only interfaces of a certain type, select the type of the interfaces you want to
have displayed from the drop-down list. To either edit or delete an interface, click the
corresponding buttons.
6.1.1.4 3G/UMTS
Sophos UTM supports network connections via 3G/UMTS USB sticks.
To configure a 3G/UMTS interface, proceed as follows:
1. On the Interfaces tab, click New Interface.
The Add Interface dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the interface.
Type: Select 3G/UMTS from the drop-down list.
Hardware: Select a USB modem stick from the drop-down list. Note that you need to reboot after plugging in the USB stick.
Network: Select the mobile network type, which is either GSM/W-CDMA, CDMA, or
LTE.
IPv4/IPv6 default GW (optional): Select this option if you want to use the default
gateway of your provider.
PIN (optional): Enter the PIN of the SIM card if a PIN is configured.
APN autoselect (optional): By default, the APN (Access Point Name) used is
retrieved from the USB modem stick. If you unselect the checkbox, enter APN
information into the APN field.
Username/Password (optional): If required, enter a username and password for
the mobile network.
Dial string (optional): If your provider uses a different dial string, enter it here.
Default is *99#.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Init string: Enter the string to initialize the USB modem stick. Remember that it
might become necessary to adjust the init string to the USB modem stick. In this
case, the init string can be gathered from the associated USB modem stick
manual. If you do not have the required documentation available, keep the default
setting ATZ.
Reset string: Enter the reset string for the USB modem stick. Keep in mind that it
might be necessary to adjust the reset string to the USB modem stick. In this
case you can gather it from the associated USB modem stick manual. If you do
not have the required documentation available, keep the default setting ATZ.
MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1500 bytes is set for the 3G/UMTS interface type.
Default route metric: Enter the default route metric for the interface. The metric
value is used to distinguish and prioritize routes to the same destination and is
valid for all interfaces.
Asymmetric (optional): Select this option if your connection's uplink and downlink bandwidth are not identical and you want the Dashboard to reflect this. Then, two textboxes are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
Displayed max (optional): Here you can enter the maximum downlink bandwidth
of your connection, if you want the Dashboard to reflect it. The bandwidth can be
given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
4. Click Save.
The system will now check the settings for validity. After a successful check the
new interface will appear in the interface list. The interface is not yet enabled
(toggle switch is gray).
5. Enable the interface.
Click the toggle switch to activate the interface.
The interface is now enabled (toggle switch is green). The interface might still be
displayed as being Down. The system requires a short time to configure and load
the settings. Once the Up message appears, the interface is fully operable.
To show only interfaces of a certain type, select the type of the interfaces you want to
have displayed from the drop-down list. To either edit or delete an interface, click the
corresponding buttons.
6.1.1.5 Ethernet
To configure a network card for a static Ethernet connection to an internal or external
network, you must configure the network card with an IP address and netmask.
To configure a static Ethernet interface, proceed as follows:
1. On the Interfaces tab, click New Interface.
The Add Interface dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the interface.
Type: Select Ethernet from the drop-down list.
Hardware: Select an interface from the drop-down list.
Tip – For an external connection (e.g., to the Internet) choose the network card
with SysID eth1. Please note that one network card cannot be used as both an
Ethernet interface and a PPP over Ethernet (PPPoE DSL) or PPTP over Ethernet
(PPPoA DSL) connection simultaneously.
Dynamic IP: Activate if you want to use a dynamic IP address.
IPv4/IPv6 address: Enter the IP address of the interface.
Netmask: Select a network mask (IPv4) and/or enter an IPv6 network mask.
IPv4/IPv6 default GW (optional): Select this option if you want to use a statically
defined default gateway.
Default GW IP (optional): Enter the IP address of the default gateway.
Note – You can configure an interface to have an IPv4 and an IPv6 address simultaneously.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Hostname: If your ISP requires the hostname of your system, enter it here.
MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1500 bytes is set for the Ethernet interface type.
Default route metric: Enter the default route metric for the interface. The metric
value is used to distinguish and prioritize routes to the same destination and is
valid for all interfaces.
Proxy ARP: To enable the function, select the checkbox. By default, the Proxy ARP function is disabled (Off). This option is available on broadcast-type interfaces.
When you switch it on, UTM will "attract" traffic on that interface for hosts
"behind" it and pass it on. It will do that for all hosts that it has a direct interface
route for. This allows you to build "transparent" network bridging while still doing
firewalling. Another use for this feature is when your ISP's router just puts your
"official" network on its Ethernet interface (does not use a host route).
Asymmetric (optional): Select this option if your connection's uplink and downlink bandwidth are not identical and you want the Dashboard to reflect this. Then, two textboxes are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
Displayed max (optional): Here you can enter the maximum downlink bandwidth
of your connection, if you want the Dashboard to reflect it. The bandwidth can be
given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
4. Click Save.
The system will now check the settings for validity. After a successful check the
new interface will appear in the interface list. The interface is not yet enabled
(toggle switch is gray).
5. Enable the interface.
Click the toggle switch to activate the interface.
The interface is now enabled (toggle switch is green). The interface might still be
displayed as being Down. The system requires a short time to configure and load
the settings. Once the Up message appears, the interface is fully operable.
To show only interfaces of a certain type, select the type of the interfaces you want to
have displayed from the drop-down list. To either edit or delete an interface, click the
corresponding buttons.
6.1.1.6 Ethernet Bridge
Bridging is a packet forwarding technique primarily used in Ethernet networks. Unlike
routing, bridging makes no assumptions about where in a network a particular address
is located. Instead, it depends on broadcasting to locate unknown devices.
Through bridging, several Ethernet networks or segments can be connected to each
other. The data packets are forwarded through bridging tables, which assign the MAC
addresses to a bridge port. The resulting bridge will transparently pass traffic across
the bridge interfaces.
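The bridging table described above, together with the bridge settings this section goes on to describe (Ageing timeout, Allow ARP broadcasts, Allow IPv6 pass through, Forwarded EtherTypes), can be illustrated with a small simulation. The Python below is an added example and a simplified model, not Sophos code and not a statement of how the appliance's bridge is implemented: it learns which port each source MAC address was seen on, expires entries after the ageing timeout, floods frames for unknown or broadcast destinations, and forwards only IPv4 by default plus any EtherTypes listed as four-digit hex strings. Two modelling assumptions are labelled in the code: unicast ARP is treated like IP traffic, and ARP to FF:FF:FF:FF:FF:FF is what the Allow ARP broadcasts option governs. The MAC addresses and frames are constructed.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
BROADCAST_MAC = b"\xff" * 6


def frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet II frame (constructed test input, no real payload)."""
    return dst + src + struct.pack(">H", ethertype) + payload


class LearningBridge:
    """Simplified model: MAC learning with ageing, IPv4 forwarded by default,
    extra EtherTypes by configuration, ARP-broadcast and IPv6 pass-through
    governed by their options."""

    def __init__(self, ports, ageing_timeout=300, forwarded_ethertypes=(),
                 allow_arp_broadcasts=False, allow_ipv6_passthrough=False):
        self.ports = list(ports)
        self.ageing_timeout = ageing_timeout
        # EtherTypes are given as four-digit hex strings, as in WebAdmin
        self.allowed = {ETHERTYPE_IPV4} | {int(t, 16) for t in forwarded_ethertypes}
        self.allow_arp_broadcasts = allow_arp_broadcasts
        self.allow_ipv6 = allow_ipv6_passthrough
        self.table = {}  # MAC address -> (port, time last seen)

    def _expire(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.ageing_timeout]
        for mac in stale:
            del self.table[mac]

    def _permitted(self, dst, ethertype):
        if ethertype == ETHERTYPE_IPV6:
            return self.allow_ipv6                  # "Allow IPv6 pass through"
        if ethertype == ETHERTYPE_ARP:
            # Assumption of this model: unicast ARP rides along with IP;
            # ARP to FF:FF:FF:FF:FF:FF is what "Allow ARP broadcasts" controls.
            return dst != BROADCAST_MAC or self.allow_arp_broadcasts
        return ethertype in self.allowed

    def process(self, in_port, data, now):
        """Return the ports the frame is forwarded to ([] = dropped or filtered)."""
        if len(data) < 14:
            return []
        dst, src = data[:6], data[6:12]
        ethertype = struct.unpack(">H", data[12:14])[0]
        self._expire(now)
        self.table[src] = (in_port, now)            # learn where the sender lives
        if not self._permitted(dst, ethertype):
            return []
        entry = self.table.get(dst)
        if entry is not None and dst != BROADCAST_MAC:
            port = entry[0]
            return [] if port == in_port else [port]  # same segment: nothing to forward
        return [p for p in self.ports if p != in_port]  # unknown or broadcast: flood


# Constructed, locally administered MAC addresses for the walk-through
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
MAC_C = bytes.fromhex("02000000000c")


def demo():
    """Run a short frame sequence through a three-port bridge with defaults
    plus AppleTalk (809B) in Forwarded EtherTypes; returns the output ports."""
    br = LearningBridge(["eth1", "eth2", "eth3"], forwarded_ethertypes=("809B",))
    steps = [
        ("eth1", frame(MAC_B, MAC_A, ETHERTYPE_IPV4), 0),           # B unknown: flooded
        ("eth2", frame(MAC_A, MAC_B, ETHERTYPE_IPV4), 1),           # A learned on eth1
        ("eth1", frame(BROADCAST_MAC, MAC_A, ETHERTYPE_ARP), 2),    # ARP broadcast: dropped
        ("eth1", frame(MAC_B, MAC_A, ETHERTYPE_IPV6), 3),           # IPv6 pass-through off
        ("eth1", frame(MAC_B, MAC_A, 0x809B), 4),                   # AppleTalk listed
        ("eth2", frame(MAC_B, MAC_C, ETHERTYPE_IPV4), 5),           # B on same port: filtered
        ("eth1", frame(MAC_B, MAC_A, ETHERTYPE_IPV4), 400),         # aged out: flooded again
    ]
    return [br.process(port, data, t) for port, data, t in steps]


if __name__ == "__main__":
    for out in demo():
        print(out)
```

The last step shows why the ageing timeout matters: after 300 seconds without traffic the entry for B is gone and the bridge has to flood again, which is exactly the broadcast-based discovery the introduction refers to.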
Note – Such traffic must explicitly be allowed by means of appropriate firewall rules.
Most virtual hosts do not permit MAC address changes or promiscuous mode by
default on their virtual interfaces. For bridging to work on virtual hosts, make sure
that on the virtual host MAC address validation is disabled and promiscuous mode is
allowed.
Note – If you had a configured bridge in UTM version 9.2 under the Interfaces & Routing > Bridging > Status tab, this configuration will be displayed and marked with a note of the former version under the interface overview.
To configure an Ethernet Bridge, proceed as follows:
1. On the Interfaces tab, click New Interface.
The Add Interface dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the interface.
Type: Select Ethernet Bridge from the drop-down list.
Note – If you edit an existing interface you can change the type and convert the interface into an Ethernet Bridge. After the conversion a note will be displayed under the changed interface in the interface overview. A converted Ethernet Bridge can also be converted back to an Ethernet interface.
Bridge selected NICs: You can select individual NICs that should form the bridge.
This requires that there are unused network interface cards available. Select one or more of them to form the bridge. It is also possible to specify a Convert Interface that will be copied to the new bridge.
Dynamic IP: Activate if you want to use a dynamic IP address.
IPv4 Address: Enter the IP address of the interface.
Note – IP address 0.0.0.0 is possible in Ethernet Bridge. In this case you have a bridge without an address.
Netmask: Select a network mask (IPv4) and/or enter an IPv6 network mask.
IPv4/IPv6 default GW (optional): Select this option if you want to use a statically
defined default gateway.
Default GW IP (optional): Enter the IP address of the default gateway.
Note – You can configure an interface to have an IPv4 and an IPv6 address simultaneously.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1500 bytes is set for the Ethernet interface type.
Default route metric: Enter the default route metric for the interface. The metric
value is used to distinguish and prioritize routes to the same destination and is
valid for all interfaces.
Proxy ARP: To enable the function, select the checkbox. By default, the Proxy ARP function is disabled (Off). This option is available on broadcast-type interfaces. When you switch it on, UTM will "attract" traffic on that interface for hosts "behind" it and pass it on. It will do that for all hosts that it has a direct interface route for. This allows you to build "transparent" network bridging while still doing firewalling. Another use for this feature is when your ISP's router just puts your "official" network on its Ethernet interface (does not use a host route).
4. Optionally, make the following advanced bridge settings:
Allow ARP broadcasts: This function allows you to configure whether global ARP broadcasts should be forwarded by the bridge. If enabled, the bridge will allow broadcasts to the MAC destination address FF:FF:FF:FF:FF:FF. This, however, could be used by a potential attacker to gather various information about the network cards employed within the respective network segment or even about the security product itself. Therefore, the default setting is not to let such broadcasts pass the bridge.
Spanning Tree Protocol: Enabling this option will activate the Spanning Tree Protocol (STP). This network protocol detects and prevents bridge loops.
Caution – Be aware that the Spanning Tree Protocol is known to provide no security; attackers may therefore be able to alter the bridge topology.
Ageing timeout: The amount of time in seconds after which an inactive MAC
address will be deleted. The default time is 300 seconds.
Allow IPv6 pass through: Enabling this option will allow IPv6 traffic to pass the
bridge without any inspection.
Virtual MAC address: Here you can enter a static MAC address for the bridge. By default (and as long as the entry is 00:00:00:00:00:00), the bridge uses the lowest MAC address of all member interfaces.
Forwarded EtherTypes: By default, a bridge configured on the Sophos UTM only forwards IP packets. If you want additional protocols to be forwarded, you have to add their EtherType to this box. The types have to be entered as four-digit hexadecimal numbers. Popular examples are AppleTalk (type 809B), Novell (type 8138), or PPPoE (types 8863 and 8864). A typical use case would be a bridge between your RED interfaces which should forward additional protocols between the connected networks.
5. Click Save.
The system will now check the settings for validity. After a successful check the
new interface will appear in the interface list. The interface is not yet enabled
(toggle switch is gray).
6. Enable the interface.
Click the toggle switch to activate the interface.
The interface is now enabled (toggle switch is green). The interface might still be
displayed as being Down. The system requires a short time to configure and load
the settings. Once the Up message appears, the interface is fully operable.
To show only interfaces of a certain type, select the type of the interfaces you want to
have displayed from the drop-down list. To either edit or delete an interface, click the
corresponding buttons.
6.1.1.7 Ethernet VLAN
In order to connect UTM to the virtual LANs, the system requires a network card with a
tag-capable driver. A tag is a 2-byte header attached to packets as part of the Ethernet
header. The tag contains the number of the VLAN that the packet should be sent to: the
VLAN number is a 12-bit number, allowing up to 4095 virtual LANs. In WebAdmin this
number is referred to as the VLAN tag.
Note – Sophos maintains a list of supported tag-capable network interface cards. The
Hardware Compatibility List (HCL) is available at the Sophos Knowledgebase. Use
"HCL" as search term to locate the corresponding page.
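The EtherType and 802.1Q tag handling that the Forwarded EtherTypes bridge setting above and this VLAN section rely on, as an added example that is not Sophos code: it parses a frame's (optionally tagged) EtherType and 12-bit VLAN ID, then applies a simplified model of the bridge's Allow ARP broadcasts, Allow IPv6 pass through and Forwarded EtherTypes settings. The BridgePolicy class and the test frames are constructed for illustration; how the product treats unicast ARP is not stated on this page and is an assumption here.

```python
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

# Well-known EtherTypes (the page lists 809B, 8138, 8863 and 8864 as extras).
ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
ETH_8021Q = 0x8100
ETH_IPV6 = 0x86DD
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


@dataclass
class ParsedFrame:
    dst: bytes
    src: bytes
    ethertype: int           # inner EtherType when an 802.1Q tag is present
    vlan_id: Optional[int]   # 12-bit VLAN ID from the tag, None if untagged


def parse_frame(frame: bytes) -> ParsedFrame:
    """Parse the Ethernet header and, if present, one 802.1Q VLAN tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = None
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF   # the low 12 bits of the TCI carry the VLAN number
    return ParsedFrame(dst, src, ethertype, vlan_id)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None) -> bytes:
    """Build a constructed test frame; a vlan_id inserts an 802.1Q tag (priority 0)."""
    header = dst + src
    if vlan_id is not None:
        header += struct.pack("!HH", ETH_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


@dataclass
class BridgePolicy:
    """Simplified model of the advanced bridge settings; defaults follow WebAdmin."""
    allow_arp_broadcasts: bool = False
    allow_ipv6_pass_through: bool = False
    forwarded_ethertypes: Set[int] = field(default_factory=set)  # extras, e.g. {0x809B}

    def decide(self, frame: bytes) -> str:
        p = parse_frame(frame)
        if p.ethertype == ETH_ARP and p.dst == BROADCAST_MAC:
            # Global ARP broadcasts are blocked unless explicitly allowed.
            return "forward" if self.allow_arp_broadcasts else "drop:arp-broadcast"
        if p.ethertype == ETH_IPV4:
            return "forward"   # IP is always bridged (and firewalled)
        if p.ethertype == ETH_IPV6:
            # With pass-through enabled IPv6 crosses the bridge without inspection.
            return "forward-uninspected" if self.allow_ipv6_pass_through else "forward"
        if p.ethertype in self.forwarded_ethertypes:
            return "forward"   # AppleTalk, Novell, PPPoE ... as configured
        # Assumption: anything else, unicast ARP included, is not bridged
        # unless its EtherType was added to Forwarded EtherTypes.
        return "drop:ethertype"


if __name__ == "__main__":
    src, dst = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    arp = build_frame(BROADCAST_MAC, src, ETH_ARP, bytes(28))
    print(BridgePolicy().decide(arp))                                  # drop:arp-broadcast
    tagged = build_frame(dst, src, ETH_IPV4, bytes(20), vlan_id=100)
    print(parse_frame(tagged).vlan_id, BridgePolicy().decide(tagged))  # 100 forward
```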
To configure an Ethernet VLAN interface, proceed as follows:
1. On the Interfaces tab, click New Interface.
The Add Interface dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the interface.
Type: Select Ethernet VLAN from the drop-down list.
Hardware: Select an interface from the drop-down list.
Dynamic IP: Select this option if you want to use a dynamic IP address.
VLAN Tag: Enter the VLAN tag to use for this interface.
IPv4/IPv6 address: Enter the IP address of the interface.
Netmask: Select a network mask (IPv4) and/or enter an IPv6 network mask.
IPv4/IPv6 default GW (optional): Select this option if you want to use a statically
defined default gateway.
Default GW IP (optional): Enter the IP address of the default gateway.
Note – You can configure an interface to have an IPv4 and an IPv6 address simultaneously.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1500 bytes is set for the Ethernet VLAN interface type.
Default route metric: Enter the default route metric for the interface. The metric
value is used to distinguish and prioritize routes to the same destination and is
valid for all interfaces.
Proxy ARP: To enable the function, select the checkbox. By default, the Proxy ARP function is disabled (Off). This option is available on broadcast-type interfaces. When you switch it on, UTM will "attract" traffic on that interface for hosts "behind" it and pass it on. It will do that for all hosts that it has a direct interface route for. This allows you to build "transparent" network bridging while still doing firewalling. Another use for this feature is when your ISP's router just puts your "official" network on its Ethernet interface (does not use a host route).
Asymmetric (optional): Select this option if your connection's uplink and downlink bandwidth are not identical and you want the Dashboard to reflect this. Then, two textboxes are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
Displayed max (optional): Here you can enter the maximum downlink bandwidth
of your connection, if you want the Dashboard to reflect it. The bandwidth can be
given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
4. Click Save.
The system will now check the settings for validity. After a successful check the
new interface will appear in the interface list. The interface is not yet enabled
(toggle switch is gray).
5. Enable the interface.
Click the toggle switch to activate the interface.
The interface is now enabled (toggle switch is green). The interface might still be
displayed as being Down. The system requires a short time to configure and load
the settings. Once the Up message appears, the interface is fully operable.
To show only interfaces of a certain type, select the type of the interfaces you want to
have displayed from the drop-down list. To either edit or delete an interface, click the
corresponding buttons.
6.1.1.8 DSL (PPPoE)
The configuration will require the DSL connection information, including username and
password, provided by your ISP. VDSL is also supported by this interface type.
Note – Once the DSL connection is activated, the UTM will be connected to your ISP 24 hours a day. You should therefore ensure that your ISP bills on a flat-rate or bandwidth-based system rather than based on connection time.
To configure a DSL (PPPoE) interface, proceed as follows:
1. On the Interfaces tab, click New Interface.
The Add Interface dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the interface.
Type: Select DSL (PPPoE) from the drop-down list.
Hardware: Select an interface from the drop-down list.
VDSL: Select this checkbox if and only if your connection is a VDSL connection.
The MTU changes to 1476.
Static PPPoE IP (optional): Select the checkbox if you have a static IP address assigned by your ISP, and enter the IP address and corresponding netmask into the appearing textboxes:
- IPv4/IPv6 Address: Enter the IP address of the interface.
- Netmask: Select a netmask from the drop-down list and/or enter an IPv6 netmask.
Note – You can configure an interface to have an IPv4 and an IPv6 address simultaneously.
IPv4/IPv6 Default GW (optional): Select this option if you want to use the default
gateway of your provider.
Username: Enter the username, provided by your ISP.
Password: Enter the password, provided by your ISP.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1492 bytes is set for the DSL (PPPoE) interface type.
Default route metric: Enter the default route metric for the interface. The metric
value is used to distinguish and prioritize routes to the same destination and is
valid for all interfaces.
VLAN tag (only if VDSL is enabled): Enter the VLAN tag to be added to the PPPoE packets. For the correct tag, refer to your VDSL provider. Default is 7, which is currently used for the PPPoE connection of the Deutsche Telekom.
Daily reconnect: Define at what time you want the connection to close and
reopen. You can select either Never or pick a specific time.
Reconnect delay: Here you can change the reconnect delay. By default, it is set to 5 Seconds. If your ISP demands a longer delay you can set it to One Minute or Fifteen Minutes.
Asymmetric (optional): Select this option if your connection's uplink and downlink bandwidth are not identical and you want the Dashboard to reflect this. Then, two textboxes are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
Displayed max (optional): Here you can enter the maximum downlink bandwidth
of your connection, if you want the Dashboard to reflect it. The bandwidth can be
given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
Multilink: If enabled, you can bundle multiple PPP connections. A multilink
PPP connection only works if your ISP supports Multilink PPP.
Multilink slaves: Select the interfaces you want to bundle with the hardware
selected above to one multilink.
4. Click Save.
The system will now check the settings for validity. After a successful check the
new interface will appear in the interface list. The interface is not yet enabled
(toggle switch is gray).
5. Enable the interface.
Click the toggle switch to activate the interface.
The interface is now enabled (toggle switch is green). The interface might still be
displayed as being Down. The system requires a short time to configure and load
the settings. Once the Up message appears, the interface is fully operable.
To show only interfaces of a certain type, select the type of the interfaces you want to
have displayed from the drop-down list. To either edit or delete an interface, click the
corresponding buttons.
6.1.1.9 DSL (PPPoA/PPTP)
To configure a connection using the PPP over ATM Protocol (PPPoA), you will need an unused Ethernet interface on the UTM as well as an external ADSL modem with an Ethernet port. The connection to the Internet proceeds through two separate connections. Between the UTM and the ADSL modem, a connection using the PPTP over Ethernet Protocol is established. The ADSL modem is, in turn, connected to the ISP using the PPP over ATM Dialing Protocol.
The configuration will require the DSL connection information, including username and
password, provided by your Internet Service Provider (ISP).
Note – Once the DSL connection is activated, the UTM will be connected to your ISP 24 hours a day. You should therefore ensure that your ISP bills on a flat-rate or bandwidth-based system rather than based on connection time.
To configure a DSL (PPPoA/PPTP) interface, proceed as follows:
1. On the Interfaces tab, click New Interface.
The Add Interface dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the interface.
Type: Select DSL (PPPoA/PPTP) from the drop-down list.
Hardware: Select an interface from the drop-down list.
IPv4/IPv6 default GW (optional): Select this option if you want to use the default
gateway of your provider.
Username: Enter the username, provided by your ISP.
Password: Enter the password, provided by your ISP.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Modem IP: Enter the IP address of your ADSL modem here. This address will usually be provided by your ISP or the modem hardware and cannot be changed.
Example: 10.0.0.138 (with AonSpeed).
NIC address: Enter the IP address of the network card on the UTM which is
attached to the modem here. This address must be in the same subnet as the
modem. Example: 10.0.0.140 (with AonSpeed).
NIC netmask: Enter the network mask to use here. Example: 255.255.255.0
(with AonSpeed).
Ping address (optional): Enter the IP address of a host on the Internet that
responds to ICMP ping requests. In order to test the connection between the UTM
and the external network, you have to enter an IP address of a host on the other
side of the PPTP link. You can try to use the DNS server of your ISP. The UTM will
send ping requests to this host: if no answer is received, the connection will be
broken.
MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1492 bytes is set for the DSL (PPPoA) interface type.
Default route metric: Enter the default route metric for the interface. The metric
value is used to distinguish and prioritize routes to the same destination and is
valid for all interfaces.
Daily reconnect: Define at what time you want the connection to close and
reopen. You can select either Never or pick a specific time.
Reconnect delay: Here you can change the reconnect delay. By default, it is set to 5 Seconds. If your ISP demands a longer delay you can set it to One Minute or Fifteen Minutes.
Asymmetric (optional): Select this option if your connection's uplink and downlink bandwidth are not identical and you want the Dashboard to reflect this. Then, two textboxes are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
Displayed max (optional): Here you can enter the maximum downlink bandwidth
of your connection, if you want the Dashboard to reflect it. The bandwidth can be
given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
4. Click Save.
The system will now check the settings for validity. After a successful check the
new interface will appear in the interface list. The interface is not yet enabled
(toggle switch is gray).
5. Enable the interface.
Click the toggle switch to activate the interface.
The interface is now enabled (toggle switch is green). The interface might still be
displayed as being Down. The system requires a short time to configure and load
the settings. Once the Up message appears, the interface is fully operable.
To show only interfaces of a certain type, select the type of the interfaces you want to
have displayed from the drop-down list. To either edit or delete an interface, click the
corresponding buttons.
6.1.1.10 Modem (PPP)
For the configuration you need a serial interface on the UTM and an external PPP modem. You also need the DSL access data, including username and password, which you will get from your Internet Service Provider (ISP).
To configure a Modem (PPP) interface, proceed as follows:
1. On the Interfaces tab, click New Interface.
The Add Interface dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the interface.
Type: Select Modem (PPP) from the drop-down list.
Hardware: Select an interface from the drop-down list.
IPv4/IPv6 default GW (optional): Select this option if you want to use the default
gateway of your provider.
Username: Enter the username, provided by your ISP.
Password: Enter the password, provided by your ISP.
Dial String: Enter the phone number. Example: 5551230
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Line speed: Set the speed in bits per second for the connection between the UTM and the modem. Common values are 57,600 Bits/s and 115,200 Bits/s.
Flow control: Select the method to control the data flow.
If the data is transferred via the serial connection it might happen that the system cannot process incoming data fast enough. To ensure that no data is lost, this method of controlling the data flow becomes necessary. With the serial connection two methods are available:
- Hardware signals
- Software signals
Since in a PPP connection all eight bits are used for the data transfer line and the transferred data contains the bytes of the command signs Control S and Control Q, we recommend keeping the default setting Hardware and using a serial connection cable.
Init string: Enter the string to initialize the modem. Remember that it might
become necessary to adjust the init string to the modem. In this case, the init
string can be gathered from the associated modem manual. If you do not have
the required documentation available, keep the default setting ATZ.
Reset string: Enter the reset string for the modem. Keep in mind that it might be necessary to adjust the reset string to the modem. In this case you can gather it from the associated modem manual. If you do not have the required documentation available, keep the default setting ATZ.
MTU: Enter the maximum transmission unit for the interface in bytes. You must enter a value fitting your interface type here if you want to use traffic management. A sensible value for the interface type is entered by default. Changing this setting should only be done by technically adept users. Entering wrong values here can render the interface unusable. An MTU size greater than 1500 bytes must be supported by the network operator and the network card (e.g., Gigabit interface). By default, an MTU of 1492 bytes is set for the Modem (PPP) interface type.
Default route metric: Enter the default route metric for the interface. The metric
value is used to distinguish and prioritize routes to the same destination and is
valid for all interfaces.
Asymmetric (optional): Select this option if your connection's uplink and downlink bandwidth are not identical and you want the Dashboard to reflect this. Then, two textboxes are displayed, allowing you to enter the maximum uplink bandwidth in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
Displayed max (optional): Here you can enter the maximum downlink bandwidth
of your connection, if you want the Dashboard to reflect it. The bandwidth can be
given in either MB/s or KB/s. Select the appropriate unit from the drop-down list.
4. Click Save.
The system will now check the settings for validity. After a successful check the
new interface will appear in the interface list. The interface is not yet enabled
(toggle switch is gray).
5. Enable the interface.
Click the toggle switch to activate the interface.
The interface is now enabled (toggle switch is green). The interface might still be
displayed as being Down. The system requires a short time to configure and load
the settings. Once the Up message appears, the interface is fully operable.
To show only interfaces of a certain type, select the type of the interfaces you want to
have displayed from the drop-down list. To either edit or delete an interface, click the
corresponding buttons.
6.1.2 Additional Addresses
One network card can be configured with additional IP addresses (also called aliases).
This function allows you to manage multiple logical networks on one physical network
card. It can also be used to assign further addresses to a UTM running NAT (Network
Address Translation).
To configure additional addresses on standard Ethernet interfaces, proceed as follows:
1. On the Additional Addresses tab, click New Additional Address.
The Add Additional Address dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the new additional address.
On interface: Select an interface from the drop-down list to which the address is
to be assigned.
IPv4/IPv6 address: Enter the additional IP address of the interface.
Netmask: Select a netmask from the drop-down list and/or enter an IPv6 netmask.
Assigned to node: This option is only available when the UTM is set up in a cluster. Select a node from the drop-down list for the additional address. If you assign an additional address to an HA/Cluster node, then the traffic will be sent to this dedicated node for monitoring. This can be useful to monitor individual nodes of an HA/Cluster.
Note – All traffic for the additional address will be sent exclusively to the dedicated node. If the node is down, no other node will handle the traffic for the additional address.
Note – You can configure an interface to have an IPv4 and an IPv6 address simultaneously.
Comment (optional): Add a description or other information.
3. Click Save.
The system will now check the settings for validity. After a successful check the new additional address will appear in the list. The additional address is not yet enabled (toggle switch is gray).
4. Enable the additional address.
Click the toggle switch to activate the additional address.
The additional address is now enabled (toggle switch is green). The additional
address might still be displayed as being Down. The system requires a short time
to configure and load the settings. Once the Up message appears, the additional
address is fully operable.
To either edit or delete an additional address, click the corresponding buttons.
6.1.3 Link Aggregation
Link aggregation, which is also known as "port trunking" or "NIC bonding", allows you to
aggregate multiple Ethernet network ports into one virtual interface. The aggregated
ports appear as a single IP address to your system. Link aggregation is useful to
increase the link speed beyond the speed of any one single NIC or to provide basic failover and fault tolerance by redundancy in the event any port or switch fails. All traffic that was being routed over the failed port or switch is automatically re-routed to use one of the remaining ports or switches. This failover is completely transparent to the system using the connection.
Note – In a high-availability environment, Ethernet connections can even be on different HA units.
You can define up to four different link aggregation groups. A group can consist of one
or multiple interfaces.
To create a link aggregation group (LAG), proceed as follows:
1. For each LAG, select the interfaces you want to add.
A group can consist of a configured interface and/or one or more unconfigured
interfaces.
To use a configured interface, select it from the Convert Interface drop-down list.
To use unconfigured interfaces, select the respective checkbox(es).
2. Enable the LAG.
Activate a group by clicking the button Enable this group.
Once the link aggregation group has been configured, a new LAG interface (e.g.,
lag0) becomes available for selection if you are going to create an interface
definition on the Interfaces tab. On top of the bonding interface you can create
one of the following:
- Ethernet Static
- Ethernet VLAN
- Ethernet DHCP
- Alias interfaces
To disable a LAG, clear the checkboxes of the interfaces that make up the LAG, click
Update this Group, and confirm the warning message. The status of the LAG interface is
shown on the Support > Advanced > Interfaces Table tab.
6.1.4 Uplink Balancing
With the uplink balancing function you can combine more than one Internet uplink,
either for having backup uplinks available or for using load balancing among multiple uplinks. Combining up to 32 different uplinks is supported. Note that with a BasicGuard subscription, only two uplinks can be combined.
Uplink balancing is automatically enabled when you assign a default gateway to an
interface in addition to an already existing interface with a default gateway. All interfaces possessing a default gateway will be added to the Active Interfaces box and
uplink balancing automatically organizes the balancing between those interfaces from
then on. Any other interface with a default gateway will automatically be added, too.
On the Multipath Rules tab you can define specific rules for the traffic to be balanced.
To manually set up uplink balancing, proceed as follows:
1. Enable uplink balancing.
Click the toggle switch.
The toggle switch turns amber and the Uplink Balancing area becomes editable.
2. Select active interfaces.
Add one or more interfaces by clicking the Folder icon and dragging interfaces
from the object list. With multiple interfaces, traffic coming from clients is balanced by source, i.e., all traffic coming from one source uses the same interface, whereas traffic from another source can be sent to another interface. If one of the interfaces is unavailable, traffic will be taken over by the remaining interface(s).
Note – Initially, when uplink balancing has been enabled automatically, the Active Interfaces list already contains all interfaces having a default gateway. If you remove an interface from the list, the Default gateway checkbox of the interface will automatically be unselected. Thus, every interface having a default gateway has to be either on this list or on the Standby Interfaces box below. However, you can add interfaces without default gateway and enter the default gateway address later on.
Note – The sequence of the interfaces is important: In configurations where
only one interface can be used, and for packets sent from the UTM itself, by
default the first available active interface is used. You can change the interface
sequence by clicking the Sort icons in the box.
Using the Edit Scheduler icon on the box header, you can set individual balancing
behavior and interface persistence of the active interfaces:
Weight: Weight can be set from 0 to 100 and specifies how much traffic is processed by an interface relative to all other interfaces. A weighted round robin algorithm is used for this, a higher value meaning that more traffic is routed to the respective interface. The values are evaluated relative to each other so they need not add up to 100. Instead, you can have a configuration, for example, where interface 1 has value 100, interface 2 has value 50 and interface 3 has value 0. Here, interface 2 gets only half the traffic of interface 1, whereas interface 3 only comes into action when none of the other interfaces is available. A value of zero means that another interface with a higher value is always chosen if available.
Persistence: Interface persistence is a technique which ensures that traffic having specific attributes is always routed over the same uplink interface. Persistence has a default timeout of one hour.
3. Select standby interfaces (optional).
Here, you can optionally add failover interfaces that should only come into action
if all active interfaces become unavailable. In this case, the first available
standby interface in the given order will be used. You can change the interface
sequence by clicking the Sort icons in the box.
4. Change monitoring settings (optional).
By default, Automatic monitoring is enabled to detect possible interface failures.
This means that the health of all uplink interfaces is monitored by having them
contact a specific host on the Internet at an interval of 15 seconds. By default,
the monitoring host is the third ping-allowing hop on the route to one of the root
DNS servers. However, you can define the hosts for monitoring the server pool
yourself. For these hosts you can select another service instead of ping, and
modify the monitoring interval and timeout.
If the monitoring hosts do not send a response anymore, the respective interface
is regarded as dead and not used anymore for distribution. On the Dashboard, in
the Link column of the interface, Error will be displayed.
Note – Automatically, the same monitoring settings are used for both uplink
monitoring (Uplink Monitoring > Advanced) and uplink balancing (Interfaces
> Uplink Balancing).
5. Click Apply.
Your settings will be saved.
The toggle switch turns green.
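The balancing behaviour described in steps 2 and 3 above, as an added example that is not Sophos code: a small scheduler that models the Active and Standby interface lists, weighted round robin with the 100/50/0 weights from the text, the rule that a weight of 0 only comes into action when no weighted uplink is available, source persistence with the one-hour default timeout, and the first-available-active rule for packets sent by the UTM itself. The UplinkBalancer class and its smooth weighted round robin are constructed for illustration, and treating the persistence timeout as an idle timeout is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

PERSISTENCE_TIMEOUT = 3600.0   # default interface persistence timeout: one hour


@dataclass
class Uplink:
    name: str
    weight: int = 100      # 0..100, evaluated relative to the other active uplinks
    alive: bool = True     # cleared when uplink monitoring regards the interface as dead


class UplinkBalancer:
    """Models the Active/Standby interface lists with weighted round robin and
    per-source persistence. Constructed example, not the product's scheduler."""

    def __init__(self, active: Sequence[Uplink], standby: Sequence[Uplink] = (),
                 timeout: float = PERSISTENCE_TIMEOUT) -> None:
        self.active = list(active)      # order matters: the UTM itself uses the first available one
        self.standby = list(standby)    # only used when every active uplink is unavailable
        self.timeout = timeout
        self._credit: Dict[str, int] = {}                   # smooth weighted round robin state
        self._persist: Dict[str, Tuple[str, float]] = {}    # source -> (uplink, last seen)

    def candidates(self) -> List[Uplink]:
        alive = [u for u in self.active if u.alive]
        weighted = [u for u in alive if u.weight > 0]
        if weighted:
            return weighted            # weight-0 uplinks stay idle while a weighted one is up
        if alive:
            return alive               # only weight-0 uplinks left: they take over
        return [u for u in self.standby if u.alive][:1]   # first available standby

    def local_uplink(self) -> Optional[str]:
        """Uplink for packets sent by the UTM itself: first available active interface."""
        cands = self.candidates()
        return cands[0].name if cands else None

    def _weighted_round_robin(self, cands: List[Uplink]) -> str:
        # Smooth weighted round robin: weights 100/50 yield the sequence 1,2,1,1,2,1,...
        weights = {u.name: (u.weight or 1) for u in cands}  # all-zero list: equal share
        total = sum(weights.values())
        best = None
        for name, w in weights.items():
            self._credit[name] = self._credit.get(name, 0) + w
            if best is None or self._credit[name] > self._credit[best]:
                best = name
        self._credit[best] -= total
        return best

    def select(self, source: str, now: float) -> Optional[str]:
        """Pick the uplink for traffic from `source` at time `now` (seconds)."""
        cands = self.candidates()
        if not cands:
            return None
        usable = {u.name for u in cands}
        entry = self._persist.get(source)
        if entry and entry[0] in usable and now - entry[1] <= self.timeout:
            self._persist[source] = (entry[0], now)   # sticky: same uplink, refresh the timer
            return entry[0]
        # New source, expired persistence, or the remembered uplink is dead (failover).
        chosen = self._weighted_round_robin(cands)
        self._persist[source] = (chosen, now)
        return chosen


if __name__ == "__main__":
    balancer = UplinkBalancer([Uplink("wan1", 100), Uplink("wan2", 50), Uplink("wan3", 0)],
                              standby=[Uplink("dsl")])
    # Six distinct constructed client sources: wan1 gets twice as many as wan2, wan3 none.
    print([balancer.select(f"10.0.0.{i}", now=float(i)) for i in range(1, 7)])
```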
A new virtual network interface named Uplink Interfaces is automatically created and
now available for use by other functions of the Sophos UTM, e.g. IPsec rules. The virtual
network interface Uplink Interfaces comprises all uplink interfaces added to the interface list.
Additionally, a new network group named Uplink Primary Addresses is automatically created and now available for use by other functions of the Sophos UTM, e.g. firewall rules.
It refers to the primary addresses of all Uplink Interfaces.
In case of an interface failure, open VPN tunnels can be automatically re-established
over the next available interface provided DynDNS is used or the remote server accepts
the IP addresses of all uplink interfaces. As a prerequisite, the IPsec rule must use the
Uplink Interfaces as Local interface.
Defining Monitoring Hosts
To define hosts for monitoring the server pool yourself, proceed as follows:
1. Unselect the Automatic monitoring checkbox.
The Monitoring hosts box becomes editable.
2. Add monitoring hosts.
Select or add one or more hosts that you want to use for monitoring instead of
random hosts. If an interface is monitored by more than one host, it will only be
regarded as dead if all monitoring hosts do not respond in the defined time span.
How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Note – If a selected host is bound to an interface, it will only be used to monitor
this interface. If a host is not bound to an interface, it will be used to monitor all
interfaces. Interfaces not covered by the selected hosts will be monitored by
automatic monitoring.
Click the Monitoring Settings icon in the box header to set the monitoring details:
Monitoring type: Select the service protocol for the monitor checks. Select either TCP (TCP connection establishment), UDP (UDP connection establishment), Ping (ICMP Ping), HTTP Host (HTTP requests), or HTTPS Host (HTTPS requests) for monitoring. When using UDP a ping request will be sent initially which, if successful, is followed by a UDP packet with a payload of 0. If the ping does not succeed or an ICMP port unreachable message is received, the connection is regarded as down.
Port (only with monitoring types TCP and UDP): Port number the request will be
sent to.
URL (optional, only with monitoring types HTTP/S Host): URL to be requested. You
can use other ports than the default ports 80 or 443 by adding the port information
to the URL, e.g., http://example.domain:8080/index.html. If no URL is
entered, the root directory will be requested.
Interval: Enter a time interval in seconds at which the hosts are checked.
Timeout: Enter a maximum time span in seconds for the monitoring hosts to
send a response. If all monitoring hosts of an interface do not respond during this
time, the interface will be regarded as dead.
3. Click Apply.
Your settings will be saved.
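The monitoring-host rules above (bound versus unbound hosts, an interface counts as dead only when all of its hosts fail within the timeout, automatic monitoring for interfaces no host covers) worked through as an added Python example; this is not code from the guide or from Sophos UTM, and the probe results are constructed data passed in by the caller instead of live TCP/UDP/ICMP/HTTP checks. The same evaluation applies to the identical procedure under Uplink Monitoring > Advanced in section 6.3.3.

```python
"""Monitoring-host assignment and dead-interface decision for uplink interfaces.

Added example (not UTM code) following the Defining Monitoring Hosts rules:
  - a host bound to an interface monitors only that interface,
  - a host not bound to any interface monitors every uplink interface,
  - an interface is dead only if ALL of its monitoring hosts fail to answer
    within the configured Timeout,
  - interfaces that no selected host covers are left to automatic monitoring.
Probe outcomes are constructed data supplied by the caller, not live checks.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MonitoringHost:
    name: str
    address: str
    bound_interface: Optional[str] = None   # None: monitors all interfaces
    monitoring_type: str = "Ping"           # TCP, UDP, Ping, HTTP Host or HTTPS Host


# (host name, interface) -> seconds until the reply arrived, or None for no reply
ProbeResults = Dict[Tuple[str, str], Optional[float]]


def hosts_for_interface(interface: str, hosts: List[MonitoringHost]) -> List[MonitoringHost]:
    """Hosts that monitor `interface`: those bound to it plus all unbound hosts."""
    return [h for h in hosts if h.bound_interface in (None, interface)]


def host_answered(reply_after: Optional[float], timeout: float) -> bool:
    """A reply only counts if it arrived within the Timeout configured for monitoring."""
    return reply_after is not None and reply_after <= timeout


def interface_is_dead(interface: str, hosts: List[MonitoringHost], results: ProbeResults,
                      timeout: float, automatic_dead: Dict[str, bool]) -> bool:
    """True if the interface must be regarded as dead."""
    monitors = hosts_for_interface(interface, hosts)
    if not monitors:
        # No selected host covers this interface: automatic monitoring decides.
        return automatic_dead.get(interface, False)
    # Dead only when every monitoring host failed to respond in the time span.
    return all(not host_answered(results.get((h.name, interface)), timeout)
               for h in monitors)


def evaluate_uplinks(interfaces: List[str], hosts: List[MonitoringHost],
                     results: ProbeResults, timeout: float,
                     automatic_dead: Optional[Dict[str, bool]] = None) -> Dict[str, str]:
    """Map every uplink interface to "alive" or "dead"."""
    automatic_dead = automatic_dead or {}
    return {i: "dead" if interface_is_dead(i, hosts, results, timeout, automatic_dead) else "alive"
            for i in interfaces}


if __name__ == "__main__":
    # Constructed scenario (assumed names/addresses): one host bound to eth1,
    # one unbound host; Timeout 3 s.
    hosts = [MonitoringHost("dns-probe", "198.51.100.10", "eth1", "TCP"),
             MonitoringHost("web-probe", "203.0.113.5", None, "HTTP Host")]
    results: ProbeResults = {("dns-probe", "eth1"): 0.2,   # answered in time
                             ("web-probe", "eth1"): None,  # no answer via eth1
                             ("web-probe", "eth2"): 4.1}   # answered too late
    print(evaluate_uplinks(["eth1", "eth2"], hosts, results, timeout=3.0))
    # -> {'eth1': 'alive', 'eth2': 'dead'}
```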
6.1.5 Multipath Rules
On the Interfaces & Routing > Interfaces > Multipath Rules tab you can set rules for
uplink balancing. The rules are applied to the active interfaces on the Uplink Balancing
tab when there is more than one interface to balance traffic between. Without multipath
rules, all services are balanced by source, i.e., all traffic coming from one source
uses the same interface, whereas traffic from another source can be sent to another
interface. Multipath rules allow you to change this default interface persistence.
Note – Multipath rules can be set up for the service types TCP, UDP, or IP.
To create a multipath rule, proceed as follows:
1. On the Multipath Rules tab, click New Multipath Rule.
The Add Multipath Rule dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the multipath rule.
Position: The position number, defining the priority of the rule. Lower numbers
have higher priority. Rules are matched in ascending order. Once a rule has
matched, rules with a higher number will not be evaluated anymore. Place the
more specific rules at the top of the list to make sure that more vague rules
match last.
Source: Select or add a source IP address or network to match.
Service: Select or add the network service to match.
Destination: Select or add a destination IP address or network to match.
Tip – How to add a definition is explained on the Definitions & Users > Network
Definitions > Network Definitions page.
Itf. persistence: Interface persistence is a technique which ensures that traffic
having specific attributes is always routed over the same uplink interface. Persistence
has a default timeout of one hour; however, you can change this timeout on the Uplink
Balancing tab. You can decide what should be the basis for persistence:
• By connection: (default) Balancing is based on the connection, i.e., all traffic
belonging to a particular connection uses the same interface, whereas traffic of
another connection can be sent to another interface.
• By source: Balancing is based on the source IP address, i.e., all traffic coming
from one source uses the same interface, whereas traffic from another source can be
sent to another interface.
Note – Basically, persistence by source cannot work when using a proxy because the
original source information is lost. The HTTP proxy however is an exception: Traffic
generated by the HTTP proxy will match against the original client source IP address
and thus complies with interface persistence rules By source, too.
• By destination: Balancing is based on the destination IP address, i.e., all traffic
going to one destination uses the same interface, whereas traffic to another
destination can be sent to another interface.
• By source/destination: Balancing is based on the source/destination IP address
combination, i.e., all traffic coming from a specific source A and going to a specific
destination B uses the same interface. Traffic with another combination can be sent to
another interface. Also, please notice the note above.
• By interface: Select an interface from the Bind Interface drop-down list. All
traffic applying to the rule will be routed over this interface. In case of an
interface failure and if no subsequent rules match, the connection falls back to
default behavior.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Balanced to (not with persistence by interface): Add an interface group to the
field. All traffic applying to the rule will be balanced over the interfaces of this
group. By default, Uplink Interfaces is selected, so connections are balanced over
all uplink interfaces.
Skip rule on interface error (only available if the Itf. Persistence is set to By
Interface): If selected, in case of an interface failure, the next matching multipath
rule will be used for the traffic. If unselected, no other multipath rule will be used
for the defined traffic in case of an interface failure. This for example makes sense
when you want to ensure that SMTP traffic is only sent from a specific static IP
address to prevent your emails from being classified as spam by the recipients due to
an invalid sender IP address.
4. Click Save.
The new multipath rule is added to the Multipath Rules list.
5. Enable the multipath rule.
The new rule is disabled by default (toggle switch is gray). Click the toggle
switch to enable the rule. The rule is now enabled (toggle switch is green).
To either edit or delete a rule, click the corresponding buttons.
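Rule ordering by Position, the persistence modes and the Skip rule on interface error fallback described above, worked through as an added Python example (constructed here, not UTM's implementation); the rule names, networks and the uplink names wan1/wan2 are assumptions, and the hash used to spread persistence keys over live uplinks is a placeholder for whatever distribution the product uses.

```python
"""Multipath rule evaluation with interface persistence (added example, not UTM code).
Rules are tried in ascending Position order; the first rule whose Source, Service and
Destination match decides. With no matching rule the default applies: By source."""
import ipaddress
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "TCP" or "UDP"
    dport: int
    conn_id: int    # connection-tracking id that tells connections apart


@dataclass(frozen=True)
class MultipathRule:
    name: str
    position: int
    source: str                          # CIDR network
    service: Tuple[str, Optional[int]]   # (protocol or "IP", port; None = any port)
    destination: str                     # CIDR network
    persistence: str                     # connection|source|destination|source_destination|interface
    bind_interface: Optional[str] = None             # only with persistence "interface"
    balanced_to: Optional[Tuple[str, ...]] = None    # None: all uplink interfaces
    skip_on_interface_error: bool = False


def rule_matches(rule: MultipathRule, flow: Flow) -> bool:
    proto, port = rule.service
    if proto != "IP" and proto != flow.proto:
        return False
    if port is not None and port != flow.dport:
        return False
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.destination))


def persistence_key(persistence: str, flow: Flow) -> tuple:
    """The flow attributes that must always take the same uplink."""
    return {
        "connection": ("conn", flow.conn_id),
        "source": ("src", flow.src),
        "destination": ("dst", flow.dst),
        "source_destination": ("srcdst", flow.src, flow.dst),
    }[persistence]


class UplinkBalancer:
    def __init__(self, uplinks: List[str], rules: List[MultipathRule], timeout: float = 3600.0):
        self.uplinks = list(uplinks)
        self.rules = sorted(rules, key=lambda r: r.position)  # lower number = higher priority
        self.link_up: Dict[str, bool] = {u: True for u in uplinks}
        self.timeout = timeout                                # persistence timeout, default 1 h
        self.table: Dict[tuple, Tuple[str, float]] = {}       # key -> (uplink, last use)

    def set_link(self, uplink: str, up: bool) -> None:
        self.link_up[uplink] = up

    def _balance(self, key: tuple, candidates: List[str], now: float) -> Optional[str]:
        live = [u for u in candidates if self.link_up[u]]
        if not live:
            return None
        entry = self.table.get(key)
        if entry and entry[0] in live and now - entry[1] < self.timeout:
            uplink = entry[0]             # persistence entry still valid: reuse it
        else:                             # new or expired: spread keys over live uplinks
            uplink = live[zlib.crc32(repr(key).encode()) % len(live)]  # placeholder hash
        self.table[key] = (uplink, now)
        return uplink

    def select(self, flow: Flow, now: float = 0.0) -> Tuple[Optional[str], str]:
        """Return (uplink, rule name); the uplink is None if no live uplink may be used.
        A bound interface is returned even while down when the rule must not be skipped."""
        for rule in self.rules:
            if not rule_matches(rule, flow):
                continue
            if rule.persistence == "interface":
                if self.link_up[rule.bind_interface] or not rule.skip_on_interface_error:
                    return rule.bind_interface, rule.name
                continue    # Skip rule on interface error: the next matching rule decides
            group = list(rule.balanced_to) if rule.balanced_to else self.uplinks
            return self._balance(persistence_key(rule.persistence, flow), group, now), rule.name
        return self._balance(persistence_key("source", flow), self.uplinks, now), "default"


# Constructed rules (assumed names/networks): SMTP pinned to the static-IP uplink wan1 and
# never skipped, HTTPS to a web farm bound to wan2 but skipped on failure, SIP per connection.
RULES = [
    MultipathRule("webfarm-bound", 5, "10.0.0.0/8", ("TCP", 443), "203.0.113.0/24", "interface",
                  bind_interface="wan2", skip_on_interface_error=True),
    MultipathRule("smtp-static", 10, "10.0.0.0/8", ("TCP", 25), "0.0.0.0/0", "interface",
                  bind_interface="wan1"),
    MultipathRule("sip-by-conn", 20, "10.0.0.0/8", ("UDP", 5060), "0.0.0.0/0", "connection"),
]
```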
6.1.6 Hardware
The Interfaces & Routing > Interfaces > Hardware tab lists all configured interfaces
showing information such as the Ethernet mode of operation or the MAC address. On
UTM hardware devices, for each interface, auto negotiation can be enabled or disabled.
Auto Negotiation: Usually, the Ethernet mode of operation (1000BASE-T full-duplex,
100BASE-T full-duplex, 100BASE-T half-duplex, 10BASE-T full-duplex, 10BASE-T half-duplex,
and so on) between two network devices is automatically negotiated by choosing the best
possible mode of operation supported by both devices, where higher speed
(e.g. 1000 Mbit/sec) is preferred over lower speed (e.g. 100 Mbit/sec), and full duplex
is preferred over half duplex at the same speed.
Caution – For proper 1000 Mbit/sec operation, auto negotiation is always required
and mandatory by IEEE Std 802.3ab. Thus, be careful to never switch Auto Negotiation
off for any interface with Link mode 1000BASE-T. The timing of your network link
may fail, causing service degradation or failure. For 100 Mbit/sec and 10 Mbit/sec
operation, auto negotiation is optional, but still recommended for use whenever possible.
Auto negotiation is enabled by default. In the rare case that you need to switch it off,
click the Edit button of the corresponding interface card and change the setting in the
appearing dialog box Edit NIC Parameters via the drop-down list Link Mode. Note that
the drop-down list is only available with UTM hardware devices. Click Save to save your
changes.
Caution – Be careful when disabling auto negotiation, as this might lead to mismatches,
resulting in a significant performance decrease or even disconnect. If the
respective network interface card is your interface to WebAdmin you may lose
access to WebAdmin!
In case one of your interfaces lost its network link due to manipulation of auto negotiation
or speed settings, just changing the settings back will typically not bring the
interface back to normal operation: Changing auto negotiation or speed settings on
disconnected interfaces is not reliable. Therefore first switch on auto negotiation and then
reboot UTM to bring back normal operation.
HA Link Monitoring: If high availability is enabled, all configured interfaces are monitored
for link status. In case of a link failure, a takeover is triggered. If a configured
interface is not always connected (e.g. management interface) please disable HA link
monitoring for the corresponding interface. Otherwise all HA nodes will stay in status
UNLINKED. To disable HA link monitoring, click the Edit button of the corresponding
interface card and change the setting in the appearing dialog box Edit NIC Parameters. Click
Save to save your changes.
Set Virtual MAC: Sometimes it is useful to be able to change the MAC address of a
device. For example, some ISPs require the modem to be reset whenever the device
connected to it, and with it the MAC address the modem sees, changes. By setting
the MAC address to the value of the former device, a reset of the modem can be
avoided.
UTM, however, does not overwrite the original MAC address of the device but instead
sets a virtual MAC address. To do so, click the Edit button of the corresponding interface
card. In the appearing dialog box Edit NIC Parameters, select the checkbox Set Virtual
MAC and enter a valid MAC address. Click Save to save your changes.
To restore the original MAC address, click the Edit button of the corresponding interface
card. In the appearing dialog box Edit NIC Parameters, unselect the checkbox Set Virtual
MAC. Click Save to save your changes.
Enable Power over Ethernet (PoE): This option is only available if the configured interfaces
support PoE. If enabled, you can provide connected access points with electric
power and data through one Ethernet cable.
Note – Power over Ethernet requires an additional power adapter in the UTM appliance.
If the PoE interface runs without a power adapter, the interface works as a normal
LAN port without PoE support.
6.2 Quality of Service (QoS)
Generally speaking, Quality of Service (QoS) refers to control mechanisms to provide
better service to selected network traffic, and to provide priority in terms of guaranteed
bandwidths in particular. In Sophos UTM, priority traffic is configured on the Quality
of Service (QoS) tabs, where you can reserve guaranteed bandwidths for certain
types of outbound network traffic passing between two points in the network, whereas
shaping of inbound traffic is optimized internally by various techniques such as
Stochastic Fairness Queuing (SFQ) or Random Early Detection (RED).
6.2.1 Status
The Quality of Service (QoS) > Status tab lists the interfaces for which QoS can be con
figured. By default, QoS is disabled for each interface.
To configure QoS for an interface, proceed as follows:
1. Click the Edit button of the respective interface.
The Edit Interface dialog box opens.
2. Make the following settings:
Downlink Mbit/sec/Uplink Mbit/sec: Enter the uplink and downlink bandwidth (in
Mbit/s) provided by your ISP. For example, for a 5 Mbit/s Internet connection for
both uplink and downlink, enter 5.
Note – Enter the uplink and downlink bandwidth in Mbit/s - even if an error message
assumes Kbit/s (which is displayed if the entered value is invalid).
If you have a fluctuating bandwidth, enter the lowest value that is guaranteed by
your ISP. For example, if you have a 5 Mbit/s Internet connection for both uplink
and downlink with a variation of 0.8 Mbit/s, enter 4.3 Mbit/s. Note that if the available
bandwidth becomes temporarily higher than the configured lowest guaranteed
value, the gateway can make a projection taking the new bandwidth into
account, so that the percentage bandwidth for the priority traffic will be
increased as well; unfortunately, this does not work vice versa.
Limit uplink: Selecting this option tells the QoS function to use the configured
downlink and uplink bandwidth as the calculation base for prioritizing traffic that
passes this interface. The Limit uplink option is selected by default and should be
used for the following interface types:
• Ethernet interface (with a router sitting in between the gateway and the
Internet—the bandwidth provided by the router is known)
• Ethernet VLAN interface (with a router sitting in between the gateway and
the Internet—the bandwidth provided by the router is known)
• DSL (PPPoE)
• DSL (PPPoA/PPTP)
• Modem (PPP)
Unselect the Limit uplink checkbox for those interfaces whose traffic shaping calculation
base can be determined by the maximum speed of the interface.
However, this only applies to the following interface types:
• Ethernet interface (directly connected to the Internet)
• Ethernet VLAN interface (directly connected to the Internet)
For interfaces with no specific uplink limit given, the QoS function shapes the
entire traffic proportionally. For example, if you have configured 512 Kbit/s for
VoIP traffic on an Ethernet DHCP interface and the available bandwidth has
decreased by half, then 256 Kbit/s would be used for this traffic (note that proportional
shaping works in both directions, in contrast to interfaces that rely on a
fixed maximum limit).
Limit Downlink: If enabled, Stochastic Fairness Queuing (SFQ) and Random Early
Detection (RED) queuing algorithms will avoid network congestion. In case the
configured downlink speed is reached, packets from the most downlink consuming
stream will be dropped.
Upload optimizer: If enabled, this option will automatically prioritize outgoing TCP
connection establishments (TCP packets with SYN flag set), acknowledgment
packets of TCP connections (TCP packets with ACK flag set and a packet length
between 40 and 60 bytes) and DNS lookups (UDP packets on port 53).
3. Click Save.
Your settings will be saved.
4. Enable QoS for the interface.
Click the toggle switch of the interface.
The toggle switch turns green.
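The three Upload optimizer criteria above as an added Python classifier run over constructed raw IPv4/TCP and IPv4/UDP packets; this is not code from the guide or from Sophos UTM, and it assumes that "packet length" means the IPv4 total length.

```python
"""Upload optimizer packet classification (added example, constructed; not UTM code).

With Upload optimizer enabled, three kinds of outgoing packets are prioritized:
TCP connection establishment (SYN flag set), TCP acknowledgments (ACK flag set
and packet length between 40 and 60 bytes) and DNS lookups (UDP to port 53).
Packets are built here as minimal IPv4/TCP and IPv4/UDP headers; "packet length"
is taken to be the IPv4 total length (an assumption of this example).
"""
import socket
import struct
from typing import Optional

TCP_SYN, TCP_ACK = 0x02, 0x10
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left zero) in front of `payload`."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(src: str, dst: str, sport: int, dport: int, flags: int, data: bytes = b"") -> bytes:
    """IPv4/TCP packet with a 20-byte TCP header carrying the given flags."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return build_ipv4(src, dst, IPPROTO_TCP, tcp + data)


def build_udp(src: str, dst: str, sport: int, dport: int, data: bytes = b"") -> bytes:
    """IPv4/UDP packet with an 8-byte UDP header."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0)
    return build_ipv4(src, dst, IPPROTO_UDP, udp + data)


def upload_optimizer_class(packet: bytes) -> Optional[str]:
    """Return the priority class of an outgoing packet, or None if it is not prioritized."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                  # not an IPv4 packet
    ihl = (packet[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    if proto == IPPROTO_TCP and len(packet) >= ihl + 20:
        flags = packet[ihl + 13]
        if flags & TCP_SYN:
            return "tcp-syn"                         # connection establishment
        if flags & TCP_ACK and 40 <= total_len <= 60:
            return "tcp-ack"                         # small pure acknowledgment
    elif proto == IPPROTO_UDP and len(packet) >= ihl + 8:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dport == 53:
            return "dns"                             # DNS lookup
    return None


if __name__ == "__main__":
    # Constructed sample packets (assumed addresses from the documentation ranges).
    for label, pkt in [("syn", build_tcp("192.0.2.10", "198.51.100.1", 40000, 443, TCP_SYN)),
                       ("ack", build_tcp("192.0.2.10", "198.51.100.1", 40000, 443, TCP_ACK)),
                       ("data", build_tcp("192.0.2.10", "198.51.100.1", 40000, 443, TCP_ACK, b"x" * 200)),
                       ("dns", build_udp("192.0.2.10", "198.51.100.53", 50000, 53, b"\x00" * 12))]:
        print(label, upload_optimizer_class(pkt))
```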
6.2.2 Traffic Selectors
A traffic selector can be regarded as a QoS definition which describes certain types of
network traffic to be handled by QoS. These definitions are later used inside the bandwidth
pool definition. There you can define how this traffic gets handled by QoS, such as limiting
the overall bandwidth or guaranteeing a certain amount of minimum bandwidth.
To create a traffic selector, proceed as follows:
1. On the Traffic Selector tab, click New Traffic Selector.
The Add Traffic Selector dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this traffic selector.
Selector type: You can define the following types:
• Traffic selector: Using a traffic selector, traffic will be shaped based on a
single service or a service group.
• Application selector: Using an application selector, traffic will be shaped
based on applications, i.e. which traffic belongs to which application, independent
from the port or service used.
• Group: You can group different service and application selectors into one
traffic selector rule. To define a group, there must be some already defined
single selectors.
Source: Add or select the source network for which you want to enable QoS.
Service: Only with Traffic selector. Add or select the network service for which
you want to enable QoS. You can select among various predefined services and
service groups. For example, select VoIP protocols (SIP and H.323) if you want to
reserve a fixed bandwidth for VoIP connections.
Destination: Add or select the destination network for which you want to enable
QoS.
Tip – How to add a definition is explained on the Definitions & Users > Network
Definitions > Network Definitions page.
Control by: Only with Application selector. Select whether to shape traffic based
on its application type or by a dynamic filter based on categories.
• Applications: The traffic is shaped application-based. Select one or more
applications in the box Control these applications.
• Dynamic filter: The traffic is shaped category-based. Select one or more
categories in the box Control these categories.
Control these applications/categories: Only with Application selector. Click the
Folder icon to select applications/categories. A dialog window opens, which is
described in detail in the next section.
Productivity: Only with Dynamic filter. Reflects the productivity score you
have chosen.
Risk: Only with Dynamic filter. Reflects the risk score you have chosen.
Note – Some applications cannot be shaped. This is necessary to ensure a flawless
operation of Sophos UTM. Such applications have no checkbox in the application
table of the Select Application dialog window, e.g. WebAdmin, Teredo and
SixXs (for IPv6 traffic), Portal (for User Portal traffic), and some more. When
using dynamic filters, shaping of those applications is also prevented automatically.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
TOS/DSCP (only with selector type Traffic Selector): In special cases it can be
useful to distinguish traffic to be handled by QoS not only by its source, destination,
and service but additionally based on its TOS or DSCP flags in the IP header.
• Off: With this default option all traffic matching the source, service and destination
selected above will be handled by QoS.
• TOS bits: Select this option if you want to restrict the traffic handled by
QoS to IP packets with specific TOS bits (Type of Service) settings. You
can choose between the following settings:
  • Normal service
  • Minimize monetary cost
  • Maximize reliability
  • Maximize throughput
  • Minimize delay
• DSCP bits: Select this option if you want to restrict the traffic handled by
QoS to IP packets with specific DSCP bits (Differentiated Services Code
Point) settings. You can either specify a single DSCP Value (an integer in
the range from 0-63) or select a predefined value from the DSCP Class list
(e.g., BE default dscp (000000)).
Amount of data sent/received: Select the checkbox if you want the traffic
selector to match based on the amount of bytes transferred by a connection so
far. With this feature you can e.g. limit the bandwidth of large HTTP uploads
without constraining regular HTTP traffic.
• Sent/Received: From the drop-down list, select More than to define the
traffic selector only for connections which exceed a certain amount of
traffic. Select Less than to define it for connections with less traffic so far.
• kByte: Enter the threshold for the amount of traffic.
Helper: Some services use dynamic port ranges for data transmission. For each
connection, the ports to be used are negotiated between the endpoints via a control
channel. The UTM uses a special connection tracking helper monitoring the
control channel to determine which dynamic ports are being used. To include the
traffic sent through the dynamic ports in the traffic selector, select Any in the Service
box above, and select the respective service from the Helper drop-down list.
4. Click Save.
The new selector appears on the Traffic Selectors list.
If you defined many traffic selectors, you can combine multiple selectors inside a
single traffic selector group, to make the configuration more convenient.
This traffic selector or traffic selector group can now be used in each bandwidth pool.
These pools can be defined on the Bandwidth Pools tab.
The Select Application or Category Dialog Window
When creating application control rules you need to choose applications or application
categories from a dialog window called Select one or more applications/categories to
control.
The table in the lower part of the dialog window displays the applications you can
choose from or which belong to a defined category. By default, all applications are
displayed.
The upper part of the dialog window provides three configuration options to limit the
number of applications in the table:
• Category: Applications are grouped by category. This list contains all available
categories. By default, all categories are selected, which means that the table
below displays all applications available. If you want to limit the displayed applications
to certain categories, click into the category list and select only one or
more categories relevant to you.
• Productivity: Applications are also classified by their productivity impact, which
means how much they influence productivity. Example: Salesforce, a typical business
software, has the score 5, which means its usage adds to productivity. On
the contrary, Farmville, an online game, has the score 1, which means its usage is
counterproductive. The network service DNS has the score 3, which means its
productivity impact is neutral.
• Risk: Applications are also classified by the risk they carry when used with
regard to malware, virus infections, or attacks. A higher number means a higher
risk.
Tip – Each application has an Info icon which, when clicked, displays a description of
the respective application. You can search the table by using the filter field in the
table header.
Now, depending on the type of control you selected in the Create New Traffic Selector
dialog box, do the following:
• Control by dynamic filter: Select the categories from the Category box and click
Apply to adopt the selected categories to your rule.
• Control by application: From the table, select the applications you want to control
by clicking the checkbox in front. Click Apply to adopt the selected applications to
your rule.
After clicking Apply, the dialog window closes and you can continue to edit the settings
of your traffic selector rule.
6.2.3 Bandwidth Pools
On the Quality of Service (QoS) > Bandwidth Pools tab you can define and manage bandwidth
pools for bandwidth management. With a bandwidth pool, you reserve a guaranteed
bandwidth for a specific outgoing traffic type, optionally limited by a maximum
bandwidth limit.
To create a bandwidth pool, proceed as follows:
1. On the Bandwidth Pools tab, select an interface.
From the Bound to interface drop-down list, select the interface for which you
want to create a bandwidth pool.
2. Click New Bandwidth Pool.
The Add Bandwidth Pool dialog box opens.
3. Make the following settings:
Name: Enter a descriptive name for this bandwidth pool.
Position: The position number, defining the priority of the bandwidth pool. Lower
numbers have higher priority. Bandwidth pools are matched in ascending order.
Once a bandwidth pool has matched, bandwidth pools with a higher number will
not be evaluated anymore. Place the more specific pools at the top of the list to
make sure that more vague pools match last. For example, if you have configured
a traffic selector for web traffic (HTTP) in general and for web traffic to a particular
host, place the bandwidth pool that uses the latter traffic selector on top
of the bandwidth pool list, that is, select position 1 for it.
Bandwidth: Enter the uplink bandwidth (in Kbit) you want to reserve for this bandwidth
pool. For example, if you want to reserve 1 Mbit/s for a particular type of
traffic, enter 1024.
Note – You can only assign up to 90 % of the entire available bandwidth to a
bandwidth pool. The gateway always reserves 10 % of the bandwidth for so-called
unshaped traffic. To stay with the example above, if your uplink Internet
connection is 5 Mbit/s and you want to assign as much bandwidth as possible
to VoIP traffic, you can at most enter a value of 4608 Kbit/s.
Specify upper bandwidth limit: The value you entered in the Bandwidth field
above represents the guaranteed bandwidth to be reserved for a specific kind of
traffic. However, a bandwidth pool usually allocates more bandwidth for its
traffic if available. If you want a particular traffic not to consume more than a certain
amount of your bandwidth, select this option to restrict the allocation of
bandwidth to be used by this bandwidth pool to an upper limit.
Traffic selectors: Select the traffic selectors you want to use for this bandwidth
pool.
Comment (optional): Add a description or other information.
4. Click Save.
The new bandwidth pool appears on the Bandwidth Pools list.
5. Enable the rule.
The new rule is disabled by default (toggle switch is gray). Click the toggle
switch to enable the rule. The rule is now enabled (toggle switch is green).
To either edit or delete a bandwidth pool, click the corresponding buttons.
6.2.4 Download Throttling
On the Quality of Service (QoS) > Download Throttling tab you can define and manage
rules to throttle incoming traffic. If packets are coming in faster than the configured
threshold, excess packets will be dropped immediately without being listed in the firewall
rules log file. As a result of TCP congestion avoidance mechanisms, affected
senders should reduce their sending rates in response to the dropped packets.
To create a download throttling rule, proceed as follows:
1. On the Download Throttling tab, select an interface.
From the Bound to interface drop-down list, select the interface for which you
want to create a download throttling rule.
2. Click New Download Throttling Rule.
The Add Throttling Rule dialog box opens.
3. Make the following settings:
Name: Enter a descriptive name for this download throttling rule.
Position: The position number, defining the priority of the rule. Lower numbers
have higher priority. Rules are matched in ascending order. Once a rule has
matched, rules with a higher number will not be evaluated anymore. Place the
more specific rules at the top of the list to make sure that more vague rules
match last.
Limit (kbit/s): The upper limit (in Kbit) for the specified traffic. For example, if
you want to limit the rate to 1 Mbit/s for a particular type of traffic, enter 1024.
Limit: Combination of traffic source and destination where the above defined
limit should apply:
• shared: The limit is equally distributed between all existing connections.
I.e., the overall download rate of the traffic defined by this rule is limited to
the specified value.
• each source address: The limit applies to each particular source address.
• each destination address: The limit applies to each particular destination
address.
• each source/destination: The limit applies to each particular pair of source
and destination address.
Traffic selectors: Select the traffic selectors for which you want to throttle the
download rates. The defined limit will be divided between the selected traffic
selectors.
Comment (optional): Add a description or other information.
4. Click Save.
The new download throttling rule appears on the Download Throttling list.
5. Enable the rule.
The new rule is disabled by default (toggle switch is gray). Click the toggle
switch to enable the rule. The rule is now enabled (toggle switch is green).
To either edit or delete a rule, click the corresponding buttons.
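The four Limit modes of a download throttling rule, worked through as an added Python token-bucket model (constructed here, not UTM's implementation); the burst allowance of one second of traffic, the sample trace and the addresses in it are assumptions.

```python
"""Download throttling Limit modes (added example, constructed; not UTM code).

A throttling rule's Limit (kbit/s) is enforced per key that depends on the rule's
Limit mode: shared (one budget for all matching connections), each source address,
each destination address, or each source/destination pair. Packets arriving faster
than the limit are dropped immediately and silently (no firewall log entry); the
drop counter kept here is only for inspection. The guide's unit convention
(1 Mbit/s = 1024 Kbit/s) is used for the rate.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class _Bucket:
    tokens: float     # bytes that may still pass right now
    last: float       # time of the last refill


class DownloadThrottle:
    MODES = ("shared", "each source address", "each destination address",
             "each source/destination")

    def __init__(self, limit_kbit: int, mode: str, burst_seconds: float = 1.0):
        if mode not in self.MODES:
            raise ValueError(f"unknown Limit mode {mode!r}")
        self.mode = mode
        self.rate = limit_kbit * 1024 / 8.0          # bytes per second
        self.burst = self.rate * burst_seconds       # largest token backlog (assumption)
        self.buckets: Dict[Tuple[str, ...], _Bucket] = {}
        self.dropped = 0

    def _key(self, src: str, dst: str) -> Tuple[str, ...]:
        """The identity the limit applies to under the selected Limit mode."""
        return {
            "shared": (),
            "each source address": (src,),
            "each destination address": (dst,),
            "each source/destination": (src, dst),
        }[self.mode]

    def accept(self, src: str, dst: str, size: int, now: float) -> bool:
        """Token bucket: admit `size` bytes if the key's budget covers them, else drop."""
        bucket = self.buckets.setdefault(self._key(src, dst), _Bucket(self.burst, now))
        bucket.tokens = min(self.burst, bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if size <= bucket.tokens:
            bucket.tokens -= size
            return True
        self.dropped += 1      # excess packet discarded; nothing is logged
        return False


def run_trace(throttle: DownloadThrottle, trace) -> List[bool]:
    """Apply the rule to (time, src, dst, size) packets; return the admit decisions."""
    return [throttle.accept(src, dst, size, t) for t, src, dst, size in trace]


# Constructed sample: two 100 kB downloads from different servers at t=0, then
# another 100 kB at t=1 s, against a 1024 kbit/s limit (131072 bytes/s).
SAMPLE_TRACE = [(0.0, "198.51.100.7", "10.0.0.5", 100_000),
                (0.0, "203.0.113.9", "10.0.0.5", 100_000),
                (1.0, "203.0.113.9", "10.0.0.5", 100_000)]

if __name__ == "__main__":
    print(run_trace(DownloadThrottle(1024, "shared"), SAMPLE_TRACE))               # [True, False, True]
    print(run_trace(DownloadThrottle(1024, "each source address"), SAMPLE_TRACE))  # [True, True, True]
```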
6.2.5 Advanced
Keep classification after encapsulation
Select this checkbox if you want to make sure that after encapsulation a packet will
still match the traffic selector of the original service if no other traffic selector
matches.
The assignment of an encapsulated IP packet to a traffic selector works as follows:
1. The original IP packet is compared with the existing traffic selectors in the given
order. The packet is assigned to the first matching traffic selector (e.g., Internal -> HTTP -> Any).
2. The IP packet gets encapsulated, and the service changes (e.g., to IPsec).
3. The encapsulated packet is compared with the existing traffic selectors in the
given order. The packet is assigned to the first matching traffic selector (e.g.,
Internal -> IPsec -> Any).
4. If no traffic selector matches, the assignment depends on the Keep classification
after encapsulation option:
• If the option is selected, the encapsulated packet will be assigned to the
traffic selector found in step 1.
• If the option is not selected, the encapsulated packet will not be assigned
to any traffic selector and therefore cannot be part of a bandwidth pool.
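The four assignment steps above as an added Python example (constructed, not UTM's implementation); the selector and packet field names, the "Any" wildcard and the selector names are assumptions.

```python
"""Traffic selector assignment before and after encapsulation (added example,
constructed to follow the four steps of Keep classification after encapsulation;
not UTM code).

Selectors are compared in their configured order; a field set to "Any" matches
every value. If the encapsulated packet (e.g. now carrying the IPsec service)
matches no selector, Keep classification after encapsulation decides whether the
selector found for the original packet is kept or the packet leaves QoS entirely.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class TrafficSelector:
    name: str
    source: str         # network definition name or "Any"
    service: str        # service definition name or "Any"
    destination: str    # network definition name or "Any"


@dataclass(frozen=True)
class Packet:
    source: str
    service: str
    destination: str


def first_match(packet: Packet, selectors: List[TrafficSelector]) -> Optional[TrafficSelector]:
    """Steps 1 and 3: the first selector in the given order matching all three fields."""
    for sel in selectors:
        if all(want in ("Any", have) for want, have in
               ((sel.source, packet.source), (sel.service, packet.service),
                (sel.destination, packet.destination))):
            return sel
    return None


def encapsulate(packet: Packet, new_service: str) -> Packet:
    """Step 2: encapsulation changes the packet's service (e.g. HTTP -> IPsec)."""
    return replace(packet, service=new_service)


def assign_selector(original: Packet, new_service: str, selectors: List[TrafficSelector],
                    keep_classification: bool) -> Optional[TrafficSelector]:
    """The selector the encapsulated packet ends up in, or None (no bandwidth pool)."""
    original_match = first_match(original, selectors)                               # step 1
    encapsulated_match = first_match(encapsulate(original, new_service), selectors)  # step 3
    if encapsulated_match is not None:
        return encapsulated_match
    return original_match if keep_classification else None                         # step 4


# Constructed selectors (assumed names) in configured order, using the guide's examples.
HTTP_SELECTOR = TrafficSelector("web", "Internal", "HTTP", "Any")
IPSEC_SELECTOR = TrafficSelector("vpn", "Internal", "IPsec", "Any")

if __name__ == "__main__":
    pkt = Packet("Internal", "HTTP", "External")
    print(assign_selector(pkt, "IPsec", [HTTP_SELECTOR, IPSEC_SELECTOR], False))  # vpn selector
    print(assign_selector(pkt, "IPsec", [HTTP_SELECTOR], True))                   # web selector kept
    print(assign_selector(pkt, "IPsec", [HTTP_SELECTOR], False))                  # None
```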
Explicit Congestion Notification support
ECN (Explicit Congestion Notification) is an extension to the Internet Protocol and
allows end-to-end notifications of network congestion without dropping packets. ECN
only works if both endpoints of a connection successfully negotiate to use it. If this
checkbox is selected, the UTM signals that it is willing to use ECN. If the other
endpoint agrees, they will exchange ECN information. Note that the underlying network
and involved routers must support ECN as well.
6.3 Uplink Monitoring
The menu Interfaces & Routing > Uplink Monitoring gives you the possibility to monitor
your uplink connection and to define certain actions which will be automatically
applied in case the connection status changes.
For example, you can automatically turn on a backup VPN tunnel using another link, or
disable an alias IP address so that it will trigger a monitoring service.
6.3.1 Global
On the Uplink Monitoring > Global tab you can enable or disable uplink monitoring.
To enable uplink monitoring, click the toggle switch.
The toggle switch turns green.
If uplink monitoring is enabled, the Uplink Status section shows all current uplink interfaces
and their statuses:
• ONLINE: The uplink connection is established and functional.
• OFFLINE: According to the monitoring, the uplink connection is defective.
• DOWN: Either the uplink interface is disabled administratively, or—in case of a
dynamic interface—the remote PPP or DHCP server is not reachable.
• STANDBY: The interface is defined as a standby interface on the Interfaces >
Uplink Balancing tab, and it is currently not in use.
Note – If uplink balancing is enabled, the uplinks will always be monitored, even if
uplink monitoring is disabled. Therefore, even if uplink monitoring is disabled, the
uplink interfaces are displayed on this page when uplink balancing is enabled. In this
case, the monitoring settings can be modified on the Interfaces > Uplink Balancing
tab.
6.3.2 Actions
On the Interfaces & Routing > Uplink Monitoring > Actions tab you can define actions
that will be automatically applied in case the uplink connection status changes. For
example, you might want to disable an additional address, when your uplink connection
is down.
To create a new action, do the following:
1. On the Actions tab, click New Action.
The dialog box Create New Action If Uplink Goes Offline opens.
2. Make the following settings:
Name: Enter a descriptive name for the action.
Type: Select the connection type for which you want to define an action.
• IPsec tunnel: Select this option from the drop-down list if you want to
define an action for an IPsec tunnel.
• Additional address: Select this option from the drop-down list if you want
to define an action for an additional address.
IPsec tunnel: (Only available with Type IPsec Tunnel.) If there are any IPsec tunnels
defined, you can select one of them here. For more information, see Remote
Access > IPsec.
Add. address: (Only available with Type Additional Address.) If there are any additional
addresses defined, you can select one of them here. For more information,
see Interfaces & Routing > Interfaces > Additional Addresses.
Action: You can either select Enable or Disable here, which means that, in case of
an uplink interruption, the above selected IPsec tunnel or additional address is
going to be enabled or disabled.
Comment (optional): Add a description or other information.
3. Click Save.
The action will be saved and applied in case the uplink connection is interrupted.
To either edit or delete an action, click the corresponding buttons.
6.3.3 Advanced
On the Uplink Monitoring > Advanced tab you can disable automatic monitoring of the uplink connection and instead define one or more hosts to be used for monitoring.
By default, Automatic monitoring is enabled to detect possible interface failures. This
means that the health of all uplink interfaces is monitored by having them contact a
specific host on the Internet at an interval of 15 seconds. By default, the monitoring
host is the third ping-allowing hop on the route to one of the root DNS servers. However,
you can define the hosts for monitoring the server pool yourself. For these hosts you
can select another service instead of ping, and modify the monitoring interval and
timeout.
The monitoring hosts will then be contacted in certain periods and if none of them is
reachable, the uplink connection is regarded as down. Subsequently, the actions
defined on the Actions tab will be carried out.
Note – The same monitoring settings are automatically used for both uplink monitoring (Uplink Monitoring > Advanced) and uplink balancing (Interfaces > Uplink Balancing).
To use your own hosts for monitoring, do the following:
1. Unselect the Automatic monitoring checkbox.
The Monitoring hosts box becomes editable.
2. Add monitoring hosts.
Select or add one or more hosts that you want to use for monitoring instead of
random hosts. If an interface is monitored by more than one host, it will only be
regarded as dead if all monitoring hosts do not respond in the defined time span.
How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Note – If a selected host is bound to an interface, it will only be used to monitor
this interface. If a host is not bound to an interface, it will be used to monitor all
interfaces. Interfaces not covered by the selected hosts will be monitored by
automatic monitoring.
Click the Monitoring Settings icon in the box header to set the monitoring details:
Monitoring type: Select the service protocol for the monitor checks. Select either TCP (TCP connection establishment), UDP (UDP connection establishment), Ping (ICMP Ping), HTTP Host (HTTP requests), or HTTPS Host (HTTPS requests) for monitoring. When using UDP a ping request will be sent initially which, if successful, is followed by a UDP packet with a payload of 0. If ping does not succeed or the ICMP port is unreachable, the connection is regarded as down.
Port (only with monitoring types TCP and UDP): Port number the request will be
sent to.
URL (optional, only with monitoring types HTTP/S Host): URL to be requested. You can use other ports than the default ports 80 or 443 by adding the port information to the URL, e.g., http://example.domain:8080/index.html. If no URL is entered, the root directory will be requested.
Interval: Enter a time interval in seconds at which the hosts are checked.
Timeout: Enter a maximum time span in seconds for the monitoring hosts to
send a response. If all monitoring hosts of an interface do not respond during this
time, the interface will be regarded as dead.
3. Click Apply.
Your settings will be saved.
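The aggregation rules described on this tab (a host bound to an interface monitors only that interface, an unbound host monitors all of them, an interface is dead only when every one of its hosts fails within the timeout, uncovered interfaces fall back to automatic monitoring) are easy to get wrong when reading logs during an outage. The following added example, which is not Sophos code and does not reflect UTM internals, models those rules over one constructed monitoring round; host names, interface names, timings and the TIMEOUT_S value are made up, since the guide documents the 15-second interval but no default timeout.

```python
"""Added example (not Sophos code): how per-host check results are turned into
an uplink interface state under the rules in 6.3.3. The host names, interface
names, timings and the TIMEOUT_S value are constructed; the guide documents
the 15-second interval but not a default timeout."""
from dataclasses import dataclass
from typing import Optional

INTERVAL_S = 15   # default check interval stated in the guide
TIMEOUT_S = 5     # constructed value for this example


@dataclass
class MonitorHost:
    name: str
    bound_interface: Optional[str]  # None: not bound, monitors every uplink


@dataclass
class CheckResult:
    host: str
    interface: str
    responded: bool
    rtt_s: float  # seconds until the reply arrived (0.0 if none)


def hosts_for_interface(hosts, interface):
    """A host bound to an interface monitors only that interface; an unbound
    host monitors every interface."""
    return [h for h in hosts if h.bound_interface in (None, interface)]


def evaluate(interfaces, hosts, results, timeout_s=TIMEOUT_S):
    """Map each uplink interface to 'UP', 'DOWN' or 'AUTO'.

    An interface is DOWN only if *all* of its monitoring hosts failed to answer
    within the timeout; a late answer counts as no answer. Interfaces that no
    selected host covers stay under automatic monitoring ('AUTO')."""
    states = {}
    for iface in interfaces:
        monitors = {h.name for h in hosts_for_interface(hosts, iface)}
        if not monitors:
            states[iface] = "AUTO"
            continue
        answered = [
            r for r in results
            if r.interface == iface and r.host in monitors
            and r.responded and r.rtt_s <= timeout_s
        ]
        states[iface] = "UP" if answered else "DOWN"
    return states


def uplink_is_down(states):
    """Assumption for this example: the uplink connection counts as down when
    no monitored interface is UP, which is when the Actions tab entries fire."""
    monitored = [s for s in states.values() if s != "AUTO"]
    return bool(monitored) and all(s == "DOWN" for s in monitored)


def demo():
    hosts = [
        MonitorHost("isp1-gw", "eth1"),
        MonitorHost("probe-a", "eth1"),
        MonitorHost("isp2-gw", "eth2"),
    ]
    # Constructed results of one monitoring round.
    results = [
        CheckResult("isp1-gw", "eth1", True, 7.2),   # replied, but after the timeout
        CheckResult("probe-a", "eth1", False, 0.0),  # no reply at all
        CheckResult("isp2-gw", "eth2", True, 0.04),
    ]
    return evaluate(["eth1", "eth2", "eth3"], hosts, results)


if __name__ == "__main__":
    s = demo()
    print(s, "uplink down:", uplink_is_down(s))
```

Running it reports eth1 as DOWN (one host silent, the other answering after the timeout), eth2 as UP, and eth3 as AUTO because no selected host covers it. The late reply on eth1 is the case to watch for: a host that is reachable but slow is indistinguishable from a dead one unless the Timeout value is raised.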
6.4 IPv6
Since version 8, Sophos UTM supports IPv6, the successor of IPv4.
The following functions of UTM fully or partly support IPv6.
• Access to WebAdmin and User Portal
• SSH
• NTP
• SNMP
• SLAAC (Stateless Address Autoconfiguration) and DHCPv6 client support for all dynamic interface types
• DNS
• DHCP server
• BGP
• OSPF
• IPS
• Firewall
• NAT
• ICMP
• Server Load Balancing
• Web Filter
• Application Control
• Web Application Firewall
• SMTP
• IPsec (Site-to-site only)
• Syslog server
6.4.1 Global
On the IPv6 > Global tab you can enable IPv6 support for Sophos UTM. Moreover, if
enabled, IPv6 information is provided here, e.g., status information or prefix delegation
information.
IPv6 support is disabled by default. To enable IPv6, do the following:
1. On the Global tab, enable IPv6.
Click the toggle switch.
The toggle switch turns green. If IPv6 has never been enabled or configured
before, the Connectivity area displays the string None.
As soon as IPv6 is enabled, you will find several network and other object definitions
referring explicitly to IPv6 around WebAdmin. You can generally use them as you are
used to from IPv4 objects.
Note – If IPv6 is enabled, the icons of network objects and the like bear an additional mark that tells you whether the respective object is an IPv6 object, an IPv4 object, or both. Wait at least 10 seconds between enabling and disabling IPv6.
6.4.2 Prefix Advertisements
On the IPv6 > Prefix Advertisements tab you can configure your Sophos UTM to assign
clients an IPv6 address prefix which in turn enables them to pick an IPv6 address by
themselves. Prefix advertisement (or router advertisement) is an IPv6 feature where
routers (or in this case the UTM) behave like a DHCP server in IPv4, in a way. However,
the routers do not assign IPs directly to clients. Instead, clients in an IPv6 network
assign themselves a so-called link-local address for the primary communication with
the router. The router then tells the client the prefix for its network segment. Subsequently, the clients generate an IP address consisting of the prefix and their MAC address.
To create a new prefix, do the following:
1. On the Prefix Advertisements tab, click New Prefix.
The dialog box Add Prefix opens.
2. Make the following settings:
Interface: Select an interface that has an IPv6 address with a 64 bit netmask configured.
DNS server 1/2 (optional): The IPv6 addresses of the DNS servers.
Domain (optional): Enter the domain name that will be transmitted to the clients
(e.g., intranet.example.com).
Valid lifetime: The time the prefix is to be valid. Default is 30 days.
Preferred lifetime: The time after which another prefix, whose preferred lifetime
has not yet expired, is to be selected by the client. Default is 7 days.
3. Optionally, make the following advanced settings:
Stateless integrated server: This option is selected by default. Creating a prefix advertisement automatically starts a DHCPv6 server. Note that this DHCPv6 configuration is hidden and therefore not visible or editable via the DHCP configuration menu.
Managed (stateful): This option is not available when Stateless integrated server is selected. It allows a stateful DHCPv6 server to be started on the same interface as the prefix advertisement. You can configure a DHCPv6 server on the Network Services > DHCP > Servers tab.
Other config: This option is not available when Stateless integrated server is selected. It ensures that a given DNS server and domain name are additionally announced via DHCPv6 for the given prefix. This is useful since, at the moment, there are too few clients which are able to fetch the DNS information from the prefix advertisement (RFC 5006/RFC 6106).
4. Click Save.
The new prefix configuration appears on the Prefix Advertisements list.
6.4.3 Renumbering
On the IPv6 > Renumbering tab you can allow automatic renumbering of IPv6 addresses
managed by the UTM in case of a prefix change. Additionally, you can renumber IPv6
addresses manually.
The following IPv6 addresses will be modified:
• Hosts, networks, and range definitions
• Primary and secondary interface addresses
• DHCPv6 server ranges and mappings
• DNS mappings
An IPv6 prefix provided via tunnel brokerage will not be renumbered.
Automatic IPv6 Renumbering
By default, IPv6 addresses managed by your UTM are automatically renumbered in the
event that the IPv6 prefix changes. Prefix changes are initiated by your ISP via DHCPv6
prefix delegation. To deactivate renumbering, unselect the checkbox and click Apply.
Manual IPv6 Renumbering
You can renumber particular IPv6 addresses managed by the UTM manually. This can be useful if you change your ISP, and your new provider assigns a new IPv6 prefix statically to you instead of automatically via DHCPv6.
1. Specify the current prefix of the IPv6 addresses to be renumbered.
Enter the prefix into the Old prefix field.
2. Specify the new prefix.
Enter the prefix into the New prefix field.
3. Click Apply.
All IPv6 addresses with the defined current prefix will be renumbered using the
new prefix.
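Two pieces of the IPv6 sections above are mechanical enough to be worth seeing in code: how a client turns an advertised 64-bit prefix plus its MAC address into an address (6.4.2, the modified EUI-64 rule, which also yields the link-local address used for the first contact with the router), and what "renumbering" an address from an old prefix to a new one means bit-wise (6.4.3). The block below is an added example, not Sophos code; prefixes, MAC and addresses are constructed documentation values, and the behaviour of keeping the host bits while swapping the prefix bits is the example's reading of the guide.

```python
"""Added example (not Sophos code): the address derivation sketched in 6.4.2
(link-local address, then a global address from advertised prefix + MAC, via
the modified EUI-64 rule) and the prefix rewrite of 6.4.3. Prefixes, MAC and
addresses below are constructed documentation values."""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: flip the universal/local bit (0x02) of the first octet
    and insert 0xFFFE between the two halves of the 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a client picks for an advertised 64-bit prefix."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("prefix advertisements require a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 address used for the first contact with the router."""
    return slaac_address("fe80::/64", mac)


def renumber(addr: str, old_prefix: str, new_prefix: str):
    """Rewrite the prefix bits, keep the host bits. Returns None when addr is
    not under old_prefix, mirroring the guide: only addresses with the given
    current prefix are renumbered."""
    old = ipaddress.IPv6Network(old_prefix, strict=True)
    new = ipaddress.IPv6Network(new_prefix, strict=True)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new prefix must have the same length")
    a = ipaddress.IPv6Address(addr)
    if a not in old:
        return None
    host_bits = int(a) & int(old.hostmask)
    return ipaddress.IPv6Address(int(new.network_address) | host_bits)


def renumber_all(addrs, old_prefix, new_prefix):
    """Apply renumber() to a list of address strings; others pass through."""
    out = []
    for a in addrs:
        r = renumber(a, old_prefix, new_prefix)
        out.append(str(r) if r is not None else a)
    return out


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"
    print(link_local_address(mac))
    host = slaac_address("2001:db8:1:10::/64", mac)
    print(host)
    print(renumber_all([str(host), "2001:db8:1::1", "2001:db8:9::1"],
                       "2001:db8:1::/48", "2001:db8:2::/48"))
```

The EUI-64 derivation is also why the guide insists on a 64-bit netmask for the advertised interface: the interface identifier is fixed at 64 bits. Note that an address formed this way embeds the client's MAC permanently, so any log or DNS entry that records it also records the hardware identity; privacy extensions on the client side avoid that but are out of scope here.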
6.4.4 6to4
On the IPv6 > 6to4 tab you can configure your Sophos UTM to automatically tunnel IPv6 addresses over an existing IPv4 network. With 6to4, every IPv4 address is mapped to a /48 prefix of the IPv6 network. The resulting IPv6 address consists of the prefix 2002 and the IPv4 address in hexadecimal notation.
Note – You can either have 6to4 enabled or Tunnel Broker.
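The 2002::/16 mapping above is fixed by the 6to4 design, so it can be computed and reversed offline. The following added example (not Sophos code) does both, and also carves one of the 65536 /64 subnets out of a site's /48; the IPv4 addresses are constructed documentation values, and the list of ranges it refuses to map is this example's own choice, reflecting that the embedded IPv4 address must be reachable from the public Internet for the tunnel to work.

```python
"""Added example (not Sophos code): the 6to4 address mapping described above,
in both directions. The IPv4 addresses are constructed documentation values;
the list of non-routable ranges rejected here is this example's own choice."""
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")

# Ranges that can never serve as a 6to4 endpoint: the mapped IPv4 address must
# be reachable from the public Internet.
NOT_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
)]


def is_6to4_eligible(ipv4: str) -> bool:
    v4 = ipaddress.IPv4Address(ipv4)
    return not any(v4 in n for n in NOT_ROUTABLE)


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002:VVVV:WWWW::/48, where VVVVWWWW is the IPv4 address in hex."""
    if not is_6to4_eligible(ipv4):
        raise ValueError(f"{ipv4} is not a public IPv4 address")
    v4 = int(ipaddress.IPv4Address(ipv4))
    # 16 bits of 2002 on top, then the 32 IPv4 bits, then 80 zero bits
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48), strict=True)


def sixto4_subnet(ipv4: str, subnet_id: int) -> ipaddress.IPv6Network:
    """One of the 65536 /64 subnets inside a site's 6to4 /48."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id is 16 bits")
    base = int(sixto4_prefix(ipv4).network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64), strict=True)


def sixto4_origin(ipv6: str):
    """IPv4 endpoint embedded in a 6to4 address, or None if not in 2002::/16."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


if __name__ == "__main__":
    site = sixto4_prefix("192.0.2.1")
    print(site, sixto4_subnet("192.0.2.1", 1))
    print(sixto4_origin("2002:c000:201:1::a"), sixto4_origin("2001:db8::1"))
```

The reverse mapping is useful when reading firewall or IPS logs: any source in 2002::/16 carries the IPv4 address of the tunnel endpoint that produced it, which is what you would correlate against IPv4 reputation data or against the interface address you selected in step 2 below.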
To enable IP address tunneling for a certain interface, do the following:
1. On the 6to4 tab, enable 6to4.
Click the toggle switch.
The toggle switch turns amber and the 6to4 area and the Advanced area become
editable.
2. Select an interface.
Select an interface from the Interface drop-down list which has a public IPv6
address configured.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green and the interface status is displayed on the Global
tab.
Advanced
You can change the Server address to use a different 6to4 relay server. For that, enter a
new server address and click Apply to save your settings.
6.4.5 Tunnel Broker
On the IPv6 > Tunnel Broker tab you can enable the use of a tunnel broker. Tunnel brokerage is a service offered by some ISPs which allows you to access the Internet using an IPv6 address.
Note – You can either have 6to4 enabled or Tunnel Broker.
Sophos UTM supports the following tunnel brokers:
l
Teredo (only anonymous)
l
Freenet6 (by GoGo6) (anonymous or with user account)
l
SixXS (user account necessary)
l
Hurricane Electric (user account necessary)
To use a tunnel broker, do the following:
1. On the Tunnel Broker tab, enable the use of tunnel broker.
Click the toggle switch.
The toggle switch turns green and the Tunnel Broker area and the Advanced area
become editable. The tunnel broker is immediately active using anonymous
authentication at Teredo. The connection status is displayed on the Global tab.
If you use SixXS tunnels and the IPv6 connection gets lost, the SixXS tunnels do not restart automatically. In this case, check the log files under Logging & Reporting > View Log Files > Today's Log Files.
Tunnel Broker
You can change the default tunnel broker settings.
Authentication: Select an authentication method from the drop-down list.
• Anonymous: Using this method you do not need a user account at the respective broker. The IP address assigned will be, however, temporary.
• User: You need to register at the respective broker to get a user account.
Broker: You can select another broker from the drop-down list.
Username (only available with User): Provide your username for the respective broker.
Password (only available with User): Provide your password for the username.
Click Apply to save your settings.
Advanced
Here you can provide another server address for your selected tunnel broker.
Click Apply to save your settings.
6.5 Static Routing
Every computer connected to a network uses a routing table to determine the path
along which an outbound data packet must be sent to reach its destination. For
example, the routing table contains the information whether the destination address is
on the local network or if the data packet must be forwarded to a router. If a router is
involved, the table contains information about which router is to be used for which network.
Two types of routes can be added to the routing table of Sophos UTM: standard static routes and policy routes. With static routes, the routing target is exclusively determined by the packet's destination address. With policy routes, however, it is possible to make routing decisions based on the source interface, source address, service, or destination address.
Note – You do not need to set routes for networks attached to UTM's interfaces or default routes, as the system inserts these routes automatically.
6.5.1 Standard Static Routes
The system automatically inserts routing entries into the routing table for networks
that are directly connected to the system. Manual entries are necessary in those cases
where there is an additional router which is to be accessed via a specific network.
Routes for networks that are not directly connected and that are inserted into the routing table via a command or a configuration file are called static routes.
To add a standard static route, proceed as follows:
1. On the Standard Static Routes tab click New Static Route.
The Add Static Route dialog box opens.
2. Make the following settings:
Route type: The following route types are available:
• Interface route: Packets are sent out on a particular interface. This is useful in two cases. First, for routing on dynamic interfaces (PPP), because in this case the IP address of the gateway is unknown. Second, for defining a default route having a gateway located outside the directly connected networks.
• Gateway route: Packets are sent to a particular host (gateway).
• Blackhole route: Packets are discarded silently. This is useful in connection with OSPF or other dynamic adaptive routing protocols to avoid routing loops, route flapping, and the like.
Network: Select the destination networks of data packets UTM must intercept.
Interface: Select the interface through which the data packets will leave UTM
(only available if you selected Interface Route as route type).
Gateway: Select the gateway/router to which UTM will forward data packets
(only available if you selected Gateway Route as route type).
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced setting:
Metric: Enter a metric value which can be an integer from 0 to 4294967295 with
a default of 5. The metric value is used to distinguish and prioritize routes to the
same destination. A lower metric value is preferred over a higher metric value.
IPsec routes automatically have the metric 0.
4. Click Save.
The new route appears on the Standard Static Route list.
5. Enable the route.
Click the toggle switch to activate the route.
To either edit or delete a route, click the corresponding buttons.
6.5.2 Policy Routes
When a router receives a data packet, it normally decides where to forward it based on
the destination address in the packet, which is then used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on
other criteria. Policy-based routing allows for forwarding or routing of data packets
according to your own policies.
To add a policy route, proceed as follows:
1. On the Policy Routes tab click New Policy Route.
The Add Policy Route dialog box opens.
2. Make the following settings:
Position: The position number, defining the priority of the policy route. Lower numbers have higher priority. Routes are matched in ascending order. Once a route has matched, routes with a higher number will not be evaluated anymore.
Route type: The following route types are available:
• Interface route: Packets are sent out on a particular interface. This is useful in two cases. First, for routing on dynamic interfaces (PPP), because in this case the IP address of the gateway is unknown. Second, for defining a default route having a gateway located outside the directly connected networks.
• Gateway route: Packets are sent to a particular host (gateway).
Source interface: The interface on which the data packet to be routed has arrived.
The Any setting applies to all interfaces.
Source network: The source network of the data packets to be routed. The Any
setting applies to all networks.
Service: The service definition that matches the data packet to be routed. The drop-down list contains all predefined services as well as the services you have defined yourself. These services allow you to specify precisely which kind of traffic should be processed. The Any setting matches any combination of protocols and source and destination ports.
Destination network: The destination network of the data packets to be routed.
The Any setting applies to all networks.
Note – Destination networks which are bound to interfaces are treated like normal networks. The binding has no effect on policy routes. Therefore you have to use the option Target interface. This option is only available with the route type Interface Route.
Target interface: The interface for the data packets to be sent to (only available
with the route type Interface Route).
Gateway: Select the gateway/router to which UTM will forward data packets (only available if you selected Gateway Route as route type).
Comment (optional): Add a description or other information.
3. Click Save.
The new route appears on the Policy Routes list.
4. Enable the route.
Click the toggle switch to activate the route.
To either edit or delete a route, click the corresponding buttons.
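Sections 6.5.1 and 6.5.2 together define a lookup order: policy routes are tried by ascending Position and the first match wins, and only when none matches does the standard static table decide on the destination address alone, with the metric breaking ties between routes to the same destination. The added example below (not Sophos code, and not a description of UTM's implementation) models that order over constructed routes and packets, including a blackhole route and a disabled-by-metric duplicate. Within the static table it prefers the most specific network before comparing metrics, which is the usual kernel behaviour rather than something the guide spells out.

```python
"""Added example (not Sophos code): a model of the lookup order described in
6.5.1 and 6.5.2. Policy routes are tried by ascending Position and the first
match wins; when none matches, the standard static table decides on the
destination address alone (most specific network first, then lowest metric,
the latter tie-break being the usual kernel rule, not a statement of the
guide). All routes, interfaces and packets are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # the guide's "Any" setting


@dataclass
class Packet:
    src_iface: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class PolicyRoute:
    position: int
    src_iface: Optional[str]
    src_net: Optional[str]
    service: Optional[Tuple[str, int]]  # (protocol, destination port) or ANY
    dst_net: Optional[str]
    target: str  # "iface:<name>" or "gw:<address>"
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        if not self.enabled:
            return False
        if self.src_iface is not ANY and self.src_iface != p.src_iface:
            return False
        if self.src_net is not ANY and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.service is not ANY and self.service != (p.proto, p.dport):
            return False
        if self.dst_net is not ANY and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return True


@dataclass
class StaticRoute:
    network: str
    target: str       # "iface:<name>", "gw:<address>" or "blackhole"
    metric: int = 5   # default metric given in the guide
    enabled: bool = True


def lookup_policy(routes, p: Packet):
    """Ascending Position, first match wins, later routes are not evaluated."""
    for r in sorted(routes, key=lambda r: r.position):
        if r.matches(p):
            return r.target
    return None


def lookup_static(table, dst: str):
    """Destination only: longest prefix, then the lower metric."""
    d = ipaddress.ip_address(dst)
    cands = [r for r in table if r.enabled and d in ipaddress.ip_network(r.network)]
    if not cands:
        return None
    best = max(cands, key=lambda r: (ipaddress.ip_network(r.network).prefixlen, -r.metric))
    return best.target


def route(policy, table, p: Packet):
    return lookup_policy(policy, p) or lookup_static(table, p.dst)


def demo():
    policy = [
        PolicyRoute(2, ANY, "10.0.2.0/24", ANY, ANY, "iface:ppp0"),
        PolicyRoute(1, "eth0", "10.0.1.0/24", ("tcp", 443), ANY, "gw:203.0.113.1"),
    ]
    table = [
        StaticRoute("0.0.0.0/0", "gw:198.51.100.1"),
        StaticRoute("192.168.50.0/24", "gw:10.0.0.254"),
        StaticRoute("192.168.50.0/24", "blackhole", metric=100),  # loses on metric
        StaticRoute("10.99.0.0/16", "blackhole"),                 # discarded silently
    ]
    packets = [
        Packet("eth0", "10.0.1.7", "198.51.100.99", "tcp", 443),  # policy 1
        Packet("eth0", "10.0.1.7", "198.51.100.99", "udp", 53),   # no policy: default route
        Packet("eth1", "10.0.2.9", "192.168.50.3", "tcp", 22),    # policy 2
        Packet("eth0", "10.0.3.1", "192.168.50.3", "tcp", 22),    # static, metric 5 wins
        Packet("eth0", "10.0.3.1", "10.99.4.4", "tcp", 80),       # blackhole
    ]
    return [route(policy, table, p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The second packet is the one to keep in mind when reviewing a policy-route set: a rule that names a Service only diverts that service, and everything else from the same source falls through to the static table, so a "send all traffic from this subnet over ISP 2" intent needs Service set to Any.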
6.6 Dynamic Routing (OSPF)
The Open Shortest Path First (OSPF) protocol is a link-state hierarchical routing protocol primarily used within larger autonomous system networks. Sophos UTM supports OSPF version 2. Compared to other routing protocols, OSPF uses cost as its routing metric. The cost of an OSPF-enabled interface is an indication of the overhead required to send packets across a certain interface. The cost of an interface is inversely proportional to the bandwidth of that interface. Therefore, a higher bandwidth indicates a lower cost. For example, there is more overhead (higher cost) and time delays involved in crossing a 56 Kbit/s serial line than crossing a 10 Mbit/s Ethernet line.
The OSPF specification does not specify how the cost of an attached network should be computed—this is left to the vendor. Therefore you are free to define your own computation formula. However, if your OSPF network is adjacent to other networks that have cost already defined, you are advised to apply the same computation base.
By default, the cost of an interface is calculated based on the bandwidth. Cisco, for example, computes the cost by dividing 10^8 by the bandwidth of the interface in bits per second. Using this formula, it will cost 10^8/10000000 = 10 to cross a 10 Mbit/s Ethernet line, whereas it will cost 10^8/1544000 = 64 to cross a 1.544 Mbit/s line (T1) (note that the cost is rounded down to the nearest integer).
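The reference-bandwidth formula quoted above has a practical consequence that the two worked numbers do not show: with a 10^8 reference, every link of 100 Mbit/s or faster rounds down to the same cost, so OSPF can no longer prefer a 10 Gbit/s path over a 1 Gbit/s one, and the fix (a larger reference) only works if every router in the domain applies it, which is the "same computation base" advice in practice. The added example below (not Sophos code) computes the costs for a set of constructed link speeds under both references; the clamp to 1..65535 follows the valid cost range the guide states for OSPF interfaces in 6.6.3.

```python
"""Added example (not Sophos code): interface cost from bandwidth with the
reference-bandwidth formula quoted above, cost = floor(reference / bandwidth).
The 10^8 bit/s reference is the Cisco value the guide cites; the clamp to
1..65535 follows the valid cost range stated for OSPF interfaces in 6.6.3.
Link names and speeds below are constructed samples."""

CISCO_REFERENCE_BPS = 10**8
MIN_COST, MAX_COST = 1, 65535


def ospf_cost(bandwidth_bps: int, reference_bps: int = CISCO_REFERENCE_BPS) -> int:
    """Integer division rounds down, as the guide notes for the T1 case."""
    if bandwidth_bps <= 0 or reference_bps <= 0:
        raise ValueError("bandwidth and reference must be positive")
    return max(MIN_COST, min(reference_bps // bandwidth_bps, MAX_COST))


def cost_table(links, reference_bps: int = CISCO_REFERENCE_BPS):
    """{link name: cost} for a list of (name, bandwidth in bit/s)."""
    return {name: ospf_cost(bw, reference_bps) for name, bw in links}


def distinguishable(links, reference_bps: int = CISCO_REFERENCE_BPS) -> bool:
    """True if no two links of different speed end up with the same cost.
    With the 10^8 reference every link of 100 Mbit/s or faster costs 1, so
    OSPF can no longer prefer 10 Gbit/s over 1 Gbit/s; a larger reference,
    applied on every router in the domain, restores the distinction."""
    speeds = {bw for _, bw in links}
    costs = {ospf_cost(bw, reference_bps) for bw in speeds}
    return len(costs) == len(speeds)


SAMPLE_LINKS = [
    ("serial-56k", 56_000),
    ("t1", 1_544_000),
    ("ether-10m", 10_000_000),
    ("fastether-100m", 100_000_000),
    ("gigether-1g", 1_000_000_000),
    ("tengig-10g", 10_000_000_000),
]

if __name__ == "__main__":
    for ref in (10**8, 10**10):
        print(ref, cost_table(SAMPLE_LINKS, ref), distinguishable(SAMPLE_LINKS, ref))
```

With the 10^8 reference the table reproduces the guide's 10 and 64 and gives 1785 for the 56 Kbit/s line, but 1 for all three Ethernet speeds of 100 Mbit/s and up; with 10^10 the three become 100, 10 and 1.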
6.6.1 Global
On the Interfaces & Routing > Dynamic Routing (OSPF) > Global tab you can make the
basic settings for OSPF. Before you can enable the OSPF function, you must have at
least one OSPF area configured (on the Area tab).
Caution – Configuring the OSPF function of Sophos UTM requires a technically adept and experienced administrator who is familiar with the OSPF protocol. The descriptions of configuration options given here are by far not sufficient to provide a comprehensive understanding of the OSPF protocol. You are thus advised to use this feature with caution, as a misconfiguration may render your network inoperable.
To configure OSPF, proceed as follows:
1. On the Area tab, create at least one OSPF area.
2. On the Global tab, enable OSPF.
Click the toggle switch.
The toggle switch turns amber and the Router area becomes editable.
3. Enter the router ID.
Enter a unique router ID to identify the Sophos UTM device to other OSPF routers.
4. Click Apply.
Your settings will be saved.
The toggle switch turns green.
To disable OSPF click the toggle switch.
6.6.2 Area
An OSPF network is divided into areas. These are logical groupings of routers whose
information may be summarized towards the rest of the network. Areas are identified
by a 32-bit ID in dot-decimal notation similar to the notation of IP addresses.
Altogether, there are six types of OSPF areas:
• Backbone: The area with ID 0 (or 0.0.0.0) is reserved for the OSPF network backbone, which forms the core of an OSPF network—all other areas are connected to it.
• Normal: A normal or regular area has a unique ID ranging from 1 (or 0.0.0.1) to 4,294,967,295 (or 255.255.255.255). Normal areas handle external routes by flooding them bi-directionally across the Area Border Router (ABR). Note that external routes are defined as routes which were distributed in OSPF from another routing protocol.
• Stub: Typically, a stub area does not have direct connections to any external networks. Injecting external routes into a stub area is unnecessary because all traffic to external networks must be routed through an Area Border Router (ABR). Therefore, a stub area substitutes a default route for external routes to send traffic to external networks.
• Stub no-summary: A Stub no-summary or Totally stubby area is similar to a stub area, however this area does not allow so-called summary routes, that is, it restricts type 3 summary link state advertisements (LSAs) from flowing into the area.
• NSSA: A not-so-stubby area (NSSA) is a type of stub area that in contrast to stub areas can support external connections. Note that NSSAs do not support virtual links.
• NSSA no-summary: A NSSA no-summary is similar to a NSSA, however this area does not allow so-called summary routes, that is, it restricts type 3 summary link state advertisements (LSAs) from flowing into the area.
To create an OSPF area, proceed as follows:
1. On the Area tab, click New OSPF Area.
The Add OSPF Area dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the area.
Area ID: Enter the ID of the area in dot-decimal notation (e.g., 0.0.0.1 for a normal area or 0.0.0.0 for the backbone area).
Area type: Select an area type (see description above) to specify the characteristics of the network that will be assigned to the area in question.
Auth-type: Select the authentication type used for all OSPF packets sent and
received through the interfaces in the area. The following authentication types
are available:
• MD5: Select to enable MD5 authentication. MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value.
• Plain-Text: Select to enable plain-text authentication. The password is transmitted in clear text over the network.
• Off: Select to disable authentication.
Connect via Interface: Select an OSPF-enabled interface. Note that to specify an
OSPF-enabled interface here it must have been created on the Interfaces tab
first.
Connect Virtual Links: All areas in an OSPF autonomous system (AS) must be physically connected to the backbone area (area 0). In some cases where this physical connection is not possible, you can use a virtual link to connect to the backbone through a non-backbone area. In the Connect Virtual Links box, enter the router ID associated with the virtual link neighbor in decimal dot notation (e.g., 10.0.0.8).
Cost: The cost of sending or receiving a data packet in this area. Valid values for cost are in the range from 1 to 65535. Default is 0. If the user chooses 0, the system calculates an adequate value based on the formula reference bandwidth divided by interface bandwidth. For example, in the case of Ethernet, it is 100 Mbps /10 Mbps = 10.
Comment (optional): Add a description or other information.
3. Click Save.
The new area definition appears on the Area tab.
To either edit or delete an OSPF area, click the corresponding buttons.
Open Live Log: The OSPF live log logs all activities on the OSPF interface. Click the button to open the live log in a new window.
6.6.3 Interfaces
On the Interfaces & Routing > Dynamic Routing (OSPF) > Interfaces tab you can create
interface definitions to be used within an OSPF area. Each definition contains various
parameters that are specific for OSPF-enabled interfaces.
To create an OSPF interface definition, proceed as follows:
1. On the Interfaces tab, click New OSPF Interface.
The Add OSPF Interface dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this interface.
Interface: Select the interface to associate with this OSPF interface definition.
Auth-type: Select the authentication type used for all OSPF packets sent and
received through this interface. The following authentication types are available:
• MD5: Select to enable MD5 authentication. MD5 (Message-Digest algorithm 5) is a widely-used cryptographic hash function with a 128-bit hash value.
• Plain-Text: Select to enable plain-text authentication. The password is transmitted in clear text over the network.
• Off: Select to disable authentication.
Message Digest: Select the message digest (MD) to specify that MD5 authentication is used for this OSPF interface. Note that to select a message digest here it must have been created on the Message Digests tab first.
Cost: The cost of sending a data packet on this interface. Valid values for cost
are in the range from 1 to 65535.
Advanced (optional): Select this checkbox to reveal further configuration options:
• Hello interval: Specify the period of time (in seconds) that Sophos UTM waits between sending Hello packets through this interface. The default value is ten seconds.
• Retransmit interval: Specify the period of time (in seconds) between link state advertisement (LSA) retransmissions for the interface when an acknowledgment for the LSA is not received. The default value is five seconds.
• Dead interval: Specify the period of time (in seconds) Sophos UTM waits to receive a Hello data packet through the interface. The default value is 40 seconds. By convention, the Dead Interval value is four times greater than the value for the Hello Interval.
• Priority: Specify the router priority, which is an 8-bit number ranging from 0 to 255 primarily used in determining the designated router (DR) for the particular network. The router with the highest priority will be more eligible to become designated router. Setting the value to 0 makes the router ineligible to become designated router. The default value is 1.
• Transmit delay: Specify the estimated period of time (in seconds) it takes to transmit a link state update packet on the interface. The range is from 1 to 65535 seconds; the default value is 1.
Comment (optional): Add a description or other information.
3. Click Save.
The OSPF interface definition appears on the Interfaces tab.
To either edit or delete an OSPF interface, click the corresponding buttons.
Open Live Log: The OSPF live log logs all activities on the OSPF interface. Click the button to open the live log in a new window.
6.6.4 Message Digests
On the Interfaces & Routing > Dynamic Routing (OSPF) > Message Digests tab so-called message digest keys can be generated. Message digest keys are needed to enable MD5 authentication with OSPF. MD5 authentication uses the password to generate a message digest, which is a 128-bit checksum of the data packet and password. The message digest is sent with the data packet along with a key ID associated with the password.
Note – The receiving routers must be configured with an identical message digest
key.
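What the paragraph above describes is the cryptographic authentication procedure of RFC 2328 Appendix D: the key is padded to 16 bytes and appended to the OSPF packet, MD5 is computed over that concatenation, and the 16-byte digest (not the key) travels after the packet together with the key ID and a cryptographic sequence number in the header. The added example below (not Sophos code, and not a claim about how UTM's routing daemon is implemented) builds a minimal OSPFv2 Hello header with constructed router ID, area ID, key ID and key, signs it, and shows the receiver-side checks that make the note above hold: a neighbor with a different key, an unknown key ID, a tampered packet or a replayed sequence number all fail verification.

```python
"""Added example (not Sophos code): what a message digest key does on the
wire, following the cryptographic authentication procedure of RFC 2328
Appendix D. The key ID, key, router and area IDs and packet body are
constructed; the checks at the end are why both routers need the same key."""
import hashlib
import hmac
import struct

OSPF_HEADER_LEN = 24
AU_TYPE_CRYPTOGRAPHIC = 2
DIGEST_LEN = 16


def pad_key(key: bytes) -> bytes:
    """The guide allows keys of up to 16 characters; shorter keys are padded
    with zero bytes to 16 bytes before being appended to the packet."""
    if not 1 <= len(key) <= 16:
        raise ValueError("MD5 key must be 1..16 bytes")
    return key.ljust(16, b"\x00")


def make_packet(router_id: int, area_id: int, key_id: int, seq: int, body: bytes) -> bytes:
    """OSPFv2 header (type 1 = Hello) with AuType 2. The 64-bit authentication
    field carries the key ID, the digest length and a cryptographic sequence
    number; the header checksum is unused with this AuType and left 0."""
    length = OSPF_HEADER_LEN + len(body)
    header = struct.pack("!BBHIIHHHBBI", 2, 1, length, router_id, area_id,
                         0, AU_TYPE_CRYPTOGRAPHIC, 0, key_id, DIGEST_LEN, seq)
    return header + body


def sign(packet: bytes, key: bytes) -> bytes:
    """Digest = MD5(packet || padded key), appended after the packet. The key
    itself never leaves the router, unlike with Plain-Text authentication."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(wire: bytes, keys: dict, last_seq=None) -> bool:
    """Receiver side: look the key up by ID, recompute the digest over the
    packet part and compare in constant time. A sequence number below the last
    one seen from this neighbor is rejected (replay protection per the RFC)."""
    if len(wire) < OSPF_HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    au_type = struct.unpack("!H", wire[14:16])[0]
    key_id, auth_len = wire[18], wire[19]
    seq = struct.unpack("!I", wire[20:24])[0]
    if au_type != AU_TYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False
    if length + DIGEST_LEN != len(wire):
        return False
    key = keys.get(key_id)
    if key is None:                      # no key with that ID configured here
        return False
    if last_seq is not None and seq < last_seq:
        return False
    expected = hashlib.md5(wire[:length] + pad_key(key)).digest()
    return hmac.compare_digest(expected, wire[length:])


# Constructed sample: key ID 5 is configured on both routers.
KEYS = {5: b"s3cr3t-area0"}
SAMPLE = make_packet(0x0A000001, 0, 5, 100, b"\x00" * 20)


def demo():
    wire = sign(SAMPLE, KEYS[5])
    tampered = wire[:4] + bytes([wire[4] ^ 0x01]) + wire[5:]  # flip a router-ID bit
    return {
        "same_key": verify(wire, KEYS),
        "wrong_key": verify(wire, {5: b"something-else"}),
        "unknown_key_id": verify(wire, {7: KEYS[5]}),
        "tampered": verify(tampered, KEYS),
        "replayed": verify(wire, KEYS, last_seq=101),
    }


if __name__ == "__main__":
    print(demo())
```

Two observations follow directly from the code. First, the digest covers the whole packet, so a neighbor that only shares the key ID but not the key produces packets that fail on every router, which shows up as adjacencies that never leave the Init state rather than as a clean error. Second, MD5 is dated as a hash, but in this keyed construction the practical gap to Plain-Text (password readable by anyone on the segment) is large, so MD5 is the option to pick when both are offered.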
To create a message digest key, proceed as follows:
1. On the Message Digest tab, click New Message Digest Key.
The Add Message Digest Key dialog box opens.
2. Make the following settings:
ID: Enter the key identifier for this message digest key; the range is from 1 to
255.
MD5-key: Enter the associated password, which must be a string of up to 16
alphanumeric characters.
3. Click Save.
The new key appears on the Message Digests list.
To either edit or delete a digest key, click the corresponding buttons.
6.6.5 Debug
The Interfaces & Routing > Dynamic Routing (OSPF) > Debug tab shows detailed information about relevant OSPF parameters in a separate browser window. The following information is available:
• Show IP OSPF Neighbor: Used to display OSPF neighbor information on a per-interface basis.
• Show IP OSPF Routes: Used to display the current state of the routing table.
• Show IP OSPF Interface: Used to display OSPF-related interface information.
• Show IP OSPF Database: Used to display lists of information related to the OSPF database for a specific router.
• Show IP OSPF Border-Routers: Used to display the internal OSPF routing table entries to an Area Border Router (ABR) and Autonomous System Boundary Router (ASBR).
6.6.6 Advanced
On the Interfaces & Routing > Dynamic Routing (OSPF) > Advanced tab you find further OSPF-related configuration options concerning the injection (redistribution) of routing information from a domain other than OSPF into the OSPF domain.
Note – Policy routes cannot be redistributed.
Redistribute connected: Select if you want to redistribute routes of directly connected
networks; the default metric (cost) value is 10.
Redistribute static: Select if you want to redistribute static routes.
Note – IPsec tunnels must have Strict Routing disabled to be redistributed (see
chapter Connections).
Redistribute IPsec: Select if you want to redistribute the IPsec routes; the Bind To Interface option should be disabled.
Redistribute SSL VPN: Select if you want to redistribute SSL VPN; the default metric
(cost) value is 10.
Redistribute BGP: Select if you want to redistribute BGP routes; the default metric
(cost) value is 10.
Announce default route: Select if you want to redistribute a default route into the OSPF
domain; the default metric (cost) value is 25. Announce default route does not work
with IPv6.
Note – A default route will be advertised into the OSPF domain regardless of whether
it has a route to 0.0.0.0/0.
Interface link detection: Select if routes on interfaces should only be announced if an
interface link is detected.
6.7 Border Gateway Protocol
The Border Gateway Protocol (BGP) is a routing protocol used mainly by Internet Service Providers (ISP) to enable communication between multiple autonomous systems (AS), that is between multiple ISPs, thus being the backbone of the Internet. An autonomous system is a collection of connected IP networks controlled by one or more ISPs and connected via an internal routing protocol (e.g. IGP). BGP is described as path vector protocol and, in contrast to IGP, makes routing decisions based on path, network policies, and/or rulesets. For this reason it can be regarded as a reachability protocol rather than a routing protocol.
Each ISP (or other network provider) must have an officially registered Autonomous System Number (ASN) to identify themselves on the network. Although an ISP may support multiple autonomous systems internally, to the Internet only the routing protocol is relevant. ASNs in the range 64512-65534 are private and can only be used internally.
BGP uses TCP as the transport protocol, on port 179.
When BGP is used between routers of a single AS it is called interior BGP (iBGP); when it is used between routers of different AS it is called exterior BGP (eBGP).
A strength of eBGP is that it prevents routing loops between autonomous systems, so that a route never leads through the same AS twice. This is accomplished by means of the AS_PATH attribute: every route announcement carries the complete list of AS numbers it has passed through on its way from the originating AS. When an eBGP router forwards an announcement to a neighbor in another AS, it prepends its own ASN to that list. When a router receives an UPDATE whose AS_PATH already contains its own ASN, it rejects the route, because accepting it would create a loop. iBGP routers do not add their ASN to the path, since the whole AS counts as a single hop.
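The loop prevention described above, as an added example that is not part of the Sophos manual or product: a small Python model of AS_PATH handling. A router rejects an UPDATE whose AS_PATH already contains its own ASN and prepends its own ASN when advertising to an eBGP neighbor but not to an iBGP neighbor. The ring of private ASNs used in the simulation is constructed for illustration.

```python
"""BGP AS_PATH loop prevention (added example, not Sophos code).

receive_update(): a router drops a route whose AS_PATH already contains its
own ASN, because forwarding it would create a loop between autonomous systems.
advertise(): eBGP prepends the local ASN to the path, iBGP leaves it unchanged.
propagate_ring(): passes one prefix around a ring of eBGP peers and shows
where the loop is cut. The ASNs below are constructed.
"""
from typing import Dict, List, Optional


def receive_update(local_asn: int, as_path: List[int]) -> Optional[List[int]]:
    """Return the accepted AS_PATH, or None if the route would loop back."""
    if local_asn in as_path:
        return None
    return list(as_path)


def advertise(local_asn: int, as_path: List[int], ebgp: bool) -> List[int]:
    """AS_PATH as sent to a neighbor. eBGP: own ASN is prepended once.
    iBGP: unchanged, the whole AS counts as one hop."""
    if ebgp:
        return [local_asn] + list(as_path)
    return list(as_path)


def propagate_ring(ring: List[int], origin: int) -> Dict[int, Optional[List[int]]]:
    """Originate a prefix in `origin` (empty AS_PATH) and hand it from AS to AS
    around a ring of eBGP peers. Returns the AS_PATH each AS accepted; None
    marks the AS that found its own number in the path and dropped the route.
    After len(ring) hops the announcement arrives back at the origin."""
    if origin not in ring:
        raise ValueError("origin must be a member of the ring")
    if len(set(ring)) != len(ring):
        raise ValueError("ASNs in the ring must be unique")
    received: Dict[int, Optional[List[int]]] = {}
    path: List[int] = []          # locally originated route: empty AS_PATH
    current = origin
    for _ in range(len(ring)):
        nxt = ring[(ring.index(current) + 1) % len(ring)]
        accepted = receive_update(nxt, advertise(current, path, ebgp=True))
        received[nxt] = accepted
        if accepted is None:      # loop detected, announcement stops here
            break
        path, current = accepted, nxt
    return received


if __name__ == "__main__":
    for asn, path in propagate_ring([65001, 65002, 65003], 65001).items():
        print(asn, "rejected (own ASN in path)" if path is None else path)
```

Running the block shows AS 65002 accepting the path [65001], AS 65003 accepting [65002, 65001], and AS 65001 rejecting [65003, 65002, 65001] because its own number is already in it.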
6.7.1 Global
On the Border Gateway Protocol > Global page, you can enable and disable BGP for the
UTM.
1. To be able to enable BGP, create at least one neighbor on the Neighbor page.
2. On the Global page, enable BGP.
Click the toggle switch.
The toggle switch turns amber and the BGP System section becomes editable.
3. Make the following settings:
AS number: Enter the Autonomous System Number (ASN) of your system.
Router ID: Enter an IPv4 address as router ID which is sent to neighbors during
session initialization.
Networks: Add or select the networks that should be announced to the neighbors
by the system. How to add a definition is explained on the Definitions & Users >
Network Definitions > Network Definitions page.
Note – The networks to be announced must be assigned to a physical or virtual interface of the UTM. If a prefix is announced for which the UTM has no local route, packets to an address in that prefix that does not exist locally can loop between the BGP neighbor and the UTM.
4. Click Apply.
The toggle switch turns green and BGP becomes active. After a short time, the
BGP Summary section displays status information.
6.7.2 Systems
On the Border Gateway Protocol > Systems page you can create an environment with
multiple autonomous systems.
Note – This page is only accessible if you enable the use of multiple AS on the
Advanced page.
To create a new BGP system, do the following:
1. On the Systems page, click New BGP System.
The Add BGP System dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the system.
ASN: Enter the Autonomous System Number (ASN) of your system.
Router ID: Enter an IPv4 address as router ID which is sent to neighbors during
session initialization.
Neighbor: Select the checkboxes of those neighbors who belong to the AS of this
system. Note that you need to create the neighbors beforehand on the Neighbor
page.
Networks: Add or select the networks that should be announced by the system.
How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Install routes: This option is enabled by default and should only be disabled if you want a BGP router to know the routes but not to actively take part in the BGP routing process. If there are multiple AS systems where this option is selected, filter lists must be created to ensure that there are no duplicate networks. Otherwise the routing behavior for identical networks is undefined.
3. Click Save.
The system appears on the Systems list.
6.7.3 Neighbor
On the Border Gateway Protocol > Neighbor page, you can create one or more BGP neighbor routers. A neighbor router (or peer) is the router with which the UTM establishes a BGP session, either across an AS boundary (eBGP) or within a single AS (iBGP). When the session comes up, the two neighbors exchange their complete BGP routing tables; afterwards they only send each other incremental UPDATE messages about changes. KEEPALIVE messages are exchanged to confirm that the session is still up, and a NOTIFICATION message is sent when an error occurs, which closes the session.
Policy routing in BGP differentiates between inbound and outbound policies. This is why
defined route maps and filter lists can be applied separately for inbound or outbound
traffic.
You need to create at least one neighbor router to be able to enable BGP on the Global
page.
To create a new BGP neighbor, do the following:
1. On the Neighbor page, click New BGP Neighbor.
The Add BGP neighbor dialog box opens.
2. Make the following settings:
Name: Enter the name of the BGP neighbor router.
Host: Add or select the host definition of the neighbor. The defined IP address must be reachable from the UTM. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Remote ASN: Enter the Autonomous System Number (ASN) of the neighbor.
Authentication: If the neighbor requires authentication, select TCP MD5 Signature from the drop-down list and enter the password, which must be identical to the password configured on the neighbor. This uses the TCP MD5 Signature Option (RFC 2385) to authenticate every TCP segment of the BGP session, so a peer without the matching password cannot establish or inject into the session. Use a strong, per-neighbor password.
3. Make the following advanced settings, if required:
Route in/out: If you have defined a route map, you can select it here. With In or Out you define whether to apply the route map to incoming or outgoing announcements.
Filter in/out: If you have defined a filter list, you can select it here. With In or Out
you define whether to apply the filter to ingoing or outgoing announcements.
Next-Hop-Self: In an iBGP network, when a router announces a network it learned via eBGP to its iBGP neighbors, the next hop of that route still points to the external peer; iBGP routers with no direct external connection then do not know how to reach that next hop. If this option is selected, the UTM sets itself as the next hop for the routes it announces to this neighbor.
Multihop: By default an eBGP session requires the two peers to be directly connected (BGP packets are sent with a TTL of 1). eBGP multihop allows a neighbor connection between two external peers that are not directly connected, for example with another router in between. Multihop applies to eBGP only, not to iBGP.
Soft-Reconfiguration: Enabled by default. The UTM stores the unmodified routes received from this neighbor, so that a changed inbound route map or filter list can be re-applied to them without tearing down and re-establishing the session.
Default Originate: Sends the default route 0.0.0.0/0 to the neighbor. The neighbor uses this route only for destinations that are not covered by a more specific route in its routing table.
Weight: Cisco-specific option. Sets a generic weight for all routes learned from
this neighbor. You can enter a value between 0 and 65535. The route with the
highest weight is preferred to reach a particular network. The weight given here
overrides route map weight.
4. Click Save.
The neighbor appears on the Neighbor list.
6.7.4 Route Map
In BGP, a route map sets conditions for redistributing routes and enables policy routing. On the Border Gateway Protocol > Route Map page, you can create route maps for particular networks, setting metric, weight, and/or preference values.
The best path algorithm, which decides which of several routes to the same prefix is used, checks the following attributes in order and stops at the first one that differs:
1. Weight (higher is preferred).*
2. Local preference (higher is preferred).*
3. Locally originated routes are preferred over learned ones.
4. AS path length (shorter is preferred).
5. Origin (IGP before EGP before incomplete).
6. Metric, i.e. the multi-exit discriminator, MED (lower is preferred).*
This is only a short description. Since the calculation of the best path has further tie-breakers and is rather complex, please refer to pertinent documentation, which is available on the Internet, for detailed information.
Items followed by an asterisk (*) can be directly configured in a route map.
To create a BGP route map, do the following:
1. On the Route Map page, click New BGP Route Map.
The Add BGP Route Map dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the route map.
Match by: Select whether the route map should match the IP address of a particular router or a whole AS.
• IP address: In the Networks dialog box, add or select hosts or networks the route map should apply to. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
• AS number: In the AS Regex box, use BGP regular expressions to define AS numbers the route map should apply to. Example: _100_ matches any route whose AS path contains AS 100.
Networks: Add or select networks and/or hosts the route map should apply to. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Metric: By default, a router dynamically learns route metrics. However, you can
set your own metric value which can be an integer from 0 to 4294967295. A
lower metric value is preferred over a higher metric value.
Weight: Weight is used to select a best path. It is specified for a specific router
and it is not propagated. When multiple routes to the same destination exist,
routes with a higher weight value are preferred. Weight is based on the first
matched AS path and can be an integer from 0 to 4294967295.
Note – If a neighbor has been given a weight, it overrides the route map weight
if the route to a specified network matches.
Preference: You can set a local preference value for the route, which is propagated only to the routers in the local AS (via iBGP) and never to eBGP neighbors. Local preference tells the routers in an AS which path is to be preferred to reach a certain network outside the AS. It can be an integer from 0 to 4294967295; the default is 100.
AS prepend: AS path prepending is used if preference settings for some reason
do not suffice to avoid a certain route, for example a backup route which should
only be taken in case the main route is unavailable. It allows you to extend the AS
path attribute by repeating your own AS number, e.g. 65002 65002 65002. This
influences the BGP route selection since the shortest AS path is preferred. Note
that route maps with AS prepend set need to be selected in the Route Out field of
a neighbor to work as intended.
3. Click Save.
The route map appears on the Route Map list.
You can now use the route map on a neighbor definition.
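The best path steps and the route map actions described above, as an added example that is not part of the Sophos manual or product: a simplified Python model of BGP best-path selection. It implements the six listed steps (weight, local preference, locally originated, AS path length, origin, MED) and, to stay deterministic, prefers the lowest neighbor address as a final tie-breaker; the remaining real-world tie-breakers (eBGP over iBGP, IGP cost to the next hop, router ID) are left out. It also shows a neighbor weight overriding a route map weight and how AS prepend lengthens the path a neighbor sees. All ASNs, prefixes, neighbor addresses and attribute values are constructed; the neighbor tie-breaker assumes IPv4 addresses.

```python
"""Simplified BGP best-path selection (added example, not Sophos code).

Route.sort_key() orders candidates for one prefix by: weight (higher wins),
local preference (higher wins), locally originated first, shorter AS path,
origin IGP < EGP < incomplete, lower MED, then lowest neighbor address.
apply_inbound_policy() models a route map 'in' plus the neighbor Weight
field, which overrides the route map weight. as_path_out() shows the path an
eBGP neighbor receives, including any AS prepend. Values are constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is better
MAX_U32 = 4294967295


@dataclass
class Route:
    prefix: str
    neighbor: str            # IPv4 address of the neighbor the route came from
    as_path: List[int]
    origin: str = "igp"
    metric: int = 0          # MED, lower preferred
    weight: int = 0          # higher preferred, local to this router only
    local_pref: int = 100    # higher preferred, shared within the local AS
    local: bool = False      # originated on this router

    def sort_key(self):
        # Python sorts ascending, so "higher is better" attributes are negated.
        return (-self.weight, -self.local_pref, 0 if self.local else 1,
                len(self.as_path), ORIGIN_RANK[self.origin], self.metric,
                tuple(int(octet) for octet in self.neighbor.split(".")))


def best_path(routes: List[Route]) -> Optional[Route]:
    """Return the preferred route among candidates for a single prefix."""
    if not routes:
        return None
    if len({r.prefix for r in routes}) != 1:
        raise ValueError("best_path compares routes to one prefix only")
    return min(routes, key=Route.sort_key)


def _check(value: int, upper: int, name: str) -> None:
    if not 0 <= value <= upper:
        raise ValueError(f"{name} must be between 0 and {upper}")


def apply_inbound_policy(route: Route, weight: Optional[int] = None,
                         local_pref: Optional[int] = None,
                         metric: Optional[int] = None,
                         neighbor_weight: Optional[int] = None) -> Route:
    """Apply route map 'in' values, then the neighbor's Weight field, which
    takes precedence over a route map weight when both are set."""
    r = replace(route)
    if weight is not None:
        _check(weight, MAX_U32, "route map weight")
        r.weight = weight
    if local_pref is not None:
        _check(local_pref, MAX_U32, "local preference")
        r.local_pref = local_pref
    if metric is not None:
        _check(metric, MAX_U32, "metric")
        r.metric = metric
    if neighbor_weight is not None:
        _check(neighbor_weight, 65535, "neighbor weight")
        r.weight = neighbor_weight          # neighbor weight wins
    return r


def as_path_out(route: Route, own_asn: int, prepend: int = 0) -> List[int]:
    """AS_PATH as an eBGP neighbor receives it: own ASN once (normal eBGP
    behaviour) plus `prepend` extra copies from a route map with AS prepend.
    A longer path makes the neighbor prefer another route if one exists."""
    if prepend < 0:
        raise ValueError("prepend must not be negative")
    return [own_asn] * (1 + prepend) + list(route.as_path)
```

Feeding the same prefix learned from two neighbors into best_path() and then changing local preference or weight on one of them shows the order of the steps: a higher local preference beats a shorter AS path, and a neighbor weight beats local preference, exactly as the list above states.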
6.7.5 Filter List
On the Border Gateway Protocol > Filter List page you can create filter lists that permit or deny route announcements, matched by IP prefix or by AS number. Filter lists act on the routing information exchanged with a neighbor, not on the user traffic itself.
To create a filter list, do the following:
1. On the Filter List page, click New BGP Filter List.
The Add BGP Filter List dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the filter list.
Filter by: Select whether the filter should match the IP address of a particular router or a whole AS.
• IP address: In the Networks dialog box, add or select hosts or networks the filter should apply to. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
• AS number: In the AS Regex box, use BGP regular expressions to define AS numbers the filter should apply to. Example: _100_ matches any route whose AS path contains AS 100.
Networks: Add or select the networks and/or hosts whose announcements should be permitted or denied. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Action: From the drop-down list, select the action to take when the filter matches. You can either deny or permit the matching announcements.
• Deny: If you deny a network for a particular neighbor via the Filter In field on the Neighbor page, the UTM will ignore announcements for that network. If you do the same via the Filter Out field, the UTM will not send announcements to that neighbor for that network.
• Permit: If you permit a network for a particular neighbor via the Filter In field on the Neighbor page, the UTM will accept announcements for that network only. If you do the same via the Filter Out field, the UTM will send announcements to that neighbor for that network only, but not for any other network you might have defined on the Global or Systems page.
3. Click Save.
The filter list appears on the Filter List list.
You can now use the filter list on a neighbor definition.
6.7.6 Advanced
On the Border Gateway Protocol > Advanced page you can make some additional settings for BGP and you can access BGP debug information windows.
Allow Multiple Autonomous Systems
Allow multiple AS: Select this checkbox if you want to configure multiple AS. This will enable the Systems page, where you can then add multiple AS. At the same time, the BGP System section on the Global page will be disabled, and the Global page will display information for all AS.
Strict IP Address Match
Strict IP address match: Select this checkbox to strictly match IP addresses. Example: 10.0.0.0/8 will only match 10.0.0.0/8, but not the more specific 10.0.1.0/24.
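The two filter list match types from section 6.7.5 and the strict match option above, as an added example that is not part of the Sophos manual or product: a Python model of how a filter list decides which announcements pass. The AS Regex uses the Cisco/Quagga BGP regex dialect, in which the underscore stands for a path boundary (start of path, end of path, or the space between two AS numbers), so _100_ matches AS 100 but not AS 1100 or 1001. A network object matches a route prefix exactly when strict matching is on, and also any more specific prefix inside it when strict matching is off. All prefixes and AS paths are constructed.

```python
"""BGP filter list matching (added example, not Sophos code).

bgp_regex_to_python() translates the '_' boundary token of BGP regexes;
prefix_matches() implements strict (exact) versus non-strict (covering)
network matching; apply_filter_list() applies Permit/Deny as the manual
describes: deny drops matching announcements and passes the rest, permit
passes matching announcements only. Sample routes are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

Route = Tuple[str, List[int]]   # (prefix, AS_PATH)


def bgp_regex_to_python(expr: str) -> "re.Pattern[str]":
    """'_' matches start of path, end of path, or the space between ASNs.
    Other regex syntax (^ $ . * + ? [ ] ( ) |) is passed through unchanged."""
    return re.compile(expr.replace("_", r"(?:^|$|\s)"))


def as_path_matches(expr: str, as_path: List[int]) -> bool:
    """Match a BGP regex against the space-separated AS path."""
    text = " ".join(str(asn) for asn in as_path)
    return bgp_regex_to_python(expr).search(text) is not None


def prefix_matches(filter_net: str, route_prefix: str, strict: bool) -> bool:
    """strict=True: exact prefix only. strict=False: the route may also be a
    more specific prefix contained in the filter network."""
    f = ipaddress.ip_network(filter_net, strict=False)
    r = ipaddress.ip_network(route_prefix, strict=False)
    if f.version != r.version:
        return False
    return f == r if strict else r.subnet_of(f)


def apply_filter_list(routes: Iterable[Route], action: str,
                      networks: Iterable[str] = (),
                      as_regex: Optional[str] = None,
                      strict: bool = False) -> List[Route]:
    """Apply one filter list to a set of announcements and return those that
    pass. Exactly one match type is used: as_regex if given, else networks."""
    nets = list(networks)

    def matches(route: Route) -> bool:
        prefix, path = route
        if as_regex is not None:
            return as_path_matches(as_regex, path)
        return any(prefix_matches(n, prefix, strict) for n in nets)

    if action == "deny":
        return [r for r in routes if not matches(r)]
    if action == "permit":
        return [r for r in routes if matches(r)]
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    sample = [("10.0.1.0/24", [65001, 100]),
              ("10.0.0.0/8", [65001, 200]),
              ("192.0.2.0/24", [65001, 1100])]
    print(apply_filter_list(sample, "deny", as_regex="_100_"))
    print(apply_filter_list(sample, "permit", networks=["10.0.0.0/8"], strict=True))
```

With strict matching off, a filter list entry for 10.0.0.0/8 also catches 10.0.1.0/24; with strict matching on, only the /8 itself passes a Permit filter, which is the behaviour the example on the Advanced page describes.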
Multiple Path Routing
Normally only one path is used, even if there are multiple routes to the same destination with the same cost. If multiple path routing is selected, up to eight equal routes can be used at the same time. This allows load balancing between multiple interfaces.
Note – Load balancing between multiple interfaces only works across neighbors that belong to the same AS, so that the paths they announce are equal.
Multiple Path Routing for eBGP: Select this checkbox to activate multiple path routing for eBGP (exterior BGP), that is across neighbors in an AS other than the UTM's own AS.
Multiple Path Routing for iBGP: Select this checkbox to activate multiple path routing for iBGP (interior BGP), that is across neighbors that belong to the UTM's own AS.
BGP Debug
This section provides access to three debug information windows. Click a button to
open a window. The name of a button corresponds to the BGP command you would nor
mally invoke on the command line. The window will then display the result of that com
mand in form of a command line output.
Show IP BGP Neighbor: Displays information on the neighbors of the UTM. Check that the BGP state of each neighbor is Established; any other state (Idle, Connect, Active, OpenSent, OpenConfirm) means the session is not up and no routes are exchanged.
Show IP BGP Unicast: Displays the current BGP routing table with the preferred paths. This is especially useful to get an overview of your metric, weight, and preference settings and their impact.
Show IP BGP Summary: Displays the status of all BGP connections. This information is
also displayed in the BGP Summary section on the Global page.
6.8 Multicast Routing (PIM-SM)
The menu Interfaces & Routing > Multicast Routing (PIM-SM) enables you to configure Protocol Independent Multicast Sparse Mode (PIM-SM) for use on your network. PIM is a protocol to dynamically route multicast packets in networks. Multicast is a technique to deliver packets that are to be received by more than one client efficiently, using as little traffic as possible. Normally, packets for more than one client are simply copied and sent to every client individually, multiplying the consumed bandwidth by the number of users. Thus servers which have a lot of clients requesting the same packets at the same time, e.g. servers for streaming content, need a lot of bandwidth.
Multicast, in contrast, saves bandwidth by sending packets only once over each link of the network. To achieve this, multicast includes adequately configured routers in the decision when to create copies on the way from the server (sender) to the client (receiver). The routers use PIM-SM to keep track of active multicast receiver(s) and use this information to configure routing.
A rough scheme of PIM-SM communication is as follows: A sender starts transmitting its multicast data. The sender's first-hop multicast router registers the source via PIM-SM with the rendezvous point (RP) router, which in turn sends a join message towards the sender's router. Multicast packets now flow from the sender to the RP router. A receiver announces its interest in a multicast group with an IGMP membership report on its local network segment; its local PIM-SM router picks this up and sends a join request for that group towards the RP router, which then forwards the group's multicast traffic to the receiver.
Multicast has its own IP address range, 224.0.0.0/4 (224.0.0.0 to 239.255.255.255).
6.8.1 Global
On the Multicast Routing (PIM-SM) > Global tab you can enable and disable PIM. The
Routing Daemon Settings area displays the status of interfaces and routers involved.
Before you can enable PIM you need to define at least two interfaces to serve as PIM
interfaces on the Interfaces tab and one router on the RP Routers tab.
To enable PIM-SM, do the following:
1. On the Global tab enable PIM-SM.
Click the toggle switch.
The toggle switch turns amber and the Routing Daemon Settings area becomes
editable.
2. Make the following settings:
Active PIM-SM interfaces: Select at least two interfaces to use for PIM-SM. Interfaces can be configured on the Interfaces tab.
Active PIM-SM RP routers: Select at least one RP router to use for PIM-SM. RP
routers can be defined on the RP Routers tab.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green and PIM-SM communication is now active in your
network.
To cancel the configuration, click the amber colored toggle switch. To disable PIM-SM
click the green toggle switch.
Live Log
Click the Open Live Log button to open the PIM live log in a new window.
6.8.2 Interfaces
On the Multicast Routing (PIM-SM) > Interfaces tab you can define over which interfaces
of Sophos UTM multicast communication should take place.
To create a new PIM-SM interface, do the following:
1. On the Interfaces tab, click New PIM-SM Interface.
The dialog box Add PIM-SM Interface opens.
2. Make the following settings:
Name: Enter a descriptive name for PIM-SM interface.
Interface: Select an interface that is to accept PIM and IGMP network traffic.
DR priority (optional): Enter a number that defines the designated router (DR) priority for the interface. If more than one PIM-SM router is present on the same network segment, the router with the highest priority becomes the DR; it handles the IGMP membership reports on that segment and sends the corresponding join messages towards the RP. Numbers from 0 to 2^32 - 1 (4294967295) are possible. If you do not provide a priority, 0 is used by default.
IGMP: Select the version of the Internet Group Management Protocol that is to be
supported. IGMP is used by recipients to establish multicast group memberships.
Comment (optional): Add a description or other information.
3. Click Save.
The new PIM-SM interface is added to the interfaces list.
To either edit or delete a PIM-SM interface, click the corresponding buttons.
6.8.3 RP Routers
In order to be able to use multicast on your network you need to configure one or more
rendezvous point routers (RP routers). An RP router accepts registrations both from
multicast receivers and senders. An RP router is a regular PIM-SM router that is chosen
to be the RP router for certain multicast groups as well. All PIM-SM routers must agree
on which router is to be the RP router.
To create an RP router, do the following:
1. On the RP Routers tab, click New Rendezvous Point Router.
The dialog box Add RP Router opens.
2. Make the following settings:
Name: Enter a descriptive name for the RP router.
Host: Create (or select) the host that should act as rendezvous point router.
Priority: Enter a number that defines the priority of the RP router. Join messages are sent to the RP router with the lowest priority value. Numbers from 0 to 255 are possible. If you do not provide a priority, 0 is used by default.
Multicast Group Prefixes: Enter the multicast group the RP router is responsible
for. You can define group prefixes like 224.1.1.0/24 if the RP is responsible for
more than one multicast group. The multicast group (prefix) must be within the
multicast address range which is 224.0.0.0/4.
Comment (optional): Add a description or other information.
3. Click Save.
The new RP router is added to the routers list.
To either edit or delete an RP router, click the corresponding buttons.
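The DR priority rule from the Interfaces tab and the RP priority and group prefix rules from the RP Routers tab, as an added example that is not part of the Sophos manual or product: a Python model of PIM-SM designated router election and rendezvous point selection. DR election follows RFC 4601 (highest DR priority wins, ties go to the highest interface address). RP selection follows RFC 4601 section 4.7.1 as far as the manual describes it: the longest matching group prefix wins, then the lowest priority value; the hash tie-breaker of the RFC is omitted and remaining ties go to the highest RP address. Group prefixes are checked against 224.0.0.0/4 as the manual requires. All router names, addresses and priorities are constructed.

```python
"""PIM-SM DR election and RP selection (added example, not Sophos code).

validate_rp(): priority must be 0..255 and every group prefix inside
224.0.0.0/4. select_rp(): longest matching group prefix, then lowest
priority, then highest RP address (RFC hash step omitted). elect_dr():
highest DR priority, then highest interface address. Data is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")


@dataclass(frozen=True)
class RPRouter:
    name: str
    host: str                    # address of the rendezvous point
    priority: int                # 0..255, lower value is preferred
    group_prefixes: Tuple[str, ...]   # e.g. ("224.1.1.0/24",)


def validate_rp(rp: RPRouter) -> None:
    """Reject priorities outside 0..255 and prefixes outside 224.0.0.0/4."""
    if not 0 <= rp.priority <= 255:
        raise ValueError(f"{rp.name}: priority {rp.priority} not in 0..255")
    for p in rp.group_prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if not net.subnet_of(MULTICAST_RANGE):
            raise ValueError(f"{rp.name}: {p} is outside {MULTICAST_RANGE}")


def select_rp(group: str, rps: List[RPRouter]) -> Optional[RPRouter]:
    """Return the RP responsible for `group`, or None if no prefix covers it."""
    g = ipaddress.ip_address(group)
    if g not in MULTICAST_RANGE:
        raise ValueError(f"{group} is not a multicast address")
    best, best_key = None, None
    for rp in rps:
        validate_rp(rp)
        for p in rp.group_prefixes:
            net = ipaddress.ip_network(p, strict=False)
            if g in net:
                # Larger tuple wins: longer prefix, lower priority, higher address.
                key = (net.prefixlen, -rp.priority,
                       int(ipaddress.ip_address(rp.host)))
                if best_key is None or key > best_key:
                    best, best_key = rp, key
    return best


def elect_dr(routers: List[Tuple[str, int]]) -> Optional[str]:
    """routers: (interface address, DR priority) of all PIM routers on one
    segment. Highest priority wins, then highest address. Returns the winner."""
    if not routers:
        return None
    return max(routers, key=lambda r: (r[1], int(ipaddress.ip_address(r[0]))))[0]


if __name__ == "__main__":
    rps = [RPRouter("rp-any", "10.0.0.1", 0, ("224.0.0.0/4",)),
           RPRouter("rp-b", "10.0.0.2", 10, ("224.1.1.0/24",)),
           RPRouter("rp-c", "10.0.0.3", 5, ("224.1.1.0/24",))]
    print(select_rp("224.1.1.7", rps).name)      # rp-c: /24 beats /4, 5 beats 10
    print(select_rp("239.255.1.1", rps).name)    # rp-any: only covering prefix
    print(elect_dr([("10.1.0.1", 0), ("10.1.0.2", 10), ("10.1.0.3", 10)]))
```

Note that a catch-all RP for 224.0.0.0/4 with priority 0 still loses to a more specific group prefix with a worse priority value, because prefix length is compared before priority; keep this in mind when mixing a default RP with per-group RPs.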
6.8.4 Routes
You need to set up a continuous communication route between receivers and sender(s). If recipient, sender and/or RP router are not within the same network segment, you will need to create a route to enable communication between them.
To create a PIM-SM route, do the following:
1. On the Routes tab, click New PIM-SM Route.
The dialog box Add PIM-SM Route opens.
2. Make the following settings:
Route type: The following route types are available:
• Interface route: Packets are sent out on a particular interface. This is useful in two cases. First, for routing on dynamic interfaces (PPP), because in this case the IP address of the gateway is unknown. Second, for defining a default route having a gateway located outside the directly connected networks.
• Gateway route: Packets are sent to a particular host (gateway).
Network: Select the destination address range where the PIM traffic is to be
routed to.
Gateway: Select the gateway (router) to which the UTM forwards the multicast data packets (only available if you selected Gateway route as route type).
Interface: Select the interface on which the UTM sends out the multicast data packets (only available if you selected Interface route as route type).
Comment (optional): Add a description or other information.
3. Click Save.
The new PIM-SM route is added to the routes list.
To either edit or delete a PIM-SM route, click the corresponding buttons.
6.8.5 Advanced
On the Interfaces & Routing > Multicast Routing (PIM-SM) > Advanced tab you can configure some advanced settings for PIM.
Shortest Path Tree Settings
In some networks the PIM communication path from the sender via the RP to the recipient is not the shortest network path available. The option Enable Switch to Shortest Path Tree allows an existing communication between sender and recipient to be moved to the shortest available path, bypassing the RP, once a certain traffic threshold is reached.
Auto Firewall Settings
With this option enabled, the system will automatically create all necessary firewall rules needed to forward multicast traffic for the specified multicast groups.
Debug Settings
Select the option Enable Debug Mode to see additional debugging information in the
PIM-SM routing daemon log.
7 Network Services
This chapter describes how to configure several network services of Sophos UTM for
your network.
The following topics are included in this chapter:
• DNS
• DHCP
• NTP
7.1 DNS
The tabs of the Network Services > DNS menu contain miscellaneous configuration options, all related to the Domain Name System (DNS), a system primarily used to translate domain names (computer hostnames) to IP addresses.
7.1.1 Global
Allowed Networks
You can specify the networks that are to be allowed to use UTM as a recursive DNS resolver. Typically, you will select your internal networks here.
Caution – It is extremely important not to select an Any network object, because this turns the appliance into an open resolver that anyone on the Internet can query. Open resolvers are abused for DNS amplification attacks (small queries with a spoofed source address that trigger large responses towards a victim) and are a target for cache poisoning attempts, so this is a serious security risk.
Note – If you already run an internal DNS server, for example as part of Active Directory, you should leave this box empty.
DNSSEC
The Domain Name System Security Extensions (DNSSEC) are a set of extensions to DNS that enhance its security. They work by digitally signing DNS records using public-key cryptography, so that a resolver can verify that a response really originates from the zone's owner and was not altered in transit. If unselected, the UTM accepts all DNS records. If selected, the UTM validates the DNS responses it receives with regard to their DNSSEC signatures. Only correctly signed records will be accepted from signed zones; records from unsigned zones are accepted as before, since DNSSEC cannot protect them.
Note – If selected, DNS records might be rejected by DNSSEC-incapable forwarders
that are manually installed or assigned by ISP. In this case, on the Forwarders tab,
remove the DNS forwarders from the box and/or disable the Use forwarders assigned
by ISP checkbox.
Flush Resolver Cache
The DNS proxy uses a cache for its records. Each record has a time-to-live (TTL), set by the authoritative name server of the zone, after which it expires and is removed from the cache; TTLs of up to one day are common. You can, however, empty the cache manually, e.g. if you want recent changes in DNS records to take effect immediately without waiting for the TTL to expire. To empty the cache, click Flush Resolver Cache Now.
7.1.2 Forwarders
On the Network Services > DNS > Forwarders tab you can specify so-called DNS forwarders. A DNS forwarder is a Domain Name System (DNS) server on a network used to forward DNS queries for external DNS names to DNS servers outside of that network. If possible, add a DNS forwarder to your configuration. This should be a host "near" your site, preferably one provided by your Internet provider. It will be used as a "parent" cache. This will speed up DNS requests considerably. If you do not specify a forwarding name server, the root DNS servers will be queried for zone information first, taking a longer time to complete requests.
To create a DNS forwarder, proceed as follows:
1. Select a DNS forwarder.
Select or add a DNS forwarder. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Use forwarders assigned by ISP (optional): Select the Use forwarders
assigned by ISP checkbox to forward DNS queries to the DNS servers of
your ISP. When this box is checked, all forwarders automatically assigned
by your ISP will be listed in the line below the box.
2. Click Apply.
Your settings will be saved.
7.1.3 Request Routing
Suppose you run your own internal DNS server. That server can be used as an alternate server to resolve DNS queries for a domain you do not want to be resolved by the DNS forwarders. On the Network Services > DNS > Request Routing tab you can define routes to your own DNS servers.
To create a DNS request route, proceed as follows:
1. On the Request Routing tab, click New DNS Request Route.
The Add DNS Request Route dialog box opens.
2. Make the following settings:
Domain: Enter the domain for which you want to use an alternate DNS server.
Target servers: Select or add one or more DNS servers to use for resolving the
domain entered above. How to add a definition is explained on the Definitions &
Users > Network Definitions > Network Definitions page.
Comment (optional): Add a description or other information.
3. Click Save.
The new route appears on the DNS Request Route list and is immediately active.
To either edit or delete a DNS request route, click the corresponding buttons.
7.1.4 Static Entries
If you do not want to set up your own DNS server but need a static DNS mapping for a
few hosts of your network, you can enter these mappings.
Starting with UTM version 9.1, this feature has moved to the Definitions & Users > Network Definitions tab. DNS mappings are now defined along with the involved hosts.
When you click the Static Entries button, the Definitions & Users > Network Definitions
tab opens. Automatically, only hosts with static entry are displayed. Use the drop-down
list on top of the list to change the filter settings.
7.1.5 DynDNS
Dynamic DNS, or DynDNS for short, is a domain name service which allows static Internet domain names to be assigned to a computer with a varying IP address. You can sign up for the DynDNS service at the website of the respective DynDNS service provider to get a DNS alias that will automatically be updated when your uplink IP address changes. Once you have registered to this service, you will receive a hostname, username, and password, which are necessary for the configuration.
To configure DynDNS, proceed as follows:
1. On the DynDNS tab, click New DynDNS.
The Add DynDNS dialog box opens.
2. Make the following settings:
Type: The following DynDNS services are available:
• DNSdynamic: Official website: www.dnsdynamic.org
• DNS Park: Official website: www.dnspark.com
• DtDNS: Official website: www.dtdns.com
• DNS-O-Matic: The generic hostname all.dnsomatic.com can be used to update all configured services at once instead of just a specific hostname (see also: www.dnsomatic.com/wiki/api). Official website: www.dnsomatic.com
• Dyn: Standard DNS service of the service provider Dynamic Network Services Inc. (Dyn). Official website: www.dyn.com
• Dyn custom: Custom DNS service of the service provider Dynamic Network Services Inc. (Dyn) (www.dyn.com). Custom DNS is designed primarily to work with domains owned or registered by yourself.
• easyDNS: Official website: www.easydns.com
• FreeDNS: Official website: freedns.afraid.org
• Namecheap: Official website: www.namecheap.com
• No-IP.com: Official website: www.noip.com
• OpenDNS IP update: Official website: www.opendns.com
• selfHOST: Official website: www.selfhost.de
• STRATO AG: Official website: www.strato.de
• zoneedit: Official website: www.zoneedit.com
Note – In the Server field the URL is displayed to which the UTM sends the IP
changes.
Assign (not with type FreeDNS): Define the IP address the DynDNS name is to be
associated with. Selecting IP of Local Interface is useful when the interface in
question has a public IP address. Typically, you will use this option for your DSL
uplink. When you select First public IP on the default route no interface needs to
be specified. Instead, your UTM will send a WWW request to a public DynDNS
server which in return will respond with the public IP you are currently using. This
is useful when your UTM does not have a public IP address but is located inside a
private network, connected to the Internet via a masquerading router.
Note – FreeDNS always uses the first public IP address on the default route.
Interface (only with IP of local interface): Select the interface for which you want to use the DynDNS service; most likely this will be your external interface connected to the Internet.
Record (only with Dyn and FreeDNS): Select the record you want to use for the
DynDNS service. Decide between A (IPv4), A & AAAA (dual stack) (only with Dyn)
and AAAA (IPv6) (only with FreeDNS).
Hostname (not with type Open DNS IP update): Enter the domain name you
received from your DynDNS service provider (e.g., example.dyndns.org). Note
that you need not adhere to a particular syntax for the hostname to be entered
here. What you must enter here exclusively depends on what your DynDNS ser
vice provider requires. Apart from that, you can also use your DynDNS hostname
as the gateway's main hostname, which, however, is not mandatory.
Label (only with type Open DNS IP update): Enter the label given to the network.
Please refer to the OpenDNS Knowledgebase for further information.
Aliases (optional, only with some types): Use this box to enter additional hostnames which should point to the same IP address as the main hostname above (e.g., mail.example.com, example.com).
MX (optional, only with type DNS Park, DynDNS, or easyDNS): Mail exchangers are
used for directing mail to specific servers other than the one a hostname points
to. MX records serve a specific purpose: they let you specify the host (server) to
which mail for a specific domain should be sent. For example, if you enter
mail.example.com as Mail Exchanger, mail addressed to user@example.com
would be delivered to the host mail.example.com.
MX priority (optional, only with type DNS Park): Enter a positive integer number
indicating whether the specified mail server should be preferred for delivery of
mail to the domain. Servers with lower numbers are preferred over servers with
higher numbers. You can usually leave the field blank because DNS Park uses a
default value of 5 which is appropriate for almost all purposes. For technical
details about mail exchanger priorities, see RFC 5321.
Backup MX (optional, only with type DynDNS or easyDNS): Select this checkbox
only if the hostname named in the Hostname text box is to serve as main mail
exchanger. Then the hostname from the MX text box will only be advertised as a
backup mail exchanger.
Wildcard (optional, only with type DynDNS or easyDNS): Select this option if you want subdomains to point to the same IP address as your registered domain. Using this option an asterisk (*) will be added to your domain serving as a wildcard (e.g., *.example.dyndns.org), thus making sure that, for example, www.example.dyndns.org will point to the same address as example.dyndns.org.
Username: Enter the username you received from the DynDNS service provider.
Password: Enter the password you received from the DynDNS service provider.
Comment (optional): Add a description or other information.
3. Click Save.
The new DynDNS appears on the DynDNS list. The service is still disabled (toggle
switch is gray).
4. Enable DynDNS.
Click the toggle switch to enable the DynDNS service.
The service is now enabled (toggle switch is green).
To either edit or delete a DynDNS, click the corresponding buttons.
You can use multiple DynDNS objects at the same time. When all settings for two hostnames are identical, it is recommended to use the Aliases option—instead of creating two distinct objects.
7.2 DHCP
The Dynamic Host Configuration Protocol (DHCP) automatically distributes addresses from a defined IP address pool to client computers. It is designed to simplify network configuration on large networks, and to prevent address conflicts. DHCP distributes IP addresses, default gateway information, and DNS configuration information to its clients.
In addition to simplifying the configuration of client computers and allowing mobile computers to move painlessly between networks, DHCP helps to localize and troubleshoot IP address-related problems, as these are mostly issues with the configuration of the DHCP server itself. It also allows for a more effective use of address space, especially when not all computers are active at the same time, as addresses can be distributed as needed and reused when unneeded.
7.2.1 Servers
The tab Network Services > DHCP > Server allows you to configure a DHCP server. Sophos UTM provides the DHCP service for the connected network as well as for other networks. The DHCP server can be used to assign basic network parameters to your clients. You can run the DHCP service on multiple interfaces, with each interface and each network to be provided having its own configuration set.
Note – On the Options tab you can define additional or different DHCP options to be
sent to the clients. A DHCP option defined on the Options tab overwrites a setting
made on the Servers tab if its scope is not set to be global. For example, defining
DHCP options for selected hosts only, you can assign them a DNS server or lease
time different from what is defined for the DHCP server.
To configure a DHCP server, proceed as follows:
1. On the Servers tab, click New DHCP Server.
The Add DHCP Server dialog box opens.
2. Make the following settings:
Interface: The interface from which the IP addresses should be assigned to the
clients. You can only select an already configured interface.
Address type: This option is only available when IPv6 is globally enabled. Select
the IP version of the DHCP server.
Note – Prefix Advertisements with Stateful Autoconfiguration (managed flag),
either on UTM or via another device will be needed. You can configure prefix
advertisements under the Interfaces & Routing > IPv6 > Prefix Advertisements
tab.
Range start/end: The IP range to be used as an address pool on that interface. By default, the configured address area of the network card will appear in the text boxes. If the clients are in the same network, the range must be inside the network attached to the interface. If the clients are in another network, the range must be inside the network where the relayed DHCP requests are forwarded from.
Note – The bigger a defined DHCP IP range, the more memory the UTM will
reserve. Please make sure to reduce the DHCP range size to the values you
need. The maximum allowed range is a /9 network.
DNS server 1/2: The IP addresses of the DNS servers.
Default gateway (only with IPv4): The IP address of the default gateway.
Note – Both wireless access points and RED appliances need the default gateway to be within the same subnet as the interface they are connected to.
Domain (optional): Enter the domain name that will be transmitted to the clients
(e.g., intranet.example.com).
Lease time (only with IPv4): The DHCP client automatically tries to renew its lease. If the lease is not renewed during its lease time, the IP address lease expires. Here you can define this time interval in seconds. The default is 86,400 seconds (one day). The minimum is 600 seconds (10 minutes) and the maximum is 2,592,000 seconds (one month).
Valid lifetime (only with IPv6): The DHCP client automatically tries to renew its lease. If the lease is not renewed during its valid lifetime, the IP address lease status becomes invalid, the address is removed from the interface, and it may be assigned somewhere else. You can select an interval between five minutes and infinity; however, the valid lifetime must be equal to or greater than the preferred lifetime.
Preferred lifetime (only with IPv6): The DHCP client automatically tries to renew
its lease. If the lease is not renewed during its preferred lifetime, the IP address
lease status becomes deprecated, i.e., it is still valid but will not be used for new
connections. You can select an interval between 5 minutes and infinity.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
WINS node type (only with IPv4): Windows Internet Naming Service (WINS) is Microsoft's implementation of NetBIOS Name Server (NBNS) on Windows, a name server and service for NetBIOS computer names. A WINS server acts as a database that matches computer names with IP addresses, thus allowing computers using NetBIOS to take advantage of the TCP/IP network. The following WINS node types are available:
- Do not set: The WINS node type is not set and will be chosen by the client.
- B-node (no WINS): B-node systems use broadcasts only.
- P-node (WINS only): P-node systems use only point-to-point name queries to a Windows name server (WINS).
- M-node (Broadcast, then WINS): M-node systems broadcast first, then query the name server.
- H-node (WINS, then Broadcast): H-node systems query the name server first, then broadcast.
WINS server: Depending on your WINS node type selection, this text box appears. Enter the IP address of the WINS server.
Clients with static mappings only (optional): Select this option to have the DHCP
server assign IP addresses only to clients that have a static DHCP mapping (see
Definition & Users > Network Definitions > Network Definitions).
Enable HTTP proxy auto configuration: Select this option if you want to provide a PAC file for automatic proxy configuration of browsers. For more information, see chapter Web Protection > Filtering Options > Misc, section Proxy Auto Configuration.
Note – HTTP proxy auto configuration is currently not supported with IPv6 by
Microsoft Windows.
Clients via DHCP relay agent (only with IPv4): If selected, the DHCP server assigns IP addresses to clients which are not in the network of the attached interface. In this case, the address range defined above has to be inside the network where relayed DHCP requests are forwarded from, and not within the network of the attached interface.
Netmask: Select the netmask of the network where relayed DHCP requests are forwarded from.
4. Click Save.
The new DHCP server definition appears on the DHCP server list and is immediately active.
To either edit or delete a DHCP server definition, click the corresponding buttons.
7.2.2 Relay
The Network Services > DHCP > Relay tab allows you to configure a DHCP relay. The DHCP service is provided by a separate DHCP server and the UTM works as a relay. The DHCP relay can be used to forward DHCP requests and responses across network segments. You need to specify the DHCP server and a list of interfaces between which DHCP traffic shall be forwarded.
To configure a DHCP relay, proceed as follows:
1. On the Relay tab, enable DHCP Relay.
Click the toggle switch.
The toggle switch turns amber and the DHCP Relay Configuration area becomes
editable.
2. Select the DHCP server.
3. Add the interfaces involved.
Add the interface to the DHCP server as well as all interfaces to the clients' network(s) between which DHCP requests and responses should be forwarded.
4. Click Apply.
Your settings will be saved.
The toggle switch turns green.
To cancel the configuration, click the amber colored toggle switch.
7.2.3 DHCPv6 Relay
The Network Services > DHCP > DHCPv6 Relay tab allows you to configure a DHCP relay
for IPv6. The DHCP service is provided by a separate DHCPv6 interface and the UTM
works as a relay. The DHCPv6 relay can be used to forward DHCP requests and
responses across network segments.
Note – You have to activate IPv6 on the Interfaces & Routing > IPv6 > Global tab to use
DHCPv6 relay.
To configure a DHCPv6 relay, proceed as follows:
1. On the DHCPv6 Relay tab, enable DHCPv6 Relay.
Click the toggle switch.
The toggle switch turns amber and the DHCPv6 Relay Configuration area
becomes editable.
2. Add the interfaces facing clients involved.
Add the interfaces to the clients' network(s) between which DHCPv6 requests
and responses should be forwarded.
3. Add the interfaces facing servers involved.
Add the interfaces facing the DHCPv6 server.
4. Click Apply.
Your settings will be saved.
The toggle switch turns green.
To cancel the configuration, click the amber colored toggle switch.
7.2.4 Static Mappings
You can create static mappings between client and IP address for some or all clients. Starting with UTM version 9.1, this feature has moved to the Definitions & Users > Network Definitions tab. DHCP mappings are now defined along with the involved hosts. When you click the Static Mappings button, the Definitions & Users > Network Definitions tab opens. Automatically, only hosts with static mapping are displayed. Use the drop-down list on top of the list to change the filter settings.
7.2.5 IPv4 Lease Table
Using DHCP, a client no longer owns an IP address, but rather leases it from the DHCP
server, which gives permission for a client to use the address for a period of time.
The lease table on the Network Services > DHCP > IPv4 Lease Table tab shows the current leases issued by the DHCP server, including information about the start date and the date when the lease will expire.
Add Static Mapping to New Host Definition
You can use an existing lease as template for a static MAC/IP mapping with a host to
be defined. Do the following:
1. For the desired lease, click the button Make Static in the Make static column.
The dialog window Make Static opens.
2. Make the following settings:
Action: Select Create a new host.
Name: Enter a descriptive name for the new host.
DHCP server: Select the DHCP server to be used for static mapping. The corresponding DHCP range is displayed below the drop-down list.
IPv4 address: Change the IP address to an address outside the DHCP pool range.
Note – When converting a lease to a static mapping you should change the IP address so that it is no longer inside the scope of the DHCP pool. However, if you change the IP address, the address used by the client will not change immediately, but only when it tries to renew its lease for the next time.
DNS hostname: If you provide a DNS hostname, it will be used as static DNS
entry of the host.
Reverse DNS: Select the checkbox to enable the mapping of the host's IP address
to its name. Note that although several names can map to the same IP address,
one IP address can only ever map to one name.
Comment (optional): Add a description or other information.
3. Click Save.
Your settings will be saved.
You can find the new host with the static mapping on the Definitions & Users > Network
Definitions tab.
Add Static Mapping to Existing Host Definition
You can use an existing lease as template for a new static MAC/IP mapping with an
existing host definition. Do the following:
1. For the desired lease, click the Make Static button in the Make static column.
The dialog window Make Static opens.
2. Make the following settings:
Action: Select Use an existing host.
Host: Add the host by clicking the Folder icon.
3. Click Save.
Your settings will be saved.
You can find the host with the static mapping on the Definitions & Users > Network
Definitions tab.
7.2.6 IPv6 Lease Table
Using DHCP, a client no longer owns an IP address, but rather leases it from the DHCP
server, which gives permission for a client to use the address for a period of time.
The lease table on the Network Services > DHCP > IPv6 Lease Table tab shows the current leases issued by the DHCP server, including information about the start date and the date when the lease will expire.
Note – Leases that have been granted via prefix advertisements are not shown in the
table.
Add Static Mapping to New Host Definition
You can use an existing lease as template for a static MAC/IP mapping with a host to
be defined. Do the following:
1. For the desired lease, click the button Make Static.
The dialog window Make Static opens.
2. Make the following settings:
Action: Select Create a new host.
Name: Enter a descriptive name for the new host.
DHCP server: Select the DHCP server to be used for static mapping. The corresponding DHCP range is displayed below the drop-down list.
IPv6 address: Change the IP address to an address outside the DHCP pool range.
Note – When converting a lease to a static mapping you should change the IP address so that it is no longer inside the scope of the DHCP pool. However, if you change the IP address, the address used by the client will not change immediately, but only when it tries to renew its lease for the next time.
DNS hostname: If you provide a DNS hostname, it will be used as static DNS
entry of the host.
Reverse DNS: Select the checkbox to enable the mapping of the host's IP address
to its name. Note that although several names can map to the same IP address,
one IP address can only ever map to one name.
Comment (optional): Add a description or other information.
3. Click Save.
Your settings will be saved.
Add Static Mapping to Existing Host Definition
You can use an existing lease as template for a new static MAC/IP mapping with an
existing host definition. Do the following:
1. For the desired lease, click the Make Static button in the Make static column.
The dialog window Make Static opens.
2. Make the following settings:
Action: Select Use an existing host.
Host: Add the host by clicking the Folder icon.
3. Click Save.
Your settings will be saved.
You can find the host with the static mapping on the Definitions & Users > Network
Definitions tab.
7.2.7 Options
The Network Services > DHCP > Options tab allows you to configure DHCP options. DHCP options are additional configuration parameters provided by a DHCP server to DHCP clients.
Example: For some VoIP phones, to provide them with the necessary information from your DHCP servers you have to create and activate three additional DHCP options on this page:
- filename: Name of the boot file.
- next-server: Name of the TFTP server which provides the boot file.
- 4 (time-servers): IP address of the time server.
DHCP options can have different scopes: They can e.g. be provided to selected hosts
only, or from selected servers only, or even globally. For this reason it is possible to
define different parameters for the same host. Some DHCP options are already defined
on the DHCP > Servers tab, e.g., DNS server (option 6). In case of conflicting parameter
values, the parameters are provided to the client according to the following priority:
1. DHCP option with scope Host
2. DHCP option with scope MAC prefix
3. DHCP option with scope Vendor ID
4. DHCP option with scope Server
5. DHCP server parameter (DHCP > Servers tab)
6. DHCP option with scope Global
Note – With the DHCP request, a DHCP client submits the information which DHCP
options it can deal with. As a result the DHCP server only provides the DHCP options
the client understands, no matter which options are defined here.
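The six-level precedence above, together with the note that a client only receives the options it asked for, worked through in Python as an added example that is not part of this guide or of Sophos UTM. The Option and Client models, the scope keys, the hex-format check and all sample values are constructed for this illustration.

```python
"""Which value does a DHCP client get for an option when definitions with
different scopes conflict?  Follows the six-level precedence of the DHCP >
Options tab.  Added illustration, not Sophos UTM code: Option, Client, the
scope keys and all sample values below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address
import re

# Lower number wins.  "server_param" stands for a value set directly on the
# DHCP > Servers tab (e.g. DNS server, option 6), which ranks between an
# option with scope Server and one with scope Global.
PRECEDENCE = {"host": 1, "mac_prefix": 2, "vendor_id": 3,
              "server": 4, "server_param": 5, "global": 6}

# Hex values are byte pairs separated by colons, e.g. 00:04:76:16:EA:62
HEX_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})*$")


def validate_value(dtype, value):
    """Check a value against the data types offered on the tab."""
    if dtype == "ip":
        ip_address(value)  # raises ValueError if malformed
    elif dtype == "hex":
        if not HEX_RE.match(value):
            raise ValueError(f"hex value must look like 00:04:76:16:EA:62, got {value!r}")
    elif dtype == "integer":
        if not isinstance(value, int):
            raise ValueError("integer option needs an int")
    elif dtype != "text":
        raise ValueError(f"unknown data type {dtype!r}")
    return value


@dataclass(frozen=True)
class Option:
    code: str        # numbered code ("6", "4", ...) or "filename" / "next-server"
    dtype: str       # "ip", "text", "hex" or "integer"
    value: object
    scope: str       # key of PRECEDENCE
    match: str = ""  # host IP, MAC prefix, vendor ID prefix or server name

    def __post_init__(self):
        if self.scope not in PRECEDENCE:
            raise ValueError(f"unknown scope {self.scope!r}")
        validate_value(self.dtype, self.value)


@dataclass
class Client:
    ip: str
    mac: str
    vendor_id: str
    server: str                                  # DHCP server answering the request
    requested: set = field(default_factory=set)  # codes in the parameter request list


def applies(opt, client):
    """Does the option's scope condition match this client?"""
    if opt.scope == "global":
        return True
    if opt.scope in ("server", "server_param"):
        return opt.match == client.server
    if opt.scope == "host":
        return opt.match == client.ip
    if opt.scope == "mac_prefix":
        return client.mac.lower().startswith(opt.match.lower())
    if opt.scope == "vendor_id":
        return client.vendor_id.startswith(opt.match)
    return False


def resolve(options, client):
    """Return {code: value}: the most specific applicable definition per code,
    restricted to codes the client said it understands."""
    best = {}
    for opt in options:
        if opt.code not in client.requested or not applies(opt, client):
            continue
        current = best.get(opt.code)
        if current is None or PRECEDENCE[opt.scope] < PRECEDENCE[current.scope]:
            best[opt.code] = opt
    return {code: opt.value for code, opt in best.items()}


# Constructed sample: a VoIP phone subnet served by DHCP server "dhcp-lan".
SAMPLE_OPTIONS = [
    Option("6", "ip", "10.0.0.53", "global"),                    # DNS for all servers
    Option("6", "ip", "10.0.1.53", "server_param", "dhcp-lan"),  # DNS set on Servers tab
    Option("6", "ip", "10.0.9.53", "host", "10.0.1.20"),         # override for one host
    Option("4", "ip", "10.0.1.123", "vendor_id", "Cisco"),       # time server for phones
    Option("next-server", "text", "tftp.intranet.example.com", "mac_prefix", "00:04:76"),
    Option("filename", "text", "phone.cfg", "mac_prefix", "00:04:76"),
    Option("43", "hex", "00:04:76:16:EA:62", "server", "dhcp-lan"),
]


def demo():
    """Resolve the sample options for a phone and for an ordinary laptop."""
    phone = Client("10.0.1.20", "00:04:76:16:ea:62", "Cisco SPA", "dhcp-lan",
                   requested={"6", "4", "next-server", "filename", "43", "42"})
    laptop = Client("10.0.1.77", "3c:22:fb:aa:bb:cc", "MSFT 5.0", "dhcp-lan",
                    requested={"6", "15"})
    return resolve(SAMPLE_OPTIONS, phone), resolve(SAMPLE_OPTIONS, laptop)
```

The phone receives the host-scoped DNS server and its vendor- and MAC-scoped boot options; the laptop, which asked only for codes 6 and 15, gets the DNS server from the Servers tab and nothing for code 15 because no definition exists for it.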
To create a DHCP option, proceed as follows:
1. Click New DHCP Option.
The Add DHCP Option dialog box opens.
2. Make the following settings:
Address type (only if IPv6 is enabled): Select the IP version which you create the
DHCP option for.
Code: Select the code of the DHCP option you want to create.
Note – With the entry filename you can specify a file to be loaded into the
DHCP client to be executed there. With next-server you define the boot server.
The numbered DHCP option codes are defined in RFC 2132 and others.
Name: Enter a descriptive name for this option.
Type: Only available if you selected a code with the comment (unknown). Select
the data type of the option. The data types IP Address, Text and Hex are available.
Depending on the selected data type enter the appropriate data in the corresponding field below:
Address: Add or select the host or network group with the IP address(es) to be submitted with this DHCP option to the DHCP client. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Text: Enter the text to be submitted with this DHCP option to the DHCP client.
Hex: Enter the hexadecimal value to be submitted with this DHCP option to the DHCP client. Please note that you have to enter the groups of two hexadecimal digits separated by colons (e.g., 00:04:76:16:EA:62).
Integer: Enter the integer value to be submitted with this DHCP option to the DHCP client.
Scope: Define on which condition the DHCP option should be sent.
- Global: The DHCP option will be sent by all defined DHCP servers to all DHCP clients.
- Server: In the Server box, select the DHCP servers which should send the DHCP option. The box displays all DHCP servers defined on the DHCP Servers tab.
- Host: In the Host box, add or select the hosts which should be provided the DHCP option. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
- MAC prefix: Enter a MAC prefix. All DHCP clients with a matching MAC address will be provided the DHCP option.
- Vendor ID: Enter a vendor ID or the prefix of a vendor ID. All DHCP clients which match this string will be provided the DHCP option.
Comment (optional): Add a description or other information.
3. Click Save.
The new DHCP option appears on the DHCP Options list and is immediately active.
To either edit or delete a DHCP option, click the corresponding buttons.
7.3 NTP
The menu Network Services > NTP allows you to configure an NTP server for the connected networks. The Network Time Protocol (NTP) is a protocol used for synchronizing the clocks of computer systems over IP networks. Instead of just synchronizing the time of Sophos UTM, which can be configured on the Management > System Settings > Time and Date tab, you can explicitly allow certain networks to use this service as well.
To enable the use of NTP time synchronization for specific networks, proceed as follows:
1. Enable the NTP server.
Click the toggle switch.
The toggle switch turns amber and the NTP Options area becomes editable.
2. Select Allowed networks.
Add or select the networks that should be allowed to access the NTP server. How
to add a definition is explained on the Definitions & Users > Network Definitions >
Network Definitions page.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green.
8 Network Protection
This chapter describes how to configure basic network protection features of Sophos UTM. The Network Protection Statistics page in WebAdmin shows an overview of intrusion prevention events and dropped data packets for both source and destination hosts. Each of the sections contains a Details link. Clicking the link redirects you to the respective reporting section of WebAdmin, where you can find more statistical information.
Note – You can directly add a Network/Host Exception or a Threat Exception by clicking the Plus icon in the Advanced Threat Protection: Recent Events list.
The following topics are included in this chapter:
- Firewall
- NAT (Network Address Translation)
- Advanced Threat Protection
- Intrusion Prevention
- Server Load Balancing
- VoIP (Voice over IP)
- Advanced Settings
8.1 Firewall
The menu Network Protection > Firewall allows you to define and manage firewall rules of the gateway. Generally speaking, the firewall is the central part of the gateway which functions in a networked environment to prevent some communications forbidden by the security policy. The default security policy of Sophos UTM states that all network traffic is to be blocked and logged, except for automatically generated rule sets that are necessary for other software components of the gateway to work. However, those auto-generated rule sets are not shown on the Firewall > Rules tab. This policy requires you to define explicitly which data traffic is allowed to pass the gateway.
8.1.1 Rules
On the Network Protection > Firewall > Rules tab you can manage the firewall rule set. When you open the tab, only user-created firewall rules are displayed by default. Using the drop-down list on top of the list, you can choose to display automatic firewall rules instead, or both types of rules combined. Automatic firewall rules are displayed with a distinct background color. Automatic firewall rules are generated by UTM based on a selected Automatic firewall rules checkbox in one of your configurations, e.g., when creating IPsec or SSL connections.
All newly defined firewall rules are disabled by default once added to the rules table.
Automatic firewall rules and enabled user-created firewall rules are applied in the
given order until the first rule matches. Automatic firewall rules are always on top of
the list. The processing order of the user-created firewall rules is determined by the
position number, so if you change the order of the rules by their position numbers, the
processing order changes as well.
Caution – Once a firewall rule has matched, all other rules are ignored. For that reason, the sequence of rules is very important. Never place a rule such as Any (Source) – Any (Service) – Any (Destination) – Allow (Action) at the top of the rule table, as this will allow each packet to traverse the gateway in both directions, ignoring all other rules that may follow.
To create a firewall rule, proceed as follows:
1. On the Rules tab, click New Rule.
The Add Rule dialog box opens.
2. Make the following settings:
Group: The Group option is useful to group rules logically. With the drop-down list
on top of the list you can filter the rules by their group. Grouping is only used for
display purposes, it does not affect rule matching. To create a new group select
the << New group >> entry and enter a descriptive name in the Name field.
Position: The position number, defining the priority of the rule. Lower numbers
have higher priority. Rules are matched in ascending order. Once a rule has
matched, rules with a higher number will not be evaluated anymore.
Sources: Add or select source network definitions, describing from which host(s)
or networks the packets are originating.
Tip – How to add a definition is explained on the Definitions & Users > Network
Definitions > Network Definitions page.
Services: Add or select service definitions, describing the protocol(s) and, in case
of TCP or UDP, the source and destination port(s) of the packets.
Destinations: Add or select destination network definitions, describing the target
host(s) or network(s) of the packets.
Note – When you select more than one source, service and/or destination, the
rule applies to every possible source-service-destination combination. A rule
with e.g. two sources, two services and two destinations equates to eight
single rules, from each source to each destination using both services.
Action: The action that describes what to do with traffic that matches the rule. The following actions can be selected:
- Allow: The connection is allowed and traffic is forwarded.
- Drop: Packets matching a rule with this action will be silently dropped.
- Reject: Connection requests matching rules with this action will be actively rejected. The sender will be informed via an ICMP message.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Time period: By default, no time period definition is selected, meaning that the
rule is always valid. If you select a time period definition, the rule will only be
valid at the time specified by the time period definition. For more information,
see Time Period Definitions.
Log traffic: If you select this option, logging is enabled and packets matching the
rule are logged in the firewall log.
Source MAC addresses: Select a MAC address list definition, describing from which MAC addresses the packets are originating. If selected, packets only match the rule if their source MAC address is listed in this definition. Note that you cannot use a MAC address list in combination with the source Any. MAC address list definitions are defined on the Definitions & Users > Network Definitions > MAC Address Definitions tab.
4. Click Save.
The new rule appears on the Rules list.
5. Enable the firewall rule.
The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.
The rule is now enabled (toggle switch is green).
To either edit or delete a rule, click the corresponding buttons.
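First-match evaluation in position order, the expansion of a rule with several sources, services and destinations into single combinations (the note in step 2), and the shadowing caused by an Any / Any / Any / Allow rule on top, as an added Python example that is not part of this guide or of Sophos UTM. The Rule model, matching of CIDR-string definitions and the sample rule set are constructed here.

```python
"""Simulate first-match evaluation of the Firewall > Rules table, expand a
rule with several sources, services and destinations into its single
combinations, and flag rules shadowed by an earlier one (the Any / Any /
Any / Allow case the guide warns about).  Added illustration, not Sophos
UTM code: the Rule model, CIDR-string definitions and sample rules are
constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product

ANY = "Any"


@dataclass(frozen=True)
class Rule:
    position: int
    sources: tuple         # network definitions as CIDR strings, or ANY
    services: tuple        # "proto/port" strings, or ANY
    destinations: tuple
    action: str            # "Allow", "Drop" or "Reject"
    enabled: bool = False  # new rules start disabled, as in WebAdmin

    def expand(self):
        """One single rule per source-service-destination combination:
        two sources, two services and two destinations give eight."""
        return list(product(self.sources, self.services, self.destinations))


def _net_matches(definition, ip):
    return definition == ANY or ip_address(ip) in ip_network(definition)


def first_match(rules, src_ip, service, dst_ip):
    """Evaluate enabled rules in ascending position order; the first matching
    combination decides.  No match falls through to the default policy."""
    for rule in sorted(rules, key=lambda r: r.position):
        if not rule.enabled:
            continue
        for src, svc, dst in rule.expand():
            if (_net_matches(src, src_ip) and svc in (ANY, service)
                    and _net_matches(dst, dst_ip)):
                return rule.action, rule.position
    return "Drop (default policy: block and log)", None


def _covers(broad, narrow):
    """True if combination `broad` matches everything `narrow` matches."""
    def net_covers(a, b):
        if a == ANY:
            return True
        if b == ANY:
            return False
        return ip_network(b).subnet_of(ip_network(a))
    s1, v1, d1 = broad
    s2, v2, d2 = narrow
    return net_covers(s1, s2) and v1 in (ANY, v2) and net_covers(d1, d2)


def shadowed_rules(rules):
    """Positions of enabled rules that can never match because every one of
    their combinations is covered by a combination of an earlier enabled rule."""
    ordered = [r for r in sorted(rules, key=lambda r: r.position) if r.enabled]
    shadowed = []
    for i, later in enumerate(ordered):
        earlier = [c for e in ordered[:i] for c in e.expand()]
        if earlier and all(any(_covers(e, c) for e in earlier) for c in later.expand()):
            shadowed.append(later.position)
    return shadowed


def sample_rules(any_rule_on_top):
    """Constructed rule set: a Drop for outbound SMTP from the LAN and an
    Allow for web traffic from two subnets, optionally preceded by the
    catch-all Allow rule at position 1."""
    rules = [
        Rule(2, ("10.0.0.0/8",), ("tcp/25",), (ANY,), "Drop", enabled=True),
        Rule(3, ("10.0.1.0/24", "10.0.2.0/24"), ("tcp/80", "tcp/443"), (ANY,),
             "Allow", enabled=True),
    ]
    if any_rule_on_top:
        rules.insert(0, Rule(1, (ANY,), (ANY,), (ANY,), "Allow", enabled=True))
    return rules
```

With the catch-all rule at position 1, shadowed_rules reports positions 2 and 3 and the SMTP Drop never fires; without it, the same packet is dropped by rule 2 and unmatched traffic falls through to the default policy.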
Open Live Log: This will open a pop-up window containing a real-time log of filtered packets, whose regularly updating display shows recent network activity. The background color indicates which action has been applied:
- Red: The packet was dropped.
- Yellow: The packet was rejected.
- Green: The packet was allowed.
- Gray: The action could not be determined.
The live log also contains information about which firewall rule caused a packet to be rejected. Such information is essential for rule debugging. Using the search function, you can filter the firewall log for specific entries. The search function even allows you to negate expressions by typing a dash in front of the expression, e.g. -WebAdmin, which will hide all lines containing this expression.
Selecting the Autoscroll checkbox will automatically scroll down the window's scroll
bar to always show the most recent results.
Below are some basic hints for configuring the firewall:
- Dropped Broadcasts: By default, all broadcasts are dropped, which in addition will not be logged (for more information, see chapter Advanced). This is useful for networks with many computers utilizing NetBIOS (for example, Microsoft Windows operating systems), because broadcasts will rapidly clutter up your firewall log file. To define a broadcast drop rule manually, group the definitions of the broadcast addresses of all attached networks, add another "global_broadcast" definition of 255.255.255.255/255.255.255.255, then add a rule to drop all traffic to these addresses on top of your firewall configuration. On broadcast-heavy networks, this also has the benefit of increasing the system performance.
- Rejecting IDENT Traffic: If you do not want to use the IDENT reverse proxy, you can actively reject traffic to port 113 (IDENT) of your internal networks. This may prevent longer timeouts on services that use IDENT, such as FTP, IRC, and SMTP.
  Note – If you use masquerading, IDENT requests for masqueraded networks will arrive on the masquerading interface.
- Since NAT will change the addresses of network packets, it has implications on the firewall functionality.
  - DNAT is applied before the firewall. This means that the firewall will "see" the already translated packets. You must take this into account when adding rules for DNAT related services.
  - SNAT and Masquerading are applied after the firewall. This means that the firewall still "sees" the untranslated packets with the original source addresses.
The control panels in the table header can be used to filter firewall rules for specific criteria to rearrange rules for better readability. If you have defined groups you can select a group from the drop-down menu and thus see all rules that belong to this group. Using the search field you can look for a keyword or just a string to see the rules related to it. The search comprises a rule's source, destination, service, group name, and comment.
8.1.2 Country Blocking
On the Network Protection > Firewall > Country Blocking tab you can enable blocking of traffic coming from or going to a certain country or location. You can either block single countries/locations or whole continents. The blocking is based on the GeoIP information of the host's IP address.
To enable country blocking, proceed as follows:
1. Enable country blocking.
Click the toggle switch.
The toggle switch turns amber and the Countries section becomes editable.
2. Select the locations to block.
Via the drop-down lists in front of the location names, specify the blocking status for the respective location:
- All: All traffic coming from or going to this location is blocked.
- From: Traffic coming from this location is blocked.
- To: Traffic going to this location is blocked.
- Off: Traffic from as well as to this location is allowed.
Tip – You can easily select an identical blocking status for all locations of a
region. To do so, select the desired blocking status in the drop-down list in front
of the respective region name.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green and traffic from and/or to selected locations will
be blocked now according to your settings. Note that you can define exceptions
for the blocked locations on the Country Blocking Exceptions tab.
Tip – Each section of this page can be collapsed and expanded by clicking the Collapse icon on the right of the section header.
8.1.3 Country Blocking Exceptions
On the Network Protection > Firewall > Country Blocking Exceptions tab you can define
exceptions for countries that are blocked on the Country Blocking tab. Exceptions can
be made for traffic between a blocked country/location and specific hosts or networks,
taking into account the direction and the service of the traffic.
To create a country blocking exception, proceed as follows:
1. Click New Exception List.
The Add Exception List dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the exception.
Comment (optional): Add a description or other information.
Skip blocking of these:
- Region: Using this drop-down list, you can narrow down the countries displayed in the Countries box.
- Countries: Select the checkboxes in front of the locations or countries you want to make the exception for. To select all countries at once, enable the Select all checkbox.
  Note – To select all IP addresses, including those that are not associated with any country, for example internal IP addresses, deselect all checkboxes using the Deselect all checkbox.
For all requests: Select the condition under which the country blocking should be skipped. You can choose between outgoing and incoming traffic, referring to the hosts/networks to be selected in the box below.
- Hosts/networks: Add or select the hosts/networks that should be allowed to send traffic to or receive traffic from the selected countries—depending on the entry selected in the drop-down list above. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Using these services: Optionally, add the services that should be allowed between the selected hosts/networks and the selected countries/locations. If no service is selected, all services are allowed.
3. Click Save.
The new country blocking exception appears on the Country Blocking Exception
list.
To either edit or delete an exception, click the corresponding buttons.
Using Country Blocking Exceptions
Use the country blocking exceptions as follows:

Interface/remote host           Requests     Host/network                     Countries
Local interface                 Coming from  Enter a local interface address  Choose countries to skip
Local interface                 Going to     Enter a local interface address  Choose countries to skip
Remote host (internal network)  Coming from  Enter an internal host/network   Choose countries to skip
Remote host (external network)  Coming from  Enter an external host           Do not choose countries
Remote host (internal network)  Going to     Enter an internal host/network   Choose countries to skip
Remote host (external network)  Going to     Enter an external host           Do not choose countries
8.1.4 ICMP
On the Network Protection > Firewall > ICMP tab you can configure the settings for the
Internet Control Message Protocol (ICMP). ICMP is used to exchange connection-related
status information between hosts. ICMP is important for testing network connectivity
or troubleshooting network problems.
Allowing any ICMP traffic on this tab will override ICMP settings being made in the firewall. If you only want to allow ICMP for certain hosts or networks, you should use the Firewall > Rules tab instead.
Global ICMP Settings
The following global ICMP options are available:
• Allow ICMP on Gateway: This option enables the gateway to respond to ICMP packets of any kind.
• Allow ICMP through Gateway: This option enables forwarding of ICMP packets through the gateway if the packets originate from an internal network, i.e., a network without default gateway.
• Allow ICMP through Gateway from external networks: This option enables forwarding of ICMP packets through the gateway from an external network, i.e., the Internet.
• Log ICMP redirects: ICMP redirects are sent from one router to another to find a better route for a packet's destination. Routers then change their routing tables and forward the packet to the same destination via the supposedly better route. If you select this option, all ICMP redirects received by the gateway will be logged in the firewall log.
Note – If enabled, the ICMP settings apply to all ICMP packets, including ping and traceroute (if sent via ICMP), even if the corresponding ping and traceroute settings are disabled.
Ping Settings
The program ping is a computer network tool used to test whether a particular host is
reachable across an IP network. Ping works by sending ICMP echo request packets to
the target host and listening for ICMP echo response replies. Using interval timing and
response rate, ping estimates the round-trip time and packet loss rate between hosts.
The following ping options are available:
• Gateway is ping visible: The gateway responds to ICMP echo request packets. This feature is enabled by default.
• Ping from gateway: You can use the ping command on the gateway. This feature is enabled by default.
• Gateway forwards pings: The gateway forwards ICMP echo request and echo response packets originating from an internal network, i.e., a network without default gateway.
Note – If enabled, the ping settings also allow traceroute ICMP packets, even if the corresponding traceroute settings are disabled.
Traceroute Settings
The program traceroute is a computer network tool used to determine the route taken
by packets across an IP network. It lists the IP addresses of the routers that were
involved in transporting the packet. If the packet's route cannot be determined within a
certain time frame, traceroute will report an asterisk (*) instead of the IP address. After
a certain number of failures, the check will end. An interruption of the check can have
many causes, but most likely it is caused by a firewall along the network path that
blocks traceroute packets.
The following traceroute options are available:
• Gateway is traceroute visible: The gateway responds to traceroute packets.
• Gateway forwards traceroute: The gateway forwards traceroute packets originating from an internal network, i.e., a network without default gateway.
Note – The bridge mode in the UTM uses the packet filter to allow the traffic to pass
the UTM, e.g., web surfing traffic. In this case, the options Allow ICMP through gateway,
Gateway forwards pings and Gateway forwards traceroute will not work in bridge
mode.
Note – In addition, the UDP ports for UNIX traceroute applications are opened, too.
Note – If enabled, the traceroute settings also allow ping packets, even if the corresponding ping settings are disabled.
8.1.5 Advanced
The Network Protection > Firewall > Advanced tab contains advanced settings for the
firewall and the NAT rules.
Connection Tracking Helpers
So-called connection tracking helpers enable protocols that use multiple network connections to work with firewall or NAT rules. All connections handled by the firewall are tracked by the conntrack kernel module, a process better known as connection tracking. Some protocols such as FTP and IRC require several ports to be opened, and hence require special connection tracking helpers supporting them to operate correctly. These helpers are special kernel modules that help identify additional connections by marking them as being related to the initial connection, usually by reading the related addresses out of the data stream.
For example, for FTP connections to work properly, the FTP conntrack helper must be
selected. This is due to the specifics of the FTP protocol, which first establishes a
single connection that is called the FTP control connection. When commands are
issued through this connection, other ports are opened to carry the rest of the data (e.g.,
downloads or uploads) related to that specific command. The problem is that the gateway will not know about these extra ports, since they were negotiated dynamically. Therefore, the gateway will be unable to know that it should let the server connect to the client over these specific ports (active FTP connections) or to let clients on the
Internet connect to the FTP server (passive FTP connections).
This is where the FTP conntrack helper becomes effective. This special helper is added
to the connection tracking module and will scan the control connection (usually on port
21) for specific information. When it runs into the correct information, it will add that
specific information to a list of expected connections as being related to the control
connection. This in return enables the gateway to track both the initial FTP connection
as well as all related connections properly.
Connection tracking helpers are available for the following protocols:
• FTP
• IRC (for DCC)
• PPTP
• TFTP
Note – The PPTP helper module needs to be loaded if you want to offer PPTP VPN services on the gateway. Otherwise PPTP sessions cannot be established. The reason for this is that PPTP first establishes a TCP port 1723 connection before switching to Generic Routing Encapsulation (GRE) communication, which is a separate IP protocol. If the PPTP helper module is not loaded, all GRE packets will be blocked by the gateway. Alternatively, if you do not want to use the PPTP helper module, you can manually add firewall rules allowing GRE packets for incoming and outgoing traffic.
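To make concrete what the FTP conntrack helper does on the control connection, here is an added Python example; it is not part of Sophos UTM or of this guide. It models a helper: it scans a constructed control-connection transcript for the client's PORT command and the server's 227 reply, decodes the six-number address/port form, and records the related data connection the gateway should then expect. The transcript, the addresses (192.168.0.20 and 203.0.113.10) and the rule that an advertised address must match the peer speaking on the control connection are assumptions made for this example, not details of the UTM's kernel module.

```python
import re
from dataclasses import dataclass

# Constructed FTP control-connection transcript ("C" = client, "S" = server).
# Addresses and ports are made up for this example.
CLIENT_IP = "192.168.0.20"
SERVER_IP = "203.0.113.10"
SAMPLE_CONTROL_SESSION = [
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS guest@example.com"),
    ("S", "230 Login successful."),
    ("C", "PORT 192,168,0,20,195,80"),   # active mode: client will accept on 192.168.0.20:50000
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
    ("S", "150 Here comes the directory listing."),
    ("S", "226 Directory send OK."),
    ("C", "PORT 10,0,0,99,4,1"),          # advertises a third host: must not create an expectation
    ("S", "500 Illegal PORT command."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,10,39,17)."),  # server will accept on 203.0.113.10:10001
    ("C", "RETR file.bin"),
]


@dataclass(frozen=True)
class Expectation:
    """A related data connection the helper expects after a PORT/PASV exchange."""
    mode: str       # "active": server connects to client; "passive": client connects to server
    src_ip: str     # address that will initiate the data connection
    dst_ip: str     # address that will accept it
    dst_port: int   # port that will accept it


# Wire format on both sides is six decimal numbers: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_hostport(groups):
    """Turn the six comma-separated numbers of the FTP wire format into (ip, port)."""
    nums = [int(x) for x in groups]
    if any(n > 255 for n in nums):
        raise ValueError("FTP host/port field out of range")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(n) for n in nums[:4]), port


def track_ftp_control(session, client_ip, server_ip):
    """Scan a control-connection transcript the way a conntrack helper would.

    Returns (expectations, rejected): the related data connections the gateway should
    expect, and the PORT/227 lines it ignored. An expectation is only created when the
    advertised address equals the speaking peer's own address on the control connection
    (an assumption of this model), so payload data cannot make the gateway expect a
    connection involving a third host.
    """
    expectations, rejected = [], []
    for sender, line in session:
        if sender == "C" and (m := PORT_RE.match(line)):
            ip, port = decode_hostport(m.groups())
            if ip != client_ip:
                rejected.append(line)
                continue
            # Active mode: the server opens the data connection back to the client.
            expectations.append(Expectation("active", server_ip, ip, port))
        elif sender == "S" and (m := PASV_RE.match(line)):
            ip, port = decode_hostport(m.groups())
            if ip != server_ip:
                rejected.append(line)
                continue
            # Passive mode: the client opens the data connection to the advertised server port.
            expectations.append(Expectation("passive", client_ip, ip, port))
    return expectations, rejected


if __name__ == "__main__":
    found, ignored = track_ftp_control(SAMPLE_CONTROL_SESSION, CLIENT_IP, SERVER_IP)
    for e in found:
        print(f"expect {e.mode:7} {e.src_ip} -> {e.dst_ip}:{e.dst_port} (related to control connection)")
    for line in ignored:
        print(f"ignored: {line!r}")
```

Each Expectation corresponds to the "expected connection" the text describes: without it, the active-mode connection from the server and the passive-mode connection to port 10001 would both look like unrelated new connections to the firewall.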
Protocol Handling
Enable TCP window scaling: The TCP receive window (RWin) size is the amount of
received data (in bytes) that can be buffered during a connection. The sending host can
send only that amount of data before it must wait for an acknowledgment and window
update from the receiving host. For more efficient use of high bandwidth networks, a
larger TCP window size may be used. However, the TCP window size field controls the
flow of data and is limited to 2 bytes, or a window size of 65535 bytes. Since the size
field cannot be expanded, a scaling factor is used. TCP window scaling is a kernel
option of the TCP/IP stack and can be used to increase the maximum window size
from 65535 bytes to 1 Gigabyte. Window scaling is enabled by default. However, since
some network devices such as routers, load balancers, gateways, and so on still do not
fully support window scaling, depending on your environment it might be necessary to
turn it off.
Use strict TCP session handling: By default, the system can "pick up" existing TCP connections that are not currently handled in the connection tracking table due to a network facility reset. This means that interactive sessions such as SSH and Telnet will not quit when a network interface is temporarily unavailable. Once this option is enabled, a new three-way handshake will always be necessary to re-establish such sessions. Additionally, this option does not allow the TCP connection methods simultaneous open or TCP split handshakes. It is generally recommended to leave this option turned off.
Validate packet length: If enabled, the firewall will check the data packets for minimal
length if the ICMP, TCP, or UDP protocol is used. If the data packets are smaller than the
minimal values, they will be blocked and a record will be written to the firewall log.
Block invalid packets: If enabled, the firewall will check the data packets for conntrack entries. The conntrack entries will be generated by sending connection initializing packets, for example, TCP SYN or ICMP echo requests. If someone tries to send a packet that does not match an existing connection, for example, TCP ACK or ICMP echo reply, and the UTM cannot find a matching TCP SYN or ICMP echo request via the conntrack entry, the data packet is invalid and will be dropped. A record will be written to the firewall log.
Spoof protection: By default, spoof protection is disabled. You can choose between the following settings:
• Normal: The gateway will drop and log packets which either have the same source IP address as the interface itself or which arrive on an interface which has a source IP of a network assigned to another of its interfaces.
• Strict: The gateway will also drop and log all packets which have a destination IP for an interface but arrive on an interface other than assigned, that is, if it arrives on an interface for which it is not destined. For example, those packets will be dropped that were sent from an external network to the IP address of the internal interface which is supposed to accept packets from the internal network only.
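The Normal and Strict settings are easiest to compare on concrete packets. The following Python example is added here and is not Sophos code: it applies the two rules of Normal and the extra rule of Strict to a constructed interface table (eth0 external with 203.0.113.2, eth1 internal with 192.168.0.1, both assumed for the example) and a handful of constructed packets, returning the drop decisions that the guide says are logged.

```python
from ipaddress import ip_address, ip_network

# Constructed interface table (assumed for this example, not taken from the guide):
# interface name -> (the interface's own address, networks reachable through it).
INTERFACES = {
    "eth0": ("203.0.113.2", ["203.0.113.0/24"]),   # external interface
    "eth1": ("192.168.0.1", ["192.168.0.0/24"]),   # internal interface
}


def spoof_check(ingress, src, dst, mode="normal", interfaces=INTERFACES):
    """Classify one packet under the guide's spoof protection modes.

    Returns (verdict, reason) with verdict "accept" or "drop"; a dropped packet is the
    one the guide says is logged.
    """
    if mode not in ("off", "normal", "strict"):
        raise ValueError(f"unknown spoof protection mode: {mode}")
    if mode == "off":
        return "accept", "spoof protection disabled"

    src_ip, dst_ip = ip_address(src), ip_address(dst)
    own_addr, _ = interfaces[ingress]

    # Normal, rule 1: the source claims to be the receiving interface itself.
    if src_ip == ip_address(own_addr):
        return "drop", f"source {src} is the address of {ingress} itself"

    # Normal, rule 2: the source belongs to a network assigned to another interface.
    for name, (_, nets) in interfaces.items():
        if name != ingress and any(src_ip in ip_network(n) for n in nets):
            return "drop", f"source {src} belongs to {name}'s network but arrived on {ingress}"

    # Strict adds: the destination is one of our interface addresses, but the packet
    # arrived on a different interface than the one carrying that address.
    if mode == "strict":
        for name, (addr, _) in interfaces.items():
            if name != ingress and dst_ip == ip_address(addr):
                return "drop", f"destination {dst} is {name}'s address but arrived on {ingress}"

    return "accept", "no spoofing indication"


def audit(packets, mode, interfaces=INTERFACES):
    """Run a list of (ingress, src, dst) packets and return the drop log lines."""
    log = []
    for ingress, src, dst in packets:
        verdict, reason = spoof_check(ingress, src, dst, mode, interfaces)
        if verdict == "drop":
            log.append(f"spoof-drop iface={ingress} src={src} dst={dst} mode={mode}: {reason}")
    return log


# Constructed packets: (ingress interface, source, destination).
SAMPLE_PACKETS = [
    ("eth0", "198.51.100.7", "203.0.113.2"),   # ordinary inbound packet from the Internet
    ("eth0", "192.168.0.50", "203.0.113.2"),   # internal address arriving from outside
    ("eth1", "192.168.0.1", "198.51.100.7"),   # source claims to be the internal interface
    ("eth0", "198.51.100.7", "192.168.0.1"),   # external packet aimed at the internal interface address
    ("eth1", "192.168.0.50", "198.51.100.7"),  # ordinary outbound packet
]

if __name__ == "__main__":
    for mode in ("normal", "strict"):
        print(f"--- {mode} ---")
        for line in audit(SAMPLE_PACKETS, mode):
            print(line)
```

The fourth sample packet is the guide's own Strict example: it passes Normal, because its source is not one of our networks, and is dropped only under Strict, because it is addressed to the internal interface yet arrives on the external one.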
Logging Options
Log FTP data connections: The UTM will log the FTP data connections (file and directory listings). The log records are marked by the string "FTP data".
Log unique DNS requests: The UTM will log all outgoing requests to DNS servers as well
as their outcome. The log records are marked by the string "DNS request".
Log dropped broadcasts: By default, the firewall drops all broadcasts, which in addition
will not be logged. However, if you need broadcasts to be logged in the firewall log, for
example, for audit purposes, select this option.
Log invalid packets: The UTM will log all invalid packets. If Block invalid packets is
enabled the log records are marked by the string "INVALID_PKT".
8.2 NAT
The menu Network Protection > NAT allows you to define and manage NAT rules of the
gateway. Network Address Translation (NAT) is the process of rewriting the source
and/or destination addresses of IP packets as they pass through a router or gateway.
Most systems using NAT do so in order to enable multiple hosts on a private network to
access the Internet using a single public IP address. When a client sends an IP packet
to the router, NAT translates the sending address to a different, public IP address
before forwarding the packet to the Internet. When a response packet is received, NAT
translates the public address into the original address and forwards it to the client.
Depending on system resources, NAT can handle arbitrarily large internal networks.
8.2.1 Masquerading
Masquerading is a special case of Source Network Address Translation (SNAT) and
allows you to masquerade an internal network (typically, your LAN with private address
space) behind a single, official IP address on a network interface (typically, your
external interface connected to the Internet). SNAT is more generic, as it allows mapping multiple source addresses to several destination addresses.
Note – The source address is only translated if the packet leaves the gateway system via the specified interface. Note further that the new source address is always the current IP address of that interface (meaning that this address can be dynamic).
To create a masquerading rule, proceed as follows:
1. On the Masquerading tab, click New Masquerading Rule.
The Add Masquerading Rule dialog box opens.
2. Make the following settings:
Network: Select the (internal) network you want to masquerade.
Position: The position number, defining the priority of the rule. Lower numbers
have higher priority. Rules are matched in ascending order. Once a rule has
matched, rules with a higher number will not be evaluated anymore.
Interface: Select the (external) interface that is connected to the Internet.
Use address: If the interface you selected has more than one IP address
assigned (see Interfaces & Routing > Interfaces > Additional Addresses), you can
define here which IP address is to be used for masquerading.
Comment (optional): Add a description or other information.
3. Click Save.
The new masquerading rule appears on the Masquerading rule list.
4. Enable the masquerading rule.
Click the toggle switch to activate the masquerading rule.
To either edit or delete a rule, click the corresponding buttons.
Note – You need to allow traffic from the internal network to the Internet in the firewall if you want your clients to access external servers.
IPsec packets are never affected by masquerading rules. To translate the source
address of IPsec packets create an SNAT or Full NAT rule.
8.2.2 NAT
Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT) are both special cases of NAT. With SNAT, the IP address of the computer which initiated the connection is rewritten, while with its counterpart DNAT, the destination addresses of data packets are rewritten. DNAT is especially useful when an internal network uses private IP addresses, but an administrator wants to make some services available to the outside.
This is best demonstrated with an example. Suppose your internal network uses the
address space 192.168.0.0/255.255.255.0 and a webserver running at IP address
192.168.0.20 port 80 should be available to Internet-based clients. Because the
192.168. address space is private, the Internet-based clients cannot send packets directly to the webserver. It is, however, possible for them to communicate with the external (public) address of the UTM. DNAT can, in this case, take packets addressed to
port 80 of the system’s address and forward them to the internal webserver.
Note – PPTP VPN Access is incompatible with DNAT.
In contrast to masquerading, which always maps to the primary network interface
address, SNAT maps the source address to the address specified in the SNAT rule.
1:1 NAT is a special case of DNAT or SNAT. In this case all addresses of an entire network are being translated one-to-one into the addresses of another network having the
same netmask. So the first address of the original network will be translated into the
first address of the other network, the second into the second and so on. A 1:1 NAT rule
can be applied to either the source or the destination address.
Note – By default, port 443 (HTTPS) is used for the User Portal. If you plan to forward
port 443 to an internal server, you need to change the TCP port of the User Portal to
another value (e.g., 1443) on the Management > User Portal > Advanced tab.
Because DNAT is done before firewalling, you must ensure that appropriate firewall
rules are defined. For more information, see Network Protection > Firewall > Rules.
To define a NAT rule, proceed as follows:
1. On the NAT tab, click New NAT Rule.
The Add NAT Rule dialog box opens.
2. Make the following settings:
Group: The Group option is useful to group rules logically. With the drop-down list
on top of the list you can filter the rules by their group. Grouping is only used for
display purposes, it does not affect rule matching. To create a new group select
the << New group >> entry and enter a descriptive name in the Name field.
Position: The position number, defining the priority of the rule. Lower numbers
have higher priority. Rules are matched in ascending order. Once a rule has
matched, rules with a higher number will not be evaluated anymore.
Rule type: Select the network address translation mode. Depending on your selection, various options will be displayed. The following modes are available:
• SNAT (source): Maps the source address of defined IP packets to one new source address. The service can be changed, too.
Note – You have to add the SNAT rules before you activate the Web Filter. The UTM prioritizes Web Filter settings higher than SNAT rules. If you select a SNAT rule while the Web Filter is activated the rule may not work. You can activate or deactivate the Web Filter on the Web Protection > Web Filtering > Global page.
• DNAT (destination): Maps the destination address of defined IP packets to one new destination address. The service can be changed, too.
• 1:1 NAT (whole networks): Maps IP addresses of a network to another network one-to-one. The rule applies either for the source or for the destination address of the defined IP packets.
• Full NAT (source + destination): Maps both the source address and the destination address of defined IP packets to one new source and one new destination address. The source service and the target service can be changed, too.
• No NAT: This option can be regarded as a kind of exception rule. For example, if you have a NAT rule for a defined network you can create a No NAT rule for certain hosts inside this network. Those hosts will then be exempted from NAT.
Matching Condition: Add or select the source and destination network/host and
the service for which you want to translate addresses. How to add a definition is
explained on the Definitions & Users > Network Definitions > Network Definitions
page.
• For traffic from: The original source address of the packets. This can be either a single host or an entire network, or, except for the 1:1 NAT rule type, a network range.
• Using service: The original service type of the packets (consisting of source and destination ports as well as a protocol type).
Note – A traffic service can only be translated when the corresponding addresses are translated as well. In addition, a service can only be translated to another service when the two services use the same protocol.
• Going to: The original destination address of the packets. This can be either a single host or an entire network. With SNAT and No NAT, it can also be a network range.
Action: Add or select the source and/or destination and/or the service type into which you want to translate the original IP packet data. The displayed parameters depend on the selected Rule type. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
• Change the source to (only with SNAT or Full NAT mode): Select the source host, that is, the new source address of the packets.
• Change the destination to (only with DNAT or Full NAT mode): Select the destination host, that is, the new destination address of the packets.
• And the service to (only with DNAT, SNAT or Full NAT mode): Select the new service of the packets. Depending on the selected Rule type this can be the source and/or destination service.
• 1:1 NAT mode (only with 1:1 NAT rule type): Select one of the following modes:
  • Map destination: Changes the destination address.
  • Map source: Changes the source address.
Note – You need to add an entire network into the field For traffic from when you want to map the source, or into the field Going to when you want to map the destination.
• Map to (only with 1:1 NAT mode): Select the network you want to translate the original IP addresses into. Please note that the original network and the translated network must have the same netmask.
Automatic firewall rule (optional): Select this option to automatically generate
firewall rules to allow the corresponding traffic passing through the firewall.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Rule applies to IPsec packets (only with SNAT or Full NAT mode): Select this
option if you want to apply the rule to traffic which is going to be processed by
IPsec. By default this option is not selected, thus IPsec traffic is excluded from
source network address translation.
Log initial packets (optional): Select this option if you want to write the initializing packet of a communication to the firewall log. Whenever the NAT rule is used, you will then find a message in the firewall log saying "Connection using NAT". This option works for stateful as well as stateless protocols.
4. Click Save.
The new rule appears on the NAT list.
5. Enable the NAT rule.
The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.
To either edit or delete a rule, click the corresponding buttons.
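As an added illustration of the NAT modes and of the Position semantics described above (a masquerading-style SNAT rule, the DNAT rule for the 192.168.0.20 webserver, 1:1 NAT and No NAT), the Python model below is example code written for this text, not the UTM's own NAT engine. The rule set, the external address 203.0.113.2, the exempted host 192.168.0.200 and the 10.1.0.0/24 to 10.2.0.0/24 mapping are constructed; only the destination port of a service is translated here, and the firewall stage that follows DNAT is not modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class NatRule:
    """One row of the NAT table. Field names follow the dialog's labels where possible."""
    position: int                                # lower number = higher priority
    rule_type: str                               # "SNAT", "DNAT", "1:1", "FULL", "NONAT"
    traffic_from: str                            # network/host the original source must belong to
    going_to: str                                # network/host the original destination must belong to
    service: Optional[Tuple[str, int]] = None    # (protocol, destination port); None = any service
    new_src: Optional[str] = None                # "Change the source to"
    new_dst: Optional[str] = None                # "Change the destination to"
    new_dport: Optional[int] = None              # "And the service to" (destination port only, here)
    map_mode: Optional[str] = None               # 1:1 NAT: "source" or "destination"
    map_to: Optional[str] = None                 # 1:1 NAT: network to translate into (same netmask)


def matches(rule: NatRule, pkt: Packet) -> bool:
    """Matching Condition: source, destination and (optionally) service must all fit."""
    if ip_address(pkt.src) not in ip_network(rule.traffic_from):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.going_to):
        return False
    return rule.service is None or rule.service == (pkt.proto, pkt.dport)


def one_to_one(addr: str, original_net: str, map_to: str) -> str:
    """1:1 NAT: the n-th address of the original network becomes the n-th of the mapped network."""
    orig, mapped = ip_network(original_net), ip_network(map_to)
    if orig.prefixlen != mapped.prefixlen:
        raise ValueError("1:1 NAT requires both networks to have the same netmask")
    offset = int(ip_address(addr)) - int(orig.network_address)
    return str(mapped[offset])


def apply_nat(rules, pkt: Packet):
    """Return (translated packet, position of the rule that fired, or None).

    Rules are evaluated in ascending Position; the first match wins and later
    rules are not evaluated, as the Position field describes.
    """
    for rule in sorted(rules, key=lambda r: r.position):
        if not matches(rule, pkt):
            continue
        if rule.rule_type == "NONAT":          # exception rule: leave the packet alone
            return replace(pkt), rule.position
        out = replace(pkt)
        if rule.rule_type in ("SNAT", "FULL"):
            out.src = rule.new_src
        if rule.rule_type in ("DNAT", "FULL"):
            out.dst = rule.new_dst
            if rule.new_dport is not None:
                out.dport = rule.new_dport
        if rule.rule_type == "1:1":
            if rule.map_mode == "source":
                out.src = one_to_one(pkt.src, rule.traffic_from, rule.map_to)
            else:
                out.dst = one_to_one(pkt.dst, rule.going_to, rule.map_to)
        return out, rule.position
    return replace(pkt), None


# Constructed rule set (the guide's 192.168.0.0/24 example plus documentation ranges), listed
# out of order on purpose to show that Position, not list order, decides priority.
SAMPLE_RULES = [
    NatRule(3, "SNAT", "192.168.0.0/24", "0.0.0.0/0", new_src="203.0.113.2"),            # LAN behind public address
    NatRule(1, "NONAT", "192.168.0.200/32", "0.0.0.0/0"),                                # one host exempted from NAT
    NatRule(2, "DNAT", "0.0.0.0/0", "203.0.113.2/32", ("tcp", 80), new_dst="192.168.0.20"),  # publish webserver
    NatRule(4, "1:1", "0.0.0.0/0", "10.1.0.0/24", map_mode="destination", map_to="10.2.0.0/24"),
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", 40000, "203.0.113.2", 80),
                Packet("192.168.0.50", 50001, "198.51.100.7", 443),
                Packet("192.168.0.200", 50002, "198.51.100.7", 443),
                Packet("172.16.0.9", 50003, "10.1.0.5", 22)):
        out, pos = apply_nat(SAMPLE_RULES, pkt)
        print(f"rule {pos}: {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  becomes  {out.src}:{out.sport} -> {out.dst}:{out.dport}")
```

The No NAT rule sits at position 1 so that it is consulted before the SNAT rule at position 3; swap the two positions and 192.168.0.200 would be translated like every other LAN host, which is the ordering effect the Position field warns about.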
8.3 Intrusion Prevention
On the menu Network Protection > Intrusion Prevention you can define and manage IPS
rules of the gateway. The Intrusion Prevention system (IPS) recognizes attacks by
means of a signature-based IPS rule set. The system analyzes the complete traffic and
automatically blocks attacks before they can reach the network. The existing rule set
and attack patterns are updated through the pattern updates. New IPS attack pattern
signatures are automatically imported to the rule set as IPS rules.
8.3.1 Global
On the Network Protection > Intrusion Prevention > Global tab you can activate the Intrusion Prevention System (IPS) of Sophos UTM.
To enable IPS, proceed as follows:
1. Enable the intrusion prevention system.
Click the toggle switch.
The toggle switch turns amber and the Global IPS Settings area becomes editable.
2. Make the following settings:
Local networks: Add or select the networks that should be protected by the intrusion prevention system. If no local network is selected, intrusion prevention will automatically be deactivated and no traffic is monitored. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Policy: Select the security policy that the intrusion prevention system should use
if a blocking rule detects an IPS attack signature.
• Drop silently: The data packet will be dropped without any further action.
• Terminate connection: A terminating data packet (RST for TCP and ICMP Port Unreachable for UDP connections) will be sent to both communication partners to close the connection.
Note – By default, Drop silently is selected. There is usually no need to change
this, especially as terminating data packets can be used by an alleged intruder
to draw conclusions about the gateway.
Restart policy: Select the policy for connection handling when an IPS engine
restart is required, for example when the engine is updated.
• Drop (default): All incoming and outgoing connections will be dropped during engine restart.
• Bypass: All incoming and outgoing connections will bypass IPS scanning while the engine is restarting.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green.
Cross Reference – Find information about configuring IPS in the Sophos Knowledgebase.
Live Log
The intrusion prevention live log can be used to monitor the selected IPS rules. Click
the button to open the live log in a new window.
8.3.2 Attack Patterns
The Network Protection > Intrusion Prevention > Attack Patterns tab contains IPS rules
grouped according to common attack patterns. Attack patterns have been combined as
follows:
• Operating system specific attacks: Attacks trying to exploit operating system related weaknesses.
• Attacks against servers: Attacks targeted at all sorts of servers (for example, webservers, mail servers, and so on).
• Attacks against client software: Attacks aimed at client software such as web browsers, multimedia players, and so on.
• Protocol anomaly: Attack patterns look out for network anomalies.
• Malware: Software designed to infiltrate or damage a computer system without the owner's informed consent (for example, trojans, DoS communication tools, and the like).
To improve performance, you should clear the checkboxes that do not apply to services
or software employed in your local networks. For example, if you do not operate a web
server in your local network, you can cancel the selection for HTTP servers.
For each group, the following settings are available:
Action: By default, each rule in a group has an action associated with it. You can choose
between the following actions:
• Drop: The default setting. If an alleged attack attempt has been determined, the causing data packets will be dropped.
• Alert: Unlike the Drop setting, critical data packets are allowed to pass the gateway but will create an alert message in the IPS log.
Note – To change the settings for individual IPS rules, use the Modified Rules box on
the Intrusion Prevention > Advanced tab. A detailed list of IPS rules used in Sophos
UTM 9 is available at the Sophos webserver.
Rule age: By default, IPS patterns are restricted to those dating from the last 12 months. Depending on individual factors like overall patch level, legacy systems, or other security requirements, you can select another time span. Selecting a shorter time span will reduce the number of rules and thus improve performance.
Add extra warnings: When this option is selected, each group will include additional
rules increasing the IPS detection rate. Note that these rules are more general and
vague than the explicit attack patterns and will therefore likely produce more alerts.
For that reason, the default action for these rules is Alert, which cannot be configured.
Notify: When this option is selected, a notification is sent to the administrator for every IPS event matching this group. Note that this option only takes effect if you have enabled the notification feature for the intrusion prevention system on the Management > Notifications > Notifications tab. In addition, what type of notification (i.e., email or SNMP trap) is to be sent depends on the settings made there. Note further that it might take up to five minutes before changes of the notification settings will become effective.
8.3.3 Anti-DoS/Flooding
On the Anti-DoS/Flooding tab you can configure certain options aimed at defending
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.
Generally speaking, DoS and DDoS attacks try to make a computer resource unavailable for legitimate requests. In the simplest case, the attacker overloads the server with useless packets in order to overload its performance. Since a large bandwidth is required for such attacks, more and more attackers start using so-called SYN flood attacks, which do not aim at overloading the bandwidth, but at blocking the system resources. For this purpose, they send so-called SYN packets to the TCP port of the service, often with a forged sender address, thus causing the server to spawn a half-open connection by sending back a TCP/SYN-ACK packet and waiting for a TCP/ACK packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests.
Such attacks, however, can be prevented by limiting the amount of SYN (TCP), UDP, and
ICMP packets being sent into your network over a certain period of time.
TCP SYN Flood Protection
To enable SYN (TCP) flood protection, proceed as follows:
1. On the Anti-DoS/Flooding tab, select the checkbox Use TCP SYN Flood Protection.
2. Make the following settings:
Mode: The following modes are available:
• Source and destination addresses: Select this option if you want to drop SYN packets by both their source and destination IP address. First, SYN packets matching the source IP address are restricted to the source packet rate value specified below. Second, if there are still too many requests, they will additionally be filtered according to their destination IP address and restricted to the destination packet rate value specified below. This mode is set as default.
• Destination address only: Select this option if you want to drop SYN packets according to the destination IP address and destination packet rate only.
• Source address only: Select this option if you want to drop SYN packets according to the source IP address and source packet rate only.
Logging: This option lets you select the log level. The following levels are available:
• Off: Select this log level if you want to turn logging completely off.
• Limited: Select this log level to limit logging to five packets per second. This level is set as default.
• Everything: Select this log level if you want verbose logging for all SYN (TCP) connection attempts. Note that SYN (TCP) flood attacks may lead to extensive logging.
Source packet rate: Here you can specify the rate of packets per second that is
allowed for source IP addresses.
Destination packet rate: Here you can specify the rate of packets per second that
is allowed for destination IP addresses.
Note – It is important to enter reasonable values here, for if you set the rate too
high, your webserver, for instance, might fail because it cannot deal with such
an amount of SYN (TCP) packets. On the other hand, if you set the rate too low,
your gateway might show some unpredictable behavior by blocking regular SYN
(TCP) requests. Reasonable settings for every system heavily depend on your hardware. Therefore, replace the default values by numbers that are appropriate
for your system.
3. Click Apply.
Your settings will be saved.
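To see how the three modes, the two packet rates and the log levels interact, here is an added Python model of the procedure above; it is not the UTM's implementation. The per-address token bucket with a burst equal to the configured rate, the mode and log-level names, and the constructed 35-packet SYN stream are assumptions made for this example; the Limited level is modelled as at most five log lines per second, and Everything logs accepted attempts as well as drops.

```python
# Constructed SYN stream: (timestamp in seconds, source IP, destination IP). 30 SYNs in
# 30 ms from one source, then 5 from a second source, all aimed at the same server.
SAMPLE_SYN_STREAM = (
    [(round(0.001 * i, 3), "198.51.100.7", "203.0.113.2") for i in range(30)]
    + [(round(0.030 + 0.001 * i, 3), "198.51.100.8", "203.0.113.2") for i in range(5)]
)


class TokenBucket:
    """Per-key limiter: `rate` tokens per second, burst of `rate` tokens (assumed burst size)."""

    def __init__(self, rate):
        self.rate = float(rate)
        self.capacity = float(rate)
        self.state = {}          # key -> (tokens, last timestamp)

    def allow(self, key, ts):
        tokens, last = self.state.get(key, (self.capacity, ts))
        tokens = min(self.capacity, tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self.state[key] = (tokens - 1.0, ts)
            return True
        self.state[key] = (tokens, ts)
        return False


class SynFloodProtection:
    """Models the guide's Mode / Logging / packet-rate settings for TCP SYN flood protection."""

    MODES = ("source_and_destination", "destination_only", "source_only")
    LOG_LEVELS = ("off", "limited", "everything")

    def __init__(self, mode, logging, source_rate, destination_rate):
        if mode not in self.MODES or logging not in self.LOG_LEVELS:
            raise ValueError("unknown mode or log level")
        self.mode, self.logging = mode, logging
        self.src_limit = TokenBucket(source_rate)        # "Source packet rate"
        self.dst_limit = TokenBucket(destination_rate)   # "Destination packet rate"
        self.log_limit = TokenBucket(5)                  # "Limited": five logged packets per second
        self.log = []

    def _record(self, ts, src, dst, what):
        if self.logging == "off":
            return
        if self.logging == "limited" and not self.log_limit.allow("log", ts):
            return
        self.log.append(f"{ts:.3f} syn-flood {what} src={src} dst={dst}")

    def handle(self, ts, src, dst):
        """Return "forwarded", "dropped_by_source" or "dropped_by_destination" for one SYN."""
        # Stage 1: per-source rate (Source and destination addresses / Source address only).
        if self.mode in ("source_and_destination", "source_only") and not self.src_limit.allow(src, ts):
            self._record(ts, src, dst, "drop(source rate)")
            return "dropped_by_source"
        # Stage 2: per-destination rate for whatever survived stage 1.
        if self.mode in ("source_and_destination", "destination_only") and not self.dst_limit.allow(dst, ts):
            self._record(ts, src, dst, "drop(destination rate)")
            return "dropped_by_destination"
        if self.logging == "everything":    # verbose: accepted attempts are logged as well
            self._record(ts, src, dst, "accept")
        return "forwarded"


def run_stream(protection, stream):
    """Feed a SYN stream through the protection and summarise the verdicts."""
    summary = {"forwarded": 0, "dropped_by_source": 0, "dropped_by_destination": 0}
    for ts, src, dst in stream:
        summary[protection.handle(ts, src, dst)] += 1
    summary["log_lines"] = len(protection.log)
    return summary


if __name__ == "__main__":
    # Deliberately low rates so the constructed burst trips both stages.
    prot = SynFloodProtection("source_and_destination", "limited", 10, 12)
    print(run_stream(prot, SAMPLE_SYN_STREAM))
    for line in prot.log:
        print(line)
```

With a source rate of 10 and a destination rate of 12, the first source loses 20 of its 30 SYNs at stage 1, and the second source, although within its own source rate, loses 3 of 5 at stage 2 because the shared destination bucket is nearly exhausted; this is the "if there are still too many requests" step of the default mode, and it shows why a destination rate set too low also cuts off well-behaved clients.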
UDP Flood Protection
UDP Flood Protection detects and blocks UDP packet floods. The configuration of UDP Flood Protection is identical to TCP SYN Flood Protection.
ICMP Flood Protection
ICMP Flood Protection detects and blocks ICMP packet floods. The configuration of ICMP Flood Protection is identical to TCP SYN Flood Protection.
8.3.4 Anti-Portscan
The Network Protection > Intrusion Prevention > Anti-Portscan tab lets you configure
general portscan detection options.
Portscans are used by hackers to probe secured systems for available services: In order to intrude into a system or to start a DoS attack, attackers need information on network services. If this information is available, attackers might take advantage of the security deficiencies of these services. Network services using the TCP and UDP Internet protocols can be accessed via special ports and this port assignment is generally known, for example the SMTP service is assigned to the TCP port 25. Ports that are used by the services are referred to as open, since it is possible to establish a connection to them, whereas unused ports are referred to as closed; every attempt to connect with them will fail. Attackers try to find the open ports with the help of a particular software tool, a port scanner. This program tries to connect with several ports on the destination computer. If it is successful, the tool displays the relevant ports as open and the attackers have the necessary information, showing which network services are available on the destination computer.
Since there are 65535 distinct and usable port numbers for the TCP and UDP Internet protocols, the ports are scanned at very short intervals. If the gateway detects an unusually large number of attempts to connect to services, especially if these attempts come from the same source address, the gateway is most likely being port scanned. If an alleged attacker performs a scan of hosts or services on your network, the portscan detection feature will recognize this. As an option, further portscans from the same source address can be blocked automatically. Please note that the portscan detection is limited to Internet interfaces, i.e. interfaces with a default gateway.
Technically speaking, a portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The detection score is calculated as follows:
- Scan of a TCP destination port less than 1024 = 3 points
- Scan of a TCP destination port greater or equal 1024 = 1 point
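The scoring rule above, worked through as an added example that is not part of the original guide and is not Sophos code: each TCP connection attempt is scored by its destination port, the score is kept per source IP over a sliding 300 ms window, and a source is flagged as soon as its score exceeds 21 points. The log line format, the addresses, and the inclusive window edge are assumptions made for the example.

```python
from collections import defaultdict, deque

THRESHOLD_POINTS = 21   # a portscan is detected when this score is exceeded
WINDOW_MS = 300         # per individual source IP address


def port_points(dst_port):
    """3 points for a TCP destination port below 1024, 1 point from 1024 upwards."""
    return 3 if dst_port < 1024 else 1


class PortscanDetector:
    """Sliding-window scorer: one queue of (timestamp, points) per source IP."""

    def __init__(self, threshold=THRESHOLD_POINTS, window_ms=WINDOW_MS):
        self.threshold = threshold
        self.window_ms = window_ms
        self._events = defaultdict(deque)
        self._scores = defaultdict(int)

    def observe(self, ts_ms, src, dst_port):
        """Record one TCP connection attempt; return True if src now exceeds the threshold."""
        events = self._events[src]
        # expire attempts that fall outside the window (inclusive edge: an assumption)
        while events and ts_ms - events[0][0] > self.window_ms:
            _, old_points = events.popleft()
            self._scores[src] -= old_points
        points = port_points(dst_port)
        events.append((ts_ms, points))
        self._scores[src] += points
        return self._scores[src] > self.threshold

    def score(self, src):
        """Current windowed score of a source."""
        return self._scores[src]


def flagged_sources(log_lines):
    """Parse constructed lines of the form '<ms> <src-ip> <dst-port>', in time order,
    and return the sources that triggered detection, in the order they were flagged."""
    detector = PortscanDetector()
    flagged = []
    for line in log_lines:
        ts, src, port = line.split()
        if detector.observe(int(ts), src, int(port)) and src not in flagged:
            flagged.append(src)
    return flagged


# Constructed sample log: 203.0.113.5 sweeps eight privileged ports within 70 ms
# (3 points each), 198.51.100.7 is an ordinary client (two high ports, 2 points),
# and 203.0.113.6 probes the same privileged ports but only every 150 ms, so at
# most three of its attempts ever share one 300 ms window (9 points).
SAMPLE_LOG = [
    "0 203.0.113.5 21", "10 203.0.113.5 22", "20 203.0.113.5 23", "30 203.0.113.5 25",
    "35 198.51.100.7 443", "40 203.0.113.5 53", "50 203.0.113.5 80", "60 203.0.113.5 110",
    "65 198.51.100.7 8080", "70 203.0.113.5 143",
] + ["%d 203.0.113.6 %d" % (1000 + 150 * i, port)
     for i, port in enumerate((21, 22, 23, 25, 53, 80, 110, 143))]


if __name__ == "__main__":
    print(flagged_sources(SAMPLE_LOG))   # ['203.0.113.5']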
To enable portscan detection, proceed as follows:
1. On the Anti-Portscan tab, enable Portscan Detection.
Click the toggle switch.
The toggle switch turns green and the Global Settings area becomes editable.
2. Make the following settings:
Action: The following actions are available:
- Log event only: No measures are taken against the portscan. The event will be logged only.
- Drop traffic: Further packets of the portscan will be silently dropped. A port scanner will report these ports as filtered.
- Reject traffic: Further packets of the portscan will be dropped and an ICMP "destination unreachable/port unreachable" response will be sent to the originator. A port scanner will report these ports as closed.
Limit logging: Enable this option to limit the amount of log messages. A portscan detection may generate many logs while the portscan is being carried out. For example, each SYN packet that is regarded as belonging to the portscan will generate an entry in the firewall log. Selecting this option will restrict logging to five lines per second.
3. Click Apply.
Your settings will be saved.
8.3.5 Exceptions
On the Network Protection > Intrusion Prevention > Exceptions tab you can define
source and destination networks that should be excluded from intrusion prevention.
Note – A new IPS exception only applies to new connections. To apply a new IPS
exception to an existing connection, you can for example disconnect or restart the
respective device.
To create an exception, proceed as follows:
1. On the Exceptions tab, click New Exception List.
The Add Exception List dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this exception.
Skip these checks: Select the security checks that should be skipped:
- Intrusion Prevention: When you select this option, the IPS of Sophos UTM will be disabled.
- Portscan Protection: Selecting this option disables the protection from attacks aimed at searching your network hosts for open ports.
- TCP SYN Flood Protection: Once selected, the protection from TCP SYN flooding attacks will be disabled.
- UDP Flood Protection: Once selected, the protection from UDP flooding attacks will be disabled.
- ICMP Flood Protection: Once selected, the protection from ICMP flooding attacks will be disabled.
For all requests: Select at least one condition for which the security checks are
to be skipped. You can logically combine several conditions by selecting either
And or Or from the drop-down list in front of a condition. The following conditions
can be set:
- Coming from these source networks: Select to add source hosts/networks that should be exempt from the security checks of this exception rule. Enter the respective hosts or networks in the Networks box that opens after selecting the condition.
- Using these services: Select to add services that should be exempt from the security checks of this exception rule. Add the respective services to the Services box that opens after selecting the condition.
- Going to these destinations: Select to add hosts/networks that should be exempt from the security checks of this exception rule. Enter the respective hosts or networks in the Destinations box that opens after selecting the condition.
Tip – How to add a definition is explained on the Definitions & Users > Network
Definitions > Network Definitions page.
Comment (optional): Add a description or other information.
3. Click Save.
The new exception appears on the Exceptions list.
4. Enable the exception.
The new exception is disabled by default (toggle switch is gray). Click the toggle
switch to enable the exception.
The exception is now enabled (toggle switch is green).
To either edit or delete an exception, click the corresponding buttons.
Note – If you want to make an intrusion prevention exception for packets with the destination address of the gateway, selecting Any in the Destinations box will not succeed. You must instead select a definition that contains the gateway's IP address, for example the Internal (Address) or the external WAN address.
Note – If you use a UTM proxy, an intrusion prevention exception has to reflect this: A proxy replaces the original source address of a packet with its own address. Thus, to exempt proxied packets from intrusion prevention, you need to add the appropriate UTM interface address definition to the source Networks box.
8.3.6 Advanced
Pattern Set Optimization
Activate file related patterns: By default, patterns against file-based attacks are disabled, as protection against those threats is usually covered by the Antivirus engine. This default setting (disabled) provides maximum performance, whereas enabling this option provides the maximum recognition rate. Enabling file-related patterns may be a sensible option where no other virus protection is available, e.g., Web Protection is turned off or no client Antivirus program is installed.
Manual Rule Modification
In this section, you can configure manual modifications to each IPS rule overwriting the
default policy, which is taken from the attack pattern groups. Such modifications
should be configured by experienced users only.
To create a modified rule, proceed as follows:
1. In the Modified rules box, click the Plus icon.
The Modify Rule dialog box opens.
2. Make the following settings:
Rule ID: Enter the ID of the rule you want to modify. To look up the rule ID, go to the list of IPS rules at the Sophos webserver. (In the folder, look for files with IPS-rules in their names, available for different UTM versions and pattern versions, and both in HTML and XML format.) In addition, they can either be determined from the IPS log or the IPS report.
Disable this rule: When you select this option, the rule of the respective ID will be
disabled.
If you do not select this option, however, the following two options are available:
- Disable notifications: Selecting this option will not trigger a notification in case the rule in question was applied.
- Action: The action each rule is associated with. You can choose between the following actions:
  - Drop: If an alleged attack attempt has been determined, the causing data packets will be dropped.
  - Alert: Unlike the Drop setting, critical data packets are allowed to pass the gateway but will create an alert message in the IPS log.
3. Click Save.
The rule appears in the Modified Rules box. Please note that you also need to click
Apply on the bottom of the page to commit the changes.
Note – If you add a rule ID to the Modified Rules box and set the action to Alert, for example, this modification will only take effect if the group to which the rule belongs is enabled on the Attack Patterns tab. If the corresponding attack pattern group is disabled, modifications to individual IPS rules will have no effect.
Performance Tuning
In addition, to increase the performance of the intrusion prevention system and to minimize the amount of false positive alerts, you can limit the scope of IPS rules to only some of your internal servers. For example, suppose you have activated the HTTP Servers group on the Attack Patterns tab and you have selected a particular HTTP server here. Then, even if the intrusion prevention system recognizes an attack against an HTTP server, the associated action (Drop or Alert) will only be applied if the IP address of the affected server matches the IP address of the HTTP server selected here.
You can limit the scope of IPS rules for the following server types:
- HTTP: All attack pattern groups subsumed under HTTP Servers
- DNS: Attack pattern group DNS
- SMTP: Attack pattern groups Exchange and Sendmail
- SQL: All attack pattern groups subsumed under SQL Servers
8.4 Server Load Balancing
With the server load balancing function you can distribute incoming connections (e.g.,
SMTP or HTTP traffic) to several servers behind the gateway. Balancing is based on the
source IP address with a persistence time of one hour. If the interval between two
requests from the same source IP address exceeds that interval, the balancing is
redecided. The traffic distribution is based on a simple round-robin algorithm.
All servers from the server pool are monitored either by ICMP ping, TCP connection establishment, or HTTP/S requests. In case of a failure the affected server is no longer used for distribution, and any existing source IP persistence to that server is overruled.
Note – A return code of HTTP/S requests must either be 1xx Informational, 2xx
Success, 3xx Redirection, or 4xx Client Error. All other return codes are taken as
failure.
8.4.1 Balancing Rules
On the Network Protection > Server Load Balancing > Balancing Rules tab you can create load balancing rules for Sophos UTM Software. After having created a rule, you can additionally define weight distribution between servers and set interface persistence.
To create a load balancing rule, proceed as follows:
1. On the Balancing Rules tab, click New Load Balancing Rule.
The Add Load Balancing Rule dialog box opens.
2. Make the following settings:
Service: The network service you want to balance.
Virtual server: The original target host of the incoming traffic. Typically, the
address will be the same as the gateway's external address.
Real servers: The hosts that will in turn accept traffic for the service.
Tip – How to add a definition is explained on the Definitions & Users > Network
Definitions > Network Definitions page.
Check type: Select one of the following check types to monitor the service.
- TCP: TCP connection establishment
- UDP: UDP connection establishment
- Ping: ICMP Ping
- HTTP host: HTTP requests
- HTTPS hosts: HTTPS requests
When using UDP a ping request will be sent initially which, if successful, is followed by a UDP packet with a payload of 0. If the ping does not succeed or the server answers with an ICMP port unreachable message, the server is regarded as down. For HTTP and HTTPS requests you can enter a URL, which can either be with or without hostname, e.g. index.html or http://www.example.com/index.html.
Interval: Enter a check interval in seconds. The default is 15 seconds, i.e., every
15 seconds the health status of all real servers is checked.
Timeout: Enter a maximum time span in seconds for the real servers to send a
response. If a real server does not respond during this time, it will be regarded as
dead.
Automatic firewall rules (optional): Select this checkbox to automatically generate firewall rules. These rules allow forwarding traffic from any host to the real servers.
Shutdown virtual server address (optional): If and only if you use an additional address as virtual server for load balancing (see chapter Interfaces > Additional Addresses) this checkbox can be enabled. In case all real servers become unavailable that additional address interface will be automatically shut down.
Comment (optional): Add a description or other information.
3. Click Save.
The new rule appears on the Balancing Rules list.
4. Enable the load balancing rule.
The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule.
The rule is now enabled (toggle switch is green).
To either edit or delete a rule, click the corresponding buttons.
Example: Suppose that you have two HTTP servers in your DMZ with the IP addresses 192.168.66.10 and 192.168.66.20, respectively. Assume further that you want to distribute HTTP traffic arriving on the external interface of your gateway equally to both servers. To set up a load balancing rule, select or create a host definition for each server. You may call them http_server_1 and http_server_2. Then, in the Create New Load Balancing Rule dialog box, select HTTP as Service. In addition, select the external address of the gateway as Virtual server. Finally, put the host definitions into the Real servers box.
Weight Distribution and Interface Persistence
To distribute weight between the load balancing servers and/or to set interface persistence for them, do the following:
1. Click the Edit button of a load balancing rule.
The Edit Load Balancing Rule dialog box opens.
2. Click the Scheduler button on the header of the Real servers box.
The Edit Scheduler dialog window opens.
3. Make the following settings:
Weight: Weight can be set from 0 to 100 and specifies how much traffic is processed by a server relative to all other servers. A weighted round robin algorithm is used for this, a higher value meaning more traffic is routed to the respective server. The values are evaluated relative to each other, so they need not add up to 100. Instead, you can have a configuration, for example, where server 1 has value 100, server 2 has value 50 and server 3 has value 0. Here, server 2 gets only half the traffic of server 1, whereas server 3 only comes into action when none of the other servers is available. A value of zero means that another server with a higher value is always chosen if one is available.
Persistence: Interface persistence is a technique which ensures that subsequent connections from a client are always routed over the same uplink interface. Persistence has a default timeout of one hour. You can also disable interface persistence for this balancing rule.
4. Click Save.
The Edit Scheduler dialog window closes and your settings are saved.
5. Click Save.
The Edit Load Balancing Rule dialog box closes.
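The scheduling rules of this section (weighted round robin in which a weight of zero marks a standby server, and source IP persistence that is re-decided once the interval between two requests exceeds one hour) together with the health-check rule from the introduction to 8.4 (HTTP/S return codes 1xx to 4xx count as alive, everything else as failure), combined into one added example. It is not part of the original guide and is not Sophos code; the smooth weighted round-robin variant, the server names, the timestamps and the client addresses are assumptions made for the example, and the appliance's own scheduler is not documented here.

```python
PERSISTENCE_SECONDS = 3600          # one hour, as in the guide


def healthcheck_ok(status_code):
    """HTTP/S check: 1xx, 2xx, 3xx and 4xx mean the real server is alive; any other
    return code (for example 5xx) is taken as failure."""
    return 100 <= status_code <= 499


class WeightedRoundRobin:
    """Weighted round robin over a real-server pool with source IP persistence.

    servers: mapping of server name -> weight (0..100). Weight 0 servers are only
    chosen when no live server with a higher weight is available.
    """

    def __init__(self, servers, persistence=PERSISTENCE_SECONDS):
        self.weights = dict(servers)
        self.alive = {name: True for name in servers}
        self.persistence = persistence
        self._sticky = {}                               # src ip -> (server, last request time)
        self._credit = {name: 0 for name in servers}    # smooth WRR running totals

    def set_health(self, name, status_code):
        """Feed a health-check result; a failed server drops out of distribution."""
        self.alive[name] = healthcheck_ok(status_code)

    def _candidates(self):
        live = [n for n in self.weights if self.alive[n]]
        weighted = [n for n in live if self.weights[n] > 0]
        return weighted or live        # weight-0 servers act as standby only

    def _next_server(self):
        cands = self._candidates()
        if not cands:
            return None
        # Smooth weighted round robin: every candidate earns its weight, the one with
        # the most credit is chosen and pays back the total. With weights 100/50 this
        # yields server 1, server 2, server 1, ... so server 2 gets half of server 1's share.
        weight = {n: self.weights[n] or 1 for n in cands}   # standby-only pool: equal shares
        total = sum(weight.values())
        for n in cands:
            self._credit[n] += weight[n]
        chosen = max(cands, key=lambda n: self._credit[n])
        self._credit[chosen] -= total
        return chosen

    def pick(self, src_ip, now):
        """Choose the real server for a connection from src_ip arriving at time `now` (seconds)."""
        sticky = self._sticky.get(src_ip)
        if sticky is not None:
            server, last_seen = sticky
            # persistence holds while requests keep arriving within the interval and the
            # server is still alive; a failed server overrules persistence
            if now - last_seen <= self.persistence and self.alive[server]:
                self._sticky[src_ip] = (server, now)
                return server
        server = self._next_server()
        if server is not None:
            self._sticky[src_ip] = (server, now)
        return server


def demo():
    """Run the 100/50/0 configuration from the text on constructed traffic."""
    lb = WeightedRoundRobin({"http_server_1": 100, "http_server_2": 50, "http_server_3": 0})
    spread = [lb.pick("198.51.100.%d" % i, 0) for i in range(6)]   # six distinct clients
    first = lb.pick("203.0.113.9", 10)
    same = lb.pick("203.0.113.9", 1000)                  # within an hour: sticky
    lb.set_health("http_server_1", 503)                  # failed check: out of the pool
    lb.set_health("http_server_2", 404)                  # 4xx still counts as alive
    after_failure = lb.pick("198.51.100.99", 1100)
    lb.set_health("http_server_2", 500)
    standby = lb.pick("203.0.113.9", 1200)               # persistence to a dead server is overruled
    return spread, first, same, after_failure, standby


if __name__ == "__main__":
    print(demo())
```

Across six distinct clients the spread comes out as four connections for server 1 and two for server 2, with the weight-0 server 3 untouched until both others have failed their checks.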
9 VoIP
Voice over Internet Protocol (VoIP) is the routing of voice conversations over the Internet or through any other IP-based network. Sophos UTM offers support for the most frequently employed protocols used to carry voice signals over the IP network:
- SIP
- H.323
9.1 SIP
The Session Initiation Protocol (SIP) is a signaling protocol for the setup, modification, and termination of sessions between two or several communication partners. It is primarily used in setting up and tearing down voice or video calls. To use SIP, you first have to register your IP address and URLs at your ISP. SIP uses UDP or TCP on port 5060 to indicate which IP addresses and port numbers are to be used between the endpoints to exchange media data (video or voice). Since opening all ports for all addresses would cause a severe security issue, the gateway is able to handle SIP traffic on an intelligent basis. This is achieved by means of a special connection tracking helper monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic when the control channel is busy. For that purpose you must specify both a SIP server network and a SIP client network definition in order to create appropriate firewall rules enabling the communication via the SIP protocol.
To enable support for the SIP protocol, proceed as follows:
1. On the SIP tab, enable SIP protocol support.
Click the toggle switch.
The toggle switch turns amber and the Global SIP Settings area becomes editable.
2. Make the following settings:
SIP Server Networks: Here you can add or select the SIP servers (provided by your ISP) the SIP clients should be allowed to connect to; for security reasons, do not select Any. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
SIP Client Networks: Add or select the hosts/networks of the SIP clients that
should be allowed to initiate or respond to a SIP communication. A SIP client is
an endpoint in the LAN that participates in real-time, two-way communications
with another SIP client. How to add a definition is explained on the Definitions &
Users > Network Definitions > Network Definitions page.
Expectation mode: Select how strict the initializing of communication sessions should be:
- Strict: Incoming calls are only allowed from the ISP's registrar, i.e. the IP address the REGISTER SIP message was sent to. Additionally, the UTM only accepts media (voice or video) data sessions from signaling endpoints, i.e., the devices that exchanged the SIP message. Some providers send the media data from another IP address than the SIP message, which will be rejected by the UTM.
- Client/server networks: Incoming calls are allowed from all clients of the defined SIP server or client networks. Media data is accepted from another sender IP address than the one that sent the SIP message, provided that the address belongs to the defined SIP server or client networks.
- Any: Incoming calls as well as media data are permitted from anywhere.
Caution – Using the expectation mode Any without the necessary firewall rules (Network Protection > Firewall > Rules) introduces a serious security risk and opens your appliance up to abuse from the Internet.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green.
To cancel the configuration, click the amber colored toggle switch.
9.2 H.323
H.323 is an international multimedia communications protocol standard published by the International Telecommunication Union (ITU-T) and defines the protocols to provide audio-visual communication sessions on any packet-switched network. H.323 is commonly used in Voice over IP (VoIP) and IP-based videoconferencing.
H.323 uses TCP on port 1720 to negotiate which dynamic port range is to be used between the endpoints when setting up a call. Since opening all ports within the dynamic range would cause a severe security issue, the gateway is able to allow H.323-related traffic on an intelligent basis. This is achieved by means of a special connection tracking helper monitoring the control channel to determine which dynamic ports are being used and then only allowing these ports to pass traffic when the control channel is busy. For that purpose you must specify both an H.323 gatekeeper and a client network definition in order to create appropriate firewall rules enabling the communication via the H.323 protocol.
To enable support for the H.323 protocol, proceed as follows:
1. On the H.323 tab, enable H.323 protocol support.
Click the toggle switch.
The toggle switch turns amber and the Global H.323 Settings area becomes editable.
2. Make the following settings:
H.323 Gatekeeper: Add or select an H.323 gatekeeper. An H.323 gatekeeper controls all H.323 clients (endpoints such as Microsoft's NetMeeting) in its zone. More specifically, it acts as a monitor of all H.323 calls within its zone on the LAN. Its most important task is to translate between symbolic alias addresses and IP addresses. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
H.323 Client: Here you can add or select the host/network to and from which H.323 connections are initiated. An H.323 client is an endpoint in the LAN that participates in real-time, two-way communications with another H.323 client. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green.
To cancel the configuration, click the amber colored toggle switch.
10 Advanced
The tabs of the Network Protection > Advanced menu let you configure additional network protection features such as a generic proxy, SOCKS proxy, and IDENT reverse proxy.
10.1 Generic Proxy
A generic proxy, also known as a port forwarder, combines both features of DNAT and masquerading, forwarding all incoming traffic for a specific service to an arbitrary server. The difference to standard DNAT, however, is that a generic proxy also replaces the source IP address of a request with the IP address of the interface for outgoing connections. In addition, the destination (target) port number can be changed as well.
To add a generic proxy rule, proceed as follows:
1. On the Generic Proxy tab, click New Generic Proxy Rule.
The Add Generic Proxy Rule dialog box opens.
2. Make the following settings:
Interface: Select the interface for incoming connections.
Service: Add or select the service definition of the traffic to be proxied.
Host: Add or select the target host where the traffic should be forwarded to.
Service: Add or select the target service of the traffic to be proxied.
Allowed Networks: Add or select the networks to which port forwarding should
be applied.
Tip – How to add a definition is explained on the Definitions & Users > Network
Definitions > Network Definitions page.
Comment (optional): Add a description or other information.
3. Click Save.
The new rule appears on the Generic Proxy rule list.
4. Enable the generic proxy rule.
The new rule is disabled by default (toggle switch is gray). Click the toggle switch to enable the rule. The rule is now enabled (toggle switch is green).
To either edit or delete a rule, click the corresponding buttons.
10.2 SOCKS Proxy
SOCKS is a versatile Internet protocol that allows client-server applications to transparently use the services of a network firewall. It is used by many client applications behind a firewall to communicate with hosts on the Internet. Examples are IRC/Instant Messaging clients, FTP clients, and Windows SSH/Telnet clients. Those clients behind a firewall wanting to access exterior servers connect to a SOCKS proxy server instead. This proxy server controls the eligibility of the client to access the external server and passes the request on to the server. Your client application must explicitly support the SOCKS 4 or SOCKS 5 protocol versions.
The default port for SOCKS is 1080. Almost all clients have implemented this default
port setting, so it normally does not have to be configured. The differences between
SOCKS and NAT are that SOCKS also allows "bind" requests (listening on a port on
behalf of a client—a feature which is supported by very few clients only) and that
SOCKS 5 allows user authentication.
When enabling the SOCKS proxy, you must define one or more networks which should
have access to the proxy. When you require user authentication, you can also select the
users or groups that should be allowed to use the SOCKS proxy.
Note – Without user authentication, the SOCKS proxy can be used with both the
SOCKS 4 and SOCKS 5 protocols. When user authentication is selected, only SOCKS 5
will work. If you want the proxy to resolve hostnames in SOCKS 5 mode, you must
also activate the DNS proxy, because otherwise DNS resolution will fail.
To configure the SOCKS proxy, proceed as follows:
1. On the SOCKS Proxy tab, enable the SOCKS proxy.
Click the toggle switch.
The toggle switch turns amber and the SOCKS Proxy Options area becomes editable.
2. Make the following settings:
Allowed Networks: Add or select the networks that should be allowed to use the SOCKS proxy. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Enable user authentication: If you select this option, users must provide a user name and password to log in to the SOCKS proxy. Because only SOCKS 5 supports user authentication, SOCKS 4 is automatically disabled.
Allowed Users: Select the users or groups or add new users that should be
allowed to use the SOCKS proxy. How to add a user is explained on the Definitions
& Users > Users & Groups > Users page.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green.
10.3 IDENT Reverse Proxy
The IDENT protocol is used by remote servers for a simple verification of the identity of
accessing clients. Although this protocol is unencrypted and can easily be spoofed,
many services still use (and sometimes require) the IDENT protocol.
To configure the IDENT relay, proceed as follows:
1. On the IDENT Reverse Proxy tab, enable the IDENT relay.
Click the toggle switch.
The toggle switch turns green and the Global Settings area becomes editable.
2. Make the following settings:
Forward to internal hosts (optional): Since IDENT queries are not covered by the gateway's connection tracking, they will get "stuck" if masquerading is used. You can select the Forward to Internal Hosts option to pass on IDENT queries to masqueraded hosts behind the gateway. Note that the actual IP connection will not be forwarded. Instead, the gateway will in turn ask the internal client for an IDENT reply and will forward that string to the requesting server. This scheme will work with most "mini-IDENT" servers built into popular IRC and FTP clients.
Default response: The gateway offers support for answering IDENT requests when you enable the IDENT relay. The system will always reply with the string entered in the Default response box, regardless of the local service that has initiated the connection.
3. Click Apply.
Your settings will be saved.
11 Web Protection
This chapter describes how to configure basic web protection features of Sophos UTM.
The following topics are included in this chapter:
- Web Filtering
- Web Filter Profiles
- Filtering Options
- Policy Test
- Application Control
- FTP
The Web Protection Statistics page in WebAdmin provides an overview of the most
used applications and application categories, the most surfed domains according to
time and traffic as well as the top users surfing. In addition, the top blocked website
categories are shown. Each of the sections contains a Details link. Clicking the link
redirects you to the respective reporting section of WebAdmin, where you can find
more statistical information.
Note – You can find detailed information on how the web usage data is collected and
how the statistics are calculated on the Logging & Reporting > Web Protection > Web
Usage Reports page.
In the Top Applications section, hovering the cursor on an application displays one or two icons with additional functionality:
- Click the Block icon to block the respective application from now on. This will create a rule on the Application Control Rules page. This option is unavailable for applications relevant to the flawless operation of Sophos UTM. WebAdmin traffic, for example, cannot be blocked as this might lead to shutting yourself out of WebAdmin. Unclassified traffic cannot be blocked, either.
- Click the Shape icon to enable traffic shaping of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Bandwidth Pools page. Traffic shaping is not available when viewing the All Interfaces Flow Monitor as shaping works interface-based.
- Click the Throttle icon to enable traffic throttling of the respective application. A dialog window opens where you are asked to define the rule settings. Click Save when you are done. This will create a rule both on the Traffic Selectors and on the Download Throttling page. Download throttling is not available when viewing the All Interfaces Flow Monitor as throttling works interface-based.
11.1 Web Filtering
The tabs of the Web Protection > Web Filtering menu allow you to configure Sophos
UTM as an HTTP/S caching proxy. This includes Antivirus scanning on incoming and out
going web traffic, protecting against Spyware and detecting malicious websites. It can
also control access to websites of different categories, allowing an administrator to
enforce policies regarding access to things such as Gambling, Pornography, or Shop
ping, including blocking these sites or providing a click-though warning page.
Note – Web Filtering does not support HTTP pipelining.
Used in conjunction with Sophos Endpoint Software, Sophos UTM can enforce and monitor these same web policies on endpoint machines that are on external networks. Users can take a laptop home or around the world and the same policies will apply. To enable Endpoint Web Control, see Endpoint Protection > Web Control.
You can still manage your filter actions on the Web Filter Profiles > Filter Actions tab.
There you can add, modify, clone or delete filter actions. But now you can create,
modify, and assign filter actions by launching the Add/Edit Filter Action wizard on the
Web Filtering > Policies tab.
11.1.1 Web Filtering Changes
As of the 9.2 release, Sophos UTM includes a new simplified interface for creating and
managing your web filtering policies. While the interface has changed considerably,
functionality has not changed. All of your existing settings have been preserved and if
you make no changes the system will behave in the exact same way.
Previously, complex web policy involved creating web filtering profiles. These consisted of filter actions, created on the Filter Actions tab, which were then assigned to users and groups through filter assignments on the Filter Assignments tab, and then configured on the Proxy Profiles tab. Now, you can configure all aspects of your web filtering policy, including your default configuration and advanced filtering profiles, from the Web Filtering > Policies tab.
Note – Take some time to familiarize yourself with the new interface and read the fol
lowing overview. While it is different than previous releases, it should be much easier
to create and maintain complex web policies.
11.1.1.1 Some Key Differences
- In 9.1 there were several tabs containing global options under Web Protection > Web Filtering. These tabs have moved to Web Protection > Filtering Options.
- In 9.1 a proxy profile had filter assignments, which allowed you to select different filter actions based on criteria. These are now called filter profiles with policies, which are presented in a table on a second tab of the profile.
- In 9.1 the default profile only supported a single filter assignment (called the default assignment). Now you can have many policies within the default profile.
- In 9.1 every profile had a fallback action. This is now called the base policy; the functionality is the same. The base policy contains the filter action that is used if no other policies match.
- In 9.1 you created filter actions using multiple tabs on the default profile, and a very tall scrolling region for any additional ones. Now all filter actions are created with a multi-tabbed dialog, the Filter Action Wizard.
11.1.1.2 Common Tasks
The following is a brief overview of how you perform common tasks in 9.2 and later
compared to the 9.1 interface.
How do I: Edit the default policy?
  9.1: Configure the various tabs under Web Filtering: Web Filtering > Antivirus/Malware, Web Filtering > URL Filtering, Web Filtering > Advanced
  9.2: Web Filtering > Policies

How do I: Create or edit a proxy profile?
  9.1: Web Filtering Profiles > Proxy Profiles
  9.2: Web Filtering > Web Filtering Profiles

How do I: Assign a filter assignment to a proxy profile?
  9.1: 1. Create a filter action on Web Filtering Profiles > Filter Actions. 2. Create a filter assignment on Web Filtering Profiles > Filter Assignments. 3. Edit or add a proxy profile on Web Filtering Profiles > Proxy Profiles.
  9.2: 1. On Web Filtering Profiles > Filter Profiles, click on the name of a Filter Profile, or create a profile by clicking the green Plus icon. 2. On the Policies tab, click the green Plus icon to add a policy. 3. Select a Filter Action, or click the green Plus icon to create one.

How do I: Create a new filter action for my filter assignment?
  9.1: Web Filtering Profiles > Filter Assignments
  9.2: On Web Filtering > Policies, when creating or editing a policy, click the green Plus icon next to Filter Action.

How do I: Add a website to a blacklist in my default filter action?
  9.1: Web Filtering > URL Filtering, then click the green Plus icon next to Additional URLs/Sites to block.
  9.2: 1. Web Filtering > Policies. 2. Select the Default content filter action. 3. On the Websites tab, click the green Plus icon next to Block these websites.

How do I: Modify advanced settings?
  9.1: Web Filtering > Advanced
  9.2: Filtering Options > Misc

How do I: Manage trusted HTTPS CAs?
  9.1: Web Filtering > HTTPS CAs
  9.2: Filtering Options > HTTPS CAs
11.1.1.3 Migration
When you upgrade to version 9.2, your previous configuration and settings are pre
served and your system will continue to behave the same. However, as the user inter
face has changed considerably, things may not be where you expect them to be. The
Web Filtering menu item contains all the settings you need to apply a set of policies
and actions to a single set of allowed networks. The Web Filter Profiles menu item con
tains corresponding settings, but allows you to create multiple profiles so you can
apply different settings to different networks. All global settings are now on tabs on the
Filtering Options menu item.
Some objects have been renamed. For example, Proxy Profiles are now Filter Profiles
and Filter Assignments are now Policies. The Fallback Action is now called the Base
Policy, as it is the policy/action that occurs if no other policies match. The relationship
between these objects is much clearer, as all Policies are now listed on a tab of the pro
file. The Filter Action can be added or modified using a pop-up tabbed dialog that con
tains everything that can be configured for an action.
One of the limitations of 9.1 is that the default profile could only have one set of users
assigned to it. This has been migrated to a policy called Default content filter profile
assignment with a migrated filter action called Default content filter action. If you had
other filter assignments created, these will now appear as disabled policies in the pro
file.
In 9.1 if you had created a profile just so that you could have multiple assignments you
can simplify your configuration by enabling those policies in the default profile in the
first menu option, making sure that your Allowed Networks is correct, and then deleting
the now unnecessary additional profile.
11.1.2 Global
On the Web Protection > Web Filtering > Global tab you can make the global settings for
the Web Filter.
To configure the Web Filter, proceed as follows:
1. On the Global tab, enable the Web Filter.
Click the toggle switch.
The toggle switch turns green and the Default Web Filter Profile area becomes
editable.
2. Select the allowed networks.
Select the networks that should be allowed to use the Web Filter. By default, the
Web Filter listens for client requests on TCP port 8080 and allows any client from
the networks listed in the Allowed Networks box to connect.
Caution – It is extremely important not to select an Any network object,
because this introduces a serious security risk and opens your appliance up to
abuse from the Internet.
3. Select a mode of operation.
Note that when you select an operation mode that requires user authentication, you need to select the users and groups that shall be allowed to use the Web Filter. The following modes of operation are available:
- Standard mode: In standard mode, the Web Filter will listen for client requests on port 8080 by default and will allow any client from the networks listed in the Allowed Networks box to connect. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.
  Select the default authentication mode:
  - None: Select to not use any authentication.
  - Active Directory SSO: This mode will attempt to authenticate the user that is currently logged into the computer as the user of the proxy (single sign-on). If the currently logged in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM or Kerberos.
  - Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter. The agent can be downloaded from the User Portal. See: User Portal.
  - Apple OpenDirectory SSO: Select when you have configured LDAP on the Definitions & Users > Authentication Services > Servers tab and you are using Apple OpenDirectory. Additionally, you have to upload a Mac OS X Single Sign-On Kerberos keyfile on the Web Protection > Filtering Options > Misc tab for the proxy to work properly. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration. Note that the Safari browser does not support SSO.
  - Basic user authentication: In this mode, each client must authenticate itself against the proxy before using it. For more information on which authentication methods are supported, see Definitions & Users > Authentication Services. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.
  - Browser: When selected, users will be presented a login dialog window in their browser to authenticate themselves with the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, see Management > Customization > Web Messages.
    Note – When using browser authentication, a pop-up will be generated from passthrough.fw-notify.net. Users should ensure passthrough.fw-notify.net is exempt from their browser's pop-up blocker.
  - eDirectory SSO: Select when you have configured eDirectory on the Definitions & Users > Authentication Services > Servers tab.
  Note – For eDirectory Single Sign-On (SSO) modes, the Web Filter caches accessing IP addresses and credentials for up to fifteen minutes; for Apple OpenDirectory and Active Directory SSO it caches only the group information. This is done to reduce the load on the authentication servers. However, it also means that changes to users, groups, or the login status of accessing users may take up to fifteen minutes to be reflected by the Web Filter.
  If you chose an authentication mode that requires user authentication, select Block access on authentication failure to deny access to users that fail authentication.
- Transparent mode: In transparent mode, all connections made by client browser applications on port 80 (and port 443 if SSL is used) are intercepted and redirected to the Web Filter without client-side configuration. The client is entirely unaware of the Web Filter server. The advantage of this mode is that for many installations no additional administration or client-side configuration is necessary. The disadvantage, however, is that only HTTP requests can be processed. Thus, when you select the transparent mode, the client's proxy settings will become ineffective.
  Note – In transparent mode, the Web Filter will strip NTLM authentication headers from HTTP requests. Furthermore, the Web Filter cannot handle FTP requests in this mode. If your clients want to access such services, you must open port 21 in the firewall. Note further that some web servers transmit some data, in particular streaming video and audio, over a port different from port 80. These requests will not be noticed when the Web Filter operates in transparent mode. To support such traffic, you must either use a different mode or enter an explicit firewall rule allowing them.
  Select the default authentication mode:
  - None: Select to not use any authentication.
  - Active Directory SSO: This mode will attempt to authenticate the user that is currently logged into the computer as the user of the proxy (single sign-on). If the currently logged in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM (or Kerberos if Mac). For some environments additional configuration is required on the endpoint. If you are having problems with SSO in transparent mode, please see: Sophos Knowledgebase Article 120791.
    Note – When defining the Active Directory user group, we highly recommend adding the desired entries to the Active Directory groups box by manually entering the plain Active Directory group or user names instead of the LDAP strings. Example: Instead of an LDAP string CN=ads_group1,CN=Users,DC=example,DC=com, just enter the name ads_group1.
    Note – When using Kerberos, only add groups to the Active Directory groups box, as entries for users are not accepted by the Web Filter.
  - Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter.
  - Browser: When selected, users will be presented a login dialog window in their browser to authenticate themselves with the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, see Management > Customization > Web Messages.
    Note – When using browser authentication, a pop-up will be generated from passthrough.fw-notify.net. Users should ensure passthrough.fw-notify.net is exempt from their browser's pop-up blocker.
- Full transparent (optional): Select to preserve the client source IP instead of replacing it with the gateway's IP. This is useful if your clients use public IP addresses that should not be disguised by the Web Filter. The option is only available when running in bridged mode.
  The available authentication modes for Full transparent are the same as for Transparent. See above.
Cross Reference – For more information on configuring browser authentication
in standard mode, see the Sophos Knowledgebase.
When configured to use authentication, you have the option to Block access on authentication failure. If you are using AD SSO and do not block access on failure, an SSO authentication failure will allow unauthenticated access without prompting the user. If you are using Browser authentication and do not block access on authentication failure, there will be an additional Guest login link on the login page to allow unauthenticated access.
4. Enable device-specific authentication.
To configure authentication modes for specific devices, select the Enable device-specific authentication checkbox. Once enabled, you can click the green Plus icon to add device types and associated authentication modes.
5. Click Apply.
Your settings will be saved.
Important Note – When SSL scanning is enabled in combination with the transparent
mode, certain SSL connections are destined to fail, e.g. SSL VPN tunnels. To enable
SSL VPN connections, add the respective target host to the Transparent Mode Skiplist
(see Web Protection > Filtering Options > Misc). Furthermore, to access hosts with a
self-signed certificate you need to create an exception for those hosts, selecting the
option Certificate Trust Check. The proxy will then not check their certificates.
Live Log
The Web Filtering live log gives you information on web requests. Click the Open Live
Log button to open the Web Filtering live log in a new window.
11.1.3 HTTPS
On the Web Protection > Web Filtering > HTTPS tab you can configure how Web Filtering handles HTTPS traffic.
- URL filtering only: Select this option to filter based on domain name for categorization, tags, and whether the site is listed in a whitelist or blacklist.
- Decrypt and scan: Select this option to perform URL filtering and also perform HTTPS decryption for full scanning.
- Decrypt and scan the following: Select this option to perform URL filtering, and to decrypt and scan selected categories or tagged sites.
  - Scan These Tagged Websites: Use this box to select which tagged sites will be decrypted and scanned. Select the folder icon to choose existing tags, or click the plus icon to add a new tag. To add an existing tag, select and drag it to the Scan These Tagged Websites list box.
  - Scan These Categorized Websites: Use this list box to choose which website categories will be decrypted and scanned. Click the trash icon next to a category to remove it from the list. Select the folder icon to list available categories. To add a category, select and drag it to the Scan These Categorized Websites list box.
- Do not proxy HTTPS traffic in transparent mode: Select this option to disable Web Filtering for all HTTPS traffic. Use this option only for transparent mode. When selected, the Web Filter will not proxy any HTTPS traffic. You must also create a firewall rule to allow HTTPS traffic through the UTM.
11.1.4 Policies
Use the Web Protection > Web Filtering > Policies tab to create and manage web filtering policy assignments. Policies are used to apply different filtering actions to specific users, groups, or time periods. These policies apply to the Allowed Networks that are on the Global tab. The first policy that matches the user and time will be applied, with the Base Policy applied if no others match. All profiles have a Base Policy that is always last and cannot be disabled.
To create a new policy, proceed as follows:
1. Click the Plus icon on the upper right.
The Add Policy dialog is displayed.
2. Make the following settings:
Name: Enter a descriptive name for this policy.
Users/Groups: Select the users or user groups that this policy will apply to. You can also create a new user or group. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.
Time event: The policy will be active for the time period you select. Choose Always to enable the policy at all times. You can also click the green Plus icon to create a new time event. Time period definitions are managed on the Definitions & Users > Time Period Definitions tab.
Filter action: Select an existing filter action, which defines the types of web protection you want to apply in a policy. You can also click the green Plus icon to create a new filter action using the Filter Action Wizard. Filter actions can also be managed on the Web Filter Profiles > Filter Actions tab.
Comment (optional): Add a description or other information.
Advanced Settings:
- Apply this policy to requests that have skipped authentication due to an exception: You can create exceptions on the Filtering Options > Exceptions tab, e.g. to skip authentication for automatic updates that cannot use authentication. Select this checkbox to apply this policy to web requests that have skipped authentication.
3. Click Save.
The new policy appears at the top of the Policies list.
4. Enable the policy.
The new policy is disabled by default (toggle switch is gray). Click the toggle
switch to enable the policy. The policy is now enabled (toggle switch is green).
- To modify a policy, click on its name.
- To change the order in which policies are executed, move them up or down in the list by clicking the up or down arrow to the right.
- To modify a filter action, click on the filter action name to display the Edit Filter Action wizard or switch to the Web Filter Profiles > Filter Actions tab.
Cross Reference – Find information about UI changes since UTM version 9.1 in the
Sophos Knowledgebase.
11.1.4.1 Filter Action Wizard
The Add/Edit Filter Action wizard is used to create or edit filter actions for use in your
web policies. You can launch this wizard from the Add Policy or Edit Policy dialogs, or
by clicking on the name of an existing filter action on the Web Filtering > Policies tab.
You can still manage your filter actions on the Web Filter Profiles > Filter Actions tab.
There you can add, modify, clone or delete filter actions. But now you can create,
modify, and assign filter actions by launching the Add/Edit Filter Action wizard on the
Web Filtering > Policies tab.
11.1.4.2 Categories
Configure default settings for controlling access to certain kinds of websites.
Name: Enter a descriptive name for this filter action.
Allow/Block selection: Decide whether your selection of website categories should be allowed or blocked. The following options are available:
- Allow all content, except as specified below.
- Block all content, except as specified below.
If you select Allow all content, except as specified below, then all category groups default to Allow and can be changed to either Warn, Block or Quota. Categories that are not displayed here as part of a category group will also be allowed. If a website is a member of multiple categories and any of the categories are blocked, then the website is blocked.
If you select Block all content, except as specified below, then all category groups default to Block and can be changed to either Warn or Allow. Categories that are not displayed here as part of a category group will also be blocked. If a website is a member of multiple categories and any of the categories are allowed, then the website is allowed.
Note – All site categories that have been set to Quota will count towards available
quota time. Available quota time resets at midnight, or can be reset manually on the
Web Protection > Policy Helpdesk > Quota Status page. You can set the available
quota time on the Additional Options page of the Filter Action wizard.
Block spyware infection and communication: Selecting this option will block the spyware category. If you Block all content, then this is always selected.
Note – Advanced Threat Detection can detect and block additional malware communication. This can be configured in Advanced Protection > Advanced Threat Protection > Global.
Categories: You can set whether you want users visiting websites of each category to
be allowed, warned, blocked, or to count towards the user's available quota time. If you
select Warn or Quota, users browsing to a site in that category will first be presented
with a warning page, but they can proceed to the site if they choose.
Note – There are 107 categories that are by default grouped together into 18 “Filter
Categories”. These can be configured under Web Protection > Filtering Options > URL
Filtering Categories. The Filter Action Wizard displays all Filter Categories that have
been configured.
Uncategorized websites: You can set whether uncategorized websites should be
Allowed, Warned, or Blocked.
Block websites with a reputation below a threshold of: Websites can be classified as
either Trusted, Neutral, Unverified, Suspicious, or malicious, the latter not being listed.
Unclassified websites are referred to as Unverified. You can select which reputation a
website requires in order to be allowed access from your network. Websites below the
selected threshold will be blocked. Note that this option is only available if the first
option on the page is set to Allow.
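The two rules stated above, that the first enabled policy matching user and time wins with the Base Policy as fallback (Policies tab), and that in allow-by-default mode any blocked category blocks a site while in block-by-default mode any allowed category allows it (Categories page), can be checked against a small model. The following Python is an added example written for this guide; it is not Sophos code and not the UTM's actual matching engine. The FilterAction, Policy and FilterProfile classes, the sample school profile, and the use of integer hours in place of time period definitions are assumptions made for illustration, as are the precedence of Quota over Warn over Allow when several categories match and the reputation threshold being applied only to sites that would otherwise be allowed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Verdicts a filter action can return for a request.
ALLOW, WARN, BLOCK, QUOTA = "allow", "warn", "block", "quota"

# Reputation classes in ascending order of trust (Categories page). "malicious"
# is not offered as a threshold in the wizard but still sorts lowest here.
REPUTATION_ORDER = ["malicious", "suspicious", "unverified", "neutral", "trusted"]


@dataclass
class FilterAction:
    """Hypothetical model of the Categories page of one filter action."""
    name: str
    allow_by_default: bool                   # True = "Allow all content, except as specified below"
    category_actions: dict = field(default_factory=dict)   # category -> ALLOW/WARN/BLOCK/QUOTA
    uncategorized: str = ALLOW               # verdict for sites without any category
    min_reputation: Optional[str] = None     # "Block websites with a reputation below a threshold of"

    def decide(self, categories, reputation="unverified"):
        """Verdict for a site carrying the given categories and reputation class."""
        if not categories:
            return self.uncategorized
        fallback = ALLOW if self.allow_by_default else BLOCK
        actions = {self.category_actions.get(c, fallback) for c in categories}
        if self.allow_by_default:
            # Documented: any blocked category blocks the site.
            if BLOCK in actions:
                return BLOCK
            # Assumption: among the remaining verdicts the most restrictive wins.
            if QUOTA in actions:
                return QUOTA
            if WARN in actions:
                return WARN
            # The reputation threshold only exists in allow-by-default mode.
            if self.min_reputation is not None and \
                    REPUTATION_ORDER.index(reputation) < REPUTATION_ORDER.index(self.min_reputation):
                return BLOCK
            return ALLOW
        # Documented: in block-by-default mode any allowed category allows the site.
        if ALLOW in actions:
            return ALLOW
        if WARN in actions:
            return WARN
        return BLOCK


@dataclass
class Policy:
    """Hypothetical model of one row on the Policies tab."""
    name: str
    principals: set                          # user or group names the policy applies to
    action: FilterAction
    time_event: Optional[tuple] = None       # (start_hour, end_hour); None means Always
    enabled: bool = False                    # a new policy is disabled until toggled on

    def matches(self, user, groups, hour):
        if not self.enabled:
            return False
        if not (({user} | set(groups)) & self.principals):
            return False
        if self.time_event is None:
            return True
        start, end = self.time_event
        return start <= hour < end


@dataclass
class FilterProfile:
    policies: list
    base_policy: FilterAction

    def select(self, user, groups, hour):
        """First enabled policy matching user/group and time wins; otherwise the Base Policy."""
        for policy in self.policies:
            if policy.matches(user, groups, hour):
                return policy.action
        return self.base_policy


# Constructed sample configuration (not taken from the manual).
STRICT = FilterAction("strict", allow_by_default=False,
                      category_actions={"Education": ALLOW, "News": WARN}, uncategorized=BLOCK)
LENIENT = FilterAction("lenient", allow_by_default=True,
                       category_actions={"Gambling": BLOCK, "Shopping": WARN, "Games": QUOTA},
                       uncategorized=WARN, min_reputation="neutral")
BASE = FilterAction("base", allow_by_default=True, category_actions={"Gambling": BLOCK})

PROFILE = FilterProfile(
    policies=[
        Policy("students-daytime", {"students"}, STRICT, time_event=(8, 16), enabled=True),
        Policy("staff", {"staff"}, LENIENT, enabled=True),
        # A migrated 9.1 assignment arrives disabled and never matches until enabled.
        Policy("migrated-old-assignment", {"contractors"}, STRICT, enabled=False),
    ],
    base_policy=BASE,
)

if __name__ == "__main__":
    print(PROFILE.select("alice", {"students"}, 10).name)          # strict
    print(PROFILE.select("alice", {"students"}, 20).name)          # base (outside time event)
    print(LENIENT.decide(["Shopping", "Gambling"]))                  # block
    print(STRICT.decide(["Education", "Games"]))                     # allow
```

The select loop stops at the first match, which is why policy order on the tab matters: a broad staff policy placed above a narrow students policy would shadow it. The decide method also shows why "Block all content" is the safer starting point for a restrictive profile: with allow-by-default, a site with an unlisted category is allowed, and only the reputation threshold stands between the user and an unverified host.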
Note – For more information on website reputations, see https://secure2.sophos.com/en-us/threat-center/reassessment-request.aspx. Here, you can request a categorization of yet uncategorized websites or inform yourself about existing categories for Sophos UTM.
Click Next to proceed to the next configuration page, Save to save your configuration, or
Cancel to discard all changes and close the configuration dialog.
11.1.4.3 Websites
Block these websites: If you want to block a specific URL or website, or a subset of
webpages of a specific domain, regardless of its category, define it here. This has the
effect that websites defined here can be blocked even if they belong to a category you
want to allow.
1. Click the Plus icon to open the Add whitelist/blacklist object dialog window.
2. Make the following settings:
- Name: Enter a descriptive name for the whitelist/blacklist object.
- Match URLs based on: Domain: Enter one or more domain names. If you check Include subdomains, subdomains will also be matched (example.com will also match www.example.com and mail.example.com). If you do not select Include subdomains, only an exact domain name will match.
- Match URLs based on: Regular Expression: Enter the regular expressions that you want to use to match against the entire URL. If you check Perform matching on these domains only, you can specify a list of domains that must match before the regular expression is applied. Using a regular expression is useful if you need to match against the path.
  Cross Reference – For detailed information on using regular expressions for web filtering, see the Sophos Knowledgebase.
  Note – Entries must be correct regular expressions. For instance, *.example.com is not valid. If you are trying to match a domain name, try not to use .* as that can expand into the path. For example, the regular expression http://.*example\.com will also match http://www.google.com/search?www.example.com
- Comment (optional): Add a description or other information.
3. Click Save.
Cross Reference – For more information on the end user blocking page, see the
Sophos Knowledgebase.
Allow these websites: If you want to allow a specific URL or website, or a subset of webpages of a specific domain, regardless of its category, define it here. This has the effect that websites defined here can be allowed even if they belong to a category you want to block.
1. Click the Plus icon to open the Add Whitelist/Blacklist Object dialog window.
2. Make the following settings:
- Name: Enter a descriptive name for the whitelist/blacklist object.
- Match URLs based on: Domain: Enter one or more domain names. If you check Include subdomains, subdomains will also be matched (example.com will also match www.example.com and mail.example.com). If you do not select Include subdomains, only an exact domain name will match.
- Match URLs based on: Regular Expression: Enter the regular expressions that you want to use to match against the entire URL. If you check Perform matching on these domains only, you can specify a list of domains that must match before the regular expression is applied. Using a regular expression is useful if you need to match against the path.
  Cross Reference – For detailed information on using regular expressions for web filtering, see the Sophos Knowledgebase.
  Note – Entries must be correct regular expressions. For instance, *.example.com is not valid. If you are trying to match a domain name, try not to use .* as that can expand into the path. For example, the regular expression http://.*example\.com will also match http://www.google.com/search?www.example.com
- Comment (optional): Add a description or other information.
3. Click Save.
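The Domain and Regular Expression matching rules described for Block these websites and Allow these websites above, together with the note on unanchored regexes, can be reproduced in a few lines. The following Python is an added example for this guide, not Sophos code: the WebsiteObject class, the host_matches and is_valid_regex helpers, the sample objects and the anchored pattern ^https?://([a-z0-9-]+\.)*example\.com(/|$) are assumptions made for illustration, and the assumption that Perform matching on these domains only also covers subdomains of the listed domains is the editor's, not the manual's.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def is_valid_regex(pattern):
    """True if the regex engine accepts the pattern (the manual requires valid regexes)."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def host_matches(host, domains, include_subdomains):
    """Domain matching as described for 'Match URLs based on: Domain'."""
    host = host.lower().rstrip(".")
    for d in domains:
        d = d.lower().rstrip(".")
        if host == d or (include_subdomains and host.endswith("." + d)):
            return True
    return False


@dataclass
class WebsiteObject:
    """Hypothetical model of one whitelist/blacklist object (not Sophos code)."""
    name: str
    domains: list = field(default_factory=list)
    include_subdomains: bool = False
    regexes: list = field(default_factory=list)
    regex_domains: list = field(default_factory=list)   # "Perform matching on these domains only"

    def matches(self, url):
        host = urlsplit(url).hostname or ""
        if host_matches(host, self.domains, self.include_subdomains):
            return True
        if not self.regexes:
            return False
        # Assumption: the domain restriction for regexes also covers subdomains.
        if self.regex_domains and not host_matches(host, self.regex_domains, True):
            return False
        # The regex is applied to the entire URL, not only to the host part.
        return any(re.search(rx, url) for rx in self.regexes)


# Constructed sample objects (not from the manual).
EXACT = WebsiteObject("exact", domains=["example.com"])
WITH_SUBS = WebsiteObject("with-subdomains", domains=["example.com"], include_subdomains=True)
# The manual's cautionary pattern: .* runs into the path and query string.
NAIVE = WebsiteObject("naive-regex", regexes=[r"http://.*example\.com"])
# Anchored at the scheme and terminated at the first slash or end of string.
ANCHORED = WebsiteObject("anchored-regex", regexes=[r"^https?://([a-z0-9-]+\.)*example\.com(/|$)"])
# Path matching restricted to one domain, as with "Perform matching on these domains only".
PATH_ONLY = WebsiteObject("admin-paths", regexes=[r"/admin/"], regex_domains=["example.com"])

# The manual's false-positive example.
SEARCH_URL = "http://www.google.com/search?www.example.com"

if __name__ == "__main__":
    print(NAIVE.matches(SEARCH_URL))      # True: the naive regex over-matches
    print(ANCHORED.matches(SEARCH_URL))   # False: the anchored regex stays on the host
    print(is_valid_regex("*.example.com"))   # False: nothing to repeat
```

The naive pattern matches the Google search URL because re.search is unanchored and .* happily consumes the path; anchoring the pattern at the scheme and ending it at the first slash (or end of string) keeps the match on the host. is_valid_regex shows why *.example.com is rejected: a quantifier with nothing to repeat is a syntax error in a regex, not a shell-style glob.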
Control sites tagged in the Website List: For sites that have an associated tag, you can control whether they are allowed, blocked, warned, or count toward available quota time. You can associate a tag with a website on the Web Protection > Web Filter Profiles > Filter Actions > Websites tab.
1. Click the Plus icon to add a new tag, or click the Folder icon to select from exist
ing tags.
2. For each tag, select Allow, Warn, Block, or Quota.
3. Click Save.
11.1.4.4 Downloads
Configure which file types and MIME types are blocked or warned.
Warned File Extensions: If a user tries to download a file with an extension in the Warned file extension list, they will first be presented with a warning page. To add a file extension, click the Plus icon in the Warned file extensions box and enter the file extension you want to warn, for example exe. File extensions should not contain a leading dot.
Blocked File Extensions: If a user tries to download a file with an extension in the Blocked file extension list, they will be blocked. To add a file extension, click the Plus icon in the Blocked file extensions box and enter the file extension you want to block, for example exe. File extensions should not contain a leading dot.
Note – Files within archives (e.g. zip files) will not be scanned for blocked file types or blocked extensions. To protect your network from these within archived files, consider blocking archive file types such as zip, rar, etc. MIME types within archives will be blocked if MIME Blocking Inspects HTTP Body is enabled in Web Protection > Filtering Options > Misc.
Warned MIME Types: If a user tries to download a file of a MIME type listed in the
Warned MIME type list, they will first be presented with a warning page. To add a MIME
type, click the Plus icon in the Warned MIME types box and enter the MIME type. You can
use wildcards (*) in the Warned MIME types list, such as audio/*.
Blocked MIME Types: If a user tries to download a file of a MIME type listed in the Blocked MIME type list, they will be blocked. To add a MIME type, click the Plus icon in the Blocked MIME types box and enter the MIME type. You can use wildcards (*) in the Blocked MIME types list, such as audio/*.
Block downloads larger than: Specify this option to prevent users from downloading
files that exceed the specified size (in MB).
Click Next to proceed to the next configuration page, Save to save your configuration, or
Cancel to discard all changes and close the configuration dialog.
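The interaction of the Downloads page settings (size limit, blocked and warned extension lists, MIME wildcards) and the archive caveat in the note above can be made concrete. The following Python is an added example for this guide, not Sophos code: the DownloadRules class, the sample rule set and the evaluation order (size limit first, then the Block lists, then the Warn lists) are assumptions made for illustration; the manual specifies the lists but not the order in which the proxy consults them.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

ALLOW, WARN, BLOCK = "allow", "warn", "block"


def _extension(filename):
    """File extension without the leading dot, lower-cased ('' if there is none)."""
    name = filename.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _mime_matches(mime_type, patterns):
    """MIME patterns may contain '*' wildcards, e.g. audio/* (as on the Downloads page)."""
    mime_type = mime_type.split(";")[0].strip().lower()   # drop parameters such as charset
    return any(fnmatch.fnmatchcase(mime_type, p.lower()) for p in patterns)


@dataclass
class DownloadRules:
    """Hypothetical model of the Downloads page of one filter action."""
    warned_extensions: set = field(default_factory=set)
    blocked_extensions: set = field(default_factory=set)
    warned_mime_types: list = field(default_factory=list)
    blocked_mime_types: list = field(default_factory=list)
    max_download_mb: Optional[float] = None   # "Block downloads larger than"; None = no limit

    def __post_init__(self):
        # Extensions are entered without a leading dot; normalise defensively anyway.
        self.warned_extensions = {e.lstrip(".").lower() for e in self.warned_extensions}
        self.blocked_extensions = {e.lstrip(".").lower() for e in self.blocked_extensions}

    def check(self, filename, mime_type, size_bytes):
        """Verdict for one HTTP response. Only the outer object is inspected: files inside
        an archive are not unpacked, so a zip carrying an .exe is judged by the zip's own
        extension and MIME type, which is exactly the situation the manual's note warns about."""
        ext = _extension(filename)
        # Assumed order: size limit, then Block lists, then Warn lists.
        if self.max_download_mb is not None and size_bytes > self.max_download_mb * 1024 * 1024:
            return BLOCK
        if ext in self.blocked_extensions or _mime_matches(mime_type, self.blocked_mime_types):
            return BLOCK
        if ext in self.warned_extensions or _mime_matches(mime_type, self.warned_mime_types):
            return WARN
        return ALLOW


# Constructed sample rule set (not from the manual).
RULES = DownloadRules(
    warned_extensions={"exe", ".msi"},          # the dot on .msi is tolerated by normalisation
    blocked_extensions={"scr"},
    warned_mime_types=["audio/*"],
    blocked_mime_types=["application/x-msdownload"],
    max_download_mb=50,
)

if __name__ == "__main__":
    print(RULES.check("setup.exe", "application/octet-stream", 1024))             # warn
    print(RULES.check("tools.zip", "application/zip", 1024))                      # allow: payload inside is invisible
    print(DownloadRules(blocked_extensions={"zip"}).check("tools.zip", "application/zip", 1024))  # block
```

The last two calls are the practical point of the note: with extension rules alone, an executable inside tools.zip is never seen, so either the archive extension itself has to be on the Blocked list or MIME Blocking Inspects HTTP Body has to be enabled under Filtering Options > Misc.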
11.1.4.5 Antivirus
On the Filter Actions > Antivirus page you can configure webfilter settings for antivirus
and active content removal.
Antivirus
Use antivirus scanning: Select the option to have inbound and outbound web traffic
scanned for viruses. Sophos UTM features several antivirus engines:
- Single scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.
- Dual scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with a BasicGuard subscription.
- Block potentially unwanted applications (PUAs): PUAs are programs that are not malicious, but may be unsuitable for a business environment. This feature is only available when using the Sophos anti-virus engine. To allow specific PUAs if you enable blocking, add exceptions on Web Filtering > Filtering Options > PUAs.
Do not scan files larger than: Specify the maximum size of files to be scanned by the
antivirus engine(s). Files exceeding this size will be exempt from scanning.
Tip – If you want to prevent files larger than the maximum scanning size from being
downloaded, set the Block downloads larger than value on the Downloads page.
Active Content Removal
In the Active Content Removal area you can configure the automatic removal of specific web content such as embedded objects in webpages. You can configure the following settings:
- Disable JavaScript: This feature will disable all <SCRIPT> tags in HTML pages, resulting in the deactivation of functions that are embedded in or included from HTML pages.
- Remove embedded objects (ActiveX/Java/Flash): This feature will remove all <OBJECT> tags from HTML pages, stripping off dynamic content including ActiveX, Flash, or Java from incoming HTTP traffic.
  Note – Enabling this will cause downloaded items to be scanned by the scan engine, even if AV scanning is disabled or excluded by an exception. This option can impact website usability.
Click Next to proceed to the next configuration page, Save to save your configuration, or
Cancel to discard all changes and close the configuration dialog.
11.1.4.6 Additional Options
Enforce Website Protection Features
SafeSearch: Certain search providers have a SafeSearch feature that is designed to remove adult content from search results. You can enforce the use of SafeSearch for Google, Bing or Yahoo. When enabled, a provider's SafeSearch will be enforced, and cannot be turned off or bypassed by Web Filter users. To configure this feature, select the provider whose SafeSearch you want to enforce.
Enforce license on image search results: If enabled, search engines will only return
image results that have been labeled as being free to share, modify and reuse.
Enforce allowed domains for Google Apps: Google Apps can block users from accessing certain services unless their Google account is a member of the Google Apps domain. Turning this on enforces this feature, and it cannot be turned off or bypassed by Web Filter users. To configure this feature, select Enforce allowed domains for Google Apps. Then, at the top of the Domains box, click the Plus icon or the Action icon to add or import Google Apps domains.
Cross Reference – Find information about Google application control in the Sophos
Knowledgebase.
Quotas
Enter or change the Allowed minutes for all categories and tags included in quota value.
Note – All site categories and tags that have been set to Quota count towards the available quota time. Available quota time resets at midnight, or can be reset manually on the Web Protection > Policy Helpdesk > Quota Status page.
Network Configuration
You can configure parent proxies, both globally and profile-based (see Web Protection >
Filtering Options > Parent Proxies).
Note – With parent proxies enabled, HTTPS requests are not possible in Transparent
mode when SSL scanning is enabled.
To configure a parent proxy, do the following:
1. Click the Plus icon at the top of the parent proxies list.
The Add Parent Proxy dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the parent proxy.
Comment (optional): Add a description or other information.
Use Proxy for These Hosts: Add hosts to this box for which the parent proxy is to be used, e.g. *.wikipedia.org. Note that you can use wildcard pattern matching here. Regular expressions, however, are not allowed. If you leave the box empty, an asterisk (*) is automatically added when clicking Save, which matches all hosts. Such a proxy definition can therefore be regarded as a fallback proxy which matches when none of the other proxies, if any, do.
Parent proxy: Select or add the network definition of the parent proxy.
Port: The default port for the connection to the parent proxy is 8080. If your parent proxy requires a different port, you can change it here.
Proxy requires authentication: If the parent proxy requires authentication, select
the checkbox and enter username and password in the appearing textboxes.
3. Click Save.
The new parent proxy appears in the Parent Proxies list and on the Web Protection > Filtering Options > Parent Proxies page.
To edit or delete a parent proxy, click the name of the proxy.
Activity Logging
You can select which activities will be logged:
• Log accessed pages: This feature will log information about all pages that have been accessed through the UTM.
• Log blocked pages: This feature will log information about pages that have been blocked from being accessed.
Click Save to save your configuration, or Cancel to discard all changes and close the
configuration dialog.
11.2 Web Filter Profiles
Filter profiles can be used to create various content filtering policies, enabling you to
apply different policies to different addresses of your network. If you wish to apply the
same policies for every network in the company this can be done in Web Protection >
Web Filtering. In addition, each filter profile can have its own user authentication
method.
Multiple filter profiles allow you to control authentication and web content for different networks. For example, you can have a set of policies for your corporate computers using AD SSO, and a different authentication method and set of policies for a guest wireless network.
11.2.1 Filter Profiles
If you want to apply different policies or authentication modes to multiple networks, you can create multiple filter profiles. For example, on your wired network you may only have corporate computers that are integrated with AD, and therefore wish to use Standard mode with an explicit proxy and AD SSO. Your wireless network may have a browser login portal for employees to enter their AD credentials, as well as a guest login that has limited access.
Profiles can be created on the Web Filter Profiles > Filter Profiles tab. When a web request is made, the UTM will look at the source IP and apply the first profile that has a matching Allowed Network and Operation Mode. Traffic from transparent connections will only match if the operation mode is set to Transparent. Traffic redirected to the web filter with a client-side proxy configuration will match either Transparent or Standard mode profiles.
The Default Web Filter Profile is configured on the Web Protection > Web Filtering page. It is listed here to show that it is the last profile that will match. Once a profile is selected, the UTM will perform authentication according to that profile and apply that profile's policy.
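The first-match rule above, as an added example (the code is the editor's, not Sophos's): a Python model of profile selection with constructed profiles, networks and authentication modes. The page does not say what happens when not even the Default Web Filter Profile matches; treating that as "no profile" is an assumption of this example. The case worth noticing is a client on the wired network whose browser has no proxy setting: its intercepted traffic cannot match the Standard-mode AD SSO profile and falls through to the default profile, so it is the default profile's authentication and policy that apply, not the corporate ones.

```python
import ipaddress
from dataclasses import dataclass

# Operation modes as named in the guide.
STANDARD = "standard"            # explicit proxy on TCP 8080
TRANSPARENT = "transparent"      # intercepted on ports 80/443
FULL_TRANSPARENT = "full transparent"

# How a request reached the Web Filter.
INTERCEPTED = "intercepted"      # transparent connection, no client proxy setting
EXPLICIT = "explicit"            # client sent the request to the proxy port


@dataclass(frozen=True)
class FilterProfile:
    name: str
    mode: str
    allowed_networks: tuple        # Allowed Networks box, as CIDR strings
    auth: str                      # default authentication mode of the profile


def select_profile(profiles, default_profile, src_ip, arrival):
    """Return the first profile whose Allowed Networks contain src_ip and
    whose operation mode accepts the way the request arrived.

    Rules taken from the guide: profiles are tried top to bottom and the
    Default Web Filter Profile is tried last; intercepted traffic only
    matches Transparent (or Full transparent) profiles; traffic sent by a
    client-side proxy configuration matches Standard or Transparent
    profiles.  Returning None when nothing matches is an assumption of this
    example; the guide does not describe that case.
    """
    addr = ipaddress.ip_address(src_ip)
    for profile in (*profiles, default_profile):
        in_network = any(addr in ipaddress.ip_network(net, strict=False)
                         for net in profile.allowed_networks)
        if not in_network:
            continue
        if arrival == INTERCEPTED and profile.mode == STANDARD:
            continue            # intercepted traffic never matches a Standard profile
        return profile
    return None


# Constructed example profiles (names and addresses are invented).
WIRED_AD = FilterProfile("Wired corporate", STANDARD, ("10.10.0.0/16",), "Active Directory SSO")
WIFI = FilterProfile("Wireless", TRANSPARENT, ("10.20.0.0/16",), "Browser")
DEFAULT = FilterProfile("Default Web Filter Profile", TRANSPARENT, ("10.0.0.0/8",), "None")
PROFILES = (WIRED_AD, WIFI)


def which(src_ip, arrival):
    """Name of the profile that would handle the request, or None."""
    hit = select_profile(PROFILES, DEFAULT, src_ip, arrival)
    return hit.name if hit else None


if __name__ == "__main__":
    for ip, arrival in (("10.10.5.5", EXPLICIT), ("10.10.5.5", INTERCEPTED),
                        ("10.20.7.7", INTERCEPTED), ("192.168.1.1", EXPLICIT)):
        print(f"{ip:14} {arrival:12} -> {which(ip, arrival)}")
```

If the default profile is more permissive than the corporate one, the second case is a policy bypass a user can trigger simply by clearing the browser's proxy setting; giving the wired network a Transparent profile of its own, or making the default profile at least as strict, closes it.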
To create a filter profile:
1. Click the Plus icon on the upper right.
The Add Profile wizard opens.
2. Enter a Name and Comment.
3. Select the allowed networks.
Select the networks that should be allowed to use the Web Filter. By default, the
Web Filter listens for client requests on TCP port 8080 and allows any client from
the networks listed in the Allowed Networks box to connect.
4. Select the allowed endpoint groups.
If Endpoint Web Control is enabled, select the endpoint groups that should be
allowed to use the Web Filter.
5. Select a mode of operation.
Note that when you select an operation mode that requires user authentication, you need to select the users and groups that shall be allowed to use the Web Filter. The following modes of operation are available:
• Standard mode: In standard mode, the Web Filter will listen for client requests on port 8080 by default and will allow any client from the networks listed in the Allowed Networks box to connect. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration.
Select the default authentication mode.
  • None: Select to not use any authentication.
  • Active Directory SSO: This mode will attempt to authenticate the user that is currently logged into the computer as the user of the proxy (single sign-on). If the currently logged-in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM or Kerberos.
  • Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter. The agent can be downloaded from the User Portal. See: User Portal.
  • Apple OpenDirectory SSO: Select when you have configured LDAP on the Definitions & Users > Authentication Services > Servers tab and you are using Apple OpenDirectory. Additionally, you have to upload a Mac OS X Single Sign-On Kerberos keyfile on the Web Protection > Filtering Options > Misc tab for the proxy to work properly. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration. Note that the Safari browser does not support SSO.
  • Basic user authentication: In this mode, each client must authenticate itself against the proxy before using it. For more information on which authentication methods are supported, see Definitions & Users > Authentication Services. When used in this mode, clients must have specified the Web Filter as HTTP proxy in their browser configuration. Note that with basic authentication the browser sends username and password to the proxy in a Proxy-Authorization header that is only base64-encoded, so anyone able to read traffic between client and proxy can recover them.
  • Browser: When selected, users will be presented a login dialog window in their browser to authenticate themselves with the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, see Management > Customization > Web Messages.
Note – When using browser authentication, a pop-up will be gen
erated from passthrough.fw-notify.net. Users should ensure
passthrough.fw-notify.net is exempt from their browser's pop-up
blocker.
  • eDirectory SSO: Select when you have configured eDirectory on the Definitions & Users > Authentication Services > Servers tab.
Note – For eDirectory Single Sign-On (SSO) modes, the Web Filter caches accessing IP addresses and credentials for up to fifteen minutes; for Apple OpenDirectory and Active Directory SSO it caches only the group information. This is done to reduce the load on the authentication servers. However, it also means that changes to users, groups, or the login status of accessing users may take up to fifteen minutes to be reflected by the Web Filter.
If you chose an authentication mode that requires user authentication, select Block access on authentication failure to deny access to users that fail authentication.
• Transparent mode: In transparent mode, all connections made by client browser applications on port 80 (and port 443 if SSL is used) are intercepted and redirected to the Web Filter without client-side configuration. The client is entirely unaware of the Web Filter server. The advantage of this mode is that for many installations no additional administration or client-side configuration is necessary. The disadvantage, however, is that only HTTP requests can be processed. Thus, when you select the transparent mode, the client's proxy settings will become ineffective.
Note – In transparent mode, the Web Filter will strip NTLM authentication headers from HTTP requests. Furthermore, the Web Filter cannot handle FTP requests in this mode. If your clients want to access such services, you must open port 21 in the firewall. Note further that some web servers transmit some data, in particular streaming video and audio, over a port different from port 80. These requests will not be noticed when the Web Filter operates in transparent mode. To support such traffic, you must either use a different mode or enter an explicit firewall rule allowing it.
  • None: Select to not use any authentication.
  • Active Directory SSO: This mode will attempt to authenticate the user that is currently logged into the computer as the user of the proxy (single sign-on). If the currently logged-in user is a valid AD user with permission to use the proxy, the authentication should occur with no user interaction. You must have configured Active Directory Single Sign-On (SSO) on the Definitions & Users > Authentication Services > Servers tab. Clients can authenticate with NTLM (or Kerberos on Mac). For some environments additional configuration is required on the endpoint. If you are having problems with SSO in transparent mode, please see Sophos Knowledgebase Article 120791.
Note – When defining the Active Directory user group, we highly recommend adding the desired entries to the Active Directory groups box by manually entering the plain Active Directory group or user names instead of the LDAP strings. Example: Instead of the LDAP string CN=ads_group1,CN=Users,DC=example,DC=com, just enter the name ads_group1.
Note – When using Kerberos, only add groups to the Active Directory groups box, as entries for users are not accepted by the Web Filter.
  • Agent: Select to use the Sophos Authentication Agent (SAA). Users need to start the agent and authenticate in order to be able to use the Web Filter.
  • Browser: When selected, users will be presented a login dialog window in their browser to authenticate themselves with the Web Filter. This mode allows for username-based tracking, reporting, and surfing without client-side browser configuration. Moreover, you can enable a disclaimer that is additionally displayed on that dialog window and needs to be accepted by users to be able to go on. For more information on the disclaimer, see Management > Customization > Web Messages.
Note – When using browser authentication, a pop-up will be generated from passthrough.fw-notify.net. Users should ensure passthrough.fw-notify.net is exempt from their browser's pop-up blocker.
• Full transparent (optional): Select to preserve the client source IP instead of replacing it by the gateway's IP. This is useful if your clients use public IP addresses that should not be disguised by the Web Filter. The option is only available when running in bridged mode.
The available authentication modes for Full transparent are the same as for Transparent. See above.
Cross Reference – For more information on configuring browser authentication
in standard mode, see the Sophos Knowledgebase.
When configured to use authentication, you have the option to Block access on
authentication failure. If you are using AD SSO and do not block access on failure,
an SSO authentication failure will allow unauthenticated access without prompt
ing the user. If you are using Browser authentication and do not block access on
authentication failure, there will be an additional Guest login link on the login page
to allow unauthenticated access.
6. Enable device-specific authentication.
To configure authentication modes for specific devices, select the Enable device-specific authentication checkbox. Once enabled, you can click the green Plus icon to add device types and associated authentication modes.
7. Click Next, or select Policies from the top of the wizard.
8. Review and create policies for your filter profile.
To create a new policy, proceed as follows:
1. Click the Plus icon on the upper right.
The Add Policy dialog is displayed.
2. Make the following settings:
Name: Enter a descriptive name for this policy.
Users/Groups: Select the users or user groups that this policy will apply to.
You can also create a new user or group. How to add a user is explained on
the Definitions & Users > Users & Groups > Users page.
Time event: The policy will be active for the time period you select. Choose
Always to enable the policy at all times. You can also click the green Plus
icon to create a new time event. Time period definitions are managed on
the Definitions & Users > Time Period Definitions tab.
Filter action: Select an existing filter action, which defines the types of web
protection you want to apply in a policy. You can also click the green Plus
icon to create a new filter action using the Filter Action Wizard. Filter
actions can also be managed on the Web Filter Profiles > Filter Actions tab.
Comment (optional): Add a description or other information.
Advanced Settings:
• Apply this policy to requests that have skipped authentication due to an exception: You can create exceptions on the Filtering Options > Exceptions tab to e.g. skip authentication for automatic updates that cannot use authentication. Select this checkbox to apply this policy to web requests that have skipped authentication.
3. Click Save.
The new policy appears at the top of the Policies list.
4. Enable the policy.
The new policy is disabled by default (toggle switch is gray). Click the
toggle switch to enable the policy. The policy is now enabled (toggle switch
is green).
9. Click Save.
The new profile appears on the Filter Profiles list.
Important Note – When SSL scanning is enabled in combination with the transparent mode, certain SSL connections are destined to fail, e.g. SSL VPN tunnels. To enable SSL VPN connections, add the respective target host to the Transparent Mode Skiplist (see Web Protection > Filtering Options > Misc). Furthermore, to access hosts with a self-signed certificate you need to create an exception for those hosts, selecting the option Certificate Trust Check. The proxy will then not check their certificates at all, so keep such exceptions limited to the specific hosts that need them.
To either edit or delete a filter profile, click the name of the profile in the list.
11.2.2 Filter Actions
On the Web Filter Profiles > Filter Actions tab you can create and edit a set of web protection configuration settings that can be used to customize different types and levels of protection. Filter actions can be assigned to different users and user groups, providing a flexible way to control web access.
You can create a new filter action by clicking the New Filter Action button, or edit an
existing filter action by clicking the corresponding Edit button. Either of these actions
will launch the Filter Action Wizard. For more information, see Web Filtering > Policies >
Filter Action Wizard.
On the Filter Actions page you can also search, clone, delete or browse the list of exist
ing filter actions.
11.2.3 Parent Proxies
Some network topologies require an upstream web proxy server. On the Web Protection
> Web Filter Profiles > Parent Proxies page you can configure a parent proxy.
To configure a parent proxy, do the following:
1. Click New Parent Proxy.
The Add Parent Proxy dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this parent proxy.
Comment (optional): Add a description or other information.
Use Proxy for These Hosts: Add hosts to this box for which the parent proxy is to be used, e.g. *.wikipedia.org. Note that you can use wildcard pattern matching here. Regular expressions, however, are not allowed. If you leave the box empty, an asterisk (*) is automatically added when clicking Save, which matches all hosts. Such a proxy definition can therefore be regarded as a fallback proxy which matches when none of the other proxies, if any, do.
Parent proxy: Select or add the network definition of the parent proxy.
Port: The default port for the connection to the parent proxy is 8080. If your parent proxy requires a different port, you can change it here.
Proxy requires authentication: If the parent proxy requires authentication, select
the checkbox and enter username and password in the appearing textboxes.
3. Click Save.
The new parent proxy appears on the Parent Proxies list.
The proxy can now be used in filter actions or globally.
To either edit or delete a parent proxy, click the corresponding buttons.
11.3 Filtering Options
On the Web Protection > Filtering Options page you can configure various options to
web filtering. The tabs accessible from this page allow you to configure exceptions to
filtering, users that can bypass filtering, filtering categories, HTTPS certificates and
authorities, and various other options.
11.3.1 Exceptions
On the Web Protection > Filtering Options > Exceptions tab you can define whitelisted client networks, users/groups, and domains. All entries contained in these lists can be excluded from certain web protection services.
To create an exception, proceed as follows:
1. On the Exceptions tab, click New Exception List.
The Add Exception List dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this exception.
Comment (optional): Add a description or other information.
Skip These Checks: Select the security checks that should be skipped:
• Authentication: If the Web Filter runs in an authentication mode, you can skip authentication for the source hosts/networks or target domains.
• Caching: Select to disable caching for specific domains or source hosts/networks.
• Block by download size: Select to disable blocking content according to the size of the download.
• Antivirus: Select to disable virus scanning, which checks web content for unwanted code such as viruses, trojan horses and the like.
• Refer to Sandstorm: Select to disable sending files to the Sophos Sandstorm service for analysis.
• Extension blocking: Select to disable the file extension filter, which can be used to block content that contains certain types of files based on their extensions.
• MIME type blocking: Select to disable the MIME type filter, which can be used to block content that has a certain MIME type.
• URL filter: Select to disable the URL filter, which controls the access to certain kinds of websites.
• Content removal: Select to bypass the removal of special content in webpages such as embedded objects (e.g., multimedia files) or JavaScript.
• SSL scanning: Select to skip SSL scanning for the requested webpage. This is useful with online banking websites or with websites that do not play well with SSL interception. Note that for technical reasons this option does not work for any transparent Web Filter mode. With transparent mode, use the Transparent Mode Skiplist instead (see Filtering Options > Misc tab). In standard mode, exceptions can only be made based on the destination host or IP address, depending on what the client sends. With exceptions based on categories, only the hostname, not the whole URL, will be classified.
• Certificate trust check: Select to skip the trust check of the HTTPS server certificate. Note that, when the Web Filter works in transparent mode with authentication, skipping the certificate trust check based on a users/groups match (For all requests Coming from these users/groups) is technically impossible.
• Certificate date check: Select to skip the check of whether the HTTPS certificate's date is valid.
The following two options are useful if there are persons whose activities must not be logged at all:
• Accessed pages: Select to not log pages that have been accessed. Those page requests will also be excluded from reporting.
• Blocked pages: Select to not log pages that have been blocked. Those page requests will also be excluded from reporting.
Some software updates, and similar types of downloads, can be interrupted if a progress page is displayed. If you are having problems with software updates, or if some downloads never finish, select the following option.
• Do not display Download/Scan progress page: Select to disable downloading and scanning progress pages.
For all requests: Select at least one condition for which the security checks are to be skipped. You can logically combine several conditions by selecting either And or Or from the drop-down list in front of a condition. The following conditions can be set:
• Coming from these source networks: Select to add source hosts/networks that should be exempt from the security checks of this exception rule. Enter the respective hosts or networks in the Hosts/Networks box that opens after selecting the condition.
• Coming from these source endpoint groups: Select to add computer groups (see Endpoint Protection > Computer Management > Manage Groups tab) that should be exempt from the security checks of this exception rule. Enter the respective groups in the Source Endpoint Groups box that opens after selecting the condition.
• Matching these URLs: Select to add target domains that should be exempt from the security checks of this exception rule. Add the respective domains to the Target Domains box that opens after selecting the condition. Regular expressions are allowed here. Example: ^https?://[^.]*\.domain.com matches HTTP(S) connections to all subdomains of the domain. Note that this pattern is anchored only at the start, so it also matches URLs whose host merely begins with a subdomain of the domain (for example www.domain.com.example.net), and the unescaped dots in domain.com match any character. Escape the dots and anchor the end of the host part if the exception must not extend beyond the intended hosts.
Cross Reference – For detailed information on using regular expressions
for web filtering, see the Sophos Knowledgebase.
Note – When using Transparent mode with SSL scanning enabled, you
need to enter the target domain(s) as IP addresses. Otherwise the excep
tion will fail for technical reasons.
• Coming from these users/groups: Select to add users or user groups that should be exempt from the security checks of this exception rule. Enter the respective users or groups in the Users/Groups box that opens after selecting the condition. Note that this condition cannot match in Standard mode without authentication, because no user is known for the request.
• Going to these categories of websites: Select to skip security checks for certain categories. Then select the categories from the list that opens after selecting the condition.
• Coming from these user agents: Select to skip security checks for requests by user agent strings. Regular expressions are allowed. Keep in mind that the User-Agent header is chosen by the client, so any program that sends a matching string can claim such an exception.
• Going to websites tagged as: Select to skip security checks for associated tags. Click the Plus icon to create a new tag or click the Folder icon to choose from existing tags.
3. Click Save.
The new exception appears on the Exceptions list.
To either edit or delete an exception, click the corresponding buttons.
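The regular expression from the Matching these URLs condition above, as an added example (editor's code, not Sophos's): Python's re module stands in for the Web Filter's matcher, whose exact dialect the page does not state, but start-only anchoring and an unescaped dot behave the same way in any dialect. The pattern as printed exempts any URL whose host merely starts with a subdomain of domain.com, so a host such as www.domain.com.attacker.example (invented for this example) skips every check selected in the exception. The tightened pattern is the editor's suggestion, not Sophos guidance.

```python
import re

# Pattern exactly as printed in the guide: anchored at the start only, and the
# dots in "domain.com" are unescaped, so each "." matches any character.
GUIDE_PATTERN = r"^https?://[^.]*\.domain.com"

# Tightened pattern (editor's suggestion): escaped dots, any number of labels
# before domain.com, and the host must end right after the domain (optionally a
# port), so domain.com cannot be a mere prefix of a longer host name.
STRICT_PATTERN = r"^https?://([a-z0-9-]+\.)*domain\.com(:\d+)?(/|$)"


def is_exempt(pattern, url):
    """True if the exception pattern matches the URL (case-insensitive)."""
    return re.search(pattern, url, re.IGNORECASE) is not None


# Constructed test URLs; attacker.example and domainXcom are invented.
URLS = (
    "http://www.domain.com/index.html",
    "https://mail.domain.com:8443/login",
    "http://domain.com/",                          # apex domain, no subdomain
    "http://www.domain.com.attacker.example/",     # domain.com only as a prefix
    "http://www.domainXcom/",                      # unescaped dot matches "X"
    "http://www.domain.com@attacker.example/",     # userinfo trick
)


def compare(urls=URLS):
    """Map each URL to (matches guide pattern, matches strict pattern)."""
    return {u: (is_exempt(GUIDE_PATTERN, u), is_exempt(STRICT_PATTERN, u))
            for u in urls}


if __name__ == "__main__":
    for url, (loose, strict) in compare().items():
        print(f"{url:45} guide={loose!s:5} strict={strict!s:5}")
```

Because an exception turns off the selected checks (antivirus, URL filter, SSL scanning and so on) for everything it matches, a pattern that matches three attacker-controlled hosts out of six is a filter bypass, not a convenience. Note also that the guide's pattern does not match the bare apex domain.com; the strict one does, which is usually what is wanted.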
11.3.2 Websites
On the Web Protection > Filtering Options > Websites tab you can maintain lists of sites
for which you want to override the default category, reputation, or associate a tag with
the site.
To add an entry to the Local Site List:
1. Click the Add Site button.
2. Enter the sites you wish to override or tag.
The text box in the Add Local Site(s) dialog will accept URLs, domains, IP
addresses, or CIDR ranges.
3. Optionally, select the Include subdomains checkbox.
Selecting this checkbox will apply the overrides to all subdomains. For instance,
if you add example.com and select the Include subdomains checkbox,
mail.example.com will be included in the override.
4. Select a Category or Reputation to override.
You can override either Category, Reputation, or both. Sites defined in the Local
Site List are processed by filter actions using these overridden values.
5. Select a Tag to associate with the sites.
You can click on the Plus icon to create a new tag or click on the Folder icon to
choose from existing tags. Sites tagged here can be controlled by creating a Filter Action that references the tag.
6. Optionally, add a comment.
For large lists of sites you can page through entries by using the Next and Previous
icons at the top of the tab, or search for items using the search text box. To delete
entries click the Delete icon next to the entry, or select multiple items and click the
Delete icon at the top of the list.
Sites which have an associated tag can be controlled for blocked or allowed websites on the Web Protection > Web Filter Profiles > Filter Action > Websites tab, section Control sites tagged in the Website List.
Cross Reference – Find information about HTTP proxy site reclassification on Sophos
UTM in the Sophos Knowledgebase.
11.3.3 Bypass Users
On the Web Protection > Filtering Options > Bypass Users tab you can specify which
users are allowed to bypass block pages.
To add an existing group or user:
1. Click the Folder icon next to Users/Groups Allowed to Bypass Blocking.
The list of existing users and groups appears in the left navigation pane.
2. Select and drag the user or group to the Users/Groups Allowed to Bypass Blocking box.
The item will now be listed on the Bypass Users tab.
To add a new user:
1. Click the green Plus icon next to Users/Groups Allowed to Bypass Blocking.
The Add User dialog window appears.
2. Enter user information into the Add User dialog window.
How to add a user is explained on the Definitions & Users > Users & Groups > Users
page.
3. Click Apply.
Your settings will be saved.
11.3.4 Potentially Unwanted Applications
On the Web Protection > Filtering Options > PUAs tab you can maintain lists of authorized Potentially Unwanted Applications (PUAs). Your UTM can identify applications that are potentially unwanted in a business environment and block them. To allow specific PUAs when blocking is enabled, add the name as reported in the block page or the logs.
To add an entry to the Authorized PUAs list:
1. Click the Plus icon on the Authorized PUAs list.
2. Enter the PUA definition.
To find PUA definitions, go to Logging & Reporting > Web Protection > Web Usage
Report and select PUA Downloaders from the Available Reports drop-down list.
3. Click Apply.
By clicking the Open Actions menu icon, next to the green Plus icon, you can import or
export a text list of PUAs and clear the Authorized PUAs list.
Cross Reference – Find information about configuring PUA blocking on Sophos UTM in
the Sophos Knowledgebase.
11.3.5 Categories
On the Web Protection > Filtering Options > Categories tab you can customize the mapping of website categories to category groups, which can be selected on the Filter Action tab or on the Website Filtering page. Sophos UTM can identify and block access to different categories of websites. Sophisticated URL classification methods ensure accuracy and completeness in identifying questionable websites. If a user requests a webpage that is not included in the database, the URL is sent to the web crawlers and classified automatically.
Note – If you are of the opinion that a website is wrongly categorized, you can use the
following URL report form to suggest new categories.
To assign website categories to a category group, proceed as follows:
1. Click Edit in the category group you want to edit.
The Edit Filter Category dialog box opens.
2. Select the subcategories.
Select or clear the checkboxes of the subcategories you want to add to or
remove from the group.
3. Click Save.
The group will be updated with your settings.
Alternatively, you can also create a new filter category. Proceed as follows:
1. Click the New Filter Category button on the top of the page.
The Add Filter Category dialog box opens.
2. Enter a name.
Enter a descriptive name for the new filter category.
3. Select the subcategories.
Select the checkboxes of the subcategories you want to add to the group.
4. Click Save.
The group will be updated with your settings.
To either edit or delete a category, click the corresponding buttons.
11.3.6 HTTPS CAs
On the Web Protection > Filtering Options > HTTPS CAs tab you can manage Signing and
Verification Certificate Authorities (CAs) for HTTPS connections.
Signing CA
In this area you can upload your Signing CA certificate, regenerate the Signing CA certificate, or download the existing Signing CA certificate. By default, the Signing CA certificate is created according to the information provided during setup, i.e. it is consistent with the information on the Management > System Settings > Organizational tab, unless there have been any changes applied since.
To upload a new Signing CA certificate, proceed as follows:
1. Click the button Upload.
The Upload PKCS#12 Certificate File dialog window opens.
2. Browse for the certificate to upload.
Click the Folder icon next to the File box, click Browse in the opening Upload File
dialog window, select the certificate to upload and click Start Upload.
You can only upload certificates in PKCS#12 format which are password protected.
3. Enter the password.
Enter the password twice into the corresponding fields and click Save.
The new Signing CA certificate will be installed.
To regenerate your Signing CA certificate, proceed as follows:
1. Click the button Regenerate.
The Create New Signing CA dialog box opens.
2. Change the information.
Change the given information according to your needs and click Save.
The new Signing CA certificate will be generated. The Signing CA information in
the Signing CA area will change accordingly.
To download the Signing CA certificate, proceed as follows:
1. Click the button Download.
The Download Certificate File dialog window opens.
2. Select the file format to download.
You can choose between two different formats:
• PKCS#12: This format will be encrypted, so enter an export password.
• PEM: Unencrypted format.
3. Click Download.
The file will be downloaded.
If you use certificates for your internal webservers signed by a custom CA, it is advisable to upload this CA certificate to WebAdmin as Trusted Certificate Authority. Otherwise users will be prompted with an error message by the Web Filter claiming to be confronted with an untrustworthy server certificate.
To facilitate supplying client PCs with the proxy CA certificate, users can download the
certificate themselves via http://passthrough.fw-notify.net and install it in their
browser. The website request is directly accepted and processed by the proxy. It is
therefore necessary to enable the Web Filter on the Web Protection > Web Filtering >
Global tab first.
Note – If the proxy is not operating in Transparent Mode, the proxy has to be enabled in the user's browser. Otherwise the certificate download link will not be accessible.
Alternatively, if the User Portal is enabled, users can download the proxy CA certificate
from the User Portal, tab HTTPS Proxy.
Preventing HTTPS Problems
When using HTTPS scanning, Windows system programs like Windows Update and Windows Defender will not be able to establish connections because they run with system user rights, and this user, by default, does not trust the proxy CA. It is therefore necessary to import the HTTPS proxy CA certificate for the system user. Do the following:
1. In Windows, open the Microsoft Management Console (mmc).
2. Click on the File menu and then Add/Remove Snap-in.
The Add or Remove Snap-ins dialog window opens.
3. Click Add at the bottom of the window.
The dialog window Add Standalone Snap-In opens.
4. Select Certificates from the list and click Add.
A wizard appears.
5. Select Computer account and click Next.
6. Make sure that Local computer is selected and click Finish and then Close.
The first dialog window now contains the item Certificates (Local Computer).
7. Click OK.
The dialog window closes and the Console Root now contains the item Certificates (Local Computer).
8. In the Console Root window on the left open Certificates > Trusted Root Certification Authorities, right-click Certificates and select All Tasks > Import from the context menu.
The import dialog wizard opens.
9. Click Next.
The next wizard step is displayed.
10. Browse to the previously downloaded HTTPS proxy CA certificate, click Open and
then Next.
The next wizard step is displayed.
11. Make sure that Place all certificates in the following store is selected and click
Next and Close.
The wizard reports the import success.
12. Confirm the wizard's message.
The proxy CA certificate is now displayed among the trusted certificates.
13. Save the changes.
Click on the File menu and then Save to save the changes on the Console Root.
After importing, the CA is accepted system-wide and connection problems resulting from the HTTPS proxy should not occur.
Verification CAs
This area allows you to manage Verification CAs. Those are Certificate Authorities you trust in the first place, i.e. websites presenting valid certificates signed by these CAs are regarded trustworthy by the HTTPS proxy.
Local Verification CAs: You can upload Verification CAs additionally to the CA list
below. Proceed as follows:
1. Click the Folder icon next to the Upload local CA field.
The Upload File dialog window opens.
2. Select the certificate to upload.
Click Browse and select the CA certificate to upload. Only PEM certificate extensions are supported.
3. Upload the certificate.
Click Start Upload to upload the selected CA certificate.
The certificate will be installed and displayed in the Local Verification CAs area.
Global verification CAs: The list of Verification CAs shown here is identical to the Verification CAs pre-installed by Mozilla Firefox. However, you can disable one or all Verification CAs of the list if you do not regard them as trustworthy. To revoke a CA's certificate click its toggle switch. The toggle switch turns gray and the HTTPS proxy will no longer accept websites signed by this CA.
Tip – Click the blue Info icon to see the fingerprint of a CA.
The HTTPS proxy will present a "Blocked Content" error page to a client if the CA is
unknown or disabled. However, you can create an exception for such pages: either via
the Create Exception link on the error page of the Web Filter or via the Web Protection >
Filtering Options > Exceptions tab.
Note – When clicking the Create Exception link on the Web Filter error page a login dialog window is presented. Only users with admin rights are allowed to create exceptions.
11.3.7 Misc
The Web Protection > Filtering Options > Misc tab contains various other configuration
options of the Web Filter such as caching, streaming, or port settings.
Misc Settings
Web filtering port: Here you can define the port number that the Web Filter will use for
client requests. The default is 8080.
Note – This only applies if you do not operate the proxy in transparent mode.
Detect HTTP loopback: This option is enabled by default. Only disable HTTP Loopback
detection if you have a DNAT rule where the UTM is the original destination and the port
is 80.
MIME blocking inspects HTTP body: Not only the HTTP header but also the HTTP body is
checked for blocked MIME types. Note that turning on this feature may have a negative
impact on performance.
Block unscannable and encrypted files: Select this option to block files that could not
be scanned. The reason for that may be, among other things, that files are encrypted or
corrupt. Files larger than 2 GB are unscannable.
Allowed target services: In the Allowed target services box you can select the target services the Web Filter should be allowed to access. The default setting consists of target services (ports) that are usually safe to connect to and which are typically used by browsers, namely HTTP (port 80), HTTPS (port 443), FTP (port 21), LDAP (port 389), LDAP-SSL (port 636), Web Filter (port 8080), UTM Spam Release (ports 3840-4840), and UTM WebAdmin (port 4444).
Default charset: This option affects how the proxy displays file names in the Download Manager window. URLs (and file names that they may reference) that are encoded in foreign charsets will be converted to UTF-8 from the charset specified here unless the server sends a different charset. If you are in a country or region that uses a double-byte charset, you should set this option to the "native" charset for that country or region.
Search domain: You can add an additional domain here, which will be searched when the first DNS lookup returns no result ("NXDOMAIN"). Then, a second DNS request is initiated which appends the domain given here to the original hostname. Example: A user enters http://wiki, meaning to address wiki.intranet.example.com. However, the URL can only be resolved when you enter intranet.example.com into the Search domain field.
Authentication timeout: This setting allows you to set the length of time (in seconds)
that a user can browse after logging in with browser mode authentication. If the user
has a logout tab open, the user can continue to browse without re-authenticating until
that tab is closed, plus the authentication timeout.
This setting also allows you to set the length of time (in seconds) that a Block Override
or a Warning Proceed lasts.
Authentication realm: The authentication realm is the name of the source which a
browser displays along with the authentication request when the proxy works in Basic
User Authentication mode. It defines the protection space according to RFC 2617. You
can give any string here.
Transparent Mode Skiplist
Using this option is only meaningful if the Web Filter runs in transparent mode. Hosts and networks listed in the Skip transparent mode hosts/nets boxes will not be subject to the transparent interception of HTTP traffic. There is one box for source and one for destination hosts/networks. To allow HTTP traffic (without proxy) for these hosts and networks, select the Allow HTTP/S traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here.
Proxy Auto Configuration
The proxy auto configuration is a feature that enables you to centrally provide a proxy auto configuration file (PAC file) which can be fetched by browsers. The browsers will in turn configure their proxy settings according to the details outlined in the PAC file. The PAC file is named wpad.dat, has the MIME type application/x-ns-proxy-autoconfig and will be provided by the UTM. It contains the information you enter into the text box, for example:
function FindProxyForURL(url, host)
{ return "PROXY proxy.example.com:8080; DIRECT"; }
The function above instructs the browser to redirect all page requests to the proxy of the server proxy.example.com on port 8080. If the proxy is not reachable, a direct connection to the Internet will be established.
The hostname can also be written as a variable called ${asg_hostname}. This is especially useful when you want to deploy the same PAC file to several Sophos UTM appliances using Sophos UTM Manager. The variable will then be instantiated with the hostname of the respective UTM. Using the variable in the example above would look like the following:
function FindProxyForURL(url, host)
{ return "PROXY ${asg_hostname}:8080; DIRECT"; }
To provide the PAC file for your network, you have the following possibilities:
• Providing via browser configuration: If you select the option Enable Proxy Auto Configuration, the PAC file will be available via the UTM Web Filter under the URL of the following type: http://IP-of-UTM:8080/wpad.dat. To use this file, enter its URL in the automatic proxy configuration setting of those browsers which are to use the proxy.
• Providing via DHCP: You can have your DHCP server(s) hand out the URL of the PAC file together with the client IP address. To do that, select the option Enable HTTP Proxy Auto Configuration in your DHCP server configuration (see chapter Network Services > DHCP). A browser will then automatically fetch the PAC file and configure its settings accordingly.
Note – Providing via DHCP works with Microsoft's Internet Explorer only. Regarding all other browsers you need to provide the PAC file manually.
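The following is an added example, not a PAC file from the guide or from Sophos: it extends the guide's FindProxyForURL snippet so that intranet traffic bypasses the proxy, shows the ${asg_hostname} placeholder being instantiated before deployment, and includes a small harness to exercise the PAC logic outside a browser. The proxy host proxy.example.com, the domain .intranet.example.com, the network 10.0.0.0/8 and the plain-text substitution of ${asg_hostname} are assumptions for illustration.

```javascript
// Added example, not from the Sophos UTM guide. Placeholders (assumed, not
// UTM values): proxy host proxy.example.com, internal domain
// .intranet.example.com, internal network 10.0.0.0/8.

// Browsers' PAC engines provide these helper functions; Node does not, so
// minimal equivalents are defined here purely to run the example stand-alone.
// ES3-style var/function syntax is used because some PAC engines (e.g. WinHTTP)
// do not support newer JavaScript features.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function ip4ToInt(ip) {
  var parts = ip.split(".");
  var n = 0;
  for (var i = 0; i < 4; i++) {
    n = n * 256 + parseInt(parts[i], 10);
  }
  return n;
}

function isInNet(ipaddr, pattern, mask) {
  var m = ip4ToInt(mask);
  // ">>> 0" keeps the comparison unsigned after the 32-bit bitwise AND
  return ((ip4ToInt(ipaddr) & m) >>> 0) === ((ip4ToInt(pattern) & m) >>> 0);
}

// The PAC function itself, in the style of the guide's example
function FindProxyForURL(url, host) {
  // Internal servers go direct, mirroring a transparent-mode skiplist.
  // A bare name such as http://wiki still goes to the proxy, where the
  // Search domain setting of the Misc tab can resolve it.
  if (dnsDomainIs(host, ".intranet.example.com")) {
    return "DIRECT";
  }
  // Literal IPv4 addresses inside the private network also go direct
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else through the UTM Web Filter. The trailing "; DIRECT" copies
  // the guide's example and makes the browser bypass the Web Filter when the
  // proxy is unreachable (fail open); remove it to fail closed instead.
  return "PROXY proxy.example.com:8080; DIRECT";
}

// Constructed sample template in the guide's own style, using the variable
var PAC_TEMPLATE =
  'function FindProxyForURL(url, host)\n' +
  '{ return "PROXY ${asg_hostname}:8080; DIRECT"; }\n';

// Instantiates ${asg_hostname} as a plain text substitution (an assumption
// about how the UTM fills in the variable) so the rendered text can be
// reviewed before the same template is pushed to several appliances.
function expandAsgHostname(pacText, utmHostname) {
  return pacText.split("${asg_hostname}").join(utmHostname);
}

// Loads rendered PAC text the way a browser would and returns its
// FindProxyForURL, so a PAC file can be tested before it is deployed.
function loadPac(pacText) {
  return new Function(pacText + "\nreturn FindProxyForURL;")();
}

// Stand-alone demonstration
var rendered = expandAsgHostname(PAC_TEMPLATE, "utm1.example.com");
console.log(rendered);
console.log(loadPac(rendered)("https://www.example.org/", "www.example.org"));
console.log(FindProxyForURL("http://wiki.intranet.example.com/", "wiki.intranet.example.com"));
```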
URL Categorization Parent Proxy
Enter a proxy server for URL categorization lookups if you do not have direct internet
access. This option is only available if you have endpoint protection enabled, or if you
are doing local lookups. For local lookups, this option sets the proxy that will be used to
download categorization updates to the UTM.
Web Caching
Enable caching: When this option is enabled, the Web Filter keeps an on-disk object
cache to speed up requests to frequently visited webpages.
• Cache SSL content: With this option enabled, SSL-encrypted data will be stored unencrypted on disk as well.
• Cache content that contains cookies: Cookies are often used for authentication purposes. With this option enabled, HTTP answers containing cookies will be cached as well. This may be critical, as users requesting the same page are likely to get the cached page, containing the cookie of another user.
Important Note – Caching SSL and/or cookie content is an important security
issue as the content is readable by every user with SuperAdmin rights.
• Force caching for Sophos Endpoint updates: If enabled, certain data related to Sophos Auto Update (SAU) requests from endpoints will be cached. We recommend to enable this feature when using endpoint protection. If disabled, this type of data will not be cached. This can lead to uplink saturation when many endpoints simultaneously try to download data from the update servers in the Internet.
Clear Cache: You can delete all cached pages by clicking Clear Cache.
Streaming Settings
Bypass content scanning for streaming content: When this option is active, typical
audio and video streaming content is not subject to content scanning. Disabling this
option will effectively disable most media streams, since they cannot be scanned in a
reasonable timeframe. It is therefore recommended to leave this option turned on.
Apple OpenDirectory Single Sign-On
When you are using Apple OpenDirectory SSO as authentication method, you need to upload a Mac OS X Single Sign-On Kerberos keyfile for authentication to work properly. Generate that keyfile and upload it by clicking the Folder icon. For more information on how to generate that keyfile, see the Kerberos documentation.
Certificate for End-User Pages
The UTM uses HTTPS to provide user notification, perform browser authentication and secure other user interactions. By default, the UTM uses an automatically generated certificate for these HTTPS connections. You can use this option to use a custom certificate for HTTPS pages that are presented to the end user. To use your own custom certificate for these HTTPS connections, first upload it using Remote Access > Certificate Management > Certificates, then select it and update the settings here.
Note – The Hostname specified is the base domain for the certificate you are using. The UTM will then prepend passthrough. or passthrough6. to that domain. The certificate must be valid for passthrough (and passthrough6) as a Common Name, Subject Alternate Name, or most commonly as a wildcard certificate, so you can prepend any host at the domain. In addition, you must set up DNS for passthrough and passthrough6 to external IP addresses. If you use the UTM as your DNS server this is done automatically. By default, UTM uses the IP address 213.144.15.19. If you are using an alternate DNS server you must create those entries there.
11.4 Policy Helpdesk
On the Web Protection > Policy Helpdesk page you can test URLs against your existing
policy, and assess or reset the quota status for your users. Use the Policy Test tab to
test URLs, and the Quota Status tab to see the current quota status of your users.
11.4.1 Policy Test
Use the Web Protection > Policy Helpdesk > Policy Test page to test URLs against your
existing Web Filter Profiles. To test a URL against your current policy, proceed as follows:
1. Enter the URL you want to test.
2. Set the source IP address.
Different source networks may have different Web Filter Profiles. If a network is
included in more than one profile, the profile with the highest priority will be used
by the policy tester.
3. Optionally, enter a user to test the request as.
Users can fall under different Web Filter Profiles.
4. Optionally, enter a time for the request.
Web Filter Profiles can be configured to have rules based on the time of day.
5. Click Test.
The results of your test parameters will be displayed in the Policy Test Results box.
Note – When you test a URL against your Web Filter Profiles, the Web Protection >
Policy Test page does not download content, or check for malware, MIME types, or file
extensions. The actual filtering behavior may be different depending on what content
the URL is hosting.
Note – The correct Authentication Server must be added on the Definitions & Users >
Authentication Services > Servers page for the test to work properly.
11.5 Application Control
Cross Reference – For more information on the Policy Test, see the Sophos Knowledgebase.
11.4.2 Quota Status
Use the Web Protection > Policy Helpdesk > Quota Status page to review the minutes of
quota remaining for users, and to optionally reset the quota for users who are out of
time.
To review quota for a user, or set of users:
1. On the Quota Status tab find users you wish to review.
All users who have used some quota time are listed. Use the search text box to search for specific users or Filter Actions to limit results. The minutes remaining for specific users' quota are shown.
2. Select users to reset their quota time.
Select the checkbox next to the users you want to reset, or click the checkbox at
the top to select all users that are currently displayed.
3. Click Reset.
Quota time for selected users will be reset so the full quota time is available.
Normally quota time for all users resets at midnight.
11.5 Application Control
The Application Control functionality of UTM allows you to shape and block network
traffic based on the type of traffic. In contrast to the Web Filtering functionality of UTM
(see chapter Web Filtering), the application control classification engine distinguishes
network traffic not only by protocol or by URL but more fine-grained. This is especially
useful regarding web traffic: traffic to websites normally uses the HTTP protocol on
port 80 or the HTTPS protocol on port 443. When you want to block traffic to a certain
website, e.g. facebook.com, you can do that either based on that website's URL (Web Filtering) or, independent of any URL, by relying on network traffic classification.
The classification engine of UTM uses layer 7 packet inspection to classify network
traffic.
Application control can be used in two ways. In a first step, you need to generally enable application control on the Network Visibility page which makes applications "visible" in a way. Now you can leave it that way (or for a certain time) to see which applications are used by your users (e.g. in Flow Monitor, logging, reporting). In a second step you can block certain applications and allow others. This is achieved by rules which can be created on the Application Control Rules page. Additionally, you can use traffic shaping to privilege traffic of defined applications which can be configured via Sophos' Quality of Service function.
11.5.1 Network Visibility
On the Web Protection > Application Control > Network Visibility page, you can enable
and disable application control.
When application control is enabled all network traffic is classified and logged according to its classification. Current network traffic can be viewed via the Flow Monitor with in-depth information about its type (see chapter Flow Monitor). For example information on HTTP traffic is drilled down to the underlying applications, e.g. "twitter", "facebook", etc. To open the Flow Monitor, select the desired interface in the Flow Monitor section and click the Open Flow Monitor button.
Regarding logging and reporting, there is extensive information available on network traffic and its classification, as well as clients and servers which use those applications. For more information on logging and reporting, see chapter Logging & Reporting, section View Log Files for logging and section Network Usage > Bandwidth Usage and Web Protection > Application Control for reporting.
11.5.2 Application Control Rules
On the Web Protection > Application Control > Application Control Rules page you can
create rules based on network traffic classification which define applications whose
traffic should be blocked or explicitly allowed for your network.
By default, all network traffic is allowed when application control is enabled.
Application control rules can be created either via this page or via the Flow Monitor. The
latter method may be more convenient, however you can only create rules for traffic
currently monitored in your network.
To create an application control rule, proceed as follows:
1. On the Application Control Rules tab, click New Rule.
The Add Rule dialog box opens.
2. Make the following settings:
Name (optional): You can enter a name for the rule. If you leave the field empty
the system is going to generate a name for the rule.
Group: The Group option is useful to group rules logically. With the drop-down list
on top of the list you can filter the rules by their group. Grouping is only used for
display purposes, it does not affect rule matching. To create a new group select
the << New group >> entry and enter a descriptive name in the Name field.
Position: The position number, defining the priority of the rule. Lower numbers
have higher priority. Rules are matched in ascending order. Once a rule has
matched, rules with a higher number will not be evaluated anymore.
Action: Select whether the traffic is to be blocked or allowed.
Control by: Select whether to control traffic based on its application type or by a
dynamic filter based on categories.
• Applications: The traffic is controlled application-based. Select one or more applications in the box Control These Applications.
• Dynamic filter: The traffic is controlled category-based. Select one or more categories in the box Control These Categories.
Control these applications/categories: Click the Folder icon to select applications/categories. A dialog window opens, which is described in detail in the next section.
Note – Some applications cannot be blocked. This is necessary to ensure a flawless operation of Sophos UTM. Such applications miss a checkbox in the application table of the Select Application dialog window, e.g. WebAdmin, Teredo and SixXs (for IPv6 traffic), Portal (for User Portal traffic), and some more. When using dynamic filters, blocking of those applications is also prevented automatically.
Productivity (only with Dynamic filter): Reflects the productivity score you have chosen.
Risk (only with Dynamic filter): Reflects the risk score you have chosen.
For: Select or add networks or hosts to this box whose network traffic is to be
controlled by this rule. This applies only to source hosts/networks. How to add a
definition is explained on the Definitions & Users > Network Definitions > Network
Definitions page.
Log: This option is selected by default and enables logging of traffic which
matches the rule.
Comment (optional): Add a description or other information.
3. Click Save.
The new rule appears on the Application Control Rules list.
The Select Application or Category Dialog Window
When creating application control rules you need to choose applications or application
categories from a dialog window called Select one or more applications/categories to
control.
The table in the lower part of the dialog window displays the applications you can choose from or which belong to a defined category. By default, all applications are displayed.
The upper part of the dialog window provides three configuration options to limit the
number of applications in the table:
• Category: Applications are grouped by category. This list contains all available categories. By default, all categories are selected, which means that the table below displays all applications available. If you want to limit the displayed applications to certain categories, click into the category list and select only one or more categories relevant to you.
• Productivity: Applications are also classified by their productivity impact which means how much they influence productivity. Example: Salesforce, a typical business software, has the score 5 which means its usage adds to productivity. On the contrary, Farmville, an online game, has the score 1 which means its usage is counterproductive. The network service DNS has the score 3 which means its productivity impact is neutral.
• Risk: Applications are also classified by the risk they carry when used with regard to malware, virus infections, or attacks. A higher number means a higher risk.
Tip – Each application has an Info icon which, when clicked, displays a description of
the respective application. You can search the table by using the filter field in the
table header.
Now, depending on the type of control you selected in the Create New Rule dialog box,
do the following:
• Control by dynamic filter: Select the categories from the Category box and click Apply to adopt the selected categories to your rule.
• Control by application: From the table, select the applications you want to control by clicking the checkbox in front. Click Apply to adopt the selected applications to your rule.
After clicking Apply, the dialog window closes and you can continue to edit the settings
of your application rule.
11.5.3 Advanced
On the Web Protection > Application Control > Advanced page you can configure
advanced options for application control.
Application Control Skiplist
Hosts and networks listed in this box will not be monitored by application control and can therefore neither be controlled by application control nor by the application selector of Quality of Service. This applies both to source and destination hosts/networks.
11.6 FTP
On the Web Protection > FTP tab you can configure the FTP proxy. The File Transfer Protocol (FTP) is a widely used protocol for exchanging files over the Internet. Sophos UTM presents a proxy service acting as a go-between for all FTP traffic passing your network. The FTP proxy provides such useful features as virus scanning of FTP traffic or blocking of certain file types that are transferred via the FTP protocol.
The FTP proxy can work transparently, that is, all FTP clients within your network would
establish a connection to the proxy instead of their ultimate destination. The proxy
would then initiate a new network connection on behalf of the request, invisible to the
client. The advantage of this mode is that no additional administration or client-side
configuration is necessary.
11.6.1 Global
On the Web Protection > FTP > Global tab you can configure the basic settings of the
FTP proxy.
To configure the FTP proxy, proceed as follows:
1. On the Global tab, enable the FTP proxy.
Click the toggle switch.
The toggle switch turns amber and the FTP Settings area becomes editable.
2. Select the allowed networks.
Select the networks that are allowed to use the FTP proxy.
3. Select an operation mode.
Select an operation mode for the FTP proxy. The following modes are available:
• Transparent: The proxy forwards the client request to the target server and scans the content. No configuration on client side is necessary.
• Non-transparent: Using this mode you need to configure the FTP clients. Use the gateway's IP address and port 2121.
• Both: This mode allows you to use transparent mode for some clients and non-transparent mode for others. Configure FTP clients that are to work in non-transparent mode to use a proxy with the gateway's IP address and port 2121.
4. Click Apply.
Your settings will be saved.
The toggle switch turns green.
Note – The FTP proxy is unable to communicate with FTP servers that use Active Directory authentication. To enable FTP clients to connect to an FTP server of that kind, add the server to the FTP proxy skiplist, which is configured on the Advanced tab.
11.6.2 Antivirus
The Web Protection > FTP > Antivirus tab contains all measures that can be taken
against FTP traffic that carries harmful and dangerous content such as viruses, worms,
or other malware.
Use antivirus scanning: When selecting this option, FTP traffic will be scanned. Sophos
UTM features several antivirus engines for best security.
• Single scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.
• Dual scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with BasicGuard subscription.
Max scanning size: Specify the maximum size of files to be scanned by the antivirus
engine(s). Files exceeding this size will be exempt from scanning.
Click Apply to save your settings.
Note – Files within archives (e.g. zip files) will not be scanned for blocked file types or blocked extensions. To protect your network from these within archived files, consider blocking archive file types such as zip, rar, etc. MIME types within archives will be blocked if MIME Blocking Inspects HTTP Body is enabled in Web Protection > Filtering Options > Misc.
File Extension Filter
This feature filters FTP transfers of files whose extension (e.g. that of executable binaries) is listed in the Blocked File Extensions box. You can add additional file extensions or delete file extensions that are not to be blocked. To add a file extension, click the Plus icon in the Blocked File Extensions box and enter the file extension you want to block, for example exe (without the delimiting dot). Click Apply to save your settings.
11.6.3 Exceptions
On the FTP > Exceptions tab you can define whitelist hosts/networks that should be
excluded from selectable security options offered by the FTP proxy.
To create an exception, proceed as follows:
1. On the Exceptions tab, click New Exception List.
The Add Exception List dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this exception.
Skip these checks: Select the security checks that should be skipped:
• Antivirus checking: Select to disable virus scanning, which checks traffic for unwanted content such as viruses, trojan horses, and the like.
• Extension blocking: Select to disable the file extension filter, which can be used to block file transfers based on file extensions.
• Allowed servers: Select to disable checks for allowed servers which can be set on the Advanced tab. If selected, the selected client hosts/networks will have access to any FTP server, whereas the selected server hosts/networks will be allowed for any client.
For these client hosts/networks: When selecting this option, the Client Hosts/Networks box opens. Select the client hosts/networks that should be exempt from the security checks of this exception rule.
OR for these server hosts/networks: When selecting this option, the Server Hosts/Networks box opens. Select the server hosts/networks that should be exempt from the security checks of this exception rule.
Comment (optional): Add a description or other information.
3. Click Save.
The new exception appears on the Exceptions list.
To either edit or delete an exception, click the corresponding buttons.
11.6.4 Advanced
On the FTP > Advanced tab you can specify hosts and networks that can skip the transparent mode of the FTP proxy. Additionally, you can define which FTP servers are allowed to be accessed.
FTP Proxy Skiplist
Hosts and networks (FTP clients as well as FTP servers) listed here are excluded from the transparent interception of FTP traffic. However, to allow FTP traffic for these hosts and networks, select the Allow FTP traffic for listed hosts/nets checkbox. If you do not select this checkbox, you must define specific firewall rules for the hosts and networks listed here.
Note – The FTP proxy is unable to communicate with FTP servers that use Active Directory authentication. To enable FTP clients to connect to an FTP server of that kind, add the server to the FTP proxy skiplist.
FTP Servers
Select or add FTP servers or networks that are allowed to be accessed from your hosts/networks. You can create exceptions for some FTP clients or FTP servers to bypass this list on the Exceptions tab.
12 Email Protection
This chapter describes how to configure basic email protection features of Sophos
UTM. The Email Protection Statistics page in WebAdmin shows an overview of today's
top ten email senders, email recipients, spammers (by country), recognized malware,
and concurrent connections. Each of the sections contains a Details link. Clicking the
link redirects you to the respective reporting section of WebAdmin, where you can find
more statistical information.
The following topics are included in this chapter:
• SMTP
• SMTP Profiles
• POP3
• Encryption
• SPX Encryption
• Quarantine Report
• Mail Manager
12.1 SMTP
The menu Email Protection > SMTP allows you to configure the SMTP proxy. SMTP is
the abbreviation of Simple Mail Transfer Protocol, a protocol used to deliver emails to a
mail server. Sophos UTM includes an application level gateway for SMTP, which can be
used to protect your internal mail server from remote attacks and additionally provides
powerful virus scanning and email filtering services.
Note – To use the SMTP proxy correctly, a valid name server (DNS) must be configured.
12.1.1 Global
On the Email Protection > SMTP > Global tab you can decide whether to use Simple
mode for SMTP configuration or Profile mode.
1. Enable SMTP.
Click the toggle switch.
The toggle switch turns green and the Configuration Mode area becomes editable.
2. Select a configuration mode.
Simple mode: Use this mode if all domains share the same settings. However,
you can still define exceptions based on domain name, email addresses, and
hosts. There is no functionality restriction compared with Profile mode.
Profile mode: (Not available with BasicGuard subscription.) In this mode you can override or extend global settings, e.g., of antispam and malware, for individual domains or domain groups by creating profiles for them in the menu SMTP Profiles. Settings made in the SMTP menu still apply to their assigned domains and, moreover, serve as defaults for profiles. In Profile mode, you will find additional notes with some of the settings regarding recommendations for profile mode and behavior of the UTM.
3. Click Apply.
The selected mode will be enabled.
SPX Global Template
If SPX Encryption is enabled, this section is available. From the drop-down list, select
the SPX template that will be globally used. If using SMTP simple mode, this template
will be used for all SMTP users. If using SMTP profile mode, this template will be used
for all SMTP profiles that do not have an individual SPX template selected.
Live Log
The SMTP Live Log logs the SMTP proxy activities, showing all incoming emails. Click
the button to open the live log in a new window.
12.1.2 Routing
On the Routing tab you can configure domain and routing targets for the SMTP proxy
and define how recipients are to be verified.
To configure the SMTP proxy routing, proceed as follows:
1. Enter your internal domain(s).
To enter your email domains, click the Plus icon in the Domains box.
In the appearing text box, enter the domain in the form example.com and click
Apply. Repeat this step until all domains are listed. You can also use wildcards in
different ways. For example *.me.mycompany.de, *.mycompany.de,
*.me*.mycompany.*e, **.mycompany.*. It is not allowed to use only '*'.
In Profile Mode: Enter only domains that use global settings. All other domains
should be listed in their respective profiles.
2. Specify the internal server.
From the drop-down list Route by, select the host to which emails for the domains listed above should be forwarded. A typical target host would be the Microsoft Exchange Server on your local network. You can choose between different server types:
• Static host list: Select a host definition of the target route in the Host list box. Note that you can select several host definitions for basic failover purposes. If delivery to the first host fails, mail will be routed to the next one. However, the (static) order of hosts cannot be determined with the current version of Sophos UTM and is somewhat accidental. To randomize delivery to a group of hosts so as to additionally achieve basic load balancing capability, use the DNS hostname route type and specify a hostname that has multiple A records (an A record or address record maps a hostname to an IP address).
• DNS hostname: Specify the fully qualified domain name (FQDN) of your target route (e.g., exchange.example.com). Note that when you select a DNS name having multiple A records, mail to each server will be delivered randomly. In addition, if one server fails, all mail destined for it will automatically be routed to the remaining servers.
• MX records: You can also route mail to your domain(s) by means of MX record(s). If you select this route type, the mail transfer agent of Sophos UTM makes a DNS query requesting the MX record for the recipient's domain name, which is the portion of the email address following the "@" character. Make sure that the gateway is not the primary MX for the domain(s) specified above, since it will not deliver mail to itself.
3. Click Apply.
Your settings will be saved.
Recipient Verification
Verify Recipients: Here you can specify whether and how email recipients are to be verified.
• With callout: A request is sent to the server to verify the recipient.
• In Active Directory: A request is sent to the Active Directory server to verify the recipient. To be able to use Active Directory you must have an Active Directory server specified in Definitions & Users > Authentication Services > Servers. Enter a base DN into the Alternative Base DN field and select the Active Directory server.
Note – The use of Active Directory recipient verification may lead to bounced messages in case the server does not respond.
• Off: You can turn off recipient verification completely, but this is not recommended because it will lead to a higher spam traffic volume and dictionary attacks. Thus your quarantine is likely to be flooded with unsolicited messages.
Click Apply to save your settings.
12.1.3 Malware
The Malware tab contains various measures against emails that carry harmful and dangerous content such as viruses, worms, or other malware.
Note – Outgoing emails will be scanned if the checkbox Scan relayed
(outgoing) messages on the Relaying tab is selected.
Scan During SMTP Transaction
Select the checkbox Reject malware during SMTP transaction if you want to have messages scanned already during the SMTP transaction and to have them rejected in case they contain malware.
In Profile mode: This setting cannot be changed per profile. Messages with more than
one recipient will skip this feature if one of the recipient profiles has Malware Scanning
turned off. This means it is advisable to leave the regular malware setting below set to
either Blackhole or Quarantine.
Click Apply to save your settings.
Malware Scanning
When using this option, emails will be scanned for unwanted content such as viruses, trojan horses, or suspicious file types. Messages containing malicious content will be blocked and stored in the email quarantine. Users can review and release their quarantined messages either through the Sophos User Portal or the daily Quarantine Report. However, messages containing malicious content can only be released from the quarantine by the administrator in the Mail Manager.
Malware: You can configure how to proceed with messages that contain malicious content. The following actions are available:
• Off: There will be no malware scans.
• Blackhole: Incoming messages will be accepted and instantly removed. Outgoing messages will never be blackholed to avoid unintended mail loss. They will be quarantined instead.
• Quarantine: The message will be blocked and stored in the email quarantine. Quarantined messages can be reviewed either through the User Portal or the daily Quarantine Report. Note that messages containing malicious content can only be released from the quarantine by an administrator.
Sophos UTM features several malware engines for best security:
• Single scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.
• Dual scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with BasicGuard subscription.
Enable Sandstorm: Select this option to activate Sandstorm and send suspicious
attachments for sandboxing to have enhanced protection and better visibility into the
likely behaviors of malware.
Note – This feature is only available to licensed users of Sophos Sandstorm.
Quarantine unscannable and encrypted content: Select this option to quarantine emails
whose content could not be scanned. Unscannable content may be encrypted or corrupt
archives or oversized content, or there may be a technical reason like a scanner failure.
Click Apply to save your settings.
MIME Type Filter
The MIME type filter reads the MIME type of email contents. You can define how the different MIME types are to be dealt with.
• Quarantine audio content: When you select this checkbox, audio content, e.g., mp3 or wav files, will be quarantined.
• Quarantine video content: When you select this checkbox, video content, e.g., mpg or mov files, will be quarantined.
• Quarantine executable content: When you select this checkbox, executable content, e.g., exe files, will be quarantined.
Additional types to quarantine: To add a MIME type other than above that shall be quarantined, click the Plus icon in the Additional Types To Quarantine box and enter the MIME type (e.g., image/gif). You can use wildcards (*) on the right side of the slash, e.g., application/*.
Whitelisted content types: You can use this box to generally allow certain MIME types. To add a MIME type, click the Plus icon in the Whitelisted content types box and enter the MIME type. Click Apply to save your settings.
MIME type                      MIME type class
audio/*                        audio files
video/*                        video files
application/x-dosexec          applications
application/x-msdownload       applications
application/exe                applications
application/x-exe              applications
application/dos-exe            applications
vms/exe                        applications
application/x-winexe           applications
application/msdos-windows      applications
application/x-msdos-program    applications
Table 2: MIME types known by the MIME Type Filter
File Extension Filter
This feature filters and quarantines emails (with warnings) that contain certain types of files based on their extensions (e.g. executables). To add file extensions, click the Plus icon in the Blocked file extensions box and enter a critical file extension you want to be restricted, e.g., exe or jar (without the dot delimiter). Click Apply to save your settings.
Malware Check Footer
For each outgoing and incoming email, you can add and customize a special footer
informing users that the email has been scanned for malicious content. However, the
footer will only be added if the checkbox Scan relayed (outgoing) messages on the
Relaying tab is selected. In addition, the malware check footer will not be appended to
the email if the email is a reply (i.e. having In-Reply-To header) or if the content type of
the email could not be determined. Select the checkbox Use the Text Below as a Footer
and enter the footer text. Click Apply to save your settings.
Note – Adding a footer to messages already signed or encrypted by an email client
(e.g., Microsoft's Outlook or Mozilla's Thunderbird) will break their signature and render
them invalid. If you want to create digital signatures on the client side, disable the
antivirus check footer option. However, if you do not wish to forgo the privacy and
authentication of your email communication and still want to apply a general anti
virus check footer, consider using the built-in email encryption feature of Sophos
UTM. Email encryption done on the gateway means that the footer is added to the
message prior to creating the digital signature, thus leaving the signature intact.
12.1.4 Antispam
Sophos UTM can be configured to detect unsolicited spam emails and to identify spam transmissions from known or suspected spam purveyors. Configuration options located on the Antispam tab let you configure SMTP security features aimed at preventing your network from receiving unsolicited commercial emails.
Note – Outgoing emails will be scanned if the checkbox Scan relayed
(outgoing) messages on the Relaying tab is selected.
Note – Some of the features on this tab are not available with BasicGuard subscription.
Spam Detection During SMTP Transaction
You have the possibility to reject spam already during the SMTP transaction. Select one of the following settings for the option Reject at SMTP Time:
• Off: Spam detection is disabled and no email is going to be rejected for spam reasons.
• Confirmed spam: Only confirmed spam is rejected.
• Spam: All emails that the system regards as spam are rejected. Note that there may be a higher false positive rate because emails regarded as probable spam, such as newsletters, may be rejected.
Emails which are not rejected during SMTP transaction will be treated according to
your settings in the Spam Filter section below.
In Profile Mode: This setting cannot be changed per profile. Messages with more than
one recipient will skip this feature if one of the recipient profiles has spam scanning
completely turned off. This means it is advisable to leave the regular spam scanning
setting set to either Spam or Confirmed spam.
RBLs (Realtime Blackhole Lists)
A Realtime Blackhole List (RBL) is a means by which an Internet site may publish a list
of IP addresses linked to spamming.
Use recommended RBLs: Selecting this option causes the mail transfer agent to query external databases of known spam senders (so-called Realtime Blackhole Lists). Messages sent from a site included in one or more of such lists can easily be rejected. Several services of this type are available on the Internet. This function massively helps to reduce the amount of spam.
By default, the following RBLs are queried:
• Commtouch IP Reputation (cyren.org)
• cbl.abuseat.org
Note – The list of RBLs queried by Sophos UTM is subject to change without notice.
Sophos does not warrant for the contents of these databases.
You can also add further RBL sites to enhance the antispam capability of Sophos UTM.
To do so, click the Plus icon in the Extra RBL zones box. In the appearing textbox, enter
the RBL zone.
Click Apply to save your settings.
Spam Filter
Sophos UTM includes a heuristic check of emails for characteristics suggestive of
spam. It uses SMTP envelope information and an internal database of heuristic tests
and characteristics. This spam filtering option scores messages based on their content
and SMTP envelope information. Higher scores indicate a higher spam probability.
With the following two options you can specify what to do with messages that have
been assigned a certain spam score. This ensures that potential spam emails are
treated differently by the gateway.
• Spam action: Here you can define what to do with messages that are classified as probable spam. Note that there may be false positives, such as newsletters, thus blackholing may lead to email loss.
• Confirmed spam action: Here you can define what to do with confirmed spam messages.
You can choose between different actions for those two types of spam:
• Off: No messages will be marked as spam or filtered out.
• Warn: No messages will be filtered out. Instead, for incoming messages, a spam flag will be added to the message's header and a spam marker will be added to the message's subject. Outgoing messages will be sent without action.
• Quarantine: Messages will be blocked and stored in the email quarantine. Quarantined messages can be reviewed either through the User Portal or the daily Quarantine Report.
• Blackhole: Incoming messages will be accepted and instantly removed. Outgoing messages will never be blackholed to avoid unintended mail loss. They will be quarantined instead.
Spam marker: With this option you can specify a spam marker, that is, a string that will
be added to the message's subject line making it easy to identify spam messages
quickly. By default, the string *SPAM* is used to tag messages as spam.
Sender Blacklist
The envelope sender of incoming SMTP sessions will be matched against the addresses on this blacklist. If the envelope sender is found on the blacklist, the message will be moved to quarantine. Settings in the Reject at SMTP time field do not affect this function.
To add a new address pattern to the blacklist, click the Plus icon in the Blacklisted Address Patterns box, enter (a part of) an address, and click Apply. You can use an asterisk (*) as a wildcard, e.g., *@abbeybnknational.com. A wildcard does not work in the domain or TLD part of an address.
Tip – End-users can create their personal blacklist and whitelist in the User Portal.
Expression Filter
The expression filter scans the content of messages passing through the SMTP proxy for specific expressions. Suspicious emails will be blocked. Expressions can be entered as Perl Compatible Regular Expressions. Simple strings such as "online dating" are interpreted in a case-insensitive manner. Click Apply to save your settings.
Cross Reference – For detailed information on using regular expressions in the expression filter, see the Sophos Knowledgebase.
Advanced Antispam Features
This area gathers various other advanced options increasing the antispam capability of
Sophos UTM.
Reject invalid HELO/missing RDNS: Select this option if you want to reject hosts that
send invalid HELO entries or lack RDNS entries. If you want to exempt hosts from this
check, please refer to the Exceptions tab.
Do strict RDNS checks: Select this option if you want to additionally reject mail
from hosts with invalid RDNS records. An RDNS record is invalid if the found host
name does not resolve back to the original IP address.
Use greylisting: Greylisting basically means the temporary rejection of emails for a certain amount of time. Typically, a mail server using greylisting will record the following pieces of information for all incoming messages:
• The sender address
• The IP address of the host the message is sent from
• The recipient address
• The message subject
This data set is checked against the SMTP proxy's internal database; if the data set has not been seen before, a record is created in the database along with a special timestamp describing it. This data set causes the email to be rejected for a period of five minutes. After that time the data set is known to the proxy and the message will be accepted when it is sent again. Note that the data set will expire after 30 days if it is not updated within this period.
Greylisting uses the fact that most senders of spam messages use software based on the "fire-and-forget" method: Try to deliver the mail and if it doesn't work, forget it! This means that senders of spam mail do not try to send emails again when there is a temporary failure, contrary to RFC-conform mail servers. The assumption is that since temporary failures are built into the RFC specifications for email delivery, a legitimate server will try again to send the email later, at which time the destination will accept it.
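The greylisting procedure described above, as an added Python illustration (not Sophos code): the data set is the (sender, client IP, recipient, subject) tuple, the first sighting is deferred for five minutes, and records not refreshed for 30 days expire. The SMTP reply strings and the constructed timestamps and addresses are assumptions; the clock is injected so the sequence can be replayed offline.

```python
"""Greylisting decision logic as described for the UTM SMTP proxy.
Added illustration, not Sophos code: the first sighting of a
(sender, client IP, recipient, subject) data set is rejected temporarily,
retries after the five-minute window are accepted, and records that are
not refreshed for 30 days expire."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

GREYLIST_DELAY = 5 * 60            # seconds of temporary rejection
GREYLIST_EXPIRY = 30 * 24 * 3600   # unrefreshed records expire after 30 days

# Assumed reply texts; 451 is the standard transient failure a retrying MTA honours.
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"

Key = Tuple[str, str, str, str]


@dataclass
class Record:
    first_seen: float   # timestamp of the first sighting (starts the delay)
    last_seen: float    # refreshed on every sighting (drives expiry)


class Greylist:
    def __init__(self) -> None:
        self._db: Dict[Key, Record] = {}

    def decide(self, sender: str, client_ip: str, recipient: str,
               subject: str, now: float) -> str:
        """Return the SMTP reply for one delivery attempt at time `now`."""
        key = (sender.lower(), client_ip, recipient.lower(), subject)
        rec = self._db.get(key)
        if rec is not None and now - rec.last_seen > GREYLIST_EXPIRY:
            # Not updated within 30 days: forget the record and start over.
            del self._db[key]
            rec = None
        if rec is None:
            # First sighting: create the record and defer the message.
            self._db[key] = Record(first_seen=now, last_seen=now)
            return TEMPFAIL
        rec.last_seen = now
        if now - rec.first_seen < GREYLIST_DELAY:
            # Retried too early: still inside the rejection window.
            return TEMPFAIL
        return ACCEPT

    def size(self) -> int:
        """Number of data sets currently held in the database."""
        return len(self._db)


def simulate() -> Dict[str, List[str]]:
    """Replay two constructed senders against one greylist.

    A legitimate MTA retries after the transient failure, as RFC-conform
    servers do; a fire-and-forget bot never does, so it never gets in."""
    gl = Greylist()
    t0 = 1_494_288_000.0  # constructed epoch timestamp
    legit = ("newsletter@example.org", "198.51.100.10",
             "alice@example.com", "May update")
    bot = ("offer@spam.invalid", "203.0.113.77",
           "alice@example.com", "cheap watches")
    return {
        # first try, retry after 2 minutes, retry after 10 minutes
        "legit": [gl.decide(*legit, now=t0),
                  gl.decide(*legit, now=t0 + 120),
                  gl.decide(*legit, now=t0 + 600)],
        # a single attempt that is never repeated
        "bot": [gl.decide(*bot, now=t0)],
    }
```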
Use BATV: BATV is a draft of the IETF, facing the challenge to distinguish legitimate uses from unauthorized uses of email addresses. BATV provides a method to sign the envelope sender of outgoing mail by adding a simple shared key to encode a hash of the address and time-varying information as well as some random data proving that the email was really sent by you. It is basically used to reject bounce messages not sent by you. By using BATV, you can now check if bounces you receive are really caused by your initial email, and not from a spammer forging an email with your address. If a bounce returns and the email address is not signed according to BATV, the SMTP proxy will not accept the message. Note that the signature provided by BATV expires after seven days. To change the key (also known as BATV secret) that is used to encode the hash of an email's envelope MAIL FROM address, go to the Email Protection > SMTP > Advanced tab.
Note – Some mail transfer agents may reject a message whose envelope sender
address was modified using BATV. In this case, you need to create an exception rule
for the senders, recipients, or domains affected.
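How BATV signing and bounce checking fit together, as an added Python illustration (not Sophos code and not the UTM's actual tag format, which this page does not specify). It uses the "prvs" layout of the IETF BATV draft, prvs=KDDDSSSSSS=local@domain, with HMAC-SHA256 as the assumed hash, the expiry day as the only time-varying input (the random component mentioned above is omitted) and the seven-day validity from the text; the secret and addresses are constructed.

```python
"""BATV-style envelope-sender signing and bounce checking (added illustration,
not Sophos code). A bounce arrives with an empty MAIL FROM; it is accepted only
if RCPT TO carries a genuine, unexpired prvs tag that we issued ourselves."""
import hashlib
import hmac
import re
from datetime import date, timedelta
from typing import Dict, Optional

BATV_VALIDITY_DAYS = 7   # signature expires after seven days
# prvs=K DDD SSSSSS=local : key id, expiry day (mod 1000), 6 hex digits of hash
PRVS_RE = re.compile(
    r"^prvs=(?P<k>\d)(?P<ddd>\d{3})(?P<sig>[0-9a-f]{6})=(?P<local>.+)$", re.I)


def _day_number(d: date) -> int:
    return (d - date(1970, 1, 1)).days


def _tag_hash(secret: bytes, key_id: int, ddd: int, address: str) -> str:
    # Assumed hash: HMAC-SHA256 over key id, expiry day and the original address.
    msg = f"{key_id}{ddd:03d}{address.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def batv_sign(address: str, secret: bytes, today: date, key_id: int = 0) -> str:
    """Rewrite the envelope MAIL FROM of an outgoing message into prvs form."""
    local, domain = address.rsplit("@", 1)
    ddd = (_day_number(today) + BATV_VALIDITY_DAYS) % 1000
    sig = _tag_hash(secret, key_id, ddd, address)
    return f"prvs={key_id}{ddd:03d}{sig}={local}@{domain}"


def batv_verify(address: str, secret: bytes, today: date) -> Optional[str]:
    """Return the original address if the tag is genuine and unexpired, else None."""
    local, domain = address.rsplit("@", 1)
    m = PRVS_RE.match(local)
    if not m:
        return None                                  # not signed at all
    original = f"{m['local']}@{domain}"
    ddd = int(m["ddd"])
    expected = _tag_hash(secret, int(m["k"]), ddd, original)
    if not hmac.compare_digest(expected, m["sig"].lower()):
        return None                                  # forged tag or wrong secret
    # Days until expiry, modulo the 1000-day wrap; a past day lands near 999.
    if (ddd - _day_number(today)) % 1000 > BATV_VALIDITY_DAYS:
        return None                                  # older than seven days
    return original


def accept_bounce(mail_from: str, rcpt_to: str, secret: bytes, today: date) -> bool:
    """Decide whether the proxy should accept an incoming message at RCPT time."""
    if mail_from != "":
        return True          # ordinary message, not a bounce: BATV does not apply
    return batv_verify(rcpt_to, secret, today) is not None


def demo() -> Dict[str, object]:
    """Constructed scenario: sign on day 0, then check bounces over time."""
    secret = b"constructed-batv-secret"       # stands in for the BATV secret
    day0 = date(2017, 5, 9)
    signed = batv_sign("alice@example.com", secret, day0)
    return {
        "signed": signed,
        "fresh": batv_verify(signed, secret, day0),
        "day7": batv_verify(signed, secret, day0 + timedelta(days=7)),
        "day8": batv_verify(signed, secret, day0 + timedelta(days=8)),
        "wrong_key": batv_verify(signed, b"other-secret", day0),
        "bounce_ok": accept_bounce("", signed, secret, day0),
        "bounce_forged": accept_bounce("", "alice@example.com", secret, day0),
        "not_a_bounce": accept_bounce("bob@example.net", "alice@example.com",
                                      secret, day0),
    }
```

The `bounce_forged` case is the one the text describes: a bounce addressed to the plain, unsigned address is refused, while the `not_a_bounce` case shows that ordinary inbound mail to that address is unaffected.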
Perform SPF check: SPF (Sender Policy Framework) is a framework where domain owners can publish information about their outgoing email servers. Domains use public records to direct requests for different services (web, email, etc.) to the machines that perform those services. All domains already publish MX records for email related services to let others know what machines receive mail for the domain. SPF works by domains publishing some sort of "reverse MX" records to tell the world what machines send mail from the domain. When receiving a message from a certain domain, the recipient can check those records to make sure that mail is coming from where it should be coming from.
Cross Reference – Further information is available at the Sender Policy Framework
website.
As an additional antispam feature, the SMTP proxy tacitly checks each recipient
address it receives with your backend mail server(s) before accepting mail for this
address. Emails for invalid recipient addresses will not be accepted. In order for this
function to work, your backend mail server(s) must reject mails for unknown recipients
at the SMTP stage. The general rule is that if your backend server rejects a message,
the SMTP proxy will reject it, too.
Note, however, that recipient verification is not done for trusted (authenticated) or relay hosts, because some user agents may encounter problems when recipients get rejected in the SMTP transaction. In the usual scenario (backend mail server rejects unknown recipients in the SMTP transaction), Sophos UTM will only generate bounces in the following cases:
• When a trusted or relay source sends a message to an undeliverable recipient.
• When the backend mail server has been down so that Sophos UTM was not able to verify the recipient.
However, Sophos UTM does not prevent your backend mail server(s) from sending non-delivery reports (NDRs) or bounces. In addition, Sophos UTM caches positive callout replies from the mail server for 24 hours, and negative ones for two hours.
12.1.5 Data Protection
On the SMTP > Data Protection tab, the Data Protection feature allows you to reduce accidental data loss from workstations by monitoring and restricting the transfer of files containing sensitive data. Accidental data loss is commonly caused by employees mishandling sensitive data. For example, a user sends a file containing sensitive data home via email (SMTP). Data Protection scans outgoing emails including subject line, message body and attachments for sensitive or confidential information. Based on the outcome, the email can be encrypted using SPX encryption, or the email can be rejected or sent.
To configure Data Protection, define the settings in the following sections. As long as
no Sophos content control rule is selected, and no custom rule is defined, the feature is
disabled.
Data Protection Policy
Scan within attachments: If selected, attachments will be scanned for sensitive data, in addition to the message itself. The SAVI engine, which is used for this scan, scans a large variety of file types depending on the current database.
Action on rule match: Select how to handle an email if the policy is triggered:
Blackhole: An email that matches the policy will not be sent.
Send with SPX encryption: An email that triggers the policy will automatically be sent SPX encrypted (see Email Protection > SPX Encryption tab). If SMTP is used in Simple Mode, the SPX Template selected on the SMTP > Global tab will be used for SPX encryption. If SMTP is used in Profile Mode, the SPX template used depends on the SMTP profile the sender's domain is assigned to (see SMTP Profiles tab). If the sender's domain is not assigned to any profile, the default template selected on the SMTP > Global tab will be used.
Allow: An email that triggers the policy will be sent nevertheless.
On match, notify: Select one or more of the following recipients who should be notified
in case the policy matches:
• Sender: The sender of the email that matched the policy.
• Administrator: The configured administrator.
• Other: If you select this option, you will need to enter an email address.
The notification email can be customized on the Management > Customization > Email
Messages tab.
Click Apply to save your settings.
Sophos Content Control Lists Rules
A Content Control List (CCL) is a set of conditions that describe structured file content. CCLs help identify confidential, malicious or inappropriate email content sent or received by your organization. A CCL may describe a single type of data (for example, a postal address or social security number), or a combination of data types (for example, a project name near the term "confidential"). Based on the policy and the selected Content Control Lists rule you can notify someone if a rule matches.
SophosLabs CCLs provide expert definitions for common financial and personally identifiable data types, for example, credit card numbers, social security numbers, postal addresses, or email addresses. Advanced techniques, such as checksums, are used in SophosLabs Content Control Lists to increase the accuracy of sensitive data detection.
Type: Select an entry from the drop-down list to reduce the number of displayed rules
accordingly.
Region: Select an entry from the drop-down list to reduce the number of displayed
rules accordingly.
Show selected only: If enabled, only selected rules will be displayed in the list.
Rules: Select the rules you want to use for the Data Protection feature. Hovering the
cursor on an entry, a tool-tip with additional information concerning the rule appears.
Click Apply to save your settings.
Custom Rules
Custom expression: Enter expressions that you want to use for the Data Protection feature, in addition to the rules selected above. You can add regular expressions.
Cross Reference – For detailed information on using regular expressions here, see the
Sophos Knowledgebase.
Click Apply to save your settings.
12.1.6 Exceptions
On the SMTP > Exceptions tab you can define whitelist hosts, networks, senders, and
recipients that can be excluded from antispam, malware, or other security checks.
Note – Since emails can have many recipients, and Sophos UTM implements inline
scanning for the SMTP protocol, scanning of an email is skipped for all recipients if
one of the email's recipients is listed in the Recipients box.
To create an exception, proceed as follows:
1. On the Exceptions tab, click New Exception List.
The Add Exception List dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this exception.
Skip these checks: Select the security checks that should be skipped. For more information, see Email Protection > SMTP > Malware, Antispam, and Data Protection.
For these source hosts/networks: Select or add the source hosts/networks (i.e.,
the host or network messages originate from) that should skip the security
checks defined by this exception rule. How to add a definition is explained on the
Definitions & Users > Network Definitions > Network Definitions page.
Note – No exception needs to be created for localhost because local messages
will not be scanned by default.
When selecting this option, the Hosts/Networks box opens. You can add a host or
network by either clicking the Plus icon or the Folder icon.
OR these sender addresses: Select the senders' email addresses that should skip
the defined security checks.
When selecting this option, the Senders box opens. You can either enter a complete valid email address (e.g., jdoe@example.com) or all email addresses of a specific domain using an asterisk as wildcard (e.g., *@example.com).
Note – Use the Senders option with caution, as sender addresses can easily be
forged.
OR these recipient addresses: Select the recipients' email addresses that should
skip the defined security checks.
When selecting this option, the Recipients box opens. You can either enter a complete valid email address (e.g., jdoe@example.com) or all email addresses of a specific domain using an asterisk as wildcard (e.g., *@example.com).
Comment (optional): Add a description or other information.
3. Click Save.
The new exception appears on the Exceptions list.
To either edit or delete an exception, click the corresponding buttons.
12.1.7 Relaying
The SMTP proxy can be used as a mail relay. A mail relay is an SMTP server configured
in such a way that it allows specific users, user groups, or hosts to relay (i.e., send)
emails through it to domains that are not local.
Note – Some of the features on this tab are not available with BasicGuard subscription.
Upstream Host List
An upstream host is a host that forwards email to you, e.g., your ISP or external MX. If
you get inbound email from static upstream hosts, it is necessary that you enter the
hosts here. Otherwise spam protection will not work properly.
To add an upstream host either click the Plus icon or the Folder icon for drag-and-drop
from the Networks object list. How to add a definition is explained on the Definitions &
Users > Network Definitions > Network Definitions page. If you would like to only allow
upstream hosts select the checkbox Allow upstream/relay hosts only. SMTP access will
then be limited to the defined upstream hosts. Upstream hosts can authenticate to get
relaying rights. Click Apply to save your settings.
Authenticated Relay
SMTP clients can authenticate to get relaying privileges. Select the checkbox Allow
authenticated relaying and specify the users and user groups that should be able to use
this feature. How to add a user is explained on the Definitions & Users > Users & Groups
> Users page. Click Apply to save your settings.
Note – If the checkbox Allow upstream/relay hosts only is enabled, Authenticated Relay only works when the sending host is configured as an upstream/relay host.
Host-based Relay
Mail relaying can also be enabled host-based. If your local mail server or mail clients should be able to use the SMTP proxy as a mail relay, you need to add the networks and hosts which should be able to send mail through the relay to the Allowed hosts/networks box. The networks and hosts listed are allowed to send messages to any addresses. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Caution – It is extremely important not to select Any in the Allowed hosts/networks box, because this would result in an open relay, allowing anyone on the Internet to send messages through the SMTP proxy. Spammers will quickly recognize this, leading to massive email traffic. In the worst case, you will be listed on 3rd party spammer blacklists. In most configurations, the only hosts that should be allowed to relay mail are the mail servers in your network.
Click Apply to save your settings.
Host/Network Blacklist
Here you can define hosts and networks that shall be blocked by the SMTP proxy. Click
Apply to save your settings.
Content Scan for Relayed Messages
When this option is enabled, messages sent by either authenticated or host-based relays will also be scanned for malicious content. If there are many outgoing mails, turning this option off can improve your performance. Click Apply to save your settings.
Note that your global malware and antispam settings also apply to outgoing messages.
UTM 9 WebAdmin
375
12.1 SMTP
12 Email Protection
12.1.8 Advanced
On the SMTP > Advanced tab you can configure additional security options of the SMTP
proxy such as smarthost settings or the transparent mode skiplist, among others.
Header Modifications
SMTP header content of emails passing through UTM can be changed and/or deleted in
Header Modifications.
Add/delete a header:
1. Click on the Plus icon.
The Add Header Modification rule dialog opens.
2. Select the requested Operation.
3. Enter the Header name you want to change/delete.
1-255 ASCII characters are allowed.
4. If you add a header, enter the Value the new header should have.
0-255 characters are allowed.
5. Optionally, add a Comment.
6. Click Save.
7. Click Apply.
Your settings will be saved.
To edit or delete a header rule click on the corresponding icons next to the rule.
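An added example (not from the Sophos documentation or the UTM code) of applying header modification rules to a message with Python's standard email library, including the length limits stated in steps 3 and 4. The rule tuple format, the sample message, the rule set and the X-Example-Gateway header name are constructed for this illustration; the check that a header name contains no colon or whitespace is this example's addition.

```python
from email import message_from_string
from email.policy import default


def validate_rule(operation, name, value=""):
    """Enforce the limits the dialog states: 1-255 ASCII characters for the
    header name, 0-255 characters for the value."""
    if operation not in ("add", "delete"):
        raise ValueError("operation must be 'add' or 'delete'")
    if not (1 <= len(name) <= 255) or not name.isascii():
        raise ValueError("header name must be 1-255 ASCII characters")
    if ":" in name or any(c.isspace() for c in name):
        raise ValueError("header name must not contain ':' or whitespace")
    if not (0 <= len(value) <= 255):
        raise ValueError("value must be 0-255 characters")


def apply_header_rules(raw_message, rules):
    """Apply (operation, header name[, value]) rules in order and return the message."""
    msg = message_from_string(raw_message, policy=default)
    for operation, name, *rest in rules:
        value = rest[0] if rest else ""
        validate_rule(operation, name, value)
        if operation == "delete":
            del msg[name]        # drops every occurrence, matched case-insensitively
        else:
            msg[name] = value    # appends one new header field
    return msg


# Constructed outbound message whose headers reveal the internal network and client.
SAMPLE = (
    "Received: from workstation42.corp.example.com ([10.1.2.3]) by mail.example.com\n"
    "X-Originating-IP: 10.1.2.3\n"
    "X-Mailer: ExampleClient 1.0\n"
    "From: Jane Doe <jdoe@example.com>\n"
    "To: partner@example.org\n"
    "Subject: Quarterly figures\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Figures attached.\n"
)

# Constructed rule set: remove headers that leak internal details, add a marker
# header (hypothetical name) that the receiving side can filter on.
RULES = [
    ("delete", "X-Originating-IP"),
    ("delete", "X-Mailer"),
    ("add", "X-Example-Gateway", "utm.example.com"),
]

if __name__ == "__main__":
    print(apply_header_rules(SAMPLE, RULES).as_string())
```

Deleting a header removes every instance of it; adding a header never replaces an existing one, so a rule that should replace a value needs a delete rule followed by an add rule.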
Transparent Mode
To enable transparent mode for SMTP select the checkbox and click Apply.
Hosts and networks listed in the Skip transparent mode hosts/nets box will not be subject
to the transparent interception of SMTP traffic. However, to allow SMTP traffic for
these hosts and networks, select the Allow SMTP traffic for listed hosts/nets checkbox.
If you do not select this checkbox, you must define specific firewall rules for the hosts
and networks listed here. Click Apply to save your settings.
TLS Settings
TLS certificate: Select a certificate from the drop-down list which will be used to negotiate
TLS encryption with all remote hosts supporting it. You can create or upload
certificates on the Site-to-site VPN > Certificate Management > Certificates tab.
Require TLS negotiation host/nets: Add or select hosts or nets here which always
require TLS encryption for email communication. The UTM will then hold back emails if
TLS encryption is not available for those hosts/nets for some reason, that is, messages
will stay in the mail queue until TLS becomes available again. In case TLS is not
available within a reasonable period of time, sending attempts will be stopped and the
user will get a notification that their email could not be sent.
Require TLS negotiation sender domains: If you want to enforce TLS encryption for
incoming emails from certain domains, enter those domains here. Emails sent from
those domains without TLS will be rejected immediately.
Skip TLS negotiation host/nets: If a particular host or network should encounter problems
with TLS encryption, you can enter it in the box and select the appropriate TLS certificate
from the drop-down menu. This will cause the UTM to skip TLS negotiation for
this host or network. Click Apply to save your settings.
DomainKeys Identified Mail (DKIM)
DKIM is a method to cryptographically sign outgoing messages. To use DKIM signing,
enter your private RSA key and the corresponding key selector into the respective
fields and add the domains you want to sign emails for to the DKIM Domains box. Click
Apply to save your settings.
Confidentiality Footer
For each outgoing email, you can add and customize a confidentiality footer informing
users, for example, that the email may contain confidential or privileged information.
However, the confidentiality footer will not be appended to the email if the email is a
reply (i.e. having an In-Reply-To header) or if the content type of the email could not be
determined.
Note – Adding a footer to messages already signed or encrypted by an email client
(e.g., Microsoft's Outlook or Mozilla's Thunderbird) will break their signature and render
them invalid. If you want to create digital signatures on the client side, disable the
antivirus check footer option. However, if you do not wish to forgo the privacy and
authentication of your email communication and still want to apply a general antivirus
check footer, consider using the built-in email encryption feature of Sophos UTM. Email
encryption done on the gateway means that the footer is added to the message prior
to creating the digital signature, thus leaving the signature intact.
Advanced Settings
Here you can configure the SMTP hostname and the postmaster address, among other
things.
SMTP hostname: Setting the SMTP hostname will cause the proxy to use the specified
name in HELO and SMTP banner messages. By default, the normal system hostname is
selected.
Postmaster address: Specify the email address of the postmaster of the UTM to whom
messages are to be forwarded that are sent in the form of postmaster@[192.168.16.8],
where the IP literal address is one of the IP addresses of the UTM.
Accepting such messages is an RFC requirement.
BATV secret: Here you can change the automatically generated BATV secret used by
the SMTP proxy. The BATV secret is a shared key used to sign an email's envelope
MailFrom address, thus enabling detection of invalid bounce addresses. If you are using
several MXs for your domains, you can change the BATV secret to be the same on all
systems.
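An added illustration (not Sophos code) of what signing the envelope MailFrom with a shared BATV secret achieves. It follows the prvs tag layout of the BATV Internet-Draft with an HMAC-SHA256 tag truncated to six hex digits; the exact tag format, key id, tag lifetime and verification window that the UTM uses are not stated on this page and are assumptions here, as are the secret and addresses. Every MX that holds the same secret can verify a bounce addressed to a tag that any of the others created, which is why the secret should be identical on all systems.

```python
import hashlib
import hmac
from datetime import date

MAX_LIFETIME_DAYS = 30   # verifier rejects tags whose expiry lies further ahead (assumed policy)


def _tag(secret, key_id, expiry, local, domain):
    """6-hex-digit HMAC-SHA256 tag over key id, expiry counter and original address."""
    data = f"{key_id}{expiry:03d}{local}@{domain}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:6]


def batv_sign(mail_from, secret, today, lifetime_days=7, key_id=0):
    """Rewrite MAIL FROM as prvs=KDDDSSSSSS=user@domain (prvs draft layout).

    K is the key id, DDD an expiry day counter modulo 1000, SSSSSS the tag.
    The null sender <> of bounces is left untouched.
    """
    if not mail_from:
        return mail_from
    local, domain = mail_from.rsplit("@", 1)
    expiry = (today.toordinal() + lifetime_days) % 1000
    sig = _tag(secret, key_id, expiry, local, domain)
    return f"prvs={key_id}{expiry:03d}{sig}={local}@{domain}"


def batv_verify(rcpt_to, secret, today):
    """Check the tag on a bounce's RCPT TO. Returns (valid, original address).

    A bounce to an untagged, mis-signed or expired address is invalid: it
    answers a message this gateway never sent (forged sender, backscatter).
    """
    if not rcpt_to.startswith("prvs="):
        return False, rcpt_to
    try:
        tag, original = rcpt_to[5:].split("=", 1)
        key_id, expiry, sig = int(tag[0]), int(tag[1:4]), tag[4:]
        local, domain = original.rsplit("@", 1)
    except (ValueError, IndexError):
        return False, rcpt_to
    expected = _tag(secret, key_id, expiry, local, domain)
    if len(sig) != 6 or not hmac.compare_digest(sig, expected):
        return False, original
    if (expiry - today.toordinal()) % 1000 > MAX_LIFETIME_DAYS:
        return False, original       # expired, or an implausibly distant counter
    return True, original


if __name__ == "__main__":
    secret = b"constructed-shared-secret"    # constructed; the UTM generates its own
    today = date(2017, 5, 9)
    signed = batv_sign("jdoe@example.com", secret, today)
    print("outbound MAIL FROM:", signed)
    print("bounce to tagged address:", batv_verify(signed, secret, today))
    print("bounce to plain address: ", batv_verify("jdoe@example.com", secret, today))
```

The sending side rewrites MAIL FROM; the receiving side only has to inspect RCPT TO of messages with a null sender, so the check costs one HMAC per bounce and needs no state beyond the secret.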
Max message size: The maximum message size that is accepted by the proxy. This setting
applies to both incoming and outgoing emails. If your backend server has a limitation
with regard to message sizes, you should set the same or a lower value here.
Default is 50 megabytes.
Note – The maximum message size limit is 250 megabytes.
Max connections: The maximum number of concurrent connections the proxy allows.
Default is 20.
Max connections/host: The maximum number of connections per host the proxy allows.
Default is 10.
Note – If the value is 0 the connection number per host is unlimited.
Max mails/connection: The maximum number of mails per connection the proxy allows.
Default is 1000.
Max rcpt/mail: The maximum number of recipients per mail the proxy allows. Default is
100.
Footers mode: Here you can define how footers will be added to mails. MIME part will
add the footer as an extra MIME part. Existing part encodings are not changed and national
language characters are preserved. The other method is Inline, which means that the
footer is separated from the main mail by the -- separator. With this mode you can
choose whether the footer should be Unicode (UTF-8) converted or not. Unicode conversion
upgrades the message to preserve national language characters in the footer.
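An added example (not from the Sophos documentation or the UTM code) that covers both the Confidentiality Footer rules in the section above (no footer on replies or on messages whose content type cannot be determined) and the two Footers mode variants just described: MIME part versus Inline with the -- separator and optional Unicode conversion. It uses Python's standard email library; the function name, the status strings, the sample messages and the way "content type could not be determined" is modelled are assumptions.

```python
from email import message_from_string
from email.policy import default

FOOTER = "This message may contain confidential or privileged information."  # constructed


def add_confidentiality_footer(raw_message, footer=FOOTER, mode="mime", utf8=True):
    """Return (message, status). mode is 'mime' (extra MIME part) or 'inline'
    ('-- ' separator); utf8 selects the Inline-mode Unicode conversion."""
    msg = message_from_string(raw_message, policy=default)
    if msg["In-Reply-To"] is not None:
        return msg, "skipped: reply"
    # "Content type could not be determined" is modelled here as: no Content-Type
    # header at all, or a main type that is neither text nor multipart (assumption).
    if msg["Content-Type"] is None or msg.get_content_maintype() not in ("text", "multipart"):
        return msg, "skipped: content type undetermined"
    if mode == "mime":
        # Existing parts keep their encodings; the footer becomes its own UTF-8 part
        # (add_attachment converts a single-part message to multipart/mixed first).
        msg.add_attachment(footer, subtype="plain", charset="utf-8", disposition="inline")
        return msg, "added: mime part"
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        return msg, "skipped: no text/plain part"
    # Without Unicode conversion the footer must fit the part's existing charset.
    charset = "utf-8" if utf8 else (part.get_content_charset() or "us-ascii")
    try:
        footer.encode(charset)
    except UnicodeEncodeError:
        return msg, "skipped: footer needs Unicode conversion"
    body = part.get_content().rstrip("\n")
    part.set_content(body + "\n-- \n" + footer, subtype="plain", charset=charset)
    return msg, "added: inline"


# Constructed messages: a plain outbound mail, the same mail as a reply, and one
# without a Content-Type header.
SAMPLE = (
    "From: Jane Doe <jdoe@example.com>\n"
    "To: partner@example.org\n"
    "Subject: Quarterly figures\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Please find the figures below.\n"
)
REPLY = "In-Reply-To: <20170509.1@example.org>\n" + SAMPLE
NO_CONTENT_TYPE = SAMPLE.replace("Content-Type: text/plain; charset=us-ascii\n", "")

if __name__ == "__main__":
    for name, raw, kw in [("mime", SAMPLE, {"mode": "mime"}),
                          ("inline", SAMPLE, {"mode": "inline"}),
                          ("reply", REPLY, {}),
                          ("no content type", NO_CONTENT_TYPE, {})]:
        msg, status = add_confidentiality_footer(raw, **kw)
        print(f"== {name}: {status}\n{msg.as_string()}")
```

The MIME-part mode never touches the original body, which is why existing encodings survive; the inline mode rewrites the text part, so a signature computed over the original body by the client would no longer verify, as the Note under Confidentiality Footer warns.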
Smarthost Settings
A smarthost is a type of mail relay server which allows an SMTP server to route mail
to an upstream mail server rather than directly to the recipient’s server. Often this
smarthost requires authentication from the sender to verify that the sender has privileges
to have mail forwarded through the smarthost.
Use a smarthost: If you want to use a smarthost to send mail, select the checkbox. In
that case, the proxy will never deliver mail itself, but rather send anything to the
smarthost.
• Smarthost: Select or add a smarthost object. How to add a definition is explained
  on the Definitions & Users > Network Definitions > Network Definitions page.
• Smarthost port: The default port for the smarthost connection is 25. You can
  change it if required.
• This smarthost requires authentication: Select this checkbox if the smarthost
  requires authentication. Both Plain and Login authentication types are supported.
  Enter a username and password into the respective fields.
12.2 SMTP Profiles
The SMTP proxy of Sophos UTM lets you create alternative SMTP profiles, which can
then be associated with different domains. That way you can specify domains that
should use a different profile than the default profile configured in Email Protection
> SMTP. The order of the functions, structured as tabs, reflects the order in which each
step is processed during the SMTP session.
To create an SMTP profile, proceed as follows:
1. Enable the SMTP profile mode.
On the Email Protection > SMTP > Global tab select Profile Mode and click Apply.
Creating SMTP profiles in the Email Protection > SMTP Profiles menu is now
enabled.
2. On the SMTP Profiles tab, click New Profile.
A dialog box opens.
3. Enter a descriptive name for the profile.
4. Add one or more domains.
Add one or more domains to the Domains box.
Settings of this profile will be applied for those domains.
5. Make the following settings:
You only need to make settings for functions you want to use. For each of the following
functions you can decide whether to use individual settings defined here
or global settings defined under Email Protection > SMTP. By default, the global
settings option is selected. The individual settings for each function are
described below.
Note – Encrypted emails whose sender address includes a domain name configured
here cannot be decrypted when using the email encryption/decryption
engine of Sophos UTM. Therefore, no profile should be added for external email
domains.
All settings that you can define here can also be set globally in Email Protection
> SMTP. Therefore only a list of settings and the differences from the global settings
are given here, along with cross-references to the respective global setting
where detailed information can be found.
The following settings can be made:
• Routing: On the Routing tab you can configure domain and routing targets
  for the SMTP proxy and define how recipients shall be verified.
  • Static Host List
  • DNS Hostname
  • MX Records
  For detailed information please refer to Email Protection > SMTP > Routing.
• Recipient Verification
  Verify Recipients: Here you can specify whether and how email recipients
  are to be verified.
  • With callout: A request is sent to the server to verify the recipient.
  • In Active Directory: A request is sent to the Active Directory server to
    verify the recipient. To be able to use Active Directory you must have
    an Active Directory server specified in Definitions & Users > Authentication
    Services > Servers. Enter a base DN into the Alternative Base DN
    field and select the Active Directory server.
    Note – The use of Active Directory recipient verification may lead to
    bounced messages in case the server does not respond.
  • Off: You can turn off recipient verification completely but this is not
    recommended for it will lead to higher spam traffic volume and dictionary
    attacks. Thus your quarantine is likely to be flooded with unsolicited
    messages.
  For detailed information please refer to Email Protection > SMTP > Routing.
• Sophos UTM RBLs: Here you can block IP addresses linked to spamming.
  • Use recommended RBLs
  For detailed information please refer to Email Protection > SMTP > Antispam.
• Extra RBLs: You can add further RBL sites to enhance the antispam capability
  of Sophos UTM. For detailed information please refer to Email Protection
  > SMTP > Antispam. Note that, as a third option, you can add the
  global settings to your individual settings here.
• BATV/RDNS/HELO/SPF/Greylisting: This tab gathers various other
  advanced options increasing the antispam capability of Sophos UTM.
  • Reject invalid HELO/missing RDNS
  • Use greylisting
  • Use BATV
  • Perform SPF check
  For detailed information please refer to Email Protection > SMTP > Antispam.
• Malware Scanning: You can configure how to proceed with messages that
  contain malicious content. The following actions are available:
  • Off
  • Quarantine
  • Blackhole
  You can choose between the following malware scan options:
  • Single scan: Default setting; provides maximum performance using
    the engine defined on the System Settings > Scan Settings tab.
  • Dual scan: Provides maximum recognition rate by scanning the
    respective traffic twice using different virus scanners. Note that dual
    scan is not available with BasicGuard subscription.
  Quarantine unscannable and encrypted content: Select this option to quarantine
  emails whose content could not be scanned. Unscannable content
  may be encrypted or corrupt archives or oversized content, or there may be
  a technical reason like a scanner failure.
  For detailed information please refer to Email Protection > SMTP > Malware.
• Antispam Scanning: Here you can decide how to deal with unsolicited commercial
  emails. Both for spam and confirmed spam you can choose
  between the following actions:
  • Off
  • Warn
  • Quarantine
  • Blackhole
  For detailed information please refer to Email Protection > SMTP > Antispam.
• Sender Blacklist: The envelope sender of incoming SMTP sessions will be
  matched against the addresses on this blacklist. If the envelope sender is
  found on the blacklist the message will be blackholed. For detailed information
  please refer to Email Protection > SMTP > Antispam. Note that, as a
  third option, you can add the global settings to your individual settings here.
• MIME Audio/Video/Executables blocking: The MIME type filter reads the
  MIME type of email contents. You can select which content types you would
  like to quarantine:
  • Audio content
  • Video content
  • Executable content
  For detailed information please refer to Email Protection > SMTP > Malware.
• MIME Type Blacklist: Here you can add additional MIME types to quarantine.
  For detailed information please refer to Email Protection > SMTP > Malware.
  Note that, as a third option, you can add the global settings to your individual
  settings here.
• MIME Type Whitelist: Here you can add MIME types not to quarantine. For
  detailed information please refer to Email Protection > SMTP > Malware.
  Note that, as a third option, you can add the global settings to your individual
  settings here.
• Blocked File Extensions: Using the File extension filter you can quarantine
  emails (with warnings) that contain certain types of files based on their
  extensions (e.g., executables). For detailed information please refer to Email
  Protection > SMTP > Malware. Note that, as a third option, you can add the
  global settings to your individual settings here.
• Blocked Expressions: The expression filter scans messages' content
  passing through the SMTP proxy for specific expressions. Suspicious
  emails will be blocked. For detailed information please refer to Email Protection
  > SMTP > Antispam. Note that, as a third option, you can add the
  global settings to your individual settings here.
• Confidentiality Footer: For each outgoing email, you can add and customize
  a confidentiality footer informing users, for example, that the email may
  contain confidential or privileged information. However, the confidentiality
  footer will not be appended to the email if the email is a reply (i.e. having
  an In-Reply-To header) or if the content type of the email could not be
  determined. Note that the footer is appended depending on the sender
  domain. To use a footer, select the checkbox and enter the footer text.
• SPX Template Selection: The SPX template is used for SPX Encryption. It
  defines how encrypted emails will be sent to the recipients. For detailed
  information please refer to Email Protection > SPX Encryption > SPX Templates.
• Data Protection Configuration: Here you can add attachments to the scan
  list, set notifications and select items from the SophosLabs Content Control
  List.
  For detailed information please refer to SMTP > Data Protection.
6. Click Apply.
Your settings will be saved. The new profile appears on the SMTP Profiles list.
Note – When you select Use global settings for a topic and click Apply, the icon of the
function changes to the global settings icon. By this, you can easily get an overview
of which functions use global settings or individual settings.
To either disable, rename or delete a profile, click the corresponding buttons at the top
below the profile drop-down list.
12.3 POP3
The menu Email Protection > POP3 lets you configure the POP3 proxy for incoming
emails. The Post Office Protocol 3 (POP3) is an application-layer Internet standard protocol
that allows the retrieval of emails from a remote mail server. The POP3 proxy
works transparently, meaning that all POP3 requests coming from the internal network
on port 110 (and 995 if scanning of TLS encrypted traffic is enabled) are intercepted
and redirected through the proxy invisible to the client. The advantage of this mode is
that no additional administration or client-side configuration is necessary.
Note – It might be necessary to increase the server timeout settings in the email clients'
configuration. Usual default settings of about one minute or less might be too
low, especially when fetching large emails.
The POP3 protocol does not have server-side tracking of which mails have already
been retrieved. Generally, a mail client retrieves a mail and deletes it on the server
afterwards. However, if the client is configured to not delete mails, then server-side
deleting is omitted and the client keeps track of which mail has already been fetched.
12.3.1 Global
On the Email Protection > POP3 > Global tab you can configure basic settings for the
POP3 proxy.
To configure the POP3 proxy, proceed as follows:
1. Enable the POP3 proxy.
Click the toggle switch.
The toggle switch turns amber and the POP3 Settings area becomes editable.
2. Select the allowed networks.
Add or select the networks that should be allowed to proxy POP3 traffic. Typically,
this is the internal network. How to add a definition is explained on the
Definitions & Users > Network Definitions > Network Definitions page.
Caution – It is extremely important not to select an Any network object,
because this introduces a serious security risk and opens your appliance up to
abuse from the Internet.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green.
To cancel the configuration, click the amber colored toggle switch.
Live Log
The POP3 Live Log logs the POP3 proxy activities, showing all incoming emails. Click
the button to open the live log in a new window.
Note – In the log, you can see the public source IP address (srcip) of all incoming
emails. If an incoming mail was sent from a private IP address range, that IP address
cannot be displayed and the log shows srcip=0.0.0.0. Typical private IP address
ranges are for example 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16.
12.3.2 Malware
The Malware tab contains various measures against emails that carry harmful and dangerous
content such as viruses, worms, or other malware.
Malware Scanning
When using this option, emails will be scanned for unwanted content such as viruses,
trojan horses, or suspicious file types. Messages containing malicious content will be
blocked and stored in the email quarantine. Users can review and release their quarantined
messages either through the Sophos User Portal or the daily Quarantine Report.
However, messages containing malicious content can only be released from the quarantine
by the administrator in the Mail Manager.
Sophos UTM features several malware engines for best security.
• Single scan: Default setting; provides maximum performance using the engine
  defined on the System Settings > Scan Settings tab.
• Dual scan: Provides maximum recognition rate by scanning the respective traffic
  twice using different virus scanners. Note that dual scan is not available with
  BasicGuard subscription.
Quarantine unscannable and encrypted content: Select this option to quarantine emails
whose content could not be scanned. Unscannable content may be encrypted or corrupt
archives or oversized content, or there may be a technical reason like a scanner failure.
Max scanning size: Specify the maximum size of files to be scanned by the antivirus
engine(s). Files exceeding this size will be exempt from scanning.
Click Apply to save your settings.
File Extension Filter
This feature filters and quarantines emails (with warnings) that contain certain types
of files based on their extensions (e.g., executables). To add file extensions, click the
Plus icon in the Blocked File Extensions box and enter a critical file extension you want
to be scanned, e.g., exe or jar (without the dot delimiter). Click Apply to save your settings.
Note – Archives cannot be scanned for forbidden file extensions. To protect your network
from malware included in archives you might want to consider blocking the
respective archive file extensions altogether.
12.3.3 Antispam
Sophos UTM can be configured to detect unsolicited spam emails and to identify spam
transmissions from known or suspected spam purveyors. Configuration options located
on the Antispam tab let you configure POP3 security features aimed at preventing
your network from receiving unsolicited commercial emails.
Spam Filter
Sophos UTM includes a heuristic check of incoming emails for characteristics suggestive
of spam. It uses SMTP envelope information and an internal database of heuristic
tests and characteristics. This spam filtering option scores messages based on
their content and SMTP envelope information. Higher scores indicate a higher spam
probability.
With the following two options you can specify what to do with messages that have
been assigned a certain spam score. This ensures that potential spam emails are
treated differently by the gateway.
• Spam action: Here you can define what to do with messages that are classified
  as probable spam.
• Confirmed spam action: Here you can define what to do with confirmed spam
  messages.
You can choose between different actions for those two types of spam:
• Off: No messages will be marked as spam or filtered out.
• Warn: No messages will be filtered out. Instead, a spam flag will be added to the
  message's header and a spam marker will be added to the message's subject.
• Quarantine: The message will be blocked and stored in the email quarantine. Quarantined
  messages can be reviewed either through the User Portal or the daily
  Quarantine Report.
Spam marker: With this option you can specify a spam marker, that is, a string that will
be added to the message's subject line making it easy to identify spam messages
quickly. By default, the string *SPAM* is used to tag messages as spam.
Expression Filter
The expression filter scans the message's subject and body for specific expressions.
Emails that contain an expression listed here will be blocked. However, if the prefetch
option is enabled on the Email Protection > POP3 > Advanced tab, the email will be sent
to the quarantine. Expressions can be entered as Perl Compatible Regular Expressions.
Simple strings such as "online dating" are interpreted in a case-insensitive manner.
Cross Reference – For detailed information on using regular expressions in the expression
filter, see the Sophos Knowledgebase.
Click Apply to save your settings.
Sender Blacklist
The envelope sender of incoming POP3 sessions will be matched against the
addresses on this blacklist. If the envelope sender is found on the blacklist the message
will be quarantined and marked as Other in the subject line.
To add a new address pattern to the blacklist click the Plus icon in the Blacklisted
Address Patterns box, enter (a part of) an address, and click Apply. You can use an asterisk
(*) as a wildcard, e.g., *@abbeybnknational.com. A wildcard does not work in the
domain or TLD part of an address.
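An added example (not Sophos code) of the two POP3 Antispam checks described above: matching the envelope sender against address patterns in which the asterisk is a wildcard only in the local part, and the expression filter with case-insensitive matching, together with the resulting action (quarantine plus an Other marker for blacklisted senders; block, or quarantine when prefetch is enabled, for expression hits). Python's re module stands in for the appliance's PCRE; the function names, the exact text of the Other marker, the choice to reject a domain-part wildcard at configuration time, and the sample messages are assumptions.

```python
import re


def compile_sender_pattern(pattern):
    """Turn a Blacklisted Address Pattern into a compiled regex.

    '*' is a wildcard in the local part only. The page says a wildcard does not
    work in the domain or TLD part; this example rejects such patterns when they
    are configured rather than letting them silently match nothing.
    """
    local, sep, domain = pattern.lower().partition("@")
    if not sep or not domain:
        raise ValueError("pattern must have the form local@domain")
    if "*" in domain:
        raise ValueError("wildcard not supported in the domain or TLD part")
    local_re = "".join(".*" if ch == "*" else re.escape(ch) for ch in local)
    return re.compile(local_re + "@" + re.escape(domain))


def sender_blacklisted(envelope_sender, patterns):
    """True if the envelope sender matches any blacklist pattern (case-insensitive)."""
    sender = envelope_sender.lower()
    return any(compile_sender_pattern(p).fullmatch(sender) for p in patterns)


def expression_hits(subject, body, expressions):
    """Return the expressions found in subject or body. Expressions are regexes;
    a plain string such as 'online dating' therefore matches case-insensitively."""
    text = subject + "\n" + body
    return [e for e in expressions if re.search(e, text, re.IGNORECASE)]


def pop3_antispam_verdict(envelope_sender, subject, body, blacklist, expressions, prefetch=False):
    """Return (action, subject) for one message following the Antispam tab:
    a blacklisted sender is quarantined and marked Other in the subject; an
    expression hit is blocked, or quarantined when prefetch mode is enabled."""
    if sender_blacklisted(envelope_sender, blacklist):
        return "quarantine", "*Other* " + subject     # marker text assumed
    if expression_hits(subject, body, expressions):
        return ("quarantine" if prefetch else "block"), subject
    return "deliver", subject


# Constructed configuration: the page's own pattern example plus one literal address.
BLACKLIST = ["*@abbeybnknational.com", "noreply@example.net"]
EXPRESSIONS = ["online dating", r"\bunclaimed (prize|inheritance)\b"]

if __name__ == "__main__":
    # Constructed sample messages: (envelope sender, subject, body)
    samples = [
        ("Alert@AbbeyBnkNational.com", "Verify your account", "Click here."),
        ("friend@example.org", "Online Dating offer", "Meet singles."),
        ("friend@example.org", "Lunch?", "Tomorrow at noon."),
    ]
    for sender, subject, body in samples:
        print(sender, "->", pop3_antispam_verdict(sender, subject, body, BLACKLIST, EXPRESSIONS))
```

Because the blacklist is compared against the envelope sender, which is trivial to forge, it is a convenience filter rather than an authentication check; the expression list is matched as regular expressions, so characters such as '.' or '+' in a plain-string entry should be escaped if they are meant literally.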
Tip – End-users can create their personal blacklist and whitelist in the User Portal.
12.3.4 Exceptions
On the POP3 > Exceptions tab you can define client hosts/networks and sender
addresses that shall be excluded from various security features.
To create an exception, proceed as follows:
1. On the Exceptions tab, click New Exception List.
The Add Exception List dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this exception.
Skip these checks: Select the security checks that should be skipped. For more
information, see Email Protection > POP3 > Malware and Antispam.
For these client hosts/networks: Add or select the source hosts/networks (i.e.,
the hosts or networks messages originate from) that should skip the security
checks. How to add a definition is explained on the Definitions & Users > Network
Definitions > Network Definitions page.
Note – No exception needs to be created for localhost because local messages
will not be scanned by default.
When selecting this option, the Client hosts/networks dialog box opens. You can
add a host or network by either clicking the plus symbol or the folder symbol.
OR these sender addresses: Select the senders' email addresses that should skip
the defined security checks.
When selecting this option, the Senders box opens. You can either enter a complete
valid email address (e.g., jdoe@example.com) or all email addresses of a
specific domain using an asterisk as wildcard (e.g., *@example.com).
Note – Use the Senders option with caution, as sender addresses can easily be
forged.
Comment (optional): Add a description or other information.
3. Click Save.
The new exception appears on the Exceptions list.
To either edit or delete an exception, click the corresponding buttons.
12.3.5 Advanced
On the POP3 > Advanced tab you can specify those hosts and networks that can skip
the transparent mode of the POP3 proxy. In addition, it contains the POP3 proxy's
prefetch option, which allows the prefetching of messages from a POP3 server and
storing them in a database.
Transparent Mode Skiplist
Hosts and networks listed in the Skip transparent mode hosts/nets box will not be subject
to the transparent interception of POP3 traffic. However, to allow POP3 traffic for
these hosts and networks, select the Allow POP3 traffic for listed hosts/nets checkbox.
If you do not select this checkbox, you must define specific firewall rules for the hosts
and networks listed here.
POP3 Servers and Prefetch Settings
You can enter one or more POP3 servers here that are used in your network or by your
end users, so that the servers are known to the proxy. Additionally, you can turn on
prefetching.
To define a POP3 server, do the following:
1. Add the DNS name of the POP3 server(s).
In the POP3 servers box, click the Plus icon. In the Add Server dialog window,
enter the DNS name and click Save.
A new entry with the entered DNS name and the suffix Servers is displayed in the
box. The UTM automatically creates a DNS group with the specified DNS name
and associates it with the new POP3 server entry.
2. Specify the POP3 server's properties.
In the POP3 servers box, click the Edit icon in front of the POP3 server. The Edit
Server dialog window opens. Make the following settings:
Name: If you want, modify the POP3 server's name.
Hosts: The box automatically contains a DNS group with the DNS name specified
above. Add or select additional hosts or DNS groups. Make sure to add only such
hosts or DNS groups that serve the same POP3 accounts. How to add a definition
is explained on the Definitions & Users > Network Definitions > Network Definitions
page.
TLS certificate: Select a certificate from the drop-down list which will be used to
negotiate TLS encryption with all remote hosts supporting it. You can create or
upload certificates on the Site-to-site VPN > Certificate Management
> Certificates tab.
Note – For TLS encryption to work, the Scan TLS encrypted POP3 traffic checkbox
in the TLS Settings section has to be enabled. For POP3 servers not defined
here or not having a TLS certificate, you can select a default TLS certificate in
the TLS Settings section.
Comment (optional): Add a description or other information.
3. Click Save.
The POP3 server is defined.
If no POP3 server is specified and a mail gets caught by the proxy, the proxy replaces
the mail with a notification to the recipient right away in the same connection stating
that the mail has been quarantined. The quarantined mail can be viewed in Mail Manager,
but is not associated to a server or account and therefore cannot be released in a
later connection. Generally, releasing emails from quarantine only works for
prefetched messages.
There are two scenarios:
• If POP3 server(s) are given and prefetching is disabled, the proxy keeps track
  which quarantined mails belong to which server/account. Thus, quarantined mail
  can be released when the client polls the mailbox next time. For this to work, the
  proxy has to safely identify which IP addresses belong to which server (by their
  FQDN which you have entered in your mail client).
• If POP3 server(s) are given and prefetching is enabled, the POP3 proxy periodically
  checks the POP3 server(s) for new messages. If a new message has
  arrived, it will be copied to the POP3 proxy, scanned and stored into a database
  on the UTM. The message remains on the POP3 server. When a client tries to
  fetch new messages, it communicates with the POP3 proxy instead and only
  retrieves messages from this database.
A POP3 proxy supporting prefetching has a variety of benefits, among others:
• No timeout problems between client and proxy or vice versa.
• Delivery of messages is much faster because emails have been scanned in
  advance.
• Blocked messages can be released from the User Portal—they will then be
  included in the next fetch.
If a message was blocked because it contained malicious content or because it was
identified as spam, it will not be delivered to the client. Instead, such a message will be
sent to the quarantine. A message held in quarantine is stored in the Mail Manager section
of the User Portal, from where it can be deleted or released.
Use prefetch mode: To enable prefetch mode, select the checkbox and add one or more
POP3 servers to the POP3 Servers box.
Prefetch interval: Select the time interval at which the POP3 proxy contacts the
POP3 server to prefetch messages.
Note – The interval at which mail clients are allowed to connect to the POP3
server may vary from server to server. The prefetch interval should therefore
not be set to a shorter interval than allowed by the POP3 server, because otherwise
the download of POP3 messages would fail as long as the access to the
POP3 server is blocked.
Note further that several mail clients may query the same POP3 account.
Whenever messages were successfully fetched from a POP3 server, this will
restart the timer until the server can be accessed for the next time. If for that
reason the POP3 proxy cannot access a POP3 server four times in a row
(default is every 15 minutes), the account password will be deleted from the
proxy's mail database and no emails will be fetched until a mail client sends
the password to the POP3 server again and successfully logs in.
Delete quarantined mails from server: When you select this option, quarantined
messages will be deleted from the POP3 server immediately. This is useful to
prevent users from getting spam or virus messages when they connect to the POP3
server not via the UTM, but for example via the POP3 server's web portal.
If the email client is configured to delete messages from the server after retrieving
them, this information will be stored in the database, too. The next time the proxy is
going to prefetch messages for this POP3 account, it will delete the messages from
the server. This means, as long as no client fetches the messages from the Sophos
UTM and no delete command is configured, no message will be deleted from the POP3
server. Therefore, they can still be read, for example, via the web portal of the email provider.
Quarantined messages are deleted from the POP3 server in the following cases:
392
UTM 9 WebAdmin
12 Email Protection
• Messages are manually deleted via the Mail Manager.
• Messages are manually deleted by the user via the User Portal.
• The message was released (either through the Quarantine Report or the User Portal) and the user's email client is configured to delete messages upon delivery.
• The notification message has been deleted.
• After the storage period has expired (see section Configuration in chapter Mail Manager).
In prefetch mode, however, spam messages in quarantine cannot be deleted from the POP3 server directly by means of a client command.
Note – The email client must successfully connect to the POP3 server at least once for the prefetch function to operate properly. This is because Sophos UTM needs to store the name of the POP3 server, the username, and the user's password in a database in order to fetch POP3 messages on behalf of this user. This cannot be achieved by configuring POP3 account credentials in the Sophos User Portal: the POP3 account credentials in the User Portal are only needed for prefetched messages to appear in this user's portal and daily Quarantine Report.
Note for fetchmail users: The TOP method is not supported for downloading emails from the mail server, for security reasons: messages retrieved with TOP cannot be scanned. Downloading works if you specify the fetchall option (-a on the command line), which makes fetchmail retrieve messages with RETR. For more information, see "RETR or TOP" in the fetchmail manual.
Preferred Charset
In this section you can select a charset other than UTF-8 to be used for those mail headers which have been changed in some way by the UTM (e.g. BATV). This is useful if your users use mail clients which do not understand UTF-8. Generally the default charset for mail headers works fine for every region. Therefore only change this setting if you are sure this is what you want. If in doubt, keep the default UTF-8.
TLS Settings
Scan TLS encrypted POP3 traffic: If enabled, the UTM will scan TLS encrypted POP3
traffic. For this to work, TLS certificates have to be defined for the POP3 servers
accessed by the POP3 clients (see POP3 Servers and Prefetch Settings section above
and TLS certificate checkbox below).
If disabled, and a POP3 client tries to access a POP3 server via TLS, the connection will
not be established.
TLS certificate: Select a certificate from the drop-down list which will be used for TLS encryption with all POP3 clients that support TLS and try to access a POP3 server that either is not listed in the POP3 servers box above or does not have a matching TLS certificate associated. The selected certificate will be presented to the POP3 client.
POP3 clients usually verify that the TLS certificate presented by the POP3 server matches the configured POP3 server name. For this reason, most POP3 clients will display a warning that the certificate's hostname does not match the configured POP3 server's name. The user can dismiss the warning and connect nevertheless, but getting users used to clicking through certificate warnings is undesirable. If you want to avoid this warning, add all used POP3 servers to the POP3 servers box above and configure a matching TLS certificate for each of them.
If no certificate is selected here, and a POP3 client tries to access via TLS a POP3 server that is not listed in the POP3 servers box or does not have a matching TLS certificate associated, the connection will not be established.
Tip – You can create or upload certificates on the Site-to-site VPN > Certificate Management > Certificates tab.
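The hostname check behind the client warning described above, and the certificate selection rule of the TLS certificate setting, can be reproduced as follows. This is an added example, not Sophos UTM code: a certificate is modelled by the dNSName entries of its subjectAltName, the POP3 Servers box by a dictionary, and all server and certificate names are constructed for the example. The wildcard rule is the one mail clients commonly apply (RFC 6125: a wildcard stands for exactly one left-most label).

```python
"""Hostname matching for the POP3 TLS certificate setting (added example)."""


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a configured server name the way
    mail clients do: case-insensitive, trailing dot ignored, and a wildcard may
    only replace the whole left-most label, so *.example.com covers
    pop.example.com but neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    if pattern.count("*") != 1 or not pattern.startswith("*."):
        return False  # partial-label wildcards such as p*.example.com are rejected
    p_labels, h_labels = pattern.split("."), host.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def cert_covers_host(cert_names, host: str) -> bool:
    """True if any dNSName of the certificate matches the host."""
    return any(dns_name_matches(name, host) for name in cert_names)


def select_tls_certificate(pop3_servers, fallback_cert, requested_host):
    """Reproduce the selection rule from the TLS Settings section.

    pop3_servers:  {server name: dNSNames of that server's own certificate}
                   for servers listed with a certificate in the POP3 Servers box.
    fallback_cert: dNSNames of the certificate chosen in the TLS certificate
                   drop-down, or None if none is selected.
    Returns (dNSNames of the certificate presented, client_warning_expected);
    (None, False) means the connection is not established at all.
    """
    cert = pop3_servers.get(requested_host.lower())
    if cert is None:
        if fallback_cert is None:
            return None, False
        cert = fallback_cert
    return cert, not cert_covers_host(cert, requested_host)


# Constructed sample configuration (assumption, not a real deployment): one
# listed server with its own certificate, plus a generic UTM certificate as fallback.
SAMPLE_SERVERS = {"pop.example.com": ["pop.example.com", "*.example.com"]}
SAMPLE_FALLBACK = ["utm.example.net"]

if __name__ == "__main__":
    for host in ("pop.example.com", "mail.partner.example"):
        cert, warn = select_tls_certificate(SAMPLE_SERVERS, SAMPLE_FALLBACK, host)
        print(host, "->", cert, "(warning expected)" if warn else "(no warning)")
```

A server listed with its own certificate is served without a warning; any other server receives the fallback certificate, whose names do not cover the requested host, which is exactly the mismatch the client reports.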
12.4 Encryption
Ever since email became the primary electronic communication medium for personal and business purposes, a legitimate concern over privacy and authentication has arisen. In general terms, email is transmitted in clear text, similar to a postcard which anyone could read. Moreover, as assuming a false identity is easy, it is important for the recipient to be able to tell if the sender is who they claim to be.
Solutions to these issues are typically accomplished with email encryption and digital certificates, where an email message is electronically signed and cryptographically encoded. This assures that only the message recipient can open and view the contents of the email (privacy), and allows the recipient to verify the identity of the sender (authentication). In other words, this process negates the idea of being sent an "e-postcard" and introduces a process much like registered or certified mail.
Modern cryptography has two methods to encrypt email: symmetric and asymmetric. Both have become standard methods and are utilized in several types of applications.
Symmetric key cryptography refers to encryption methods in which both the sender and the receiver share the same key.
On the other hand, asymmetric key cryptography (also known as public key cryptography) is a form of cryptography in which each user has a pair of cryptographic keys: a public key, which encrypts data, and a corresponding private or secret key for decryption. Whereas the public key is freely published, the private key is kept securely by the user.
One drawback of symmetric encryption is that for a sender and recipient to communicate securely, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must prevent the disclosure of the secret key during transmission. Therefore, the persistent problem with symmetric encryption is key distribution: how do I get the key to the recipient without someone intercepting it? Public key cryptography was invented to address exactly this problem. With public key cryptography, users can securely communicate over an insecure channel without having to agree upon a shared key beforehand. What remains is the problem of knowing that a given public key really belongs to the intended recipient, which is what certificates and key signatures address.
The need for email encryption has produced a variety of public key cryptography standards, most notably S/MIME and OpenPGP, both of which are supported by Sophos UTM.
S/MIME (Secure Multipurpose Internet Mail Extensions) is a standard for asymmetric encryption and the signing of emails encapsulated in MIME. It is typically used within a public key infrastructure (PKI) and is based on a hierarchical structure of digital certificates, requiring a trusted instance as Certificate Authority (CA). The CA issues a digital certificate by binding an identity to a pair of electronic keys; this can be seen as a digital counterpart to a traditional identity document such as a passport. Technically speaking, the CA issues a certificate binding a public key to a particular Distinguished Name in the X.500 standard, or to an Alternative Name such as an email address.
A digital certificate makes it possible to verify someone's claim that they have the
right to use a given key. The idea is that if someone trusts a CA and can verify that a
public key is signed by this CA, then one can also be assured that the public key in
question really does belong to the purported owner.
OpenPGP (Pretty Good Privacy), on the other hand, uses asymmetric encryption typically employed in a web of trust (WOT). This means that public keys are digitally signed by other users who, by that act, endorse the association of that public key with the person.
Note – Although both standards offer similar services, S/MIME and OpenPGP have very different formats. This means that users of one protocol cannot communicate with users of the other. Furthermore, authentication certificates cannot be shared between the two.
By default, if S/MIME, OpenPGP and SPX Encryption are all activated, the priorities are: S/MIME, then OpenPGP, then SPX Encryption.
The entire email encryption is transparent to the user, that is, no additional encryption software is required on the client side. Generally speaking, encryption requires having the destination party's certificate or public key stored on the UTM. For incoming and outgoing messages, email encryption functions as follows:
• By default, outgoing messages from internal users will be scanned, automatically signed, and encrypted using the recipient's certificate (S/MIME) or public key (OpenPGP), provided the S/MIME certificate or OpenPGP public key of the recipient exists on the UTM.
• Encrypted incoming messages from external users whose S/MIME certificate or OpenPGP public key is known to the UTM will automatically be decrypted and scanned for malicious content. To decrypt the message, the S/MIME key or OpenPGP private key of the internal user must exist on the UTM.
• Encrypted incoming messages from external users or for internal users unknown to the UTM will be delivered, although they cannot be decrypted and therefore not scanned for viruses or spam. It is then the responsibility of the recipient (internal user) to ensure that the email does not contain any malware, for example by running antivirus software on the client.
• Outgoing messages already encrypted on the client side will be sent directly to the recipient if the recipient's S/MIME certificate or OpenPGP public key is unknown. However, if the recipient's S/MIME certificate or OpenPGP public key is available, the message will be encrypted a second time. Note that pre-encrypted messages cannot be scanned for malicious content.
• Decryption is only possible for incoming emails, where "incoming" means that the domain name of the sender's email address must not be part of any SMTP profile. For example, to decrypt a message sent by jdoe@example.com, the domain example.com must not be configured in either the routing settings or any SMTP profile.
• A summary of the signing/encryption result is written into the subject line of each email. For example, an email that was correctly signed and encrypted with S/MIME has '(S/MIME: Signed and encrypted)' appended to the subject line.
Note – Adding a footer to messages already signed or encrypted by an email client (e.g., Microsoft's Outlook or Mozilla's Thunderbird) will break their signature and render it invalid, because the signature covers the message body as it was when the client signed it. If you want to create digital signatures on the client side, disable the antivirus check footer option. However, if you do not wish to forgo the privacy and authentication of your email communication and still want to apply a general antivirus check footer, consider using the built-in email encryption feature of Sophos UTM. Email encryption done on the gateway means that the footer is added to the message prior to creating the digital signature, thus leaving the signature intact.
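The two orderings described in the note, added here as an example rather than Sophos code. A keyed HMAC over the body stands in for the S/MIME or OpenPGP signature the clients actually produce; the property demonstrated is the same for both, namely that any byte appended after signing makes verification fail, while a footer appended before signing is simply part of what is signed. The footer text and key are constructed for the example.

```python
"""Why a footer appended after signing breaks the signature (added example)."""
import hashlib
import hmac

# Constructed sample footer, standing in for the UTM antivirus check footer.
FOOTER = "\n--\nThis message has been scanned for viruses.\n"


def sign(body: str, key: bytes) -> str:
    """Detached signature over the body. HMAC-SHA256 is used as a stand-in for a
    real S/MIME or OpenPGP signature; both are invalidated by any later change."""
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(body: str, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(body, key), signature)


def client_signs_then_gateway_appends(body: str, key: bytes) -> bool:
    """Client-side signing: the client signs the original body, then the gateway
    appends the footer. Verification on the receiving side fails."""
    signature = sign(body, key)
    delivered = body + FOOTER
    return verify(delivered, signature, key)


def gateway_appends_then_signs(body: str, key: bytes) -> bool:
    """Gateway-side signing: the footer is added first, then the stamped body is
    signed, so the delivered message verifies."""
    stamped = body + FOOTER
    signature = sign(stamped, key)
    return verify(stamped, signature, key)


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a per-user signing secret
    body = "Please find the quarterly figures attached."
    print("client signs, gateway appends:", client_signs_then_gateway_appends(body, key))
    print("gateway appends, then signs:  ", gateway_appends_then_signs(body, key))
```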
12.4.1 Global
On the Email Protection > Encryption > Global tab you can configure the basic settings
of the email encryption functionality.
Note – Encryption only works for SMTP, not for POP3.
Before you can use email encryption, you must first create a Certificate Authority (CA)
consisting of a CA certificate and CA key. The CA certificate can be downloaded and
stored locally. In addition, it can be installed as an external CA (S/MIME Authority) in
other units as illustrated in the diagram to enable transparent email encryption
between two Sophos UTM units.
Figure 19 Encryption: Using Two Sophos UTM Units
To configure email encryption, proceed as follows:
1. On the Global tab, enable email encryption.
Click the toggle switch.
The toggle switch turns amber and the Email Encryption Certificate Authority (CA)
area becomes editable.
2. Create a certificate authority (CA).
Fill out the form in the Email Encryption Certificate Authority (CA) area. By default, the form is filled out with the values of the Management > System Settings > Organizational tab.
3. Click Save.
The toggle switch turns green and the following certificates and keys are created:
• S/MIME CA Certificate
• OpenPGP Postmaster Key
Note that this may take several minutes to complete. If you do not see the fingerprints of the S/MIME CA certificate or the OpenPGP Postmaster key, click the Reload button in the upper right corner of WebAdmin. The certificate and the key can be downloaded and stored locally.
Use the Reset Email Encryption System Now button to reset all settings in the Encryption menu to the factory default configuration. Note that this discards the CA and all keys created under it, so messages encrypted to the old keys can no longer be decrypted on the UTM.
12.4.2 Options
On the Encryption > Options tab you can define the default policy to be used within the
public key cryptography framework of Sophos UTM.
Default Policy: Specify your default policy for emails in terms of cryptography. These
settings can, however, be overwritten by customized settings.
The following actions are available:
• Sign outgoing email
• Encrypt outgoing email
• Verify incoming email
• Decrypt incoming email
Click Apply to save your settings.
Note – For encryption to work, the sender must be within the Internal Users list. Outgoing emails for recipients whose S/MIME certificate or OpenPGP public key exists on the gateway will be encrypted by default. If you want to disable encryption for these recipients, delete their S/MIME certificates or OpenPGP public keys. If certificates or public keys are unknown to the UTM, emails will be sent unencrypted.
Automatic Extraction of S/MIME Certificates
When this option is selected, S/MIME certificates will automatically be extracted from incoming emails, provided the certificate attached to the email is signed by a trusted certificate authority, that is, a CA present and enabled on the unit as shown on the Email Protection > Encryption > S/MIME Authorities tab. In addition, the time and date of Sophos UTM must be within the certificate's validity period for the automatic extraction of certificates to work, so keep the system clock accurate (see Management > System Settings > Time and Date). Once a certificate has been successfully extracted, it will appear on the Email Protection > Encryption > S/MIME Certificates tab. Note that this may take five to ten minutes to complete. Click Apply to save your settings.
OpenPGP Keyserver
OpenPGP keyservers host public PGP keys. You can add an OpenPGP keyserver here. For signed incoming emails and for outgoing emails that are to be encrypted, the UTM will try to retrieve the public key from the given server if the respective public key is not yet known to the UTM. Note that public keyservers do not verify who uploads a key for a given address, so a key fetched this way is only as trustworthy as its web-of-trust signatures; where confidentiality matters, obtain and verify the recipient's key out of band and import it on the OpenPGP Public Keys tab.
12.4.3 Internal Users
For signing and decrypting messages, either the S/MIME key or the OpenPGP private
key must be existent on the UTM. On the Encryption > Internal Users tab you can create
both an individual S/MIME key/certificate and/or OpenPGP key pair for those users for
whom email encryption should be enabled.
To create an internal email user, proceed as follows:
1. On the Internal Users tab, click New Email Encryption User.
The Add User dialog box opens.
2. Make the following settings:
Email address: Enter the email address of the user.
Full name: Enter the name of the user.
Signing: The following signing options are available:
• Use default policy: The policy from the Options tab will be used.
• On: Emails will be signed using the key of the user.
• Off: Emails will not be signed.
Encryption: The following encryption options are available:
• Use default policy: The policy from the Options tab will be used.
• On: Emails will be encrypted using the public key of the recipient.
• Off: Emails will not be encrypted.
Verifying: The following verification options are available:
• Use default policy: The policy from the Options tab will be used.
• On: Emails will be verified using the public key of the sender.
• Off: Emails will not be verified.
Decryption: The following decryption options are available:
• Use default policy: The policy from the Options tab will be used.
• On: Emails will be decrypted using the private key of the user.
• Off: Emails will not be decrypted.
S/MIME: Select whether you want to have the S/MIME certificate and key automatically generated by the system or whether you want to upload a certificate in PKCS#12 format. When uploading the certificate, you must know the passphrase the PKCS#12 file was protected with. Note that the PKCS#12 file must contain both the S/MIME key and the certificate. Any CA certificate that may be included in this PKCS#12 file will be ignored.
OpenPGP: Select whether you want to have the OpenPGP key pair consisting of a private key and the public key automatically generated by the system or whether you want to upload the key pair in ASCII format. Note that both private and public key must be included in one single file and that the file must not contain a passphrase. Because the private key is uploaded unprotected, transfer the file only over a trusted connection and delete it from the workstation afterwards.
Note – If you configure both S/MIME and OpenPGP for an individual user, emails
sent by this user will be signed using S/MIME.
Comment (optional): Add a description or other information.
3. Click Save.
The new user appears on the Internal Users list.
Use the toggle switch to turn the usage of one or both keys off without having to delete
the key(s).
Note – The files offered for download contain the S/MIME certificate and the OpenPGP public key, respectively. For security reasons it is not possible to download the OpenPGP private key or the S/MIME private key.
12.4.4 S/MIME Authorities
On the Encryption > S/MIME Authorities tab you can manage certificate authorities (CA)
for email encryption. In addition to pre-installed CAs, you can upload certificates of
external certificate authorities. All incoming emails whose certificates are signed by
one of the CAs listed and enabled here will be trusted automatically.
Note – If you have selected the Enable automatic S/MIME certificate extraction option
on the Email Protection > Encryption > Options tab, certificates signed by a CA listed
and enabled here will be extracted automatically and placed on the Email Protection >
Encryption > S/MIME Certificates tab.
Local S/MIME Authorities
You can import the certificate (i.e., the public key) of an external certification authority
you trust. That way, all incoming emails whose certificates were signed by this CA will
be trusted, too. For example, you can install the CA of another Sophos UTM unit, thus
enabling transparent email encryption between two Sophos UTM units.
To import an external S/MIME authority certificate, proceed as follows:
1. Click the Folder icon next to the Upload local authority field.
The Upload File dialog window opens.
2. Select the certificate to upload.
Click Browse and select the CA certificate to upload. The following certificate extensions are supported:
• cer, crt, or der: binary (DER-encoded) certificates; the extensions differ but the content is the same. Note that cer is also commonly used for PEM files (see the S/MIME Certificates tab).
• pem: Base64-encoded DER certificates.
3. Upload the certificate.
Click Start Upload to upload the selected CA certificate.
The certificate will be installed and displayed in the Local S/MIME Authorities area.
You can disable or delete an S/MIME authority certificate if you do not regard the CA as trustworthy. To stop trusting an S/MIME authority, click its toggle switch. The toggle switch turns gray and the SMTP proxy will no longer accept mails signed by this S/MIME authority. To delete a certificate, click the Empty icon.
Tip – Click the blue Info icon to see the fingerprint of a CA.
Global S/MIME Authorities
The list of S/MIME CAs shown here is identical to the S/MIME CAs pre-installed by Mozilla Firefox. This facilitates email encryption between your company and your communication partners who maintain a PKI based on those CAs. However, you can disable an S/MIME authority certificate if you do not regard the CA as trustworthy; every enabled CA can vouch for any sender address, so review the list against the partners you actually exchange encrypted mail with. To stop trusting an S/MIME authority, click its toggle switch. The toggle switch turns gray and the SMTP proxy will no longer accept mails signed by this S/MIME authority.
The following links point to URLs of notable root certificates:
• Trustcenter
• S-TRUST
• Thawte
• VeriSign
• GeoTrust
12.4.5 S/MIME Certificates
On the Encryption > S/MIME Certificates tab, you can import external S/MIME certificates. Emails for recipients whose certificates are listed here will automatically be encrypted. If you want to disable encryption for a particular recipient, simply delete its certificate from the list.
Note – If an OpenPGP public key is imported for a recipient in addition to an S/MIME certificate, emails will be encrypted using OpenPGP.
Note – When you upload an S/MIME certificate manually, messages from the email address associated with the certificate are always trusted, even if no CA certificate is available that could vouch for the person named in the certificate. That is to say, manually uploading an S/MIME certificate labels the source as trusted. Therefore verify the certificate's fingerprint with the owner out of band before uploading it.
To import an external S/MIME certificate, proceed as follows:
1. On the S/MIME Certificates tab, click New External S/MIME Certificate.
The Add S/MIME Certificate dialog box opens.
2. Make the following settings:
Format: Select the format of the certificate. You can choose between the following formats:
• der (binary)
• pem (ASCII)
Note – Microsoft Windows operating systems use the cer file extension for both der and pem formats. You must therefore determine in advance whether the certificate you are about to upload is in binary or ASCII format. Then select the format from the drop-down list accordingly.
Certificate: Click the Folder icon to open the Upload File dialog window. Select
the file and click Start Upload.
Comment (optional): Add a description or other information.
3. Click Save.
The new S/MIME certificate appears on the S/MIME Certificates list.
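Because the cer extension does not reveal whether a file is DER or PEM, it is worth checking the bytes before choosing the Format setting. The following added example (not Sophos code) sniffs the format from the file contents and converts between the two encodings; the sample certificate bytes are constructed for the example and are not a real certificate, only the outer ASN.1 SEQUENCE header is realistic.

```python
"""Tell DER from PEM for a .cer file, and convert between them (added example)."""
import base64
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_cert_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown'.

    PEM files start with a textual BEGIN line. A DER certificate starts with the
    ASN.1 SEQUENCE tag 0x30 followed by a long-form length byte (0x81..0x83),
    since a real certificate is always longer than 127 bytes.
    """
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if len(data) >= 2 and data[0] == 0x30 and data[1] in (0x81, 0x82, 0x83):
        return "der"
    return "unknown"


def pem_to_der(data: bytes) -> bytes:
    """Extract the first PEM block and decode its Base64 body to DER."""
    match = PEM_BLOCK.search(data)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(match.group(2).split()))


def der_to_pem(der: bytes, label: bytes = b"CERTIFICATE") -> bytes:
    """Wrap DER bytes in a PEM block with 64-character Base64 lines."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")


# Constructed sample: a SEQUENCE header announcing 256 content bytes, then filler.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    for name, blob in (("sample.der", SAMPLE_DER), ("sample.cer", SAMPLE_PEM)):
        print(name, "->", detect_cert_format(blob))
    assert pem_to_der(SAMPLE_PEM) == SAMPLE_DER
```

Run the detection on the file you are about to upload and pick der or pem in the Format drop-down accordingly; if it reports unknown, the file is probably not a certificate at all (for example a PKCS#7 bundle or a key).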
12.4.6 OpenPGP Public Keys
On the Encryption > OpenPGP Public Keys tab you can install OpenPGP public keys. Files
must be provided in .asc format. The upload of entire keyrings is supported.
Note – Do not upload a keyring that is protected by a passphrase.
All public keys included in the keyring will be imported and can be used to encrypt messages. Emails for recipients whose public keys are listed here will automatically be encrypted. If you want to disable encryption for a particular recipient, simply delete its public key from the list.
Note – Only one email address per key is supported. If there are multiple addresses
attached to a key, only the "first" one will be used (the order may depend on how
OpenPGP sorts addresses). If the key you want to import has several addresses
attached, you must remove the unneeded addresses with OpenPGP or other tools
prior to importing the key into Sophos UTM.
To import an OpenPGP public key, proceed as follows:
1. On the OpenPGP Public Keys tab, click New Public OpenPGP Key(s).
The Add Keyring File dialog box opens.
2. Upload the OpenPGP key(s).
Click the Folder icon to open the Upload File dialog window. Select the file and
click Start Upload.
The key or, if the file contains several keys, a list of keys is displayed.
3. Select one or more keys and click Import Selected Keys.
The key(s) appear(s) on the OpenPGP Public Keys list.
Note – An email address must be attached to the key. Otherwise the installation will
fail.
12.5 SPX Encryption
SPX (Secure PDF Exchange) encryption is a next-generation version of email encryption. It is clientless and easy to set up and customize in any environment. Using SPX encryption, unencrypted email messages and any attachments sent to the UTM are converted to a PDF document, which is then encrypted with a password. You can configure the UTM to allow senders to select passwords for the recipients, or the server can generate the password for the recipient and store it for that recipient, or the server can generate one-time passwords for recipients. The confidentiality of an SPX message therefore rests on the strength of that password and on how safely it reaches the recipient.
When SPX encryption is enabled, there are two ways in which emails can be SPX encrypted:
• The administrator can download a Microsoft Outlook plugin (see chapter Email Protection > SPX Encryption > Sophos Outlook Add-in). After it is installed, an Encrypt button is displayed in the Microsoft Outlook user interface. To encrypt a single message, the user needs to enable the Encrypt button and then write and send the message. Only if something goes wrong, for example if the sender does not enter a valid password, will a notification be sent, if configured.
Note – If you are not using Outlook you can also trigger SPX encryption by setting the header field X-Sophos-SPX-Encrypt to yes.
• In the Data Protection feature, you can specify to automatically SPX encrypt emails containing sensitive data (see SMTP > Data Protection tab).
The encrypted message is then sent to the recipient's mail server. Using Adobe Reader, the recipient can decrypt the message with the password that was used to encrypt the PDF. SPX-encrypted email messages are accessible on all popular smartphone platforms that have native or third-party PDF file support, including Blackberry and Windows Mobile devices.
Using the SPX reply portal, the recipient is able to answer the email in a secure way. It
is possible to set expiry times for the secure reply and unused passwords (see chapter
Email Protection > SPX Encryption > SPX Configuration).
SPX encryption can be activated in both SMTP configuration modes, Simple Mode and Profile Mode. If using Simple mode, a global SPX template can be chosen. The SPX template defines the layout of the PDF file, password settings, recipient instructions, and SPX reply portal settings. If using Profile mode, you can define different SPX templates for different SMTP profiles. So, if you are managing various customer domains, you can assign them customized SPX templates containing, for example, different company logos and texts.
Cross Reference – Find information about configuring email encryption with SPX on
Sophos UTM in the Sophos Knowledgebase.
12.5.1 SPX Configuration
On the SPX Encryption > SPX Configuration tab you enable SPX encryption and configure general settings for all SMTP users.
To configure SPX encryption, proceed as follows:
1. Enable SPX encryption.
Click the toggle switch.
The toggle switch turns green.
2. In the sections of this tab, make the required global settings.
3. On the SPX Templates tab, modify the existing Sophos Default Template and/or
add new SPX templates.
4. On the SMTP > Global tab, select the Global SPX Template.
5. Optionally, if using SMTP profile mode, select the desired SPX templates for the
respective SMTP profiles.
Note – If you want users to SPX-encrypt email messages via the Microsoft Outlook plugin, make sure they have access to the Email Protection > SPX Encryption > Sophos Outlook Add-in tab. If you use another email client, the X-Sophos-SPX-Encrypt header has to be set by that client or by a mail rule.
SPX Encryption Precedence
Prefer SPX Encryption: If enabled and S/MIME and/or OpenPGP are activated,
SPX Encryption has precedence over S/MIME and OpenPGP.
Click Apply to save your settings.
SPX Password Settings
Minimum length: The minimum number of characters allowed for a password specified by the sender.
Require special characters: If enabled, the password specified by the sender has to contain at least one special character (non-alphanumeric characters and whitespace are treated as special characters).
Click Apply to save your settings.
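The following added example (not Sophos code) shows the two things a non-Outlook client has to get right for SPX with a sender-specified password: the [secure:<password>]<subject text> subject format described under the SPX Templates tab, checked against the Minimum length and Require special characters settings above, and the X-Sophos-SPX-Encrypt header that triggers SPX encryption without the Outlook add-in. The default policy values, addresses and subjects are assumptions constructed for the example.

```python
"""Sender-specified SPX passwords and the SPX trigger header (added example)."""
import re
from email.message import EmailMessage

# Subject format for password type "Specified by sender": [secure:<password>]<subject text>
SECURE_TAG = re.compile(r"^\s*\[secure:(?P<pw>[^\]]*)\]\s*(?P<subject>.*)$", re.S)


def check_spx_password(pw: str, min_length: int = 8, require_special: bool = True) -> bool:
    """Apply the SPX Password Settings. The defaults here are assumptions for the
    example, not the UTM's factory values. Whitespace and any other
    non-alphanumeric character count as special, as the guide states."""
    if len(pw) < min_length:
        return False
    if require_special and all(c.isalnum() for c in pw):
        return False
    return True


def split_secure_subject(subject: str, **policy):
    """Return (password, cleaned subject) for a sender-specified password, the
    cleaned subject being what the recipient will see. Raises ValueError when the
    tag is missing (the case the Data Protection note warns about) or when the
    password violates the policy."""
    match = SECURE_TAG.match(subject)
    if not match:
        raise ValueError("password missing: subject carries no [secure:...] tag")
    pw = match.group("pw")
    if not check_spx_password(pw, **policy):
        raise ValueError("password violates SPX Password Settings")
    return pw, match.group("subject")


def build_spx_request(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Compose a message that asks the UTM for SPX encryption from a client
    without the Outlook add-in by setting X-Sophos-SPX-Encrypt: yes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["X-Sophos-SPX-Encrypt"] = "yes"
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    # Constructed sample message.
    msg = build_spx_request("alice@example.com", "bob@partner.example",
                            "[secure:Tr0ub4dor&3]Q3 figures", "See attached.")
    pw, clean = split_secure_subject(str(msg["Subject"]))
    print("password:", pw, "| subject delivered:", clean)
    print(msg.as_string())
```

Keep in mind that the password remains in the subject line of the copy in the sender's Sent folder; the UTM only strips it from the message it forwards.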
SPX Password Reset
Reset password for: Here you can delete the stored password of a recipient. Enter the recipient's email address.
Click Apply to save your settings.
SPX Portal Settings
Hostname: Enter the hostname of your SPX portal.
Listen address: Select the listen address of your SPX portal.
Port: Enter the port on which the SPX reply portal should listen.
Allowed Networks: Add or select the networks that should be allowed to access the SPX portal. Since external recipients must reach the portal to reply or register a password, this usually has to include the Internet.
Click Apply to save your settings.
SPX Expiry Settings
Allow secure reply for: Specify for how long the recipient of an SPX encrypted message is allowed to send a reply via the SPX reply portal.
Keep unused password for: Specify the expiry time of a password that has not been used in the meantime. For example, if Keep unused password for is set to 3 days, the password will expire at midnight of the third day if no SPX encrypted message was sent to the recipient during that time.
Note – If Keep unused password for is set to 0 days, the password will be saved and expires at midnight of the same day.
Allow password registration for: Specify for how long the recipient is able to register a password for the SPX portal in order to view the current encrypted mails. This only applies to the password type Specified by recipient. After the expiry time the mails will be dropped.
Registration reminder frequency: Specify how often the recipient should receive a reminder to register a password.
Click Apply to save your settings.
SPX Notification Settings
Send notification on error to: Specify whom to send a notification when an SPX error
occurs. You can send the notification to the administrator, to the sender, or to both, or
you can send no notification at all. Error messages will always be listed in the SMTP
log.
Tip – SPX error messages can be customized on the Management > Customization >
Email Messages tab.
Click Apply to save your settings.
12.5.2 SPX Templates
On the SPX Encryption > SPX Templates tab you can modify the existing Default Sophos
Template, and you can define new SPX templates. If using SMTP Simple mode, a global
SPX template can be selected for all SMTP users on the SMTP > Global tab. If using
SMTP Profile mode, you can assign different SPX templates to different SMTP profiles
on the SMTP Profiles tab.
To create an SPX template, proceed as follows:
1. Click New SPX Template.
The Add SPX Template dialog box opens.
Tip – The Sophos Default Template contains useful settings and example texts. Therefore consider cloning the existing template using its Clone button instead of creating a new template from scratch.
Note – The notification sender is the mail address configured in Management > Notifications > Sender.
2. Make the following settings:
Template name: Enter a descriptive name for the template.
3. Make the following basic settings:
Comment (optional): Add a description or other information.
Organization name: The organization name will be displayed on notifications concerning SPX, sent to the administrator or the email sender, depending on your settings.
PDF cover page: Select if you want the encrypted PDF file to have an additional
first page. You can use the default page or a custom page. In case of the custom
page, upload a one page PDF file via the Folder icon.
PDF encryption: Select the encryption mode of the PDF file. Note that some PDF viewers cannot read AES / 256 encrypted PDF files; choose the strongest mode your recipients' viewers support, since the older modes offer correspondingly weaker protection of the PDF contents.
Label languages: Select the display language of the labels in the email forwarded
to the recipient. The email contains fields such as From, To, Sender, or Subject,
for example.
Page size: Select the page size of the PDF file.
Remove Sophos logos: Enable this option to replace the default Sophos logo with
your company logo specified on the Management > Customization > General tab.
The logo will be displayed in two places: on the footer of the encryption email
sent to the recipient and in the footer of the reply message generated via the
Reply button in the PDF file.
4. Make the following password settings:
Password type: Select how you want to generate the password for accessing the encrypted email message. Whichever type you select, the sender is responsible for transferring the password to the recipient in a safe way, except for Specified by recipient.
• Generated one-time password for every email: The UTM automatically creates a new password for each affected email. This password will be sent to the sender.
• Generated and stored for recipient: The UTM automatically creates a recipient-specific password when the first email is sent to a recipient. This password will be sent to the sender. With the next email, the same password is used automatically. The password will expire when it is not used for a certain time, and it can be reset by the administrator, see the SPX Configuration tab.
• Specified by sender: Select if the email sender should provide the password. In this case, the sender has to enter the password into the Subject field, using the following format: [secure:<password>]<subject text>, where <password> is the password to open the encrypted PDF file and <subject text> is the actual subject. The password will be removed by the UTM before the email is sent to the recipient. Note, however, that it remains in the subject of the copy kept in the sender's Sent folder.
Note – A template with this option should not be used in combination with Data Protection. With Data Protection, the sender does not know beforehand that an email will be encrypted and thus will not enter the password into the Subject field. When the UTM tries to SPX encrypt an email with no password specified, the sender will receive an error message with the information that the password is missing.
• Specified by recipient: Select if the email recipient should provide the password. In this case, the recipient receives a link leading to the UTM Portal to register with a password. After registration the recipient is able to view the current encrypted mail and any future encrypted mails from this or other senders of the same organization using the same password. In case the recipient did not provide a password, the mail is displayed on the Email Protection > Mail Manager > Global tab.
Note – The password type Specified by recipient does not work after Gen
erated and stored for recipient type was used in the same template
before. The sent email will still use the generated password. In this case,
the admin needs to reset the password for the given user on the Email
Protection > SPX Encryption > SPX Configuration tab.
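As an added example that is not part of the Sophos documentation or product code, the following Python models how the four password types decide which password protects the PDF and what the sender is told. The subject parsing follows the [secure:<password>]<subject text> format above; the in-memory password store, the token_urlsafe password generation and the notification wording are assumptions of this example.

```python
"""Added example, not Sophos product code: models the four SPX password types."""
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Subject format for the "Specified by sender" type: [secure:<password>]<subject text>
SECURE_TAG_RE = re.compile(r"^\s*\[secure:([^\]]*)\]\s*(.*)$", re.DOTALL)


@dataclass
class SpxDecision:
    password: Optional[str]       # password protecting the PDF; None = not encrypted (yet)
    subject: str                  # subject as the recipient will see it
    notify_sender: Optional[str]  # text of the notification mail to the sender, if any
    error: Optional[str] = None   # set when the email cannot be SPX encrypted right now


class RecipientPasswordStore:
    """In-memory stand-in (assumption) for the per-recipient passwords the UTM keeps
    for the "Generated and stored for recipient" type."""

    def __init__(self):
        self._passwords = {}

    def get_or_create(self, recipient):
        """Return (password, created): created is True only for the first email."""
        key = recipient.lower()
        if key in self._passwords:
            return self._passwords[key], False
        self._passwords[key] = secrets.token_urlsafe(12)
        return self._passwords[key], True

    def get(self, recipient):
        return self._passwords.get(recipient.lower())

    def reset(self, recipient):
        """The administrator's reset on the SPX Configuration tab."""
        self._passwords.pop(recipient.lower(), None)


def parse_sender_password(subject):
    """Split '[secure:<password>]<subject text>' into (password, subject text).
    Returns (None, subject) when the tag is absent or the password is empty."""
    match = SECURE_TAG_RE.match(subject)
    if not match or not match.group(1):
        return None, subject
    return match.group(1), match.group(2)


def decide(password_type, subject, recipient, store):
    """What the UTM does for one outgoing email under the template's password type."""
    if password_type == "onetime":
        # A fresh password for every email; the sender receives it and passes it on.
        pw = secrets.token_urlsafe(12)
        return SpxDecision(pw, subject, f"One-time password for your email to {recipient}: {pw}")
    if password_type == "stored":
        # The first email to a recipient creates the password; later emails reuse it.
        pw, created = store.get_or_create(recipient)
        note = f"Password for {recipient}: {pw}" if created else None
        return SpxDecision(pw, subject, note)
    if password_type == "sender":
        pw, clean_subject = parse_sender_password(subject)
        if pw is None:
            # The Data Protection case from the note above: no tag, so the sender gets an error.
            return SpxDecision(None, subject,
                               "Your email could not be SPX encrypted: no password was specified.",
                               error="missing password")
        # The password is stripped from the subject; the sender already knows it.
        return SpxDecision(pw, clean_subject, None)
    if password_type == "recipient":
        # A password already stored for this recipient (for example from an earlier
        # "stored" template) still wins, as the second note above describes.
        pw = store.get(recipient)
        if pw is not None:
            return SpxDecision(pw, subject, None)
        # Otherwise the recipient registers a password in the portal; the mail waits meanwhile.
        return SpxDecision(None, subject, None, error="awaiting recipient registration")
    raise ValueError(f"unknown password type: {password_type!r}")
```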
Notification Subject (not with the Specified by sender option): The subject of the email that is sent from the UTM to the email sender containing the password. Here you can use variables, e.g., %%ENVELOPE_TO%%, for the recipient.
Notification Body (not with the Specified by sender option): The body of the email that is sent from the UTM to the email sender containing the password. Here you can use variables, e.g., %%GENERATED_PASSWORD%%, for the password.
Tip – The Sophos Default SPX Template on this tab contains all available variables and gives a useful example of a notification.
5. Make the following recipient instructions settings:
Instructions for recipient: The body of the email that is sent from the UTM to the email recipient containing instructions concerning the encrypted email. Simple HTML markup and hyperlinks are allowed. You can also use variables, e.g., %%ORGANIZATION_NAME%%.
Tip – The Sophos Default SPX Template on this tab contains the possible variables and gives a useful example of recipient instructions.
Header image/Footer image: Select if the email from the UTM to the email recipient should have a header and/or a footer image. You can use the default image, which is an orange envelope with an appropriate text, or a custom image. In case of the custom image, upload a JPG, GIF, or PNG file via the Folder icon. The recommended size is 752 x 69 pixels.
6. Make the following SPX portal settings:
Enable SPX reply portal: If enabled, the encrypted PDF file sent to the recipient
will contain a Reply button. With this button the recipient can access the SPX
reply portal to send an encrypted email reply to the sender.
Include original body into reply: If enabled, the reply from the recipient will automatically contain the body of the original email.
Portal header image/Portal footer image: Select if the SPX reply portal should have a header and/or a footer image. You can use the default image, which is an orange envelope with an appropriate text, or a custom image. In case of the custom image, upload a JPG, GIF, or PNG file via the Folder icon. The recommended size is 752 x 69 pixels.
7. Click Save.
The SPX template will be created and appears on the SPX Templates list.
To either edit or delete an SPX template, click the corresponding buttons.
12.5.2.1 Variables for SPX Templates
You can use the following variables in SPX templates for Password Settings and Recipient Instructions.
Password notification for the options Generated one-time password for every email and Generated and stored for recipient:
• %%ENVELOPE_TO%%: Email address of the recipient
• %%GENERATED_PASSWORD%%: Password which was generated
Password notification for the option Specified by recipient:
• %%ORGANIZATION_NAME%%: Organization name from the template
• %%HEADER_FROM_SANITIZED%%: Original sender display name (or, if not present, the envelope sender)
• %%REGISTRATION_URL%%: URL which should be used to register the password
Recipient instructions:
• %%ORGANIZATION_NAME%%: Organization name from the template
• %%HEADER_FROM_SANITIZED%%: Original sender display name (or, if not present, the envelope sender)
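The following added Python example, not Sophos code, substitutes the %%VARIABLE%% placeholders listed above and rejects a variable that is not defined for the text it is used in. The context names, the HTML escaping of the sender display name and the sample templates are assumptions of this example.

```python
"""Added example, not Sophos code: %%VARIABLE%% substitution for SPX template texts."""
import html
import re
from email.utils import parseaddr

VAR_RE = re.compile(r"%%([A-Z_]+)%%")

# Which variables each template text may use, from the list above.
# The context names are this example's own.
ALLOWED_VARIABLES = {
    "password_notification_generated": {"ENVELOPE_TO", "GENERATED_PASSWORD"},
    "password_notification_recipient": {"ORGANIZATION_NAME", "HEADER_FROM_SANITIZED",
                                        "REGISTRATION_URL"},
    "recipient_instructions": {"ORGANIZATION_NAME", "HEADER_FROM_SANITIZED"},
}


def header_from_sanitized(header_from, envelope_from):
    """Display name of the From: header, or the envelope sender when there is none.
    Assumption: 'sanitized' means HTML-escaped, since recipient instructions allow HTML."""
    name, _addr = parseaddr(header_from or "")
    return html.escape(name.strip() or envelope_from, quote=True)


def unknown_variables(template, context):
    """Variables used in the template that are not defined for this context."""
    return set(VAR_RE.findall(template)) - ALLOWED_VARIABLES[context]


def render(template, context, values):
    """Substitute every %%NAME%% in template; refuse undefined or unset variables."""
    unknown = unknown_variables(template, context)
    if unknown:
        raise ValueError(f"variables not available in {context}: {sorted(unknown)}")

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"no value supplied for %%{name}%%")
        return values[name]

    return VAR_RE.sub(substitute, template)


# Constructed sample texts (not the Sophos Default SPX Template).
SAMPLE_PASSWORD_NOTIFICATION = (
    "The email you sent to %%ENVELOPE_TO%% was SPX encrypted.\n"
    "Password: %%GENERATED_PASSWORD%%"
)
SAMPLE_RECIPIENT_INSTRUCTIONS = (
    "<p>%%HEADER_FROM_SANITIZED%% at %%ORGANIZATION_NAME%% sent you an encrypted PDF.</p>"
)


def demo():
    """Render both sample texts with constructed values and return them."""
    notification = render(SAMPLE_PASSWORD_NOTIFICATION, "password_notification_generated",
                          {"ENVELOPE_TO": "bob@example.com", "GENERATED_PASSWORD": "s3cr3t"})
    sender = header_from_sanitized('"Alice & Co" <alice@example.com>', "alice@example.com")
    instructions = render(SAMPLE_RECIPIENT_INSTRUCTIONS, "recipient_instructions",
                          {"ORGANIZATION_NAME": "Example Corp",
                           "HEADER_FROM_SANITIZED": sender})
    return notification, instructions


if __name__ == "__main__":
    for text in demo():
        print(text)
```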
12.5.3 Sophos Outlook Add-in
On the Email Protection > SPX Encryption > Sophos Outlook Add-in tab you can navigate
to the Sophos website and with your MySophos credentials you are able to download
the Sophos Outlook Add-in.
The Outlook Add-in simplifies the encryption of messages which contain sensitive or confidential information leaving your organization. For the download and the installation documentation, visit the Sophos website.
Run the installer with the parameters: msiexec /qr /i SophosOutlookAddInSetup.msi T=1 EC=3 C=1 I=1
12.6 Quarantine Report
Sophos UTM features an email quarantine containing all messages (SMTP and POP3) that have been blocked and redirected to the quarantine for various reasons. This includes messages waiting for delivery as well as messages that are infected by malicious software, contain suspicious attachments, are identified as spam, or simply contain unwanted expressions.
To minimize the risk of messages being withheld that were quarantined mistakenly (so-called false positives), Sophos UTM sends a daily Quarantine Report to the users informing them of messages in their quarantine. If users have several email addresses configured, they will get a Quarantine Report at the primary email address. This also applies if a user has additional POP3 accounts configured in his User Portal, provided the POP3 proxy of Sophos UTM is in prefetch mode, which allows the prefetching of messages from a POP3 server and storing them in a local database. In a Quarantine Report a user can click on any spam entry to release the message from the quarantine or to whitelist the sender for the future.
The following list contains some more information about the Quarantine Report:
• Quarantine Reports are only sent to those users whose email address is part of a domain contained in any SMTP profile. This includes the specification in the Domains box on the SMTP > Routing tab as well as the specifications in the Domains box of any SMTP Profile.
• If the POP3 prefetch option is disabled, quarantined messages sent to this account will not appear in the Quarantine Report. Instead, each user will find the typical Sophos POP3 blocked message in his inbox. It is therefore not possible to release the message by means of the Quarantine Report or the User Portal. The only way to deliver such an email is for the administrator to download it in zip format from the Mail Manager.
• On the Advanced tab, the administrator defines which types of quarantined mail can be released by the users. By default, only spam emails can be released from the quarantine. Messages quarantined for other reasons, for example because they contain viruses or suspicious file attachments, can only be released from the quarantine by the administrator in the Mail Manager of Sophos UTM. In addition, users can also review all of their messages currently held in quarantine in the Sophos User Portal.
• If a spam email has multiple recipients, as is the case with mailing lists, when any one recipient releases the email, it is released for that recipient only, provided the email address of the mailing list is configured on the system. Otherwise the email will be sent to all recipients simultaneously. For more information, see the Define internal mailing lists option on Email Protection > Quarantine Report > Exceptions.
• Emails sent to an SMTP email address for which no user is configured in Sophos UTM can be released (but not whitelisted) from the Quarantine Report or in the Mail Manager by the administrator. However, as this user is not configured, no access to the User Portal is possible.
• Spam emails sent to mailing lists cannot be whitelisted.
• Some email clients do not encode the header of an email correctly, which may result in an awkward representation of the email in the daily Quarantine Report.
12.6.1 Global
On the Quarantine Report > Global tab you can define at what time the daily Quarantine
Report shall be sent and write a message text that will appear in the Quarantine
Reports.
To edit the Quarantine Report settings, enable the Quarantine Report: Click the toggle
switch.
The toggle switch turns green.
Time to Send Report
Here you can define when the daily Quarantine Report will be sent. Select the time using the drop-down lists and click Apply.
You can also send an additional report. For this, select the checkbox Send Additional Report, set the time, and click Apply.
Customizable Message Text
Here you can customize the text which forms the introduction of the Quarantine Report. Change the message text according to your needs and click Apply.
Note – It is not possible to use HTML tags in the customizable message text box.
Note – Customization is not possible when using a home use license.
Note – The notification sender is the mail address which is configured on the Management > Notifications > Global tab.
12.6.2 Exceptions
On the Quarantine Report > Exceptions tab you can define a skiplist of email addresses
that should be exempt from receiving daily Quarantine Reports.
Skipping Quarantine Reports
Here you can configure internal email addresses for which no quarantine notifications
should be sent. Users whose email addresses are listed here will not receive daily Quarantine Reports. You can enter full email addresses or use an asterisk (*) as wildcard,
for example *@example.com.
Note – The skiplist only applies for the SMTP Quarantine Report. If there is a POP3
account specified for the respective user, the POP3 Quarantine Report will be sent
nonetheless.
Define Internal Mailing Lists
If the email address of a mailing list is configured in the Mailing list address patterns box (e.g., newsletter@example.com) and a spam message sent to this mailing list was detected and redirected to the email quarantine, the Quarantine Report of all recipients included in this mailing list will contain a link to this spam message. Thus, each recipient can release this spam message individually by entering his email address in a user prompt that appears once the recipient has clicked the Release link in the Quarantine Report.
Note – Mailing lists cannot be whitelisted in the Quarantine Report or the User Portal.
Alternatively, you could enter the email address of that particular mailing list as an additional email address in a local user's profile; this user then acts as a kind of mail manager. Then only this user's Quarantine Report will contain a link to the spam message that was sent to the mailing list. Clicking the Release link will deliver the spam message to all recipients of that mailing list at once.
Note – If the email address of a mailing list is configured as an additional email address in a user's profile, none of the recipients of that mailing list are shown the links to spam messages that were sent to this mailing list.
However, if the email address of a mailing list is both configured as an additional email address in a user's profile and in the Mailing list address patterns box, then the Release link in that user's Quarantine Report will open a user prompt. The user then decides who is going to receive the spam mail by manually entering the respective email address(es) to forward the spam message to.
Finally, if the email address of a mailing list is neither configured as an additional email address in a user's profile nor as a mailing list address pattern, a spam message sent to the mailing list is handled like a normal email, meaning that if any one recipient releases the spam mail, it will be sent to all recipients of the mailing list.
To sum up, whenever the email address of a mailing list is configured as a mailing list address pattern, each user having a link to the spam message in his Quarantine Report is prompted to enter an email address to release the spam message to.
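The following added Python example, not Sophos code, encodes the skiplist wildcard matching and the four mailing-list cases described on this tab as one decision function. The fnmatch-style, case-insensitive matching and the ReleasePlan fields are assumptions of this example.

```python
"""Added example, not Sophos code: Quarantine Report skiplist matching and the
mailing-list release cases described on the Exceptions tab."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


def matches_pattern(address, patterns):
    """True when address equals an entry or matches a '*' wildcard pattern
    (assumption: matching is case-insensitive)."""
    address = address.lower()
    return any(fnmatchcase(address, pattern.lower()) for pattern in patterns)


def report_recipients(users, skiplist):
    """Users who receive a daily Quarantine Report: everyone not on the skiplist."""
    return [user for user in users if not matches_pattern(user, skiplist)]


@dataclass(frozen=True)
class ReleasePlan:
    linked_in_reports_of: tuple  # whose Quarantine Report carries the Release link
    release_mode: str            # "prompt": releaser enters the target address(es);
                                 # "all": one release delivers to every list recipient


def plan_list_release(list_address, list_members, mailing_list_patterns, additional_addresses):
    """Decide how a quarantined spam sent to list_address is shown and released.

    additional_addresses maps a local user to the extra addresses in that user's profile.
    The four cases follow the Exceptions tab description above."""
    managers = tuple(
        user for user, extras in additional_addresses.items()
        if list_address.lower() in {a.lower() for a in extras}
    )
    is_pattern = matches_pattern(list_address, mailing_list_patterns)
    if managers and is_pattern:
        # Only the "mail manager" user sees the link and is prompted for the target address(es).
        return ReleasePlan(managers, "prompt")
    if managers:
        # Only the mail manager sees the link; Release delivers to the whole list at once.
        return ReleasePlan(managers, "all")
    if is_pattern:
        # Every list member sees the link and releases individually via the prompt.
        return ReleasePlan(tuple(list_members), "prompt")
    # Neither configured: handled like a normal email, one release delivers to all.
    return ReleasePlan(tuple(list_members), "all")
```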
12.6.3 Advanced
On the Quarantine Report > Advanced tab you can configure an alternative hostname and port number for the Release links contained in daily Quarantine Reports. Additionally, you can change the release options for spam emails.
Advanced Quarantine Report Options
Hostname: By default, this is the gateway's hostname as given on the Management >
System Settings > Hostname tab. The quarantine report, for example, which is sent by
the gateway, contains hyperlinks a user can click to release messages from the email
quarantine. By default, these links point to the hostname specified here. If you want to
enable users to release their emails from across the Internet, it might be necessary to
enter an alternative hostname here that can be publicly resolved.
Port: By default, port 3840 is configured. You can change the port to any value in the
range from 1024 to 65535.
Allowed networks: You can also specify the networks that should be allowed to connect to the email release service. By default, only the internal network is selected.
Click Apply to save your settings.
Release Options
Here you can select which types of quarantined messages shall be releasable by users.
You can choose between the following options:
• Malware
• Spam
• Expression
• File extension
• Unscannable
• MIME type
• Other
Click Apply to save your settings.
12.7 Mail Manager
The Mail Manager is an administrative tool to manage and organize all email messages
currently stored on the unit. This includes messages waiting for delivery as well as
quarantined messages that are infected by malicious software, contain suspicious
attachments, are identified as spam, or contain unwanted expressions. You can use the
Mail Manager to review all messages before downloading, releasing, or deleting them.
The Mail Manager is fully UTF-8 capable.
12.7.1 Mail Manager Window
Figure 20 Mail Manager of Sophos UTM
To open the Mail Manager window click the button Open Mail Manager in New Window on
the Email Protection > Mail Manager > Global tab. The Mail Manager is divided into five different tabs:
• SMTP Quarantine: Displays all messages that are currently quarantined.
• SMTP Spool: Displays all messages currently in /var/spool. This may be due to them waiting for delivery or because of an error.
• SMTP Log: Displays the delivery log for all messages processed via SMTP.
• SMTP Corrupt: Displays messages with invalid or missing information.
• POP3 Quarantine: Displays all messages fetched via POP3 that are currently quarantined.
• Close: Click here to close the Mail Manager window.
12.7.1.1 SMTP/POP3 Quarantine
Messages in SMTP and POP3 Quarantine can be displayed according to their respective
quarantine cause:
• Malware
• Spam
• Expression
• File Extension
• MIME Type (SMTP only)
• Unscannable
• Other
Use the checkboxes to select/unselect quarantine causes. Double-click the checkbox
of a cause to solely select this cause.
Tip – Double-click a message to view it.
Profile/Domain: Select a profile/domain to show its messages only.
Sender/Rcpt/Subject substring: Here you can enter a sender, recipient, or subject to
search for in the messages.
Received date: To only show messages processed during a certain time frame, enter a
date, or select a date from the calendar icon.
Sort by: By default, the list is sorted by time of arrival. Messages can be sorted by date,
subject line, sender address, and message size.
and show: The checkbox allows you to display 20, 50, 100, 250, 500, 1000, or all messages per page. Note that showing all messages may take a lot of time.
Use the checkbox in front of each message, or click a message, to select it; actions are then applied to the selected messages. The following actions are available:
• View (only available for an individual message): Opens a window with the contents of the email.
• Download: Selected messages will be downloaded.
• Delete: Selected messages will be deleted irrevocably.
• Release: Selected messages will be released from quarantine.
• Release and report as false positive: Selected messages will be released from quarantine and reported as false positive to the spam scan engine.
Note that only the administrator can release all messages held in quarantine. Users
reviewing their messages in the Sophos User Portal can only release messages they
are explicitly allowed to. The authorization settings for this can be found on the Email
Protection > Quarantine Report > Advanced tab.
Select global cleanup action: Here you find several deletion options that will be applied
on messages globally, that is, regardless whether they are selected and/or displayed
or not.
Caution – Deleted messages are irrevocable.
12.7.1.2 SMTP Spool
Here you see messages that are either waiting for delivery or have produced an error.
The delivery log is also part of the message header. Use the following checkboxes to select only one type of message for display:
• Waiting: Messages waiting for delivery.
• AV Scan pending: Messages that cannot be scanned because the AV scanner is unreachable during a pattern update. Messages that fall into this category are automatically retried every 15 minutes.
• Error: Messages that caused an error. If a message produces an error more than once, please report the case to your Sophos Partner or the Sophos Support Team.
Hint – Double-click a message to view it.
Profile/Domain: Select a profile/domain to show its messages only.
Sender/Rcpt/Subject substring: Here you can enter a sender, recipient, or subject to
search for in the messages.
Received date: To only show messages processed during a certain time frame, enter a
date, or select a date from the calendar icon.
Sort by: By default, the list is sorted by time of arrival. Messages can be sorted by date, subject line, sender address, and message size.
and show: The checkbox allows you to display 20, 50, 100, 250, 500, 1000, or all messages per page. Note that showing all messages may take a lot of time.
Use the checkbox in front of each message, or click a message, to select it; actions are then applied to the selected messages. The following actions are available:
• Download: Selected messages will be downloaded.
• Retry: For selected messages, delivery will be retried immediately.
• Delete: Selected messages will be deleted irrevocably.
• Bounce: Selected messages will be bounced, that is, the sender will receive a message that the delivery of their message has been canceled.
Select global cleanup action: Here you find a retry option and several deletion options
that will be applied on messages globally, that is, regardless whether they are selected
and/or displayed or not.
Caution – Deleted messages are irrevocable.
12.7.1.3 SMTP Log
The SMTP Log displays the log messages for all messages processed via SMTP.
Result Filter: Select which type of message will be displayed by selecting the corresponding checkboxes.
• Delivered: Successfully delivered messages.
• Rejected: Messages rejected by the UTM.
• Quarantined: Quarantined messages.
• Blackholed: Messages that have been deleted without notification.
• Canceled: Messages that have been manually bounced in SMTP Spool.
• Bounced: Messages that could not be delivered, for example because of false routing settings.
• Deleted: Messages that have been manually deleted.
• Unknown: Messages whose status is unknown.
Use the checkboxes to select/unselect Result Filter items. Double-click an item to
solely select this item.
Reason Filter: Use the checkboxes to further filter the message log display.
Note – Double-click a message log to view it. Click on the server icon of a message to
resolve the IP address. An asterisk (*) denotes a successful reverse DNS lookup.
Profile/Domain: Select a profile/domain to show its messages only.
IP/Net/Address/Subj. substring: Here you can enter an IP address, network address, or
subject to search for in the SMTP log messages.
Received date: To only show messages processed during a certain time frame, enter a
date, or select a date from the calendar icon.
Sort by: By default, the list is sorted by event time. Messages can be sorted by event
time, sender address, and message size.
and show: The checkbox allows you to display 20, 50, 100, 250, 500, 1000, or all messages per page. Note that showing all messages may take a lot of time.
12.7.1.4 SMTP Corrupt
Here you see messages that contain invalid or missing information, for example regarding the time stamp, recipient, or source address.
Hint – Double-click a message to view it.
Profile/Domain: Select a profile/domain to show its messages only.
Sender/Rcpt/Subject substring: Here you can enter a sender, recipient, or subject to
search for in the messages.
Received date: To only show messages processed during a certain time frame, enter a
date, or select a date from the calendar icon.
Sort by: By default, the list is sorted by time of arrival. Messages can be sorted by date,
subject line, sender address, and message size.
and show: The checkbox allows you to display 20, 50, 100, 250, 500, 1000, or all messages per page. Note that showing all messages may take a lot of time.
Use the checkbox in front of each message, or click a message, to select it; actions are then applied to the selected messages. The following actions are available:
• Download: Selected messages will be downloaded.
• Delete: Selected messages will be deleted irrevocably.
Select global cleanup action: Here you find a retry option and several deletion options
that will be applied on messages globally, that is, regardless whether they are selected
and/or displayed or not.
Caution – Deleted messages are irrevocable.
12.7.2 Global
In the upper part of the Mail Manager > Global tab you can open the Mail Manager by
clicking the Open Mail Manager in New Window button.
In the lower part, the Statistics Overview area provides an overview of all messages cur
rently stored on the unit. Data is divided into messages that were delivered via the
SMTP or POP3 protocol. For both types, the following information is displayed:
• Waiting for delivery (spooled) (SMTP only): Mails that are currently in spool, for example because they were being scanned and could not be delivered yet.
• Clean total (POP3 only): Mails that have been prefetched by the unit and have not yet been collected by a client/user.
• Quarantined malware: The total of messages that contain malware, such as viruses or other harmful content.
• Quarantined spam: The total of messages that were identified as spam.
• Quarantined expression: The total of messages that were diverted to the quarantine because they contain forbidden expressions.
• Quarantined file extension: The total of messages held in quarantine because they contain suspicious attachments (identified by their file extension).
• Quarantined unscannable: The total of messages held in quarantine because they could not be scanned.
• Quarantined MIME type (SMTP only): The total of messages held in quarantine because they contain MIME types that are to be filtered according to the SMTP settings.
• Quarantined total: The total of messages that are held in quarantine.
Note – The numbers for Waiting for delivery represent a real-time snapshot for SMTP messages. However, for POP3 messages, the numbers presented are the accumulation of data since the last time prefetching was enabled.
Below you see a short statistic for SMTP quarantining and rejections of the last 24
hours:
• Malware quarantined/rejected: Messages quarantined/rejected because they contain harmful content.
• Spam quarantined/rejected: Messages quarantined/rejected because they have been identified as spam.
• Blacklist rejects: Messages rejected because the sender is on a blacklist.
• Address verification rejects: Messages rejected because the sender address could not be verified.
• SPF rejects: Messages rejected because the sending host is not allowed to send for the sender's domain (SPF check failed).
• RBL rejects: Messages rejected because the sender is on a real-time blackhole list.
• BATV rejects: Messages rejected because the BATV tag could not be validated.
• RDNS/HELO rejects: Messages rejected due to an invalid HELO or missing RDNS entries.
Whether there are any rejects depends on your settings in Email Protection > SMTP.
12.7.3 Configuration
On the Mail Manager > Configuration tab you can configure how long the database log
will be kept and after how many days quarantined messages are to be deleted from the
quarantine. Any logs and messages that are older than the number of days in the expir
ation settings will be deleted automatically.
The default settings are as follows:
• Database log will be deleted after three days. Maximum number permitted: 30 days.
• Quarantined messages will be deleted after 14 days. Maximum number permitted: 999 days.
The minimum number of days permitted for both database log and quarantine is one day.
Flush Database Log
Use this option to clear the database log immediately, for example when it has accumulated an immense amount of data. That way you do not have to wait for the normal cleanup action to apply.
13 Advanced Protection
This chapter describes how to configure the advanced protection features of Sophos
UTM. The Advanced Protection Statistics page shows an overview of Sophos Sandstorm
and Advanced Threat Protection events.
13.1 Sophos Sandstorm
This section displays a table of all incidents where a file was flagged for further analysis using the Sophos Active Sandbox component of Sophos Sandstorm. The table columns display Sophos Sandstorm activity for web and email, as well as the total number of items flagged. The table rows show:
• Suspicious files: The number of files that have been flagged as suspicious. Depending on your configuration, some of these may not be sent to Sophos Sandstorm for analysis.
• Excluded by policy: Items that are excluded by policy.
• Awaiting result: The number of files that have been sent to Sophos Sandstorm, and are currently waiting to be analyzed.
• Malicious: The number of suspicious files that exhibited unwanted or risky behavior when tested.
• Clean: The number of suspicious files that did not pose a threat.
• Sent for analysis: The total number of files sent to Sophos Sandstorm today.
• Average analysis time: The average amount of time it takes to process a file submitted for analysis.
Note – This information is only available to licensed users of Sophos Sandstorm.
13.2 Advanced Threat Protection
This section displays information on the number of machines on your network that are
potentially infected. Clicking the Details link of the Advanced Threat Protection section redirects you to its reporting section of WebAdmin, where you can find more statistical information.
The following topics are included in this chapter:
• Sophos Sandstorm
• Advanced Threat Protection
13.3 Sophos Sandstorm
The Sophos Sandstorm page allows licensed users to use Sophos Sandstorm, a cloud
service that executes and analyzes suspicious downloads.
The Sandbox Activity page lists all incidents where a file was sent for further analysis
using the Sophos Active Sandbox component of Sophos Sandstorm.
The Configuration page allows users to specify the data center location for Sophos
Sandstorm and add file type exclusions.
13.3.1 Overview
The Overview page provides general information on what Sophos Sandstorm is meant for and how it works.
13.3.2 Sandbox Activity
The Sandbox Activity page lists all incidents where a file was sent for further analysis
using the Sophos Active Sandbox component of Sophos Sandstorm. If the analysis is
still in progress or indicates an error, the Release button allows immediate access to
the downloaded file.
Note – If you release a file before analysis has been completed, potentially malicious
content may be downloaded.
The following options are available:
• If you want to release a downloaded item, and its status is In Progress or Error, select the checkbox next to it, then click the Release button. Doing this when the analysis is not yet finished may result in the download of malicious content.
• To view details about a specific downloaded item, click its status. A detailed report will be displayed with download information, file information and results of the Sophos Active Sandbox analysis. The exact content of the report will vary for each download.
13.3.3 Configuration
On the Configuration tab you can specify the Sandstorm data center location and
exclude files from Sandstorm analysis.
13.3.3.1 Sandstorm Data Center Location
Files to be analyzed by Sandstorm are transmitted over an SSL connection to a data center. By default, Sandstorm selects the closest data center according to the location of the device to give you the highest performance.
Note – Changing data centers may affect any analysis that is currently in progress.
13.3.3.2 Sandstorm File Type Exclusions
A file type is a classification that is determined by file extension and MIME header. Add
a file type that you do not want to send to Sandstorm for analysis. Exclusions apply to
web and email traffic.
Note – Any archive that includes a file of the selected type will also be excluded,
regardless of what other types of files are in that archive.
Note – Many file types that are considered safe will never be sent to Sandstorm, e.g.
images. Only risky file types that Sandstorm can detonate and analyze will be sent,
e.g. executable files.
13.4 Advanced Threat Protection
On the menu Advanced Protection > Advanced Threat Protection you can enable and configure the Advanced Threat Protection feature to rapidly detect infected or compromised clients inside your network, and raise an alert or drop the respective traffic. An alert will be automatically deleted after 72 hours. If you want to delete all alerts immediately, click the Reset button.
Advanced Threat Protection aims at typical challenges in current corporate networks: on the one hand, management of a mobile workforce with an increasing number of different mobile devices (BYOD), and on the other hand, malware evolution and distribution methods getting faster and faster. Advanced Threat Protection analyzes network traffic, e.g., DNS requests, HTTP requests, or IP packets in general, coming from and going to all networks. It also incorporates Intrusion Prevention and Antivirus data if the respective features are activated. The database used to identify threats is updated constantly by a CnC/Botnet data feed from Sophos Labs through pattern updates. Based on this data, infected hosts and their communication with command-and-control (CnC) servers can quickly be identified and dealt with.
13.4.1 Global
On the Advanced Threat Protection > Global tab, you can activate the Advanced Threat
Protection System of Sophos UTM.
To enable Advanced Threat Protection, proceed as follows:
1. Enable the Advanced Threat Protection system.
Click the toggle switch.
The toggle switch turns amber and the Global Settings area becomes editable.
2. Make the following settings:
Policy: Select the security policy that the Advanced Threat Protection system
should use if a threat has been detected.
- Drop: The data packet will be logged and dropped.
- Alert: The data packet will be logged.
Network/host exceptions: Add or select the source networks or hosts that should
be exempt from being scanned for threats by Advanced Threat Protection. How to
add a definition is explained on the Definitions & Users > Network Definitions >
Network Definitions page.
Threat exceptions: Add destination IP addresses or domain names that you want
to skip from being scanned for threats by Advanced Threat Protection. This is the
place where you would add false positives to prevent them from being detected
as threat. Examples: 8.8.8.8 or google.com.
Caution – Be careful with specifying exceptions. By excluding sources or
destinations you may expose your network to severe risks.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green.
If enabled, and a threat is detected, it will be listed on the Network Protection page. A
notification will be sent to the administrator if enabled on the Management >
Notifications > Notifications page. The notification is set by default for drop and alert.
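To make the evaluation order of the settings above concrete, here is an added Python model (not Sophos code and not the UTM's actual implementation) that applies the Policy, Network/host exceptions and Threat exceptions to constructed connection events, and keeps resulting alerts for the 72-hour retention period stated above. The indicator lists stand in for the Sophos Labs CnC/Botnet feed and are invented for this example; the event layout and all addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for the CnC/Botnet indicator feed (not real Sophos Labs data).
CNC_DOMAINS = {"evil-c2.example", "update-check.example"}
CNC_IPS = {"203.0.113.77"}

ALERT_RETENTION = timedelta(hours=72)  # alerts age out after 72 hours, as stated above


@dataclass
class AtpConfig:
    policy: str                                             # "drop" or "alert"
    network_exceptions: list = field(default_factory=list)  # source nets/hosts not scanned (CIDR)
    threat_exceptions: set = field(default_factory=set)     # destination IPs/domains: false positives


@dataclass
class Event:
    src: str          # client source IP
    dst_ip: str       # destination IP
    domain: str = ""  # queried / requested host name for DNS or HTTP, if any


def source_exempt(cfg, src):
    """Network/host exceptions: the client is not scanned at all."""
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in cfg.network_exceptions)


def name_matches(value, names):
    """Exact match, or a subdomain of a listed domain (e.g. 'www.google.com' vs 'google.com')."""
    v = value.lower().rstrip(".")
    return any(v == n or v.endswith("." + n) for n in names)


def find_indicator(ev):
    """Return the matched indicator (domain or IP) or None."""
    if ev.domain and name_matches(ev.domain, CNC_DOMAINS):
        return ev.domain
    if ev.dst_ip in CNC_IPS:
        return ev.dst_ip
    return None


def evaluate(cfg, ev):
    """Return (action, reason); action is 'pass', 'alert' or 'drop'."""
    if source_exempt(cfg, ev.src):
        return "pass", "source exempt"
    hit = find_indicator(ev)
    if hit is None:
        return "pass", "no indicator match"
    if name_matches(hit, cfg.threat_exceptions):
        return "pass", "threat exception for " + hit
    return ("drop" if cfg.policy == "drop" else "alert"), "CnC indicator " + hit


class AlertStore:
    """Alerts are kept for ALERT_RETENTION; reset() mirrors the Reset button."""

    def __init__(self):
        self._alerts = []

    def record(self, ev, reason, now):
        self._alerts.append((now, ev.src, reason))

    def active(self, now):
        return [a for a in self._alerts if now - a[0] < ALERT_RETENTION]

    def reset(self):
        self._alerts.clear()


def process(cfg, events, store, now):
    """Evaluate events in order; every non-pass result becomes an alert entry."""
    actions = []
    for ev in events:
        action, reason = evaluate(cfg, ev)
        if action != "pass":
            store.record(ev, reason, now)
        actions.append(action)
    return actions


if __name__ == "__main__":
    cfg = AtpConfig("drop", ["10.0.0.0/8"], {"update-check.example"})
    for ev in (Event("192.168.1.20", "198.51.100.9", "evil-c2.example"),
               Event("10.1.2.3", "203.0.113.77"),
               Event("192.168.1.20", "198.51.100.9", "update-check.example")):
        print(ev, evaluate(cfg, ev))
```

The order matters: a host in the network exceptions is never checked against the feed at all, and a threat exception suppresses the match for every client, which is why the Caution above applies to both lists.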
Cross Reference – Find information about configuring Advanced Threat Protection in
the Sophos Knowledgebase.
Live Log
The Advanced Threat Protection live log can be used to monitor the detected threats.
Click the button to open the live log in a new window.
Note – IPS and Web Proxy threats will not be displayed in the Live Log.
14 Endpoint Protection
The Endpoint Protection menu allows you to manage the protection of endpoint devices
in your network, e.g. desktop computers, servers, and laptops. UTM is the configuration
side of endpoint protection where you deploy the software for endpoints, get an over
view of the protected endpoints, set up antivirus and device control policies, group end
points, and assign the defined policies to endpoint groups.
Endpoint protection uses a central service called Sophos LiveConnect. This cloud-based
service is automatically set up for the use with your UTM once you enable endpoint
protection. LiveConnect allows you to always manage all of your endpoints, whether
they are on your local network, at remote sites, or with traveling users. The
LiveConnect service provides:
- A pre-configured installation package for the endpoint agent
- Policy deployment & updates for endpoints
- Security updates and definitions for endpoints
- Central logging & reporting data to monitor endpoints centrally through WebAdmin
As LiveConnect is a cloud-based service you will need an active Internet connection in
order for the service to work. Managed endpoints will need an Internet connection to
receive policy and security updates, too.
The figure below shows a deployment example of Sophos UTM Endpoint Protection with
the use of the LiveConnect Service.
Figure 21 Endpoint Protection: Overview
The following topics are included in this chapter:
- Computer Management
- Antivirus
- Device Control
- Web Control
If endpoint protection is enabled, the overview page gives you general information on
registered computers and their status. You can sort and search this list. If the status of
an endpoint is not OK, you can click on the status to open a window with more
information. The status Not Compliant indicates that the device's settings are currently
not the same as configured on the UTM. To resolve this problem you find a link in the
window to send the current endpoint settings to the endpoint. For the other statuses
you can acknowledge the information and decide what actions have to be taken.
Open Endpoint Protection Live Log
The endpoint protection live log gives you information about the connection between
the endpoints, LiveConnect, and the UTM, as well as security information concerning
the endpoints. Click the Open Endpoint Protection Live Log button to open the endpoint
protection live log in a new window.
14.1 Computer Management
On the Endpoint Protection > Computer Management pages you can enable and manage
the protection of individual computers connected to your Sophos UTM.
You can find and deploy an installation file for endpoints and you get an overview of all
computers where the endpoint protection software is installed. You can define
computer groups with differing protection settings.
14.1.1 Global
On the Endpoint Protection > Computer Management > Global tab you can enable or
disable endpoint protection.
To enable endpoint protection, do the following:
1. On the Global tab, enable endpoint protection.
Click the toggle switch.
The toggle switch turns amber and some fields with your organization details
become visible.
2. Enter your organization details.
By default the settings from the Management > System Settings > Organizational
tab is used.
3. Optionally, configure a parent proxy:
If your UTM does not have direct HTTP internet access, Endpoint Protection can
use a proxy server to reach Sophos LiveConnect. Select Use a parent proxy and
enter the host and port if necessary.
Click Activate Endpoint Protection.
The toggle switch turns green and endpoint protection is activated.
4. To cancel the configuration, click the amber colored toggle switch.
On the Deploy Agent page you can now continue by deploying an endpoint protection
installation package to computers to be monitored.
Note – When using endpoint protection, we recommend enabling the Force caching
for Sophos Endpoint updates feature on the Web Protection > Filtering Options > Misc
tab, section Web Caching, to prevent uplink saturation when endpoints download data
from the update servers in the Internet.
Note – The administrator can configure alerts for endpoint virus detection under
Management > Notifications > Notifications tab, section Endpoint.
Note – If the Web Filter is activated and works in transparent mode, additional
settings are necessary to ensure that endpoints can correctly use endpoint protection:
As soon as endpoint protection is enabled, the UTM automatically creates a DNS
group named Sophos LiveConnect. Add this DNS group to the Skip transparent mode
destination hosts/nets box on the Web Protection > Filtering Options > Misc tab.
To disable endpoint protection, do the following:
1. On the Global tab, disable endpoint protection.
Click the toggle switch.
The toggle switch turns amber and two options are available.
2. Select whether you want to delete your endpoint data.
Keep ALL data: Use this option if you want to temporarily disable endpoint
protection. Your endpoint settings will be preserved. When enabling the feature
again, the previously installed endpoints will automatically connect again and all
defined policies will be available.
Delete ALL data: Use this option if you want to reset all endpoint settings and
start from scratch. All connections to endpoints and all policy settings will be
deleted. After enabling the feature again, deploy new installation packages to the
endpoints for them to get the new registration data (see section Computer
Management > Advanced).
3. Click Disable Endpoint Protection.
The toggle switch turns gray and endpoint protection is disabled.
14.1.2 Deploy Agent
On the Endpoint Protection > Computer Management > Deploy Agent tab you can deploy
the installation files for the individual computers to be monitored via endpoint
protection.
With the package there are two different ways to deploy the endpoint protection
software to endpoints:
- Use the Download Endpoint Installation Package Now button to download and
save the installation package. Then give endpoint users access to the package.
- Copy the URL which is displayed in the gray box and send it to the endpoint users.
Using the URL, endpoint users can download and install the installation package
by themselves.
Note – The name of the installation packages must not be changed. During installation
LiveConnect compares the package name with the current registration data of the
UTM. If the information does not match, the installation will be aborted.
After installation on an endpoint, the respective computer will be displayed on the
Manage Computers tab. Additionally it will automatically be assigned to the computer group
defined on the Advanced tab.
Note – The installation package can be invalidated using the Reset Registration Token
button on the Advanced tab.
14.1.3 Manage Computers
The Endpoint Protection > Computer Management > Manage Computers tab gives you
an overview of the computers which have endpoint protection installed for your UTM.
The computers are added to the list automatically. You can assign a computer to a
group, add additional information, modify a computer's tamper protection settings, or
delete a computer from the list.
To edit the settings of a listed computer proceed as follows:
1. Click the Edit button of the respective computer.
The Edit Computer dialog box opens.
2. Make the following settings:
Computer group: Select the computer group you want to assign the computer to.
The computer will receive the protection settings of the assigned group.
Type: Select the computer type, i.e. desktop, laptop, or server. The type serves to
filter the list.
Tamper protection: If enabled, modification of the protection settings on the
computer locally is only possible with a password. The password is defined on the
Advanced tab. If disabled, the endpoint user can modify protection settings
without password. By default, the setting matches the setting of the group the
computer belongs to.
Inventory # (optional): Enter the inventory number of the computer.
Comment (optional): Add a description or other information.
3. Click Save.
Your settings will be saved.
To delete a computer from the list, click the Delete button.
Note – When you delete a computer from the list it will no longer be monitored by the
UTM. However, the installed endpoint software will not automatically be uninstalled,
and the policies last deployed will still be active.
14.1.4 Manage Groups
On the Endpoint Protection > Computer Management > Manage Groups tab you can
combine the protected computers to groups, and define endpoint protection settings for
groups. All computers belonging to a group share the same antivirus and device
policies.
Note – Every computer belongs to exactly one group. Initially, all computers belong to
the Default group. After adding groups, on the Advanced tab you can define which
group should be the default, i.e., which group a newly installed computer will be
assigned to automatically.
To create a computer group, proceed as follows:
1. Click Add Computer Group.
The Add Computer Group dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this group.
Antivirus policy: Select the antivirus policy to be applied to the group. The
policies are defined on the Antivirus > Policies tab. Note that you can define
group-specific exceptions from this policy on the Antivirus > Exceptions tab.
Device policy: Select the device policy to be applied to the group. The policies are
defined on the Device Control > Policies tab. Note that you can define
group-specific exceptions from this policy on the Device Control > Exceptions tab.
Tamper protection: If enabled, modification of the protection settings on the
respective endpoints locally is only possible with a password. The password is
defined on the Advanced tab. If disabled, the endpoint user can modify protection
settings without password. Note that you can change the tamper protection
setting for individual computers on the Manage Computers tab.
Web control: If enabled, endpoints in this group can enforce and report on web
filtering policy, even if they are not on a Sophos UTM network. To enable Endpoint
Web Control, see the Endpoint Protection > Web Control tab.
Use proxy for autoupdate: If enabled, the proxy attributes specified in the fields
below will be sent to the endpoints of this group. The endpoints will use the proxy
data to connect to the Internet.
Note – Make sure to enter the correct data. If the endpoints receive wrong proxy
data they cannot connect to the Internet and to the UTM any more. In this case
you will have to change the configuration on each affected endpoint manually.
Address: Enter the proxy's IP address.
Port: Enter the proxy's port number.
User: Enter the proxy's username if required.
Password: Enter the proxy's password if required.
Computers: Add the computers to belong to the group.
Comment (optional): Add a description or other information.
3. Click Save.
The group will be created and appears on the Manage Groups list. Please note that
it may take up to 15 minutes until all computers are reconfigured.
To either edit or delete a group, click the corresponding buttons.
14.1.5 Advanced
On the Endpoint Protection > Computer Management > Advanced tab, the following
options can be configured:
Tamper Protection: With tamper protection enabled, protection settings can only be
changed on endpoints using this password.
Default Computers Group: Select the computer group a computer will be assigned to
automatically, shortly after installation of endpoint protection.
Sophos LiveConnect – Registration: This section contains registration information
about your endpoint protection. Amongst others, the information is used to identify
installation packages, and it can be used for support purposes.
If you use Sophos Enterprise Console to manage endpoints, you can use this UTM to
provide their Web Control policy. Under SEC Information, copy the Hostname and the
Shared-Key into the Web Control policy editor in Sophos Enterprise Console.
- Reset registration token: Click this button to prevent endpoints from being
installed with a previously deployed installation package. Typically you do this to
finish your rollout. If you want new endpoints to be installed, provide a new
installation package via the Deploy Agent tab.
Parent Proxy: Use a parent proxy if your UTM does not have direct internet access.
Cross Reference – Find information about providing SEC's Web Control Policy through
the UTM Endpoint Protection service in the Sophos Knowledgebase.
14.2 Antivirus
On the Endpoint Protection > Antivirus pages you can define antivirus settings for the
endpoint protection feature. You can create antivirus policies, i.e., sets of antivirus
settings, which you can subsequently apply to your computer groups to be monitored by
endpoint protection. Additionally you can define exceptions for the antivirus features to
be applied to specific computer groups.
14.2.1 Policies
On the Endpoint Protection > Antivirus > Policies tab you can manage different sets of
antivirus settings which you can subsequently apply to the computer groups monitored
by endpoint protection.
By default, the antivirus policy Basic protection represents the best balance between
protecting your computer against threats and overall system performance. It cannot be
modified.
To add a new antivirus policy, proceed as follows:
1. Click the Add Policy button.
The Add Policy dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this policy.
On-access scanning: If enabled, whenever you copy, move, or open a file, the file
will be scanned and access will only be granted if it does not pose a threat to
your computer or has been authorized for use.
- Scan for PUA: If enabled, the on-access scanning will include a check for
potentially unwanted applications (PUAs).
Automatic cleanup: If enabled, items that contain viruses or spyware will
automatically be cleaned up, any items that are purely malware will be deleted, and
any items that have been infected will be disinfected. These disinfected files
should be considered permanently damaged, as the virus scanner cannot know
what the file contained before it was damaged.
Sophos live protection: If the antivirus scan on an endpoint computer has
identified a file as suspicious, but cannot further identify it as either clean or
malicious based on the Sophos threat identity (IDE) files stored on the computer,
certain file data (such as its checksum and other attributes) is sent to Sophos to
assist with further analysis.
The in-the-cloud checking performs an instant lookup of a suspicious file in the
SophosLabs database. If the file is identified as clean or malicious, the decision
is sent back to the computer and the status of the file is automatically updated.
- Send sample file: If a file is considered suspicious, but cannot be positively
identified as malicious based on the file data alone, you can allow Sophos to
request a sample of the file. If this option is enabled, and Sophos does not
already hold a sample of the file, the file will be submitted automatically.
Submitting sample files helps Sophos to continuously enhance detection of
malware without the risk of false positives.
Suspicious behavior (HIPS): If enabled, all system processes are watched for
signs of active malware, such as suspicious writes to the registry, file copy
actions, or buffer overflow techniques. Suspicious processes will be blocked.
Web protection: If enabled, the website URLs are looked up in the Sophos online
database of infected websites.
- Block malicious sites: If enabled, sites with malicious contents will be blocked.
- Download scanning: If enabled, during a download data will be scanned by
antivirus scanning and blocked if the download contains malicious content.
Scheduled scanning: If enabled, a scan will be executed at a specified time.
- Rootkit scan: If enabled, with each scheduled scan the computer will be
scanned for rootkits.
- Low priority scan: If enabled, the on-demand scans will be conducted with
a lower priority. Note that this only works from Windows Vista Service
Pack 2 onwards.
- Time event: Select a time event when the scans will take place, taking the
time zone of the endpoint into account.
Comment (optional): Add a description or other information.
3. Click Save.
The new policy appears on the antivirus policies list. Please note that settings
changes may need up to 15 minutes until all computers are reconfigured.
To either edit or delete a policy, click the corresponding buttons.
14.2.2 Exceptions
On the Endpoint Protection > Antivirus > Exceptions tab you can define computer
group-specific exceptions from the antivirus settings of endpoint protection. An
exception serves to exclude items from scanning which would be scanned due to an
antivirus policy setting.
To add an exception, proceed as follows:
1. On the Exceptions tab, click Add Exception.
The Add Exception dialog box opens.
2. Make the following settings:
Type: Select the type of items you want to skip from on-access and on-demand
scanning.
- Adware and PUA: If selected, you can exclude a specific adware or PUA
(Potentially Unwanted Applications) from scanning and blocking. Adware
displays advertising (for example, pop-up messages) that may affect user
productivity and system efficiency. PUAs are not malicious, but are
generally considered unsuitable for business networks. Add the name of the
adware or PUA in the Filename field, e.g., example.stuff.
- File/folders: If selected, you can exclude a file, a folder, or a network drive
from antivirus scanning. Enter the file, folder, or network drive in the
File/Path field, e.g., C:\Documents\ or
\\Server\Users\Documents\CV.doc.
- File extensions: If selected, you can add files with a specific extension so
that they will be scanned by antivirus scanning. Enter the extension in the
Extension field, e.g., html.
- Buffer overflow: If selected, you can prevent an application using buffer
overflow techniques from being blocked through behavior monitoring.
Optionally enter the name of the application file in the Filename field and
upload the file via the Upload field.
- Suspicious files: If selected, you can prevent a suspicious file from being
blocked through antivirus scanning. Upload the file via the Upload field. UTM
generates the MD5 checksum of the file. The name of the uploaded file will
automatically be used for the Filename field. Optionally modify the file
name. If a file having the defined filename and the stored MD5 sum is found
on the client, it will not be blocked through antivirus scanning.
- Suspicious behaviors: If selected, you can prevent a file from being blocked
through suspicious behavior detection. Optionally enter the name of the file
in the Filename field and upload the file via the Upload field.
- Websites: If selected, websites matching the properties specified in the
Web format field will not be scanned through antivirus protection.
Web format: Specify the server(s) with the websites you want to allow to
visit.
- Domain name: Enter the name of the domain to be allowed into the
Website field.
- IP address with subnet mask: Enter the IPv4 address and netmask of
the computers to be allowed.
- IP address: Enter the IPv4 address of the computer to be allowed.
Upload (only with types Buffer overflow, Suspicious files, and Suspicious
behaviors): Upload the file that should be skipped from antivirus scanning.
Computers Groups: Select the computer groups for which this exception is valid.
Comment (optional): Add a description or other information.
3. Click Save.
The new exception appears on the Exceptions list.
To either edit or delete an exception, click the corresponding buttons.
14.3 Device Control
On the Endpoint Protection > Device Control pages you can control devices attached to
computers monitored by endpoint protection. Basically, in a device policy, you define
which types of devices are allowed or blocked for the computer groups the policy is
assigned to. As soon as a device is detected, the endpoint protection checks if it is
allowed according to the device policy applied to the computer group of the respective
computer. If it is blocked or restricted due to the device policy it will be displayed on
the Exceptions tab, where you can add an exception for the device.
14.3.1 Policies
On the Endpoint Protection > Device Control > Policies tab you can manage different
sets of device control settings which can subsequently be applied to the computer
groups monitored by endpoint protection. These sets are called device policies.
By default two device policies are available: Blocked All prohibits the usage of all types
of devices, whereas Full Access permits all rights for all devices. These policies cannot
be modified.
To add a new policy, proceed as follows:
1. Click the Add Policy button.
The Add Policy dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this policy.
Storage devices: For different types of storage devices you can configure
whether they should be Allowed or Blocked. Where applicable, a Read only entry
is available, too.
Network devices: For modems and wireless networks you can configure whether
they should be Allowed, Block bridged, or Blocked.
Short range devices: For Bluetooth and infrared devices you can configure
whether they should be Allowed or Blocked.
3. Comment (optional): Add a description or other information.
4. Click Save.
The new policy appears on the device control policies list. It can now be applied
to a computer group. Please note that settings changes may need up to 15
minutes until all computers are reconfigured.
To either edit or delete a policy, click the corresponding buttons.
14.3.2 Exceptions
On the Endpoint Protection > Device Control > Exceptions tab you can create protection
exceptions for devices. An exception always allows something which is forbidden by
the device policy assigned to a computer group. Exceptions are made for computer
groups, therefore an exception always applies to all computers of the selected
group(s).
The Exceptions list automatically shows all detected devices that are blocked or
access-restricted by the applied device control policies. Because floppy drives
technically cannot be distinguished, if multiple floppy drives are connected, only one
entry will be displayed, which serves as a placeholder for all floppy drives.
To add an exception for a device, proceed as follows:
1. Click the Edit button of the device.
The Edit Device dialog box opens.
2. Make the following settings:
Allowed: Add the computer groups for which this device should be allowed.
Read only or bridged: Add the computer groups for which this device should be
allowed in read-only mode (applies to storage devices) or bridged mode (applies
to network devices).
Apply to all: If you select this option, the current settings will be applied to all
devices with the same device ID. This is for example useful if you want to assign
a generic exception to a set of USB sticks of the same type.
Mode: This option is only available when you unselect the Apply to all checkbox.
In this case you have to specify what becomes of other devices having the
generic exception. If you want to keep the generic exception for the affected devices,
select Keep for others. If you want to delete the generic exception, click Delete
for others.
Tip – For more information and examples concerning generic exceptions, see
section Working With Generic Device Exceptions below.
Comment (optional): Add a description or other information.
3. Click Save.
The computer groups along with their exceptions will be displayed with the
edited device.
Note – Once a device exists on the Exceptions list, it will stay on the list until you
delete it using the Delete button. Typically you would delete a device after the
corresponding hardware device has been removed irrevocably (e.g., optical drive does
not exist any longer) or after changing your device policies (e.g., wireless network
adapters are now generally allowed). When you delete a device which is still in use, a
message box opens that you need to confirm with OK. After that the device will be
deleted from the list. If an exception existed for this device, the exception will
automatically be invalidated, i.e. the current device policy will be applied to the device.
Working With Generic Device Exceptions
A generic device exception is an exception which is automatically applied to all devices
having the same device ID.
Creating a Generic Exception
1. Click the Edit button of a device that does not have a generic exception, i.e., the
Apply to all checkbox is unselected.
2. Configure the exception and select the Apply to all checkbox.
3. Save the exception.
The exception will be applied to all devices having the same device ID.
Excluding a Device From a Generic Exception
1. Click the Edit button of the device you want to exclude from an existing generic
exception.
2. Configure the individual exception and unselect the Apply to all checkbox.
3. In the Mode drop-down list, select Keep for others.
4. Save the exception.
The edited device will have an individual exception, whereas the others will keep
the generic exception.
Changing the Settings for All Devices Having the Generic Exception
1. Click the Edit button of one of the devices having a generic exception.
2. Configure the exception while keeping the Apply to all checkbox selected.
3. Save the exception.
The settings of all devices with the same device ID and where the Apply to all
checkbox is selected will be changed accordingly.
Deleting a Generic Exception
1. Click the Edit button of one of the devices having the generic exception.
2. Unselect the Apply to all checkbox.
3. In the Mode drop-down list, select Delete for others.
4. Save the exception.
The exceptions of all devices with the same device ID and where the Apply to all
checkbox was selected will be deleted. Only the edited device still has an
exception—an individual one.
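The four procedures above describe one consistent rule set: a generic exception is shared by every device with the same device ID, an individual exception overrides it for one device, and the Mode setting decides what happens to the others when a device leaves the generic exception. As an added model of those rules (written for this guide, not Sophos code), the Python below resolves the effective access for a device and computer group. The policy names Blocked All and Full Access come from this section; the device kinds, device IDs, instance identifiers and group names are constructed, and the assumption that a newly created generic exception does not overwrite an existing individual exception is the example's own.

```python
from dataclasses import dataclass, field


@dataclass
class DeviceException:
    allowed: set = field(default_factory=set)    # groups with full access
    read_only: set = field(default_factory=set)  # groups with read-only (storage) / bridged (network)
    apply_to_all: bool = False                   # True = generic exception keyed by device ID


@dataclass
class Device:
    instance: str   # unique per physical device, e.g. a serial number (constructed)
    device_id: str  # shared by all devices of the same make and model (constructed)
    kind: str       # "storage", "network" or "short_range"


def _copy(exc):
    return DeviceException(set(exc.allowed), set(exc.read_only), exc.apply_to_all)


class DeviceControl:
    def __init__(self, policies, group_policy):
        self.policies = policies          # policy name -> {kind: "Allowed" | "Read only" | "Blocked"}
        self.group_policy = group_policy  # computer group -> policy name
        self.devices = {}                 # instance -> Device
        self.exceptions = {}              # instance -> DeviceException

    def generic_for(self, device_id):
        """The generic exception currently in force for a device ID, if any."""
        for inst, exc in self.exceptions.items():
            if exc.apply_to_all and self.devices[inst].device_id == device_id:
                return exc
        return None

    def detect(self, dev):
        """A newly seen device inherits an existing generic exception for its device ID."""
        self.devices[dev.instance] = dev
        gen = self.generic_for(dev.device_id)
        if gen is not None:
            self.exceptions[dev.instance] = _copy(gen)

    def edit(self, instance, exc, mode="keep"):
        """Save the Edit Device dialog. mode ('keep' or 'delete' for others) only matters
        when Apply to all is unselected."""
        dev = self.devices[instance]
        same_id = [i for i, d in self.devices.items()
                   if d.device_id == dev.device_id and i != instance]
        if exc.apply_to_all:
            # Generic: propagate to every same-ID device that has no individual exception.
            for i in same_id:
                cur = self.exceptions.get(i)
                if cur is None or cur.apply_to_all:
                    self.exceptions[i] = _copy(exc)
        elif mode == "delete":
            # Delete for others: the generic exception disappears from all other devices.
            for i in same_id:
                cur = self.exceptions.get(i)
                if cur is not None and cur.apply_to_all:
                    del self.exceptions[i]
        self.exceptions[instance] = exc

    def delete_device(self, instance):
        """Deleting a listed device invalidates its exception; the group policy applies again."""
        self.exceptions.pop(instance, None)
        del self.devices[instance]

    def effective(self, instance, group):
        """Access a computer in `group` gets to the device: exception first, then policy."""
        dev = self.devices[instance]
        exc = self.exceptions.get(instance)
        if exc is not None:
            if group in exc.allowed:
                return "Allowed"
            if group in exc.read_only:
                return "Read only"
        return self.policies[self.group_policy[group]][dev.kind]


if __name__ == "__main__":
    policies = {"Blocked All": {"storage": "Blocked", "network": "Blocked", "short_range": "Blocked"},
                "Full Access": {"storage": "Allowed", "network": "Allowed", "short_range": "Allowed"}}
    dc = DeviceControl(policies, {"Default": "Blocked All", "Admins": "Full Access"})
    dc.detect(Device("sn-001", "usb:1234:5678", "storage"))
    dc.detect(Device("sn-002", "usb:1234:5678", "storage"))
    dc.edit("sn-001", DeviceException(allowed={"Default"}, apply_to_all=True))
    print(dc.effective("sn-002", "Default"))
```

Walking the test scenario through the four procedures (create, exclude one device with Keep for others, change for all, delete with Delete for others) reproduces the outcomes each procedure states, including that the last edited device is the only one left with an exception afterwards.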
14.4 Endpoint Web Control
While the Sophos UTM provides security and productivity protection for systems
browsing the web from within your corporate network, Endpoint Web Control extends this
protection to user's machines. This provides protection, control, and reporting for endpoint
machines that are located, or roam, outside your corporate network. When enabled, all
policies that are defined in Web Protection > Web Filtering and Web Protection > Web
Filter Profiles > Proxy Profiles are enforced by Endpoint Web Control, even if the
puter is not on a UTM network. Sophos UTM and Sophos endpoints communicate
through LiveConnect, a cloud service that enables instant policy and reporting updates
by seamlessly connecting Sophos UTM and roaming Sophos endpoints. For instance, a
roaming laptop at home or in a coffee shop would still enforce Web Control policy, and
the Sophos UTM will receive logging information from the roaming laptop.
14.4.1 Global
On the Endpoint Protection > Web Control > Global tab you can enable or disable
endpoint web control. To configure filtering policies for Endpoint Web Control, Web Control
must be enabled for the relevant group on the Endpoint Protection > Computer
Management > Manage Groups page, and that group must be referenced in a proxy profile on
the Web Protection > Web Filter Profiles > Proxy Profiles tab.
14.4.2 Advanced
On the Endpoint Protection > Web Control > Advanced tab you can select Scan traffic on
both gateway and endpoint. You can also configure what action Endpoint Web Control
should take when it encounters a site with an associated quota.
Endpoint Traffic Setting
By default, the Sophos UTM does not scan web traffic for endpoints that have Web
Control enabled. If this option is selected, both the endpoint and the Sophos UTM will
filter web traffic.
Endpoint Quota Action
Sophos Endpoint Web Control cannot enforce time quotas. Select an alternate action
for the endpoint for sites that have an associated quota.
Note – The endpoint setting gets precedence. For instance, if a user has Endpoint Web Control enabled, Scan traffic on both gateway and endpoint is selected, and you have configured the Endpoint quota action to Warn, the user would first get a warning. If they proceed to the site, quota time usage for that site would then be in effect. If the Endpoint quota action is set to Block, the user will be blocked, even if they have available quota time for that site.
14.4.3 Features not Supported
While there are many benefits to extending Web Control to the Endpoint, some features are only available from within a Sophos UTM network. The following features are supported on the Sophos UTM, but not supported by Endpoint Web Control:
• Scan HTTPS (SSL) traffic: HTTPS traffic cannot be scanned by the Endpoint. If the Endpoint is proxying through the UTM and this feature is turned on, the traffic will be scanned by the UTM.
• Authentication mode: The Endpoint will always use the currently logged on user (SSO). The Endpoint cannot perform authentication because if the Endpoint is roaming it will not be able to talk to the UTM to authenticate.
• Antivirus/malware: Sophos endpoint antivirus settings are configured on the Endpoint Protection > Antivirus page. If Web Protection (Download scanning) is turned on it will always perform a virus single scan for all web content. Dual scan and max scanning size are not supported.
• Active content removal
• Streaming settings: The Sophos Endpoint will always scan streaming content for viruses.
• Block unscannable and encrypted files
• Block by download size
• Allowed target services: This feature applies only to the Sophos UTM.
• Web caching: This feature applies only to the Sophos UTM.
15 Wireless Protection
The Wireless Protection menu allows you to configure and manage wireless access points for your Sophos UTM, the corresponding wireless networks, and the clients which use wireless access. The access points are automatically configured on your UTM, so there is no need to configure them individually. The communication between the UTM and the access point, which is used to exchange the access point configuration and status information, is encrypted using AES.
Important Note – When the lights of your access point blink furiously, do not disconnect it from power! Furiously blinking lights mean that a firmware flash is currently in progress. A firmware flash takes place, for example, after a UTM system update that comes with a Wireless Protection update.
The following topics are included in this chapter:
• Global Settings
• Wireless Networks
• Mesh Networks
• Access Points
• Wireless Clients
• Hotspots
The Wireless Protection overview page gives you general information on connected
access points, their status, connected clients, wireless networks, mesh networks, and
mesh peer links.
In the Currently Connected section, you can sort the entries by SSID or by access point,
and you can expand and collapse the individual entries by clicking the Collapse icon on
the left.
Live Log
You can click the Open Wireless Protection Live Log button to see detailed connection
and debug information for the access points and clients trying to connect.
15.1 Global Settings
On the Wireless Protection > Global Settings pages you can enable Wireless Protection,
configure network interfaces for Wireless Protection and WPA/WPA2 enterprise
authentication.
15.1.1 Global Settings
On the Wireless Protection > Global Settings > Global Settings tab you can enable or disable Wireless Protection.
To enable Wireless Protection do the following:
1. On the Global Settings tab, enable Wireless Protection.
Click the toggle switch.
The toggle switch turns amber and the Access Control area becomes editable.
When enabling Wireless Protection for the first time, the Initial Setup section appears. It shows the configuration which will be created: A separate wireless "Guest" network using WPA2 personal encryption with DHCP for wireless clients, which will be allowed to use DNS on the UTM and the Web Surfing service. The pre-shared key is auto-generated and will only be shown in this section. This initial configuration is intended as a template. You can edit the settings at any time on the Wireless Protection > Wireless Networks page.
Skip automatic configuration: You can also skip the initial setup by selecting this
option. You will then need to configure the wireless settings manually.
2. Select a network interface for the access point.
Click the Folder icon in the Allowed Interfaces section to select a configured interface where the access point is going to be plugged in. Make sure that a DHCP server is associated with this interface.
Note – UTM appliances marked with "w", for example SG 105-125w, do not need to have a network selected. Since these appliances have a WiFi card onboard they do not need a dedicated WiFi interface.
3. Click Apply.
Your settings will be saved. The toggle switch turns green to indicate that Wireless Protection is active.
You can now continue by plugging the access point into the configured network interface. If you decided to skip the automatic configuration, continue the configuration on the Wireless Networks page.
To cancel the configuration, click the amber colored toggle switch.
As soon as you plug in an access point it will automatically connect to the system.
Newly connected, unconfigured access points are listed as Pending Access Points on
the Access Points > Overview page.
15.1.2 Advanced
On the Wireless Protection > Global Settings > Advanced tab you can configure your
access points to use WPA/WPA2 enterprise authentication and to specify the noti
fication delay of offline access points.
Enterprise Authentication
For enterprise authentication, you need to provide some information about your RADIUS server. Note that the AP(s) do not communicate with the RADIUS server for authentication; only the UTM does. Port 414 is used for the RADIUS communication between the UTM and the AP(s).
Select the requested RADIUS server from the drop-down list. Servers can be added and
configured on Definitions & Users > Authentication Services > Servers.
Note – When your RADIUS server is connected to the UTM via an IPsec tunnel, you
have to configure an additional SNAT rule to ensure that the communication works
correctly. On the Network Protection > NAT > NAT tab, add the following SNAT rule: For
traffic from the APs' network(s), using service RADIUS, and going to the
RADIUS server, replace the source address with the UTM's IP address used to reach
the RADIUS server.
Click Apply to save your settings.
Notification Timeout
If an access point is offline you get a notification. With the notification timeout you can configure a delay for this notification: if you set the timeout to 2 minutes, for example, the notification is sent only once the access point has been offline for at least 2 minutes. The notification timeout requires an integer. The default timeout is 5 minutes.
To set the notification timeout, proceed as follows:
1. Enter the timeout in minutes.
2. Click Apply.
Your settings will be saved.
15.2 Wireless Networks
On the Wireless Protection > Wireless Networks page you can define your wireless networks, such as their SSID and encryption method. Moreover, you can define whether the wireless network should have a separate IP address range or be bridged into the LAN of the access point.
To define a new wireless network, do the following:
1. On the Wireless Networks page, click Add Wireless Network.
The Add Wireless Network dialog box opens.
2. Make the following settings:
Network name: Enter a descriptive name for the network.
Network SSID: Enter the Service Set Identifier (SSID) for the network which will be seen by clients to identify the wireless network. The SSID may consist of 1-32 ASCII printable characters (see http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters). It must not contain a comma and must not begin or end with a space.
Encryption mode: Select an encryption mode from the drop-down list. Default is WPA2 Personal. We recommend WPA2 over WPA, if possible. For security reasons, it is recommended not to use WEP unless there are clients using your wireless network that do not support one of the other methods. When using an enterprise authentication method, you also need to configure a RADIUS server on the Global Settings > Advanced tab. As NAS ID of the RADIUS server enter the wireless network name.
Note – UTM supports the IEEE 802.11r standard in WPA2 (PSK/Enterprise) networks to reduce roaming times. Clients also need to support the IEEE 802.11r standard.
Passphrase/PSK: Only available with WPA/WPA2 Personal encryption mode.
Enter the passphrase to protect the wireless network from unauthorized access
and repeat it in the next field. The passphrase may consist of 8-63 ASCII printable
characters.
128-bit WEP key: Only available with WEP encryption mode. Enter a WEP key here that consists of exactly 26 hexadecimal characters.
Client traffic: Select how the wireless network is to be integrated into your local network.
Note – If you use RED 15w as access point please see chapter Wireless Protection > Access Points > RED 15w for extensive information on configuration.
• Separate zone (default): The wireless network is handled as a separate network, having an IP address range of its own. Using this option, after adding the wireless network you have to continue your setup as described in the section below (Next Steps for Separate Zone Networks).
Note – When switching an existing Separate Zone network to Bridge to AP LAN or Bridge to VLAN, already configured WLAN interfaces on the UTM will be disabled and the interface object will become unassigned. However, you can assign a new hardware interface to the interface object by editing it and thus re-enable it.
• Bridge to AP LAN: You can bridge a wireless network into the network of an access point, that means that wireless clients share the same IP address range.
For Local WiFi Device: To create a Bridge to AP LAN you need to edit the Local WiFi Device on the Wireless Protection > Access Points > Overview tab and enable bridged to AP LAN. In addition, you need to create a new interface on the Interfaces & Routing > Interfaces > Interfaces tab and select the bridge. You also need to have a DHCP server on the Network Services > DHCP > Servers tab so that the client can receive an IP.
Note – If VLAN is enabled, the wireless clients will be bridged into the VLAN network of the access point.
• Bridge to VLAN (not available for Local WiFi Devices): You can decide to have this wireless network's traffic bridged to a VLAN of your choice. This is useful when you want the access points to be in a common network separate from the wireless clients.
Bridge to VLAN ID: Enter the VLAN ID of the network that the wireless clients should be part of.
Client VLAN ID (only available with an Enterprise encryption mode): Select how the VLAN ID is defined:
  • Static: Uses the VLAN ID defined in the Bridge to VLAN ID field.
  • RADIUS & Static: Uses the VLAN ID delivered by your RADIUS server: When a user connects to one of your wireless networks and authenticates at your RADIUS server, the RADIUS server tells the access point what VLAN ID to use for that user. Thus, when using multiple wireless networks, you can define per user who has access to which internal networks. If a user does not have a VLAN ID attribute assigned, the VLAN ID defined in the Bridge to VLAN ID field will be used.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Algorithm (only available with WPA/WPA2 encryption mode): Select an encryption algorithm which can be either AES or TKIP. For security reasons, it is recommended to use AES.
Frequency band: The access points assigned to this wireless network will transmit on the selected frequency band(s). The 5 GHz band generally has higher performance, lower latency, and is typically less disturbed. Hence it should be preferred for e.g. VoIP communication. For more information on which AP types support the 5 GHz band, see Wireless Protection > Access Points.
Time-based access: Select this option if you want to automatically enable and
disable the wireless network according to a time schedule.
Select active time: Select a time period definition which determines when
the wireless network is enabled. You can add a new time period definition
by clicking the Plus icon.
Client isolation: Clients within a network usually can communicate with one
another. If you want to prevent this, for example in a guest network, select
Enabled from the drop-down list.
Hide SSID: If you want to hide your SSID, select Yes from the drop-down list.
Please note that this is no security feature.
Fast Transition (only available with WPA2 Personal/Enterprise encryption mode): Wireless networks with WPA2 encryption use the IEEE 802.11r standard. If you want to prevent this, select Disabled from the drop-down list.
MAC filtering type: To restrict the MAC addresses allowed to connect to this wireless network, select Blacklist or Whitelist. With Blacklist, all MAC addresses are allowed except those listed on the MAC address list selected below. With Whitelist, all MAC addresses are prohibited except those listed on the MAC address list selected below.
MAC addresses: The list of MAC addresses used to restrict access to the
wireless network. MAC address lists can be created on the Definitions &
Users > Network Definitions > MAC Address Definitions tab. Note that it is
not recommended to have more than 5000 MAC addresses.
4. Click Save.
Your settings will be saved. The wireless network appears on the Wireless Networks list.
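As an added example (not Sophos code), the following Python checks a wireless network definition against the constraints documented above before it would be saved: SSID length and character rules, passphrase and WEP key format, the RADIUS requirement for enterprise modes, and the Bridge to VLAN prerequisites. The dataclass field names and the mode strings are assumptions made for this example, not WebAdmin's own identifiers.

```python
"""Validate a wireless network definition against the constraints documented
on the Wireless Networks page. Added example, not Sophos code; the dataclass
field names and the mode strings are assumptions made for this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PERSONAL = {"WPA Personal", "WPA2 Personal", "WPA/WPA2 Personal"}
ENTERPRISE = {"WPA Enterprise", "WPA2 Enterprise", "WPA/WPA2 Enterprise"}
WPA1_ONLY = {"WPA Personal", "WPA Enterprise"}
MODES = PERSONAL | ENTERPRISE | {"WEP", "None"}
CLIENT_TRAFFIC = {"Separate zone", "Bridge to AP LAN", "Bridge to VLAN"}


def is_printable_ascii(s: str) -> bool:
    """ASCII printable characters are 0x20 (space) through 0x7E (~)."""
    return all(0x20 <= ord(c) <= 0x7E for c in s)


def ssid_errors(ssid: str) -> List[str]:
    """1-32 printable ASCII characters, no comma, no leading/trailing space."""
    errs = []
    if not 1 <= len(ssid) <= 32:
        errs.append("SSID must be 1-32 characters")
    if not is_printable_ascii(ssid):
        errs.append("SSID must contain only ASCII printable characters")
    if "," in ssid:
        errs.append("SSID must not contain a comma")
    if ssid != ssid.strip(" "):
        errs.append("SSID must not begin or end with a space")
    return errs


@dataclass
class WirelessNetwork:
    name: str
    ssid: str
    encryption: str = "WPA2 Personal"   # the page's default
    passphrase: Optional[str] = None     # WPA/WPA2 Personal only
    wep_key: Optional[str] = None        # WEP only
    algorithm: str = "AES"               # AES or TKIP
    client_traffic: str = "Separate zone"
    bridge_vlan_id: Optional[int] = None
    client_vlan_mode: str = "Static"     # Static or "RADIUS & Static"
    radius_server_configured: bool = False
    hide_ssid: bool = False


def validate(net: WirelessNetwork) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings): errors would block saving, warnings are the
    page's security recommendations (WPA2 over WPA, AES over TKIP, no WEP)."""
    errors: List[str] = []
    warnings: List[str] = []
    errors += ssid_errors(net.ssid)
    if net.encryption not in MODES:
        errors.append(f"unknown encryption mode {net.encryption!r}")
    if net.encryption in PERSONAL:
        psk = net.passphrase or ""
        if not 8 <= len(psk) <= 63 or not is_printable_ascii(psk):
            errors.append("passphrase must be 8-63 ASCII printable characters")
    if net.encryption == "WEP":
        warnings.append("WEP is not recommended; use it only for legacy clients")
        if not re.fullmatch(r"[0-9A-Fa-f]{26}", net.wep_key or ""):
            errors.append("128-bit WEP key must be exactly 26 hex characters")
    if net.encryption in ENTERPRISE and not net.radius_server_configured:
        errors.append("enterprise mode requires a RADIUS server on Global Settings > Advanced")
    if net.encryption in WPA1_ONLY:
        warnings.append("prefer WPA2 over WPA")
    if net.encryption.startswith("WPA") and net.algorithm == "TKIP":
        warnings.append("prefer AES over TKIP")
    if net.client_traffic not in CLIENT_TRAFFIC:
        errors.append(f"unknown client traffic option {net.client_traffic!r}")
    if net.client_traffic == "Bridge to VLAN":
        if net.bridge_vlan_id is None:
            errors.append("Bridge to VLAN requires a Bridge to VLAN ID")
        if net.client_vlan_mode == "RADIUS & Static" and net.encryption not in ENTERPRISE:
            errors.append("RADIUS & Static client VLAN ID needs an enterprise encryption mode")
    if net.hide_ssid:
        warnings.append("hiding the SSID is not a security feature")
    return errors, warnings
```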
Next Steps for Separate Zone Networks
When you created a wireless network with the option Separate Zone, a new corresponding virtual hardware interface will be created automatically, e.g., wlan0. To be able to use the wireless network, some further manual configuration steps are required. Proceed as follows:
1. Configure a new network interface.
On the Interfaces & Routing > Interfaces > Interfaces tab create a new interface
and select your wlan interface (e.g., wlan0) as hardware. Make sure that type is
“Ethernet” and specify the IP address and netmask of your wireless network.
2. Enable DHCP for the wireless clients.
For your clients to be able to connect to UTM, they need to be assigned an IP address and a default gateway. Therefore, on the Network Services > DHCP > Servers tab, set up a DHCP server for the interface.
3. Enable DNS for the wireless clients.
For your clients to be able to resolve DNS names they have to get access to DNS
servers. On the Network Services > DNS > Global tab, add the interface to the list
of allowed networks.
4. Create a NAT rule to mask the wireless network.
As with any other network you have to translate the wireless network's
addresses into the address of the uplink interface. You create the NAT rule on the
Network Protection > NAT > Masquerading tab.
5. Create one or more packet filter rules to allow traffic from and to the wireless
network.
As with any other network you have to create one or more packet filter rules to
allow the traffic to pass the UTM, e.g., web surfing traffic. You create packet filter
rules on the Network Protection > Firewall > Rules tab.
15.3 Access Points
The Wireless Protection > Access Points pages provide an overview of the access
points (AP) known to the system. You can edit AP attributes, delete or group APs and
assign wireless networks to APs or AP groups.
Note – With BasicGuard subscription, only one access point can connect to UTM.
Types of Access Points
Currently, Sophos provides the following dedicated access points:

Name    | Standards        | Band                             | Band for Mesh Networks | FCC regulatory domain (mainly US)                 | ETSI regulatory domain (mainly Europe)
AP 5    | 802.11b/g/n      | 2.4 GHz                          |                        | Channels 1-11                                     | Channels 1-13
AP 10   | 802.11b/g/n      | 2.4 GHz                          |                        | Channels 1-11                                     | Channels 1-13
AP 15   | 802.11b/g/n      | 2.4 GHz                          | 2.4 GHz                | Channels 1-11                                     | Channels 1-13
AP 15C  | 802.11b/g/n      | 2.4/5 GHz dual-band/single-radio | 2.4 GHz                | Channels 1-11, 36-48, 149-165                     | Channels 1-13, 36-48
AP 30   | 802.11b/g/n      | 2.4 GHz                          | 2.4 GHz                | Channels 1-11                                     | Channels 1-13
AP 50   | 802.11a/b/g/n    | 2.4/5 GHz dual-band/dual-radio   | 2.4 GHz                | Channels 1-11, 36-64, 100-116, 132-140, 149-165   | Channels 1-13, 36-64, 100-116, 132-140
AP 55   | 802.11a/b/g/n    | 2.4/5 GHz dual-band/dual-radio   | 2.4 GHz                | Channels 1-11, 36-64, 100-116, 132-140, 149-165   | Channels 1-13, 36-64, 100-116, 132-140
AP 55C  | 802.11a/b/g/n    | 2.4/5 GHz dual-band/dual-radio   | 2.4 GHz                | Channels 1-11, 36-48, 149-165                     | Channels 1-13, 36-64, 100-116, 132-140
AP 100  | 802.11a/b/g/n/ac | 2.4/5 GHz dual-band/dual-radio   | 2.4 GHz                | Channels 1-11, 36-48, 149-165                     | Channels 1-13, 36-64, 100-116, 132-140
AP 100C | 802.11a/b/g/n/ac | 2.4/5 GHz dual-band/dual-radio   | 2.4 GHz                | Channels 1-11, 36-48, 149-165                     | Channels 1-13, 36-64, 100-116, 132-140
Note – AP 5 can only be connected to a RED rev2 or rev3 with USB connector and supports exactly one SSID with the WLAN type Bridge to AP LAN and a maximum of 7 wireless clients.
Sophos also provides the following dedicated outdoor access points:

Name    | Standards        | Band                           | Band for Mesh Networks | FCC regulatory domain (mainly US)        | ETSI regulatory domain (mainly Europe)
AP 100X | 802.11a/b/g/n/ac | 2.4/5 GHz dual-band/dual-radio | 2.4 GHz                | Channels 1-11, 36-64, 100-116, 132-140   | Channels 1-13, 100-116, 132-140
Sophos also provides the following WiFi Remote Ethernet Devices:

Name    | Standards     | Band
RED 15w | 802.11a/b/g/n | 2.4/5 GHz dual-band
Sophos also provides the following Local WiFi Devices:

Name         | Standards        | Band
SG 105w/115w | 802.11a/b/g/n    | 2.4/5 GHz dual-band
SG 125w/135w | 802.11a/b/g/n/ac | 2.4/5 GHz dual-band
Note – Because of the bandwidth on the APs with ac standard there may be an automatic channel change in some cases. For example, if you select channel 36 the AP could choose channel 40 instead because it provides a better connection. The channel shown in the Wireless Protection > Access Points > Overview tab represents the primary channel. This can affect all AP 100 appliances (AP 100, AP 100C and AP 100X) and all SG appliances with integrated access point (SG 105w/115w and SG 125w/135w).
Note that the country setting of an AP regulates the available channels to be compliant
with local law.
Cross Reference – For detailed information about access points see the Operating
Instructions in the Sophos UTM Resource Center.
15.3.1 Overview
The Wireless Protection > Access Points > Overview page provides an overview of access points (AP) known to the system. The Sophos UTM distinguishes between active, inactive and pending APs. To make sure that only genuine APs connect to your network, APs need to be authorized first.
Note – If you want to use an AP 5, first enable RED management and set up the RED. Then make sure that the RED interface is added to the allowed interfaces on the Wireless Protection > Global Settings page. After connecting the AP 5 to the RED the AP 5 should be displayed in the Pending Access Points section.
Access points can be temporarily disabled on the Grouping tab. When an AP is physically removed from your network, you can delete it here by clicking the Delete button. As long as the AP remains connected to your network, it will automatically re-appear in Pending state after deletion. SG "w" appliances with on-board WiFi cannot be deleted from the AP list.
Tip – Each section of this page can be collapsed and expanded by clicking the Collapse icon on the right of the section header.
Active Access Points
Here, APs are listed that are connected, configured, and running. To edit an AP, click the
Edit button (see Editing an Access Point below).
Inactive Access Points
Here, APs are listed that have been configured in the past but are currently not connected to the UTM. If an AP remains in this state for more than five minutes, please check the network connectivity of the AP and the configuration of your system. A restart of the Wireless Protection service will erase Last Seen timestamps. To edit an AP, click the Edit button (see Editing an Access Point below).
Pending Access Points
Here, APs are listed that are connected to the system but not yet authorized. To authorize an access point, click the Accept button (see Editing an Access Point below).
After receiving its configuration, the now authorized access point will be immediately
displayed in one of the above sections, depending on whether it is currently active or
not.
Editing an Access Point
1. Click the Edit or Accept button of the respective access point.
The Edit Access Point dialog window opens.
2. Make the following settings:
Label (optional): Enter a label to easily identify the AP in your network.
Country: For dedicated APs select the country where the AP is located. For a
Local WiFi Device the country is derived from the global country setting on the
Management > System Settings > Organizational tab.
Important Note – The country setting regulates which channels are available for
transmission. To comply with local law, always select the correct country of
operation (see Access Points).
Group (optional): You can organize APs in groups. If a group has been created
before, you can select it from the drop-down list. Otherwise select << New group
>> and enter a name for the group into the appearing Name text box. Groups can
be organized on the Grouping tab.
3. In the Wireless Networks section, make the following settings:
Wireless network selection (only if no group or a new group is selected): Select
the wireless networks the access point should broadcast. This is useful if you
have, for example, a company wireless network that should only be broadcasted
in your offices, and a guest wireless network that should only be broadcasted in
public parts of your building. You can search the wireless network list by using
the filter field in the list header.
Note – It is possible to assign 8 wireless networks to the access point. Each wireless network can be broadcasted on 2.4 GHz and 5 GHz, which results in 16 SSIDs (8 per radio). For more information on access point bands, see chapter Access Points.
Note – For an access point to broadcast a wireless network some conditions
have to be fulfilled. They are explained in section Rules for Assigning Networks
to APs below.
4. Optionally, in the Mesh Networks section, make the following settings (only available with AP 50 and only if a mesh network is defined on the Mesh Networks tab):
Mesh roles: Click the Plus icon to select mesh networks that should be broadcasted by the access point. A dialog window opens.
• Mesh: Select the mesh network.
• Role: Define the access point's role for the selected mesh network. A root access point is directly connected to the UTM. A mesh access point, after having received its initial configuration, once unplugged from the UTM will connect to a root access point via the mesh network. Note that an access point can be mesh access point for only one single mesh network.
After saving, the access point icon in the Mesh roles list designates the access
point's role. Via the functional icons you can edit a mesh role or delete it from the
list.
Important Note – If you delete a mesh role from the Mesh roles list, you have to plug the access point into your Ethernet again to get its initial configuration. To change the mesh network without having to plug the access point into your Ethernet again, do not delete the mesh role but instead click the Edit icon of the mesh role, and select the desired mesh network.
5. Optionally, make the following advanced settings:
Band (only available for Local WiFi Devices): The Local WiFi Device allows one
band only. Select 5 GHz or 2.4 GHz from the drop-down list.
Channel (only available for Local WiFi Devices): Either keep the default setting Auto, which automatically selects the last used channel for transmit, or select a fixed channel.
TX Power (only available for Local WiFi Devices): Either keep the default setting
100 % for the access point to send with maximum power or down-regulate the
power to reduce the operating distance, e.g., to minimize interference.
Channel 2.4 GHz: Either keep the default setting Auto, which will automatically select the least used channel for transmit, or select a fixed channel.
Dyn Chan: If selected, the AP scans all available channels and connects to
the channel with the best signal.
Time-based scan: If selected, the AP checks for the best signal channel on
a regular time base. To add a time event, click the Plus icon and enter the
time data. You can also select a predefined time event which is listed on
the Definitions & Users > Time Period Definitions tab.
Channel 5 GHz (only available with AP 50, AP 55, AP 55C, AP 100, AP 100C and AP 100X): You can keep the default setting Auto, which will automatically select the least used channel for transmit. Or you can select a fixed channel.
Tip – When you select Auto, the currently used channel will be announced in the
access point entry.
TX power 2.4 GHz: You can keep the default setting 100 % for the access point to
send with maximum power. Or you can down-regulate the power to reduce the
operating distance, e.g., to minimize interference.
TX power 5 GHz (only available with AP 50, AP 55, AP 55C, AP 100, AP 100C and
AP 100X): You can down-regulate the power output for the 5 GHz band separately.
STP: To enable Spanning Tree Protocol, select Enabled from the drop-down list.
This network protocol detects and prevents bridge loops. STP is mandatory if the
access point broadcasts a mesh network.
VLAN tagging: VLAN tagging is disabled by default. If you want to connect the AP
with an existing VLAN Ethernet interface, you need to enable VLAN tagging by
selecting the checkbox. Make sure that the VLAN Ethernet interface is added to
the Allowed interfaces box on the Global Settings > Global Settings page.
Note – To introduce the usage of VLAN for your access points in your network, take the following steps: Connect the AP to the UTM using the standard LAN for at least a minute. This is necessary for the AP to get its configuration. If it were connected via VLAN from the beginning, the AP would not know that it is in a VLAN and therefore would not be able to connect to the UTM to get its configuration. When the AP is displayed, enable VLAN tagging and enter the VLAN ID. Then connect the AP to its intended VLAN, e.g., via a switch.
Note – VLAN tagging is not possible with AP 5.
AP VLAN ID: When VLAN tagging is enabled, enter the VLAN tag of the VLAN the
access point should use to connect to the UTM. Do not use the VLAN tags 0 and 1
as they usually have a special meaning on networking hardware like switches,
and 4095 is reserved by convention.
Note – When VLAN tagging is configured, the AP will try DHCP on the configured
VLAN for 60 seconds. If no IP address is received during that time, the AP will
try DHCP on the regular LAN as a fallback.
6. Click Save.
The access point receives its configuration or configuration update, respectively.
Note – A configuration change needs approximately 15 seconds until all interfaces are reconfigured.
If VLAN tagging is configured but the AP cannot contact the UTM via VLAN, the AP
will reboot itself and try again after receiving the configuration.
Cross Reference – Find information about configuring auto channel assignment
for Sophos Wireless Access Points in the Sophos Knowledgebase.
Rules for Assigning Networks to APs
An access point can only be assigned to a wireless network if the Client traffic option
of the wireless network and the VLAN tagging option of the access point fit together.
The following rules apply:
• Wireless network with client traffic Separate Zone: VLAN tagging of the access point can be enabled or disabled.
• Wireless network with client traffic Bridge to AP LAN: VLAN tagging of the access point has to be disabled.
• Wireless network with client traffic Bridge to VLAN: VLAN tagging of the access point has to be enabled. The respective wireless clients will use the Bridge to VLAN ID specified for the wireless network, or they will receive their VLAN ID from the RADIUS server, if specified.
Note – An AP 5 can only be assigned one single wireless network with the Client
traffic option Bridge to AP LAN.
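The assignment rules above, the AP VLAN ID restrictions (not 0 or 1, 4095 reserved), the 8-networks-per-AP limit, the AP 5 special case and the RADIUS & Static fallback to the Bridge to VLAN ID, written out as a pre-flight check. This is an added example, not Sophos code; the model strings and field names are assumptions made for the example.

```python
"""Check whether wireless networks may be assigned to an access point, using
the rules documented in this section. Added example, not Sophos code; the
field names and model strings are assumptions made for this example."""
from dataclasses import dataclass
from typing import List, Optional

TRAFFIC_MODES = ("Separate zone", "Bridge to AP LAN", "Bridge to VLAN")


@dataclass
class WirelessNet:
    name: str
    client_traffic: str               # one of TRAFFIC_MODES
    bridge_vlan_id: Optional[int] = None
    client_vlan_mode: str = "Static"  # "Static" or "RADIUS & Static"


@dataclass
class AccessPoint:
    label: str
    model: str                        # e.g. "AP 55", "AP 5"
    vlan_tagging: bool = False
    ap_vlan_id: Optional[int] = None


def ap_vlan_id_errors(vlan_id: Optional[int]) -> List[str]:
    """AP VLAN ID rules from the page; the 802.1Q range check is an addition."""
    if vlan_id is None:
        return ["VLAN tagging enabled but no AP VLAN ID set"]
    if vlan_id in (0, 1):
        return [f"VLAN ID {vlan_id} has a special meaning on switches"]
    if vlan_id == 4095:
        return ["VLAN ID 4095 is reserved by convention"]
    if not 0 <= vlan_id <= 4095:      # 12-bit 802.1Q VLAN identifier
        return [f"VLAN ID {vlan_id} is outside the 802.1Q range"]
    return []


def network_fits_ap(net: WirelessNet, ap: AccessPoint) -> Optional[str]:
    """Return None if the network can be assigned, else the reason it cannot."""
    if net.client_traffic not in TRAFFIC_MODES:
        return f"{net.name}: unknown client traffic option {net.client_traffic!r}"
    if net.client_traffic == "Bridge to AP LAN" and ap.vlan_tagging:
        return f"{net.name}: Bridge to AP LAN needs VLAN tagging disabled on {ap.label}"
    if net.client_traffic == "Bridge to VLAN" and not ap.vlan_tagging:
        return f"{net.name}: Bridge to VLAN needs VLAN tagging enabled on {ap.label}"
    return None                       # Separate zone works either way


def check_assignment(ap: AccessPoint, nets: List[WirelessNet]) -> List[str]:
    """All reasons the proposed assignment would be rejected (empty = OK)."""
    errors: List[str] = []
    if ap.vlan_tagging:
        errors += ap_vlan_id_errors(ap.ap_vlan_id)
    if ap.model == "AP 5":
        if len(nets) != 1 or nets[0].client_traffic != "Bridge to AP LAN":
            errors.append("AP 5 supports exactly one Bridge to AP LAN network")
        if ap.vlan_tagging:
            errors.append("VLAN tagging is not possible with AP 5")
    elif len(nets) > 8:
        errors.append(f"{len(nets)} networks assigned; the limit is 8 per access point")
    for net in nets:
        reason = network_fits_ap(net, ap)
        if reason:
            errors.append(reason)
    return errors


def client_vlan_id(net: WirelessNet, radius_vlan: Optional[int] = None) -> Optional[int]:
    """VLAN a client of a Bridge to VLAN network lands in: the RADIUS-supplied
    ID when the mode is 'RADIUS & Static' and the server sent one, otherwise
    the network's Bridge to VLAN ID. None for non-VLAN-bridged networks."""
    if net.client_traffic != "Bridge to VLAN":
        return None
    if net.client_vlan_mode == "RADIUS & Static" and radius_vlan is not None:
        return radius_vlan
    return net.bridge_vlan_id
```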
Reflash Bricked APs
The main reason for returned access points is bricked devices with broken firmware. Therefore you can download a tool to reflash Sophos Access Points. The tool is available here.
If you are running the tool on Windows 8, you may have to disable the Windows Firewall first.
To reflash a Sophos Access Point, proceed as follows:
1. Download the AP reflash utility.
2. Extract the downloaded files.
3. Run the exe-file as Administrator to start the reflash utility.
4. Follow the instructions to flash the AP device.
The power-LED will flash very fast.
The process is completed if the power-LED flashes every second.
Reflash Bricked RED Devices
You can download a tool to reflash Sophos RED 10 devices. The tool is available here.
If you are running the tool on Windows 8, you may have to disable the Windows Firewall first.
To reflash a Sophos RED, proceed as follows:
1. Download the reflash utility.
2. Extract the downloaded files.
3. Run the exe-file as Administrator to start the reflash utility.
4. Follow the instructions to reflash the RED device.
Flashing will take about two minutes.
15.3.2 Grouping
On the Wireless Protection > Access Points > Grouping page you can organize access
points in groups. The list provides an overview of all access point groups and
ungrouped access points. Access points and groups can be distinguished by their
respective icon.
To create an access point group, proceed as follows:
1. On the Grouping page, click New Group.
The Add Access Point Group dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the access point group.
VLAN tagging: VLAN tagging is disabled by default. If you want to connect the AP
with an existing VLAN Ethernet interface, you need to enable VLAN tagging by
selecting the checkbox. Make sure that the VLAN Ethernet interface is added to
the Allowed interfaces box on the Global Settings > Global Settings page.
AP VLAN ID: Enter the VLAN tag that should be used by this group of APs to
connect to UTM. Do not use the VLAN tags 0 and 1 as they usually have a
special meaning on networking hardware like switches, and 4095 is
reserved by convention.
Access point selection: Select the access points that should become members of the group. Only access points that are not assigned to any other group are displayed.
Note – Local WiFi Devices cannot be grouped and do not appear in the access
point selection. Local WiFi Devices appear in the Grouping list.
Wireless network selection: Select the wireless networks that should be broadcasted by the access points of this group.
Note – For an access point to broadcast a wireless network some conditions have to be fulfilled. They are explained in chapter Access Points > Overview, section Rules for Assigning Networks to APs.
3. Click Save.
The new access point group appears on the Grouping list.
To either edit or delete a group, click the corresponding buttons of a group.
To either edit or delete an access point, click the corresponding buttons of an access
point. For more information on editing and deleting access points, see Access Points >
Overview.
15.3.3 RED 15w
This page provides general information about how the different RED modes work with
wireless modes.
RED Modes vs. Wireless Modes
In general, all wireless modes (Separate Zone, Bridge to AP LAN and Bridge to VLAN) are supported by RED 15w. What each wireless mode means in practice depends on the RED mode that is selected.
Standard / Unified
In this mode, all traffic of the RED is sent to the UTM. The following preconditions must
be met for wireless:
- RED tunnel interface on the UTM side is up and has an IP address
- DHCP server is running on the RED tunnel interface
- DNS can be resolved on this RED interface
- Firewall allows traffic from the RED interface to the UTM for the AWE client and VXLAN (RFC 7348) (only for Separate Zone)
- RED interface is added to the Allowed Interfaces section under Wireless Protection > Global Settings
Separate Zone: All traffic from a separate zone network is sent to the UTM using the VXLAN protocol. The VXLAN packets themselves are not encrypted; they are encrypted on the way to the UTM while crossing the RED tunnel. The separate zone networks are connected to each other on the UTM side as usual. The firewall has to allow this type of traffic.
Bridge to AP LAN: The RED bridges the SSID into the LAN network behind the RED. This includes LAN ports 1 - 4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the UTM side if the firewall is configured to allow traffic from the RED network to this interface (enabled by default).
Bridge to VLAN: The RED tags all traffic from clients that are connected to this SSID with the configured VLAN tag. Clients are able to reach all network devices with the same VLAN tag that are connected to LAN ports 1 - 4, as well as a VLAN-tagged interface on top of the tunnel endpoint interface on the UTM side.
Standard / Split
In this mode, only the traffic of the RED destined for the networks listed in the Split Networks is sent to the UTM. All other traffic is sent to the default gateway specified by the remote DHCP server. Normally, this is the Internet router the RED is connected to at the remote site. The following preconditions must be met for wireless:
- RED tunnel interface on the UTM side is up and has an IP address
- DHCP server is running on the RED tunnel interface
- DNS can be resolved on this RED interface
- Firewall allows traffic from the RED interface to the UTM for the AWE client and VXLAN (RFC 7348) (only for Separate Zone)
- RED interface is added to the Allowed Interfaces section under Wireless Protection > Global Settings
Separate Zone: All traffic from a separate zone network is sent to the UTM using the VXLAN protocol. The VXLAN packets themselves are not encrypted; they are encrypted on the way to the UTM while crossing the RED tunnel. The separate zone networks are connected to each other on the UTM side as usual. The firewall has to allow this type of traffic.
Bridge to AP LAN: The RED bridges the SSID into the LAN network behind the RED. This includes LAN ports 1 - 4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the UTM side if the firewall is configured to allow traffic from the RED network to this interface (enabled by default). The clients are able to reach all hosts that are connected to one of the networks specified in the Split Networks list. Firewall rules can restrict this access further.
Bridge to VLAN: The clients are able to reach all hosts behind the RED that carry the same VLAN tag. The tunnel endpoint is also reachable if a VLAN interface is configured on top of the RED interface on the UTM side. The split networks cannot be reached, as these are routed for untagged packets only.
Transparent / Split
In this mode, only networks listed in the Split Networks list are reachable through the UTM. All other networks are routed through the Internet-providing router at the remote site. The remote network also provides DHCP and DNS. That means the RED tunnel endpoint interface on the UTM side has to obtain an IP address from the remote DHCP server. It requires the following preconditions for wireless:
- RED tunnel interface on the UTM side is up and has an IP address
- DHCP server is running on the RED tunnel interface
- DNS can be resolved on this RED interface
- Firewall allows traffic from the RED interface to the UTM for the AWE client and VXLAN (RFC 7348) (only for Separate Zone)
- RED interface is added to the Allowed Interfaces section under Wireless Protection > Global Settings
- The remote DHCP server has to provide DHCP option 234, which must contain the IP address of the RED interface on the UTM side. Otherwise the fallback IP 1.2.3.4 is used.
Separate Zone: All traffic from a separate zone network is sent to the UTM using the VXLAN protocol. The VXLAN packets themselves are not encrypted; they are encrypted on the way to the UTM while crossing the RED tunnel. The separate zone networks are connected to each other on the UTM side as usual. The firewall has to allow this type of traffic.
Bridge to AP LAN: The RED bridges the SSID into the LAN network behind the RED. This includes LAN ports 1 - 4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the UTM side if the firewall is configured to allow traffic from the RED network to this interface (enabled by default). The clients are able to reach all hosts that are connected to one of the networks specified in the Split Networks list. Firewall rules can restrict this access further.
Bridge to VLAN: The clients are able to reach all hosts behind the RED that own the
same VLAN tag on LAN ports 1 - 4 as well as on the WAN port. The split networks can
not be reached as these are routed for untagged packets only.
15.4 Mesh Networks
On the Wireless Protection > Mesh Networks page you can define mesh networks, and
associate access points that should broadcast them. In general, in a mesh network multiple access points communicate with each other and broadcast a common wireless network. On the one hand, access points connected via a mesh network can broadcast the same wireless network to clients, thus working as a single access point while covering a wider area. On the other hand, a mesh network can be used to bridge Ethernet networks without laying cables.
Access points associated with a mesh network can play one of two roles: root access
point or mesh access point. Both broadcast the mesh network, thus the amount of
other wireless networks they can broadcast is reduced by one.
- Root access point: It has a wired connection to the UTM and provides a mesh network. An access point can be root access point for multiple mesh networks.
- Mesh access point: It needs a mesh network to connect to the UTM via a root access point. An access point can be mesh access point for only one single mesh network at a time.
A mesh network can be used for two main use cases: you can implement a wireless
bridge or a wireless repeater:
- Wireless bridge: Using two access points, you can establish a wireless connection between two Ethernet segments. A wireless bridge is useful when you cannot lay a cable to connect those Ethernet segments. While the first Ethernet segment with your UTM is connected to the Ethernet interface of the root access point, the second Ethernet segment has to be connected to the Ethernet interface of the mesh access point. Using multiple mesh access points, you can connect more Ethernet segments.
Figure 22 Mesh Network Use Case Wireless Bridge
- Wireless repeater: Your Ethernet with your UTM is connected to the Ethernet interface of a root access point. The root access point has a wireless connection via the mesh network to a mesh access point, which broadcasts wireless networks to wireless clients.
Figure 23 Mesh Network Use Case Wireless Repeater
To define a new mesh network, do the following:
1. On the Mesh Networks page, click Add Mesh Network.
The Add Mesh Network dialog box opens.
2. Make the following settings:
Mesh-ID: Enter a unique ID for the mesh network.
Frequency band: Access points assigned to this network will transmit the mesh network on the selected frequency band. Generally, it is a good idea to use a different frequency band for the mesh network than for the broadcast wireless networks.
Note – Except for AP 50, all mesh network-capable APs transmit the mesh network on 2.4 GHz only. If an AP 50 transmits on 5 GHz, it is not compatible with other APs which transmit on 2.4 GHz.
Comment (optional): Add a description or other information.
Access points: Click the Plus icon to select access points that should broadcast
the mesh network. A dialog window Add Mesh Role opens:
- AP: Select an access point. All APs which can be used for broadcasting mesh networks are listed under Wireless Protection > Access Points.
- Role: Define the access point's role for the selected mesh network. A root access point is directly connected to the UTM. A mesh access point, after having received its initial configuration, once unplugged from the UTM will connect to a root access point via the mesh network. Note that an access point can be mesh access point for only one single mesh network.
Note – It is crucial for the initial configuration to plug the mesh access point
like every other access point into one of the Ethernet segments selected in the
Allowed interfaces box on the Global Settings tab.
Use the Delete icon in the Access Points list to delete an access point from the
list.
Important Note – If you delete a mesh access point from the Access Points list, you have to plug the access point into your Ethernet again to get its initial configuration. To change the mesh network without having to plug the access point into your Ethernet again, do not delete the access point but instead click the access point's Edit button on the Access Points > Overview tab, click the Edit icon in the Mesh Networks section, and select the desired mesh network.
The access point icon designates an access point's role. You can search the
access point list by using the filter field in the list header.
3. Click Save.
Your settings will be saved. The mesh network appears on the Mesh Networks list.
15.5 Wireless Clients
The Wireless Protection > Wireless Clients page gives you an overview of clients that
are currently connected to an access point or have been connected in the past.
As not all clients transmit their name, you can give them a name here to make known clients easier to distinguish in the overview. If clients transmit their NetBIOS name during the DHCP request, their name is displayed in the table. Otherwise they will be listed as [unknown]. You can change the name of [unknown] clients by clicking the Plus icon in front of the name. Then enter a name and click Save. It takes a few seconds for the change to take effect. Click the Reload button in the upper right corner of WebAdmin to see the name of the client. If you want to change the name, click the Edit button.
Note – Adding a name to a client can briefly affect performance.
You can also delete clients from the table by clicking the Delete icon.
A restart of the Wireless Protection service will erase Last seen timestamps.
15.6 Hotspots
On the Wireless Protection > Hotspots pages you can manage access with the captive
portal system. The Hotspot feature allows cafés, hotels, companies, etc. to provide
time- and traffic-restricted Internet access to guests. The feature is available within
the wireless subscription, but also works with wired networks.
Note – Technically, the Hotspot feature serves to restrict traffic which is basically
allowed by the firewall. Therefore you have to ensure that a firewall rule exists which
allows the traffic to be managed via the hotspots. It is recommended to test the
traffic with the hotspot feature disabled before enabling the hotspots.
The UTM intercepts HTTP traffic and redirects users to a predefined page, the so-called hotspot or captive portal. There, users have to use one of the configured authentication methods before they can access the allowed networks, e.g. the Internet. HTTPS and other traffic is neither intercepted nor redirected to the hotspot; a client whose first request is HTTPS therefore sees no redirect and has to open a plain HTTP URL to reach the login page.
Note – If the Hotspot feature is used in combination with an active-active cluster
setup, the respective traffic cannot be distributed between master and workers. All
traffic from and to the hotspot interfaces will be directed through the master.
Hotspot Generation
In a first step, the administrator creates and enables a hotspot with a specific type of
access. The following types are available:
- Terms of use acceptance: The guest is presented terms of use, which you can define, and has to select a checkbox to get access.
- Password of the day: The guest has to enter a password to get access. The password changes on a daily basis.
- Voucher: The guest gets a voucher and has to enter the voucher code to get access. The voucher can be limited in the number of devices, in time, and in traffic.
Distribution of Access Information to Guests
With the types Password of the day and Voucher, the access information has to be
handed out to the guests. Therefore you can define users who are allowed to manage
and distribute access information. Those users receive and distribute the access
information via the Hotspot tab of the User Portal:
- Password of the day: The current password can be sent via email, and the users find the password in the User Portal. The users forward the password to the guests. They can generate or enter a new password. Hereby, the former password automatically becomes invalid and active sessions will be terminated. Other users will be informed of the new password, either by email or via the User Portal, depending on what is configured for them.
- Voucher: In the User Portal, users have the possibility to create vouchers, each with a unique code. Different types of vouchers can be available if specified by the administrator. The vouchers can be printed or exported and given to the guests. A list of created vouchers gives an overview of their usage and helps to manage them.
Legal Information
In many countries, operating a public wireless LAN is subject to specific national laws,
restricting access to websites of legally questionable content (e.g., file sharing sites,
extremist websites, etc.). To meet this requirement, you can combine the hotspot with
the web protection capabilities of the Sophos UTM, which allow you to control web
access by blocking and allowing everything from an entire website category type to a
single URL. The UTM gives you complete control over what is allowed to be accessed,
by whom, and when. That way you can put the hotspot under heavy restrictions, if
national or corporate policies require you to do so.
Using the built-in HTTP proxy of Sophos UTM also gives you advanced logging and
reporting capabilities. The reporting will show who visited what site, when, and how
many times, allowing you to identify inappropriate usage in case you want to operate a
hotspot without any access restrictions.
In addition to that, legal regulations may require you to register your hotspot with the national regulatory body.
15.6.1 Global
On the Wireless Protection > Hotspots > Global tab you can enable the Hotspots feature
and define users who are allowed to view and distribute hotspot access information.
To configure hotspots, proceed as follows:
1. On the Global tab, enable the Hotspots.
Click the toggle switch.
The toggle switch turns green and the Global Hotspot Settings area becomes editable.
2. Select the allowed users.
Select the users or groups or add new users that should be able to provide hotspot access information via the User Portal. Users selected here can change the password of the day and are able to create hotspot vouchers. How to add a user is explained on the Definitions & Users > Users & Groups > Users page.
3. Click Apply.
Your settings will be saved.
Live Log
The Hotspots live log gives you information on the usage of the hotspots. Click the
Open Live Log button to open the Hotspots live log in a new window.
Download Templates
Here you can download the hotspot login template and the voucher template that are
used by default when adding a new hotspot. You can modify the default templates to
customize your hotspot login page or the voucher design without the need to create
them from scratch. You can upload the customized HTML and PDF template on the Wireless Protection > Hotspots > Hotspots tab.
1. Click the blue Download icon.
A download dialog window opens.
2. Save the file.
The file will be downloaded.
15.6.2 Hotspots
On the Wireless Protection > Hotspots > Hotspots tab you can manage different hotspots.
Note – A hotspot has to be assigned to an existing interface, typically a WLAN interface. All hosts using this interface will automatically be restricted by the hotspot. Therefore, before you create a hotspot you would typically create a wireless network with client traffic Separate Zone, then create an interface for the respective WLAN interface hardware. For more information, see Wireless Protection > Wireless Networks.
To create a hotspot, proceed as follows:
1. Click Add Hotspot.
The Add Hotspot dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this hotspot.
Interfaces: Add the interfaces which are to be restricted by the hotspot. Please
ensure that for the selected interfaces a firewall rule exists which allows the
desired traffic. An interface can only be used by one hotspot.
Caution – You should not select an uplink interface here because traffic to the Internet will be completely blocked afterwards. Additionally, we strongly advise against using interfaces used by servers which provide essential services like authentication. You may irreversibly lock yourself out of WebAdmin!
Administrative Users: Add or select users for administrative settings. Administrative users are allowed to create vouchers or change the password of the day in the User Portal. By default nobody is allowed to make administrative settings.
Redirect to HTTPS: If enabled, users will be redirected to HTTPS.
- Hostname type: Select if you want to redirect to an IP address or to a custom hostname (DNS).
- Hostname (only available with custom hostname): Select or add the hostname for the redirect.
Hotspot type: Select the hotspot type for the selected interfaces.
- Password of the day: A new password will be created automatically once a day. This password will be available in the User Portal on the Hotspots tab, which is available to all users specified on the Global tab. Additionally it will be sent to the specified email addresses.
- Voucher (not available with BasicGuard subscription): With this hotspot type, tokens with different limitations and properties can be generated in the User Portal, printed and given to customers. After entering the code, the customers can then directly access the Internet.
  Note – If only a normal Ethernet interface is configured for this hotspot, SSID and PSK will not be displayed. If you use a normal interface and a WLAN interface, they will be displayed.
- Terms of use acceptance: Customers can access the Internet after accepting the Terms of Use.
- Backend authentication: With this hotspot type, users can authenticate via any supported backend mechanism (see Definitions & Users > Authentication Services). With this type, the user credentials are stored to periodically check if the user is still authorized.
  Note – If you select Backend authentication, a new entry field for the OTP token appears on the login form if Hotspot is configured as an OTP facility.
Note – Every hotspot type drops the packets if the conditions are not fulfilled. ICMP packet types 8 and 0 (Echo Request and Echo Reply) will not be dropped.
Password creation time (only with Hotspot type Password of the day): The time of day at which the new password will be created. At this time the former password immediately becomes invalid and current sessions will be cut off.
Send password by email to (only with Hotspot type Password of the day): Add
email addresses to which the password shall be sent.
Voucher definitions (only with Hotspot type Voucher): Add or select the voucher
definitions you want to use for the hotspot. How to add a voucher definition is
explained on the Voucher Definitions page.
Devices per voucher (only with Hotspot type Voucher): Enter the number of
devices which are allowed to log in with one voucher during its lifetime. It is not
recommended to use the unlimited entry.
Hotspot users (only with Hotspot type Backend Authentication): Select the users
or user groups or add the users that should be able to access the hotspot via
backend authentication. Typically, this is a backend user group.
Session expires (only with Hotspot type Terms of Use Acceptance or Backend
Authentication): Select the time span after which the access will expire. After
that, with the hotspot type Terms of Use Acceptance, the users have to accept
the terms of use again to log in. With the hotspot type Backend Authentication,
the users have to authenticate again.
Synchronize password with PSK of wireless networks (only with Hotspot type Password of the day): Select this option to synchronize the newly generated or saved password with the wireless PSK of separate zone networks.
Note – With the new PSK, all APs that are configured with a separate zone wireless network that is also used as a hotspot interface will be reconfigured and restarted. This means all connections will be dropped.
Users have to accept terms of use (not with Hotspot type Terms of Use Acceptance): Select this option if you want the hotspot users to accept your terms of use before accessing the Internet.
- Terms of use: Add the text to be displayed as terms of use. Simple HTML markup and hyperlinks are allowed.
Redirect to URL after login: If selected, after entering the password or the voucher data, the users will be redirected automatically to a particular URL, e.g., your hotel's website or a webpage stating your portal system policies.
- URL: URL to which the user is redirected.
Note – When you select hotspot type Voucher the Redirect to URL after login
does not automatically redirect to the configured URL. Users will be redirected
to a statistics page which contains important information about the voucher,
e.g. period of validity. Users will be able to continue to the configured URL when
they click on the link: You will be redirected to [URL].
Comment (optional): Add a description or other information.
3. Optionally, make the following hotspot customization settings:
By default, the user will be presented a login page with the Sophos logo. You can
use a customized HTML file with your own images and stylesheets. Additionally,
you can customize the voucher layout.
Customization type: Select the customization type. The following types are available:
- Basic: Use the default login page template. If required, change logo, title, and text.
Logo: Upload a logo for the login page. Supported image file types are jpg, png and gif. A maximum image width of 300 px and height of 100 px is recommended (depending on the title length). Use the Restore Default button to select the default Sophos logo again.
Scale logo to recommended size: If selected, a logo exceeding the recommended width or height will be scaled down and displayed in the recommended size. If not selected, the logo will be displayed in the original size.
Title: Add a title for the login page. Simple HTML markup and hyperlinks are
allowed.
Custom text: Add an additional text for the login page. You can for example
enter the SSID of the wireless network to be used. Simple HTML markup
and hyperlinks are allowed.
- Full: Select an individual login HTML page.
Login page template: Select the HTML template you want to use for your individual login page. Clicking the Folder icon opens a window where you can select and upload the file. Use the Restore Default button to select the default Sophos HTML template again. In this template, you can use variables that dynamically insert information for each hotspot. For example, you can add the company name and administrator information, the terms of use and the login form. See detailed information below, in Using Variables in Login Page Template. You can download the default HTML template on the Wireless Protection > Hotspots > Global tab.
Images/Stylesheets: Add files that are referenced in your login page template, e.g., images, stylesheets, or JavaScript files. Clicking the Folder icon opens a window where you can select and upload the files.
Voucher template (only with hotspot type Voucher): Clicking the Folder icon opens a window where you can select and upload the PDF file with the voucher layout. By default, a default template is used. You can restore the default by clicking the Restore Default button. The voucher PDF file has to have PDF version 1.5 or lower. It may have any page size and format; both size and format will be adjusted during voucher creation in the User Portal, depending on the page size and number of vouchers per page specified there. You can download the default PDF template on the Wireless Protection > Hotspots > Global tab.
The PDF file may contain the following variables that will be replaced with the
respective values during voucher generation in the User Portal:
- Wireless network name (SSID): <?ssid0?> (and <?ssid1?>, <?ssid2?> and so on, if the WLAN has more than one SSID)
- Wireless network password: <?psk0?> (and <?psk1?>, <?psk2?> and so on, if the WLAN has more than one SSID)
- Voucher code: <?code?>
- Voucher validity time: <?validity?>
- Voucher data limit: <?datalimit?>
- Voucher time limit: <?timelimit?>
- Comment: <?comment?>
- QR code with the hotspot access data encoded: <?qrX?>. The upper left corner of the QR code will be placed on the lower left corner of the variable.
Note – When using variables, the PDF file must include the entire character sets of the fonts used. When a variable is replaced by its value and one of the substituted characters is not available in the embedded font, it will be displayed incorrectly. We recommend adding the string
<?abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789?>
(for English usage) to your PDF file; it will be removed automatically during voucher generation. If you use another language, you can include any other character set you want. Additionally, it is recommended to use a separate line for the variables, as the layout could get corrupted if the substituted text is too long.
4. Click Save.
The hotspot will be created and appears on the Hotspots list.
Tip – You can open a preview of the login page after saving the hotspot. In the Hotspots list just click the button Preview Login Page of the respective hotspot.
To either edit or delete a hotspot, click the corresponding buttons.
Cross Reference – Find information about enabling backend authentication for hotspots in the Sophos Knowledgebase.
Using Variables in Login Page Template
The HTML template for the login page may contain various variables that can dynamically insert information for the hotspot login page. When the UTM processes a template in order to display a login page, it replaces any template variables with the relevant value. Valid variables are:
- General variables
<?company_text?>: Custom company text as defined on Management > Customization > Global
<?company_logo?>: Company logo as defined on Management > Customization > Global. The variable will be replaced by the path of the logo file, usage e.g., <img src="<?company_logo?>">
<?admin_contact?>: Administrator name or address as defined on Management > Customization > Web Messages
<?admin_message?>: Administrator information label as defined on Management > Customization > Web Messages (default: Your cache administrator is:)
<?error?>: Error message that arose while trying to log in.
- Variables used for all hotspot types
<?terms?>: Terms of use (as defined on Hotspots page)
<?redirect_host?>: Redirect URL that is specified for the hotspot (as defined on Hotspots page)
<?location?>: URL the user requested
<?location_host?>: Hostname of the URL the user requested
<?login_form?>: Login form suitable for the respective hotspot type: Password text box, Token text box, Username and Password text boxes, or Accept checkbox, and Login button. For creating customized login forms, see User-Specific Login Form below.
<?asset_path?> (only important for customization mode Full): Hotspot-specific
directory for storage of images or stylesheets (example usage: <img
src="<?asset_path?>/logo.png">)
- Variables only used for Voucher type hotspots
<?maclimit?>: Number of allowed devices per voucher of this hotspot (as defined on Hotspots page)
<?numdevices?>: Number of devices used for this voucher
<?timeend?>: End of validity period (can be defined on Voucher Definitions page)
<?time_total?>: Total time quota allowed (can be defined on Voucher Definitions page)
<?time_used?>: Time quota used up (can be defined on Voucher Definitions page)
<?traffic_total?>: Total data volume allowed (can be defined on Voucher Definitions page)
<?traffic_used?>: Data volume used up (can be defined on Voucher Definitions page)
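The voucher limits described for the Hotspots tab (Devices per voucher, validity period, time quota, data volume) and the voucher-specific template variables listed above, as an added example that is not Sophos code: a Python model of how a single voucher accumulates devices, online time and traffic, when a login attempt with its code is refused, and how its state maps onto <?maclimit?>, <?numdevices?>, <?timeend?>, <?time_total?>, <?time_used?>, <?traffic_total?> and <?traffic_used?>. Counting the validity period from first use, the order in which the limits are checked, and the values in demo() are assumptions of this example, not taken from the page.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class VoucherDefinition:
    """Limits a voucher definition can carry; None means unlimited."""
    validity_seconds: Optional[int] = None    # validity period, counted from first use (assumption)
    time_quota_seconds: Optional[int] = None  # total online time allowed
    data_limit_bytes: Optional[int] = None    # total data volume allowed
    devices_per_voucher: Optional[int] = 1    # the hotspot's "Devices per voucher" setting


@dataclass
class Voucher:
    code: str
    definition: VoucherDefinition
    first_used_at: Optional[float] = None
    devices: Set[str] = field(default_factory=set)   # MAC addresses that used the code
    time_used: float = 0.0
    traffic_used: int = 0

    def redeem(self, mac: str, now: float):
        """Decide whether device `mac` may log in with this voucher at time `now`.
        Returns (allowed, reason). A device that already used the voucher is not
        counted against the device limit a second time."""
        d = self.definition
        if self.first_used_at is None:
            self.first_used_at = now
        if d.validity_seconds is not None and now > self.first_used_at + d.validity_seconds:
            return False, "validity period expired"
        if d.time_quota_seconds is not None and self.time_used >= d.time_quota_seconds:
            return False, "time quota used up"
        if d.data_limit_bytes is not None and self.traffic_used >= d.data_limit_bytes:
            return False, "data limit used up"
        if mac not in self.devices:
            if d.devices_per_voucher is not None and len(self.devices) >= d.devices_per_voucher:
                return False, "device limit reached"
            self.devices.add(mac)
        return True, "ok"

    def account(self, seconds: float, nbytes: int) -> None:
        """Charge a finished session (or accounting interval) to the voucher."""
        self.time_used += seconds
        self.traffic_used += nbytes

    def template_values(self) -> dict:
        """Values for the voucher-specific login-page variables listed above.
        Limits that are not set are omitted, which is what keeps the matching
        <?if_timelimit?>, <?if_trafficlimit?>, <?if_timequota?> and
        <?if_maclimit?> sections hidden."""
        d = self.definition
        v = {"numdevices": len(self.devices),
             "time_used": int(self.time_used),
             "traffic_used": self.traffic_used}
        if d.devices_per_voucher is not None:
            v["maclimit"] = d.devices_per_voucher
        if d.validity_seconds is not None and self.first_used_at is not None:
            v["timeend"] = self.first_used_at + d.validity_seconds
        if d.time_quota_seconds is not None:
            v["time_total"] = d.time_quota_seconds
        if d.data_limit_bytes is not None:
            v["traffic_total"] = d.data_limit_bytes
        return v


def demo():
    """Constructed scenario: a one-day voucher with 1 h online time, 500 MB
    and one device. The code leaks to a second device, then the first device
    uses up its hour."""
    v = Voucher("A7K2-91XQ", VoucherDefinition(86400, 3600, 500_000_000, 1))
    first = v.redeem("aa:bb:cc:00:00:01", now=1_000)
    second = v.redeem("aa:bb:cc:00:00:02", now=1_100)   # shared code, second device
    v.account(seconds=3600, nbytes=120_000_000)
    again = v.redeem("aa:bb:cc:00:00:01", now=5_000)    # same device, quota gone
    return first, second, again


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second device in demo() is refused only because Devices per voucher is 1; with the unlimited entry the guide advises against, a code printed on a voucher and photographed by one guest would admit any number of devices until the time or data quota ran out.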
Templates can contain if variables that make up sections like the ones shown below. Each section has an opening and a closing variable. The contents of an if section are only displayed on a specific condition.
If Section / Meaning
<?if_loggedin?> ... <?if_loggedin_end?>
    Section is displayed when the user has successfully logged in.
<?if_notloggedin?> ... <?if_notloggedin_end?>
    Section is displayed when the user has not yet logged in, e.g., because terms of use have to be accepted or because an error occurred.
<?if_authtype_password?> ... <?if_authtype_password_end?>
    Section is displayed when hotspot type is Password of the day.
<?if_authtype_disclaimer?> ... <?if_authtype_disclaimer_end?>
    Section is displayed when hotspot type is Terms of Use Acceptance.
<?if_authtype_token?> ... <?if_authtype_token_end?>
    Section is displayed when hotspot type is Voucher.
<?if_authtype_backend?> ... <?if_authtype_backendtoken_end?>
    Section is displayed when hotspot type is Backend Authentication.
<?if_location?> ... <?if_location_end?>
    Section is displayed when the user has been redirected.
<?if_redirect_url?> ... <?if_redirect_url_end?>
    Section is displayed when the checkbox Redirect to URL after login is enabled.
<?if_not_redirect_url?> ... <?if_not_redirect_url_end?>
    Section is displayed when the checkbox Redirect to URL after login is disabled.
<?if_timelimit?> ... <?if_timelimit_end?>
    Section is displayed when a validity period is set for a voucher.
<?if_trafficlimit?> ... <?if_trafficlimit_end?>
    Section is displayed when a data volume is set for a voucher.
<?if_timequota?> ... <?if_timequota_end?>
    Section is displayed when a time quota is set for a voucher.
<?if_maclimit?> ... <?if_maclimit_end?>
    Section is displayed when a Devices per voucher value is specified.
<?if_terms?> ... <?if_terms_end?>
    Section is displayed when Terms of Use are defined and enabled.
<?if_error?> ... <?if_error_end?>
    Section is displayed when an error occurred while trying to log in.
User-Specific Login Form
If you want to create your own login form instead of using the pre-defined <?login_form?> variable, consider the following:
- Enclose the form in the following tags:
  <form action="?action=login" method="POST"> ... </form>
- For a Terms of Use Acceptance hotspot, add a checkbox named "accept":
  <input type="checkbox" name="accept">
- For Password of the Day or Voucher hotspots, add a text box named "token":
  <input type="text" name="token">
- For a Backend Authentication hotspot, add two text boxes named "username" and "password":
  <input type="text" name="username">
  <input type="password" name="password">
- Add a means to submit the form, e.g., a Login button:
  <input type="submit" name="login" value="Login">
Cross Reference – Find information about customizing the login page for UTM hot
spots in the Sophos Knowledgebase.
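As an added example that is not part of the Sophos documentation or of the UTM's own code, the following Python script shows how a template of the kind described above is processed: it evaluates the <?if_NAME?> ... <?if_NAME_end?> sections against the login state and hotspot type, removes the sections whose condition does not hold, and substitutes the remaining variables. The sample template (a user-specific login form using the documented "accept", "token" and "login" field names), the condition names passed in and the rendering logic are constructed here for illustration; that the renderer fails closed on an unbalanced section marker and HTML-escapes variable values are choices of this example, not documented UTM behaviour.

```python
import html
import re

# Constructed sample: a user-specific login form as described above. It uses the
# documented field names ("accept", "token", "login") and documented if-sections;
# which sections survive depends on the hotspot type and the login state.
TEMPLATE = """\
<?if_notloggedin?>
<form action="?action=login" method="POST">
<?if_authtype_disclaimer?>
  <label><input type="checkbox" name="accept"> I accept the Terms of Use</label>
<?if_authtype_disclaimer_end?>
<?if_authtype_token?>
  <label>Voucher code: <input type="text" name="token"></label>
<?if_authtype_token_end?>
<?if_error?>
  <p class="error">Login failed.</p>
<?if_error_end?>
  <input type="submit" name="login" value="Login">
</form>
<?if_notloggedin_end?>
<?if_loggedin?>
<p>You are logged in.<?if_timelimit?> Valid until <?timeend?>.<?if_timelimit_end?></p>
<?if_loggedin_end?>
"""

# <?if_NAME?> ... <?if_NAME_end?>; the backreference forces a matching end marker.
SECTION_RE = re.compile(r"<\?if_(\w+?)\?>(.*?)<\?if_\1_end\?>", re.DOTALL)
VAR_RE = re.compile(r"<\?(\w+)\?>")


def render(template, conditions, variables):
    """Render a hotspot template (illustrative renderer, not the UTM's own).

    conditions: section name -> bool, e.g. {"loggedin": True, "timelimit": True}
    variables:  variable name -> value, e.g. {"timeend": "2017-05-09 18:00"}
    A section whose condition is false is removed together with everything it
    encloses; sections may nest. Remaining variables are substituted with their
    value HTML-escaped, so a value can never inject markup into the page.
    """

    def expand(text):
        def section(m):
            name, body = m.group(1), m.group(2)
            if not conditions.get(name, False):
                return ""
            return expand(body)  # recurse so nested sections are evaluated too

        return SECTION_RE.sub(section, text)

    def variable(m):
        name = m.group(1)
        if name.startswith("if_"):
            # An if-marker that survived has no partner: fail closed rather than
            # ship a page with dangling template syntax.
            raise ValueError("unbalanced section marker " + m.group(0))
        if name not in variables:
            raise KeyError("unknown template variable " + name)
        return html.escape(str(variables[name]))

    return VAR_RE.sub(variable, expand(template))


if __name__ == "__main__":
    # Voucher hotspot, user not yet logged in, previous attempt failed:
    print(render(TEMPLATE, {"notloggedin": True, "authtype_token": True, "error": True}, {}))
    # Same user after a successful login with a validity period:
    print(render(TEMPLATE, {"loggedin": True, "timelimit": True},
                 {"timeend": "2017-05-09 18:00"}))
```

Rendering the same template once with the "not logged in" conditions and once with the "logged in" ones shows that the form, including its hidden voucher and error parts, disappears entirely after login, while the voucher variables only ever appear inside the sections that guard them.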
15.6.3 Voucher Definitions
On the Wireless Protection > Hotspots > Voucher Definitions tab you can manage dif
ferent voucher definitions for voucher type hotspots.
To create a voucher definition, proceed as follows:
1. Click Add Voucher Definition.
The Add Voucher Definition dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this voucher definition.
Validity period: Enter the time span for which a voucher with this definition will
be valid. Counting is started at the first login. It is highly recommended to enter a
time period.
Note – The maximum time for the Validity Period is two years.
Time quota: Here you can restrict the allowed online time. Enter the maximum
online time after which a voucher of this definition expires. Counting is started at
login and is stopped at logout. Additionally, counting is stopped after 5 minutes of
inactivity.
Note – The maximum time for the Time Quota is two years.
Data volume: Here you can restrict the allowed data volume. Enter the maximum
data volume to be transmitted with this voucher definition.
Note – The maximum Data Volume is 100 GB.
Comment (optional): Add a description or other information.
3. Click Save.
The voucher definition will be created. It can now be selected when creating a
voucher-type hotspot.
To either edit or delete a voucher definition, click the corresponding buttons.
Cross Reference – Find information about customizing hotspot vouchers in the
Sophos Knowledgebase.
15.6.4 Advanced
General Voucher Options
Here you can decide if and after which time interval you want to delete expired vouch
ers from the database. In the hotspot log you will still find information about the
deleted vouchers.
Login Page Certificate
To ensure that the login page is served over HTTPS, select the certificate to be used for it. New certificates can be generated or uploaded on the Webserver Protection > Certificate Management > Certificates page. Select the requested certificate from the drop-down list and click Apply to activate it.
Walled Garden
Add or select specific hosts or networks that are always accessible to all users, without entering a password or a voucher code. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
16 Webserver Protection
This chapter describes how to configure the web application firewall of Sophos UTM
which protects your webservers against attacks and malicious behavior.
The following topics are included in this chapter:
- Web Application Firewall
- Reverse Authentication
- Certificate Management
16.1 Web Application Firewall
Using the Web Application Firewall (WAF), also known as reverse proxy, Sophos UTM lets you protect your webservers from attacks and malicious behavior like cross-site scripting (XSS), SQL injection, directory traversal, and other potent attacks against your servers. You define external addresses (virtual webservers) which are translated into the "real" machines in place of DNAT rule(s). From there, servers can be protected using a variety of patterns and detection methods. In simpler terms, this area of UTM lets you apply rules to the requests received by and the responses sent from the webserver. It also offers load balancing across multiple targets.
16.1.1 Virtual Webservers
On the Web Application Firewall > Virtual Webservers tab you can create virtual web
servers. Those webservers, as part of the UTM, build the firewall between the Internet
and your webservers. That is why this kind of intervention is also known as reverse
proxy. The UTM picks up the requests for the webservers and protects the real web
servers from various attacks. Each virtual webserver maps to a real webserver and
determines what level of protection is applied. You can also use more than one real
webserver in one virtual webserver definition. That way you get load balancing for your
real webservers.
To add a virtual webserver, do the following:
1. Click the New Virtual Webserver button.
The Add Virtual Webserver dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the virtual webserver.
Interface: Select an interface from the drop-down list over which the webserver
can be reached.
Note – If there is an interface with an IPv4 address and an IPv6 link local
address defined as frontend interface, the virtual webserver is only reachable
at the IPv4 address. Interfaces for which only an IPv6 link local address is
defined cannot be selected as frontend interface for a virtual webserver.
Type: Determine whether you want the communication between the client and the virtual webserver to be Plaintext (HTTP), Encrypted (HTTPS) or Encrypted (HTTPS) & Redirect. When you want to use reverse authentication, we highly recommend selecting Encrypted (HTTPS) for security reasons, as credentials would otherwise cross the network in plain text. If Encrypted (HTTPS) & Redirect is enabled, users entering the URL without https:// will be redirected automatically to the HTTPS virtual webserver.
Port: Enter a port number on which the virtual webserver can be reached from external. Default is port 80 with Plaintext (HTTP) and port 443 with Encrypted (HTTPS).
TLS version (not with Plaintext (HTTP)): Select the minimum TLS version that clients are allowed to use when connecting to the WAF.
Note – If you select TLS version 1.2, clients using old versions of Microsoft Internet Explorer (6, 7 or 8) or Microsoft Windows XP will not be able to connect to the WAF.
Certificate (not with Plaintext (HTTP)): Select the webserver's certificate from
the drop-down list. The certificate needs to be created beforehand on the web
server, and be uploaded on the Certificate Management > Certificates tab.
Domain: This field displays the hostname for which the certificate had
been created.
Domains (only with SAN certificates): The WAF supports Subject Altern
ative Name (SAN) certificates. All hostnames covered by a certificate will
be listed in this box. You can then select one or more hostnames by select
ing the checkbox in front of a hostname.
Domains (only with Plaintext (HTTP) or Encrypted (HTTPS) with wildcard certificate): Enter the domains the webserver is responsible for as FQDN, e.g. shop.example.com, or use the Action icon to import a list of domain names. You can use an asterisk (*) as a wildcard for the prefix of the domain, e.g., *.mydomain.com. Domains with wildcards are considered fallback settings: the virtual webserver with the wildcard domain entry is only used when no other virtual webserver with a more specific domain name is configured. Example: A client request to a.b.c will match a.b.c before *.b.c before *.c.
Real Webservers: Create a new real webserver or select the checkbox in front of
the webserver you want to apply the firewall profile to. If you have mirroring web
servers you can also select more than one webserver. By default, traffic will be
load-balanced between the selected webservers. The implemented request count
ing algorithm automatically assigns each new request to the webserver with the
lowest number of active requests at present. On the Site Path Routing tab you
can specify detailed balancing rules.
Firewall profile: Select a firewall profile from the drop-down list. This profile is
applied to protect the selected webservers. You can also select No Profile to not
use any firewall profile.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Disable compression support (optional): By default, this checkbox is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, in case of websites being displayed incorrectly or when users experience content-encoding errors accessing your webservers, it can be necessary to disable compression support. When the checkbox is enabled, the WAF will request uncompressed data from the real webservers of this virtual webserver and will send it on uncompressed to the client, independent of the HTTP request's Accept-Encoding header.
Rewrite HTML (optional): Select this option to have the UTM rewrite links of the
returned webpages in order for the links to stay valid. Example: One of your real
webserver instances has the hostname yourcompany.local but the virtual web
server's hostname on the UTM is yourcompany.com. Thus, absolute links like <a
href="http://yourcompany.local/"> will be broken if the link is not rewritten
to <a href="http://yourcompany.com/"> before delivery to the client.
However, you do not need to enable this option if either yourcompany.com is con
figured on your webserver or if internal links on your webpages are always real
ized as relative links. It is recommended to use the option with Microsoft's
Outlook Web Access and/or Sharepoint Portal Server.
Note – It is likely that some links cannot be rewritten correctly and are there
fore rendered invalid. Ask your website author(s) to format links consistently.
Apart from URL rewriting, the HTML rewriting feature also fixes malformed HTML, for example:
- <title> tags are moved in the DOM tree from node html > title to the correct html > head > title
- Quotes around HTML attribute values are fixed (e.g., name="value becomes name="value")
Note – HTML rewriting affects all files with a HTTP content type of text/* or
*xml*, where * is a wildcard. Make sure that other file types, e.g. binary files,
have the correct HTTP content type, otherwise they may get corrupted by the
HTML rewriting feature.
Cross Reference – Please see the libxml documentation for further information
(http://xmlsoft.org/html/libxml-HTMLparser.html).
Rewrite cookie (optional, only visible if Rewrite HTML is enabled): Select this
option to have the UTM rewrite cookies of the returned webpages.
Note – If Rewrite HTML is disabled the Rewrite cookie option will be also dis
abled.
Pass host header (optional): When you select this option, the host header as
requested by the client will be preserved and forwarded along with the web
request to the webserver. Whether passing the host header is necessary in your
environment however depends on the configuration of your webserver.
4. Click Save.
The server is added to the Virtual Webservers list.
5. Enable the virtual webserver.
The new virtual webserver is disabled by default (toggle switch is gray). Click the
toggle switch to enable the virtual webserver.
The virtual webserver is now enabled (toggle switch is green).
Note – The virtual webserver cannot be enabled if the corresponding interface
is disabled. The interface can be enabled on Interfaces & Routing > Interfaces
> Interfaces.
The Virtual Webservers list displays a status icon for each real webserver assigned to a
virtual webserver. The status icon of a real webserver is red when the real webserver
has not been enabled. It is amber when the real webserver is down or unavailable and
green if everything is working.
16.1.2 Real Webservers
On the Web Application Firewall > Real Webservers tab you can add the webservers that
are to be protected by the WAF.
To add a webserver, do the following:
1. Click the New Real Webserver button.
The Add Real Webserver dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the webserver.
Host: Add or select a host, which can either be of the type Host or DNS Host. We highly recommend using a DNS host here, because for hosts defined by their IP address the WAF transmits an empty Host header to the real webserver, which leads to problems with some webservers. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Type: Determine whether you want the communication between the UTM and the
webserver to be Encrypted (HTTPS) or Plaintext (HTTP).
Port: Enter a port number for the communication between the UTM and the web
server. Default is port 80 with Plaintext (HTTP) and port 443 with Encrypted
(HTTPS).
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Enable HTTP keepalive: By default, the WAF uses HTTP keepalive, i.e., HTTP per
sistent connections, which helps to reduce CPU and memory usage. In rare cases
where the real webserver does not support HTTP keepalive properly, this feature
can provoke reading errors or timeouts and should then be disabled for the
affected webserver. When a virtual webserver is assigned at least one real web
server with HTTP keepalive disabled, the feature will automatically be disabled
for all real webservers assigned to this virtual webserver.
Timeout: Enter the connection timeout, i.e., the number of seconds the Web Application Firewall waits for data sent by or to the real webserver. Values between 1 and 65535 seconds are allowed. The connection stays open as long as the real webserver keeps sending data before the timeout expires. When it expires, the WAF answers the client with an HTTP 502 error. The default timeout is 300 seconds.
Disable backend connection pooling: If enabled, WAF will create a new con
nection to the backend server every time it is used, instead of reusing an old con
nection from the connection pool. This option is disabled by default. Only use it if
you face connection problems because this may decrease system performance.
4. Click Save.
The server is added to the Real Webservers list.
The webservers present can now be assigned firewall profiles on the Virtual Web
servers tab.
16.1.3 Site Path Routing
On the Web Application Firewall > Site Path Routing tab you can define to which real
webservers incoming requests are forwarded. You can for example define that all URLs
with a specific path, e.g., /products/, are sent to a specific webserver. On the other
hand you can allow more than one webserver for a specific request but add rules how
to distribute the requests among the servers. You can for example define that each ses
sion is bound to one webserver throughout its lifetime (sticky session). This may for
example be necessary if you host an online shop and want to make sure that a user
sticks to one server during his shopping session. You can also configure to send all
requests to one webserver and use the others only as a backup.
For each virtual webserver, one default site path route (with path /) is created auto
matically. The UTM automatically applies the site path routes in the most reasonable
way: starting with the strictest, i.e., longest paths and ending with the default path
route which is only used if no other more specific site path route matches the incom
ing request. The order of the site path route list is not relevant. If no route matches an
incoming request, e.g., because the default route was deleted, the request will be
denied.
Note – The Site Path Routing tab can only be accessed after at least one virtual web
server has been created.
To create a site path route, proceed as follows:
1. Click the New Site Path Route button.
The Add Site Path Route dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the site path route.
Virtual webserver: Select the original target host of the incoming traffic.
Path: Enter the path for which you want to create the site path route, e.g.,
/products/.
Reverse authentication: Select the authentication profile with the users or groups
that should have access to this site path route. When no profile is selected, no
authentication is required.
Caution – Using a reverse authentication profile on a virtual webserver running in Plaintext (HTTP) mode exposes user credentials: if you continue, the Web Application Firewall will exchange user credentials with clients unencrypted.
Caution – An authentication profile with frontend mode Form can only be
deployed once on any one virtual webserver.
Real Webservers: Select the checkboxes in front of the real webservers which
are to be used for the specified path. The order of the selected webservers is
only relevant for the Enable hot-standby mode option. With the sort icons you can
change the order.
Access control: If selected, you can allow or block specific client networks for
the Virtual webserver. Clients only get access when their IPs are listed in the
Allowed networks list. IPs in the Denied networks list will be blocked. If both lists
are empty no one will be able to connect to the Virtual webserver. If you want to
block only specific networks, allow Any and select or add Denied networks. If you
want to allow specific networks only, you need to select or add Allowed networks
and leave Denied networks empty.
Note – When a DNS host object is configured for access control, for every HTTP request a DNS reverse lookup is made for the client IP address. If the reverse lookup succeeds, the resulting hostname is compared to the hostname of the configured DNS host object and a decision can be made whether the HTTP request is allowed or denied for that DNS host object. Keep in mind that the reverse (PTR) record of an address is controlled by whoever operates that address range, not by you, and that the lookup adds latency to every request; prefer network or IP-based entries where possible.
Allowed networks: Select or add the allowed networks that should be able to con
nect to the Virtual webserver.
Denied networks: Select or add the denied networks that should be blocked to
your Virtual webserver.
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Enable sticky session cookie: Select this option to ensure that each session will
be bound to one real webserver. If enabled, a cookie is passed to the user's
browser, which provokes the UTM to route all requests from this browser to the
same real webserver. If the server is not available, the cookie will be updated,
and the session will switch to another webserver.
Enable hot-standby mode: Select this option if you want to send all requests to
the first selected real webserver, and use the other webservers only as a backup.
The backup servers are only used in case the main server fails. As soon as the
main server is back working, the sessions will switch back—unless you selected
the Enable sticky session cookie option.
4. Click Save.
The site path route is added to the Site Path Routing list.
5. Enable the site path route.
The new site path route is disabled by default (toggle switch is gray). Click the
toggle switch to enable the site path route.
The site path route is now enabled (toggle switch is green).
To either edit or delete a site path route, click the corresponding buttons.
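The following Python model, added here and not part of the Sophos documentation or the UTM's implementation, puts the request handling described in 16.1.1 (virtual webserver selection by domain, exact name before wildcard, more specific wildcard before less specific) and in this section (longest site path wins, the default route only as fallback, denial when no route matches, access control lists, hot-standby versus request-counting load balancing, sticky sessions) into one runnable function. Sophos does not publish its routing algorithm; this is a reconstruction of the documented behaviour, and every server name, domain and address in build_example() is constructed for illustration.

```python
from dataclasses import dataclass, field
import ipaddress

@dataclass
class RealWebserver:
    name: str
    up: bool = True             # amber/red status in the Virtual Webservers list
    active_requests: int = 0    # used by the request-counting load balancer

@dataclass
class SitePathRoute:
    path: str                   # "/" is the default route created for every virtual webserver
    servers: list               # RealWebserver objects; order matters only for hot-standby
    hot_standby: bool = False
    access_control: bool = False
    allowed: list = field(default_factory=list)   # network strings or "Any"
    denied: list = field(default_factory=list)

@dataclass
class VirtualWebserver:
    name: str
    domains: list               # FQDNs, optionally with a leading "*." wildcard
    routes: list

def domain_specificity(pattern, host):
    """Sort key for domain matching, or None if pattern does not cover host.
    An exact name beats any wildcard and a longer wildcard suffix beats a
    shorter one, so a.b.c matches a.b.c before *.b.c before *.c."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                          # "*.b.c" -> ".b.c"
        if host.endswith(suffix) and len(host) > len(suffix):
            return (1, len(suffix))
        return None
    return (2, len(host)) if host == pattern else None

def select_virtual_webserver(vhosts, host):
    best, best_key = None, None
    for vhost in vhosts:
        for pattern in vhost.domains:
            key = domain_specificity(pattern, host)
            if key is not None and (best_key is None or key > best_key):
                best, best_key = vhost, key
    return best

def select_route(vhost, path):
    """Longest matching path wins; "/" only applies when nothing more specific
    matches. No match at all (default route deleted) means the request is denied."""
    candidates = [r for r in vhost.routes if path.startswith(r.path)]
    return max(candidates, key=lambda r: len(r.path)) if candidates else None

def client_allowed(route, client_ip):
    """Denied list wins; otherwise the client must be covered by the allowed
    list (or "Any"). Both lists empty means nobody gets in."""
    if not route.access_control:
        return True
    ip = ipaddress.ip_address(client_ip)
    def listed(nets):
        return any(n == "Any" or ip in ipaddress.ip_network(n) for n in nets)
    return not listed(route.denied) and listed(route.allowed)

def select_backend(route, sticky=None):
    available = [s for s in route.servers if s.up]
    if not available:
        return None
    if sticky is not None and sticky.up and sticky in route.servers:
        return sticky                   # sticky session cookie: stay on the bound server
    if route.hot_standby:
        return available[0]             # first selected server; the rest are backup only
    return min(available, key=lambda s: s.active_requests)   # request counting

def route_request(vhosts, host, path, client_ip, sticky=None):
    vhost = select_virtual_webserver(vhosts, host)
    if vhost is None:
        return ("denied", "no virtual webserver for " + host)
    route = select_route(vhost, path)
    if route is None:
        return ("denied", "no site path route for " + path)
    if not client_allowed(route, client_ip):
        return ("denied", "access control on " + route.path)
    server = select_backend(route, sticky)
    if server is None:
        return ("unavailable", "all real webservers for " + route.path + " are down")
    server.active_requests += 1
    return ("ok", server.name)

def build_example():
    """Constructed topology; all names and addresses are illustrative."""
    web1 = RealWebserver("web1", active_requests=3)
    web2 = RealWebserver("web2", active_requests=1)
    web3, web4 = RealWebserver("web3"), RealWebserver("web4")
    shop = VirtualWebserver("shop", ["shop.example.com"], [
        SitePathRoute("/", [web1, web2]),
        SitePathRoute("/products/", [web3, web4], hot_standby=True, access_control=True,
                      allowed=["Any"], denied=["203.0.113.0/24"]),
        SitePathRoute("/admin/", [web1], access_control=True, allowed=["192.0.2.0/24"]),
    ])
    fallback = VirtualWebserver("fallback", ["*.example.com"], [SitePathRoute("/", [web2])])
    broken = VirtualWebserver("broken", ["*.com"], [])   # default route deleted
    return [shop, fallback, broken], {s.name: s for s in (web1, web2, web3, web4)}
```

The sticky session cookie is modelled by passing the bound server as `sticky`; when that server is down the request falls through to the normal selection, which is the switch-over the text describes. The "broken" virtual webserver shows the consequence of deleting the default route: every request to it is denied.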
16.1.4 Request Redirection
On the Web Application Firewall > Request Redirection tab you can define to which URL
incoming requests are redirected. This allows you to have websites with multiple
domain names, shorten URLs and prevent broken links after a website was moved. For
example, if your company changes the name and has a new URL, visitors can reach the
new website via the old URL which gets redirected.
Note – The Request Redirection tab can only be accessed after at least one virtual
webserver has been created.
To create a request redirection, proceed as follows:
1. Click the New Request Redirection button.
The Add Request Redirection dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the request redirection.
Virtual webserver: Select the original target host of the incoming traffic.
Path: Enter the path for which you want to create the request redirection, e.g.,
/home.
Host: Enter the URL where the path should lead to, e.g., www.sophos.com.
Protocol: Select if the connection to the host should be established using Plain
text (HTTP) or Encrypted (HTTPS).
Port: Enter a port number where the host can be reached from outside your net
work. Default is port 80 with Plaintext (HTTP) and port 443 with Encrypted
(HTTPS).
Response Code: Select the response code for the request redirection. Every HTTP or HTTPS request needs a response code. The UTM offers the following options:
- Moved Permanently (301): This and all future requests should be directed to the given URL.
- Found (302): The requested resource resides temporarily under a different URL.
- See Other (303): The client should retrieve the resource from another URL using the GET method.
- Temporary Redirect (307): The request should be repeated with another URL, using the same method. Future requests should still use the original URL.
- Permanent Redirect (308): The request and all future requests should be repeated using another URL, with the same method.
Note – For more information about response codes, please visit the HTTP Status Codes website.
Comment (optional): Add a description or other information.
3. Click Save.
The request redirection is added to the Request Redirection list.
4. Enable the request redirection.
The new request redirection is disabled by default (toggle switch is gray). Click
the toggle switch to enable the request redirection.
The request redirection is now enabled (toggle switch is green).
To either edit or delete a request redirection, click the corresponding buttons.
16.1.5 Advanced
On the Web Application Firewall > Advanced tab you can activate SlowHTTP protection
and define the keys used for cookie signing and URL hardening.
16.1.5.1 SlowHTTP Protection
Here you can enable SlowHTTP protection and set a timeout for request headers. You can determine the minimum and maximum time limit for receiving the request headers and extend the minimum timeout according to the data volume received. Example: the soft limit allows at least 10 seconds to receive the request headers, the extension rate is 500, and the hard limit is set to 30. For every 500 bytes the client sends, the soft limit is extended by 1 second, but never beyond the hard limit: after 30 seconds at the latest, a client that has not completed its request headers is disconnected. Adjust the values to your scenario.
Use timeout for request headers: If enabled, the SlowHTTP Protection is activated.
Soft limit: Enter the minimum amount of time (in seconds) to receive the request header.
Hard limit: Enter the maximum amount of time (in seconds) to receive the request header.
Extension rate: Enter the amount of data (in bytes) that extends the timeout by one second.
Skipped Networks/Hosts: Select or add networks or hosts that should not be affected by SlowHTTP Protection.
Proxy Protocol
If enabled, the Proxy Protocol is supported. The Proxy Protocol carries connection information, in particular the original client address, from the proxy or load balancer that accepted a connection to the destination for which the connection was requested.
Because the WAF trusts the address information it receives this way, you need to ensure that there is a trusted source of Proxy Protocol information in front of the WAF and that all traffic passes through that source. With the option enabled, the WAF must not be reachable directly from the Internet, since a client connecting directly could otherwise supply a forged client address. This must be ensured within your network topology.
Session Storage
Here you can enter a limit for user sessions on Web Application Firewall. If the limit is
reached, once a day the UTM closes sessions to create capacity. The default value is
25000 sessions.
Cookie Signing
Here you can enter a custom secret that is used as signing key for cookie signing.
Static URL Hardening
Here you can enter a custom secret that is used as signing key for URL hardening.
Form Hardening
Here you can enter a custom secret that is used as encryption key for the form harden
ing token. The secret must consist of at least eight characters.
16.2 Firewall Profiles
This chapter describes how to create WAF profiles that define the modes and levels of
protection for your webservers. Firewall profiles give you different filtering and scan
ning options to optimize the level of protection for your webservers. Exceptions allow
you to exempt web requests or source networks from certain checks for specified vir
tual webservers.
16.2.1 Firewall Profiles
On the Firewall Profiles tab you can create WAF profiles that define the modes and
levels of protection for your webservers.
To create a WAF profile, do the following:
1. Click the New Firewall Profile button.
The Add Firewall Profile dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the profile.
Mode: Select a mode from the drop-down list:
l
Monitor: HTTP requests are monitored and logged.
l
Reject: HTTP requests are rejected.
The selected mode is applied when an HTTP request meets any one of the con
ditions selected below.
3. Make the following Hardening & Signing settings:
Static URL hardening: Protects against URL manipulation. For that, when a client requests a website, all static URLs in the returned pages are signed. The signing uses a procedure similar to cookie signing. Additionally, the response from the webserver is analyzed with regard to which links can validly be requested next.
URLs with static hardening can furthermore be bookmarked and visited later.
Select one of the following methods to define entry URLs:
- Entry URLs specified manually: Enter URLs that serve as entry URLs of a website and therefore do not need to be signed. They need to comply with the syntax of the following examples: http://shop.example.com/products/, https://shop.example.com/products/ or /products/.
- Entry URLs from uploaded Google sitemap file: You can upload a sitemap file here which contains information on your website structure. Sitemap files can be uploaded in XML or in plain text format, the latter simply containing a list of URLs. As soon as the profile is saved, the sitemap file is parsed by the WAF.
- Entry URLs from Google sitemap URL: You can have the UTM download a sitemap file from a defined URL which contains information on your website structure. This file can be checked for updates at a regular interval. As soon as the profile is saved, the sitemap file is downloaded and parsed by the WAF.
  URL: Enter the path to the sitemap as absolute URL.
  Update: Select an update interval from this drop-down list. When you select Manual the sitemap is only updated when you save this profile anew.
Note – When using Reverse Authentication with frontend mode Form on a designated path, it is not necessary to specify entry URLs for the login form and for this path. How to configure the path is described on the Webserver Protection > Web Application Firewall > Site Path Routing page.
Note – Static URL hardening affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the URL hardening feature. URLs that are generated dynamically on the client, for example by JavaScript, cannot be signed by the WAF.
Form hardening: Protects against web form manipulation. Form hardening saves the original structure of a web form and signs it. Therefore, if the structure of a form has changed, the WAF rejects the request when it is submitted.
Note – Form hardening affects all files with an HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the form hardening feature.
Cookie signing: Protects a webserver against manipulated cookies. When the webserver sets a cookie, a second cookie is added containing a hash built of the primary cookie's name, its value and a secret known only to the WAF. Thus, if a request cannot present a matching cookie pair, some sort of manipulation has occurred and the cookie is dropped.
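The three signing features above (static URL hardening, form hardening and cookie signing) rest on the same idea: the WAF tags what it hands out with a keyed hash over a secret only it knows, and later refuses what does not carry a matching tag. The following Python example, added here and not part of the Sophos documentation or of the UTM's implementation, demonstrates that idea for all three. It uses HMAC-SHA256 as the keyed hash (the page only says "a hash built of the cookie's name, its value and a secret"); the cookie name suffix _sig, the sig query parameter and the _form_token field name are assumptions of this example, and the secret and all inputs are constructed.

```python
import hashlib
import hmac
import re


def mac(secret, *parts):
    """Keyed hash (HMAC-SHA256) over length-prefixed parts, so that the parts
    ("ab", "c") and ("a", "bc") can never produce the same tag."""
    h = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        data = part.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def _eq(tag, expected):
    """Constant-time comparison that tolerates arbitrary client-supplied strings."""
    return hmac.compare_digest(str(tag).encode(), expected.encode())


# --- Cookie signing: a companion cookie carries the tag over name and value ---
def sign_cookies(secret, cookies):
    """On the response: for each cookie the webserver sets, add a second cookie
    (named <name>_sig here, an assumed naming) holding the tag."""
    signed = dict(cookies)
    for name, value in cookies.items():
        signed[name + "_sig"] = mac(secret, "cookie", name, value)
    return signed


def verify_cookies(secret, cookies):
    """On the request: keep only cookies whose companion tag verifies; a cookie
    without a valid pair has been manipulated and is dropped."""
    kept = {}
    for name, value in cookies.items():
        if name.endswith("_sig"):
            continue
        if _eq(cookies.get(name + "_sig", ""), mac(secret, "cookie", name, value)):
            kept[name] = value
    return kept


# --- Static URL hardening: links handed out in responses are signed ---
def sign_url(secret, url):
    sep = "&" if "?" in url else "?"
    return url + sep + "sig=" + mac(secret, "url", url)


def harden_links(secret, body):
    """Rewrite every href in a text/html response to its signed form."""
    return re.sub(r'href="([^"]+)"',
                  lambda m: 'href="%s"' % sign_url(secret, m.group(1)), body)


def verify_url(secret, request_url, entry_urls):
    """Accept an entry URL as-is; anything else must carry a tag that matches
    the rest of the URL, which rules out edited paths or query strings."""
    if request_url in entry_urls:
        return True
    m = re.fullmatch(r"(.*)[?&]sig=([0-9a-f]{64})", request_url)
    return bool(m) and _eq(m.group(2), mac(secret, "url", m.group(1)))


# --- Form hardening: the form's structure is signed when it is delivered ---
TOKEN_FIELD = "_form_token"   # assumed name of the hidden field added to the form


def harden_form(secret, action, field_names):
    """Tag over the form's action and the set of field names as delivered."""
    return mac(secret, "form", action, ",".join(sorted(field_names)))


def verify_form(secret, action, submitted):
    """Reject a submission whose set of fields differs from the delivered form
    (added, removed or renamed fields) or that carries no token at all."""
    token = submitted.get(TOKEN_FIELD)
    if token is None:
        return False
    names = [n for n in submitted if n != TOKEN_FIELD]
    return _eq(token, harden_form(secret, action, names))
```

Because the tag is deterministic, a signed URL stays valid and can be bookmarked, as the text notes; conversely, changing a secret on the Advanced tab invalidates every outstanding signed URL, form token and cookie pair at once, so rotate them at a quiet time.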
4. Make the following Filtering settings:
Block clients with bad reputation: Based on GeoIP and RBL information you can block clients which have a bad reputation according to their classification. Sophos uses the following classification providers:
RBL sources:
- Commtouch IP Reputation (ctipd.org)
- http.dnsbl.sorbs.net
The GeoIP source is Maxmind. The WAF blocks clients that belong to one of the following Maxmind categories:
- A1: Anonymous proxies or VPN services used by clients to hide their IP address or their original geographical location.
- A2: Satellite providers are ISPs that use satellites to provide Internet access to users all over the world, often from high risk countries.
Skip remote lookups for clients with bad reputation: As reputation lookups
include sending requests to remote classification providers, using repu
tation-based blocking may slow down your system. Select this checkbox to
only use GeoIP-based classification which uses cached information and is
therefore much faster.
Common Threats filter: If enabled, you can protect your webservers from several
threats. You can specify the threat filter categories you want to use in the Threat
Filter Categories section below. All requests will be checked against the rule sets
of the selected categories. Depending on the results, a notice or a warning will be
shown in the live log or the request will be blocked directly.
Rigid filtering: If enabled, several of the selected rules will be tightened.
This may lead to false positives.
Skip Filter Rules: Some of the selected threat categories may contain rules
that lead to false positives. To avoid false positives induced by a specific
rule, add the rule number that you want to skip to this box. WAF rule num
bers can for example be retrieved on the Logging & Reporting > Webserver
Protection > Details page, via the Top rules filter. There are basic rules for
WAF, so called infrastructure rules. Infrastructure rules affect rules which
are built upon these rules.
Caution – Do not disable required infrastructure rules because this could
affect other rules and lead to security issues. For detailed information on
infrastructure rules, see the Sophos Knowledgebase.
5. Optionally, select the following threat filter categories (only available when Common Threats filter is enabled):
Protocol violations: Enforces adherence to the RFC standard specification of the
HTTP protocol. Violating these standards usually indicates malicious intent.
Protocol anomalies: Searches for common usage patterns. Lack of such patterns
often indicates malicious requests. These patterns include, among other things,
HTTP headers like 'Host' and 'User-Agent'.
Request limits: Enforces reasonable limits on the amount and ranges of request
arguments. Overloading request arguments is a typical attack vector.
HTTP policy: Narrows down the allowed usage of the HTTP protocol. Web browsers typically use only a limited subset of all possible HTTP options. Disallowing the rarely used options protects against attackers aiming at these often less well supported options.
Bad robots: Checks for usage patterns characteristic of bots and crawlers. By
denying them access, possible vulnerabilities on your webservers are less likely
to be discovered.
Generic attacks: Searches for attempted command executions common to most
attacks. After having breached a webserver, an attacker usually tries to execute
commands on the server like expanding privileges or manipulating data stores.
By searching for these post-breach execution attempts, attacks can be detected
that might otherwise have gone unnoticed, for example because they targeted a
vulnerable service by the means of legitimate access.
SQL injection attacks: Checks for embedded SQL commands and escape characters in request arguments. Most attacks on webservers target input fields that can be used to direct embedded SQL commands to the database.
(XSS) attacks: Checks for embedded script tags and code in request arguments.
Typical cross-site scripting attacks aim at injecting script code into input fields
on a target webserver, often in a legitimate way.
Tight security: Performs tight security checks on requests, like checking for prohibited path traversal attempts.
Trojans: Checks for usage patterns characteristic of trojans, thus searching for
requests indicating trojan activity. It does not, however, prevent the installation
of such trojans as this is covered by the antivirus scanners.
Outbound: Prevents webservers from leaking information to the client. This
includes, among other things, error messages sent by servers which attackers
can use to gather sensitive information or detect specific vulnerabilities.
Comment (optional): Add a description or other information.
6. Make the following Scanning settings:
Enable antivirus scanning: Select this option to protect a webserver against viruses.
Mode: Sophos UTM features several antivirus engines for highest possible security.
• Single scan: Default setting; provides maximum performance using the engine defined on the System Settings > Scan Settings tab.
• Dual scan: Provides maximum recognition rate by scanning the respective traffic twice using different virus scanners. Note that dual scan is not available with BasicGuard subscription.
Direction: Select from the drop-down list whether to scan only uploads, only downloads, or both.
Block unscannable content: Enable this option to block files that cannot be scanned. The reason for this may be, among other things, that files are encrypted or corrupted.
Block uploads by MIME type: Select this option to scan uploads and block those whose MIME type (RFC 2045, RFC 2046) is listed below.
Blocked MIME Types: Enter the MIME types you want to block for uploading files.
Scan timeout: Enter the timeout limit for antivirus and MIME type scanning. After the timeout the file will be blocked. Default is 90 seconds.
Limit scan size: Enable this option to enter the scan size limit for antivirus and MIME type scanning. Provide the limitation in megabytes.
Note – Please note that the scan size limit refers to an upload, not to single files. This means, if you set for example a limit of 50 MB and upload multiple files (45 MB, 5 MB and 10 MB), the last file will not be scanned and a virus might not be detected due to the limitation.
Note – If you do not enter a limitation value, limitation will be saved with '0' megabytes which means the limitation is not active.
7. Make the following Application Customization settings:
Pass Outlook Anywhere: Allows external Microsoft Outlook clients to access the
Microsoft Exchange Server via the WAF. Microsoft Outlook traffic will not be
checked or protected by the WAF.
8. Click Save.
The WAF profile is added to the Firewall Profiles list.
Additional Information on Static URL Hardening and Form Hardening
It is best practice to always enable both URL hardening and form hardening because the two functions are complementary, especially in the way that they prevent issues you may have when enabling just one of them:
• Only form hardening is activated: When a webpage contains hyperlinks with appended queries (which is the case with certain CMSs), e.g. http://example.com/?view=article&id=1, such page requests are blocked by form hardening because it expects a signature which is missing.
• Only URL hardening is activated: When a web browser appends form data to the action URL of the form tag of a web form (which is the case with GET requests), the form data becomes part of the request URL sent to the webserver, thereby rendering the URL signature invalid.
The reason why activating both functions solves those issues is that if either form hardening or URL hardening finds that a request is valid, the WAF accepts the request.
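As an added example (not Sophos code, and not the WAF's actual signature format, which this guide does not describe), the following Python models both hardening checks as HMAC-SHA256 signatures and plays through the two single-feature failure modes listed above plus a tampered link. The key and the parameter names _url_sig and _form_sig are constructed, and entry URLs, which the WAF exempts from URL hardening, are not modelled.

```python
"""Why URL hardening and form hardening belong together: a small model.

Illustrative only: both signatures are HMAC-SHA256 over a constructed key and
travel in hypothetical parameters; the real WAF's scheme is not documented here.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

KEY = b"constructed-demo-key"   # constructed; the WAF keeps its own secret
URL_SIG = "_url_sig"            # hypothetical parameter carrying the URL signature
FORM_SIG = "_form_sig"          # hypothetical hidden field carrying the form signature
TAGS = (URL_SIG, FORM_SIG)


def _mac(data: str) -> str:
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()


def harden_url(url: str) -> str:
    """URL hardening: sign path + query of a link the WAF hands to the client."""
    p = urlsplit(url)
    query = parse_qsl(p.query, keep_blank_values=True)
    query.append((URL_SIG, _mac(p.path + "?" + urlencode(query))))
    return urlunsplit(p._replace(query=urlencode(query)))


def url_signature_valid(url: str) -> bool:
    """The whole query (minus the tag) must be exactly what was signed."""
    p = urlsplit(url)
    query = parse_qsl(p.query, keep_blank_values=True)
    sig = dict(query).get(URL_SIG)
    if sig is None:
        return False
    rest = [(k, v) for k, v in query if k != URL_SIG]
    return hmac.compare_digest(sig, _mac(p.path + "?" + urlencode(rest)))


def harden_form(action_path: str, field_names: list) -> dict:
    """Form hardening: sign action + field names; delivered as a hidden field."""
    return {FORM_SIG: _mac(action_path + "|" + ",".join(sorted(field_names)))}


def form_signature_valid(action_path: str, submitted: dict) -> bool:
    """Submitted field set must match the signed form; no fields means nothing to check."""
    names = sorted(k for k in submitted if k not in TAGS)
    if not names:
        return True
    sig = submitted.get(FORM_SIG)
    if sig is None:
        return False
    return hmac.compare_digest(sig, _mac(action_path + "|" + ",".join(names)))


def browser_submit_get(action_url: str, fields: dict) -> str:
    """GET submission: the browser replaces the action URL's query with the form data."""
    p = urlsplit(action_url)
    return urlunsplit(p._replace(query=urlencode(fields)))


def waf_accepts(request_url: str, url_hardening: bool, form_hardening: bool) -> bool:
    """Accept when any enabled check validates the request (parameters are in the URL)."""
    if not (url_hardening or form_hardening):
        return True
    p = urlsplit(request_url)
    submitted = dict(parse_qsl(p.query, keep_blank_values=True))
    checks = []
    if url_hardening:
        checks.append(url_signature_valid(request_url))
    if form_hardening:
        checks.append(form_signature_valid(p.path, submitted))
    return any(checks)


def demo() -> dict:
    """The two failure modes from the text plus a tampered link; {case: accepted}."""
    cms_link = "http://example.com/?view=article&id=1"        # CMS link with a query
    hidden = harden_form("/search", ["q"])                      # hidden field of a GET form
    get_submit = browser_submit_get(harden_url("http://example.com/search"),
                                    {"q": "utm", **hidden})
    tampered = harden_url(cms_link).replace("id=1", "id=2")    # signed link, value changed
    return {
        "cms_link/form_only": waf_accepts(cms_link, False, True),
        "cms_link/both": waf_accepts(harden_url(cms_link), True, True),
        "get_form/url_only": waf_accepts(get_submit, True, False),
        "get_form/both": waf_accepts(get_submit, True, True),
        "tampered/both": waf_accepts(tampered, True, True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20} -> {'accepted' if ok else 'blocked'}")
```

With both checks on, each legitimate case is accepted by the check that still fits it, while a link whose signed parameter was altered is still blocked because neither check validates it.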
Outlook Web Access
The configuration of the WAF for Outlook Web Access (OWA) is a bit tricky since OWA
handles requests from a public IP differently than internal requests from an internal
LAN IP to the OWA website. There are redirects attached in the URLs of OWA, where for
external access the external FQDN is used, whereas for internal requests the internal
server's IP address is used.
The solution is to set the OWA directory as Entry URL in the WAF profile of your OWA webserver (e.g. http://webserver/owa/). Additionally, you need to create an exception which skips URL hardening for the paths /owa/* and /OWA/*, and to disable cookie signing completely for the virtual webserver.
To display the notifications, you need to make the following settings:
Create a second exception which skips Antivirus checks and skips all categories for the path /owa/ev.owa*, and activate the advanced function Never change HTML during Static URL Hardening or Form Hardening.
16.2.2 Exceptions
On the Firewall Profiles > Exceptions tab you can define web requests or source networks that are to be exempt from certain checks.
1. On the Exceptions tab, click New Exception List.
The Add Exception List dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the exception.
Skip these checks: Select the security check(s) that should be skipped. See Firewall Profiles for descriptions.
Skip these categories: Select the threat filter categories that should be skipped. See Firewall Profiles for descriptions.
Virtual Webservers: Select the virtual webservers that are to be exempt from the
selected check(s).
For all requests: Select a request definition from the drop-down list. Note that
you can logically combine two request definitions by either AND or OR.
Networks: Add or select the source networks where the client request comes from and which are to be exempt from the selected check(s). How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
Paths: Add the paths that are to be exempt from the selected check(s). You can either enter a complete path (e.g., /products/machines/images/machine1.jpg) or use asterisks as wildcards (e.g., /products/*/images/*).
Comment (optional): Add a description or other information.
3. Optionally, make the following advanced settings:
Never change HTML during static URL hardening or form hardening: If selected, no
data matching the defined exception settings will be modified by the WAF engine.
With this option, e.g., binary data wrongly supplied with a text/html content type
by the real webserver will not be corrupted. On the other hand, web requests may
be blocked due to activated URL hardening, HTML rewriting, or form hardening.
Those three features use an HTML parser and therefore to some extent depend on
the modification of webpage content. To prevent undesired blocking, skip URL
hardening and/or form hardening for requests affected by blocking; you might
need to do this in another/new exception to reflect dependencies between web
servers and/or webpages.
Accept unhardened form data: Even with an exception for Form Hardening in place, form data may still be rejected if the Form Hardening signature is missing. With this option, unhardened form data is accepted anyway.
4. Click Save.
The new exception appears on the Exceptions list.
5. Enable the exception.
The new exception is disabled by default (toggle switch is gray). Click the toggle
switch to enable the exception.
The exception is now enabled (toggle switch is green).
To either edit or delete an exception, click the corresponding buttons.
16.3 Reverse Authentication
On the Webserver Protection > Reverse Authentication pages, you can define how to use the Web Application Firewall to authenticate users directly instead of leaving the authentication to the real webservers. Via authentication profiles, the reverse authentication can be used to assign specific authentication settings to each site path route.
An authentication profile is basically defined by two authentication modes: the authentication mode used between the user and the WAF and the authentication mode used between the WAF and the real webservers. Thus, even if a real webserver does not support authentication, the WAF can enforce authentication of the users. On the other hand, reverse authentication ensures that a user only has to authenticate once, even if more than one real webserver is assigned to the respective virtual webserver.
Using forms for user authentication, you can specify company-specific form templates.
16.3.1 Profiles
On the Webserver Protection > Reverse Authentication > Profiles tab, you specify authentication profiles for the web application firewall. With profiles you can assign different authentication settings to different users or user groups. After specifying the authentication profiles, you can assign them to site path routes on the Web Application Firewall > Site Path Routing tab.
To add an authentication profile, do the following:
1. On the Profiles tab, click New Authentication Profile.
The Add Authentication Profile dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for the profile.
Virtual Webserver: Here you can configure the profile settings for the virtual webserver.
Mode: Select how the users should authenticate at the Web Application Firewall.
Basic: Users authenticate with HTTP basic authentication, entering username and password. As the credentials are sent unencrypted with this mode, it should be used over HTTPS. With this mode, no session cookies will be generated and a dedicated logout is not possible.
Form: Users will be presented a form where they have to enter their credentials. With this mode, session cookies will be generated and a dedicated logout is possible. The form template to be used can be selected in the Form template drop-down list. Besides the default form template, the list shows the forms that have been defined on the Form Templates tab.
Form template: Select the form template that will be presented to the users for authentication. Form templates are defined on the Form Templates tab.
Basic prompt: The realm is a unique string that provides additional information on the login page and is used for user orientation.
Note – These characters are allowed for the Basic prompt: A-Z a-z 0-9 , ; . : - _ ' + =)(&%$!^<>|@
Users/Groups: Select the users or user groups or add new users or user groups that should be assigned to this authentication profile. After assigning this profile to a site path route, these users will have access to the site path with the authentication settings defined in this profile. Typically, this would be a backend user group. How to add a user is explained on the Definitions & Users > Users & Groups > Users page. How to add a user group is explained on the Definitions & Users > Users & Groups > Groups page.
Note – Sometimes users should be required to use the User Principal Name notation 'user@domain' when entering their credentials, for example when using Exchange servers in combination with Active Directory servers. How to use User Principal Name notation is explained on the Definitions & Users > Authentication Services > Servers > Active Directory page.
Real Webserver: Here you can configure the profile settings for the real webserver.
Mode: Select how the Web Application Firewall authenticates against the real webservers. The mode has to match the real webservers' authentication settings.
Basic: Authentication works with HTTP basic authentication, providing username and password.
None: There is no authentication between WAF and the real webservers. Note that even if your real webservers do not support authentication, users will be authenticated via the frontend mode.
Username affix: Select an affix for the username. You can select Prefix, Suffix or both. Affixes are useful when working with domains and email addresses.
Prefix: Enter a Prefix for Username.
Suffix: Enter a Suffix for Username.
Note – The prefix and suffix are added automatically when the user enters a bare username. They are not added if the user already includes them. Example: if the suffix is @testdomain.de and the user enters the username test.user, the suffix will be added. If the user enters test.user@testdomain.de, the suffix will be ignored.
Remove Basic Header: If you select this option the basic header will
not be sent from UTM to the real webserver.
User Session (only for virtual webserver mode Form): Here you can configure the
timeout settings for user sessions.
Session timeout: Select this option to enable a timeout for the user session, which will confirm user credentials by having them log in again if they do not perform any action on the Virtual Webserver.
Limit to: Set an interval for the session timeout.
Session timeout scope: Set the scope to day(s), hour(s) or minute(s).
Session lifetime: Select this option to enable a hard limit for how long users may remain logged in, regardless of activity in the meantime.
Limit to: Set an interval for the session lifetime value.
Session lifetime scope: Set the scope to day(s), hour(s) or minute(s).
Allow persistent sessions: If enabled, WAF authentication uses cookies for
a persistent session. A checkbox is visible for the end user on the login
form to enable persistent session cookies. If the end user enables the
checkbox on the login form, a persistent session cookie is created for the
user upon login. WAF authentication uses session cookies for a short-lived
session if Allow persistent sessions is disabled or the end user does not
enable the checkbox on the login form.
Logout (only for virtual webserver mode Form): Here you can provide a logout
function for the user session.
Mode: Select how the user can logout from the session.
None: The user has no option to logout.
Delegation: The user logs out by requesting one of the predefined URLs, for example /logout. Add the URLs that log the user out.
Comment (optional): Add a description or other information.
3. Click Save.
The new profile appears on the Profiles list.
Caution – When using Reverse Authentication in combination with OTP, the OTP tokens will only be checked once when a user session is set up. Once a session is set up, any subsequent request by the same user will not have their OTP tokens evaluated. This is because malicious users might exploit the OTP configuration by sending an overwhelming amount of requests to authentication protected paths, thereby invoking OTP checks and effectively running a DoS attack on the authentication daemon. Passwords and all other request aspects will still be checked to match the configuration.
To either edit or delete a profile, click the corresponding buttons.
Cross Reference – Find information about configuring Reverse Authentication and differences between the versions in the Sophos Knowledgebase.
Reverse Authentication: Users/Groups
Sometimes it is necessary for users to use the format user@domain when entering their credentials, e.g. when using an Exchange server in combination with Active Directory servers. In this case there are additional steps to take:
1. From the WebAdmin menu, open the Definitions & Users > Authentication Services > Servers tab.
The Servers tab is displayed.
2. On the Servers tab, click the Clone button of the desired Active Directory server.
A new server will be created.
3. Change the field Backend to LDAP.
4. Change the User attribute field to Custom.
5. In the Custom field enter userPrincipalname.
If not present already, this will set up an LDAP Users group which you will need to use
instead of the Active Directory Users group.
Note – The format domain\user is not supported. Use the format user@domain
instead.
16.3.2 Form Templates
On the Webserver Protection > Reverse Authentication > Form Templates tab, you can
upload HTML forms for Reverse Authentication. A form template can be assigned to an
authentication profile with frontend mode Form. The respective form will be presented
when a user tries to access a site path to which the authentication profile is assigned.
To add a form template, do the following:
1. On the Form Templates tab, click New Form Template.
The Add Form Template dialog box opens up.
2. Make the following settings:
Name: Enter a descriptive name for the form template.
Filename: Click the folder icon to select the HTML template.
Images/Stylesheets: Select and upload the images, stylesheets, or JavaScript
files that are used by the selected form template.
Comment (optional): Add a description or other information.
3. Click Save.
The new form template appears on the Form Templates list.
To either edit or delete a form template, click the corresponding buttons.
Using Variables in Login Form Template
• Required:
A <form> element with its method set to POST and its action set to <?login_path?>, e.g. <form action="<?login_path?>" method="POST"> ... </form>
An <input> element inside the above mentioned form with its name set to httpd_username, e.g. <input name="httpd_username" type="text">
An <input> element inside the above mentioned form with its name set to httpd_password, e.g. <input name="httpd_password" type="password">
Note – It is essential that any form template meets these three conditions so it can be parsed correctly (only <?login_path?> will actually be substituted).
• Optional:
All occurrences of <?assets_path?> will be replaced by the path containing all assets which have been uploaded alongside the form template. This allows for cleaner form templates by placing style sheets, images, etc. outside the actual form template, e.g. <link rel="stylesheet" type="text/css" href="<?assets_path?>/stylesheet.css">
All occurrences of <?company_text?> and <?admin_contact?> will be replaced by the messages defined in Management > Customization, e.g. <p>If you encounter any problems or questions, please contact <b><?admin_contact?></b>.</p>
All occurrences of <?company_logo?> will be replaced by the path leading to the image uploaded in Management > Customization, e.g. <img src="<?company_logo?>" alt="">
As of the 9.2 release, Sophos UTM includes a default form template to ease initial reverse authentication configuration and deployment. This is the form contained in the default form template object:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
  "http://www.w3.org/TR/html4/strict.dtd">
<html>
  <head>
    <link rel="stylesheet" type="text/css"
      href="<?assets_path?>/default_stylesheet.css">
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <title>Login</title>
  </head>
  <body>
    <div id="container">
      <div class="info">
        <img src="<?company_logo?>" alt="">
        <p><?company_text?></p></div>
      <form action="<?login_path?>" method="POST">
        <p><label for="httpd_username">Username:</label>
          <input name="httpd_username" type="text"></p>
        <p><label for="httpd_password">Password:</label>
          <input name="httpd_password" type="password"></p>
        <p style="visibility:<?persistency?>">
          <label for="httpd_persistency">Keep me logged in</label>
          <input name="httpd_persistency" type="checkbox"></p>
        <p><input type="submit" value="Login"></p></form>
      <div class="note">
        If you encounter any problems or questions,
        please contact
        <b><?admin_contact?></b>.</div>
    </div>
  </body>
</html>
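As an added example (not Sophos code), the following Python checks a login form template against the three required conditions listed above and renders the documented <?variable?> placeholders; the sample template and the substituted values are constructed, and the login and asset paths are hypothetical. The <?persistency?> placeholder used by the default template is not in the documented list, so the example treats it as unknown and reports it rather than guessing a value.

```python
"""Validate and render a Reverse Authentication login form template.

Added example, not Sophos code: the rules implemented are the three required
conditions and the variable list from the text; the WAF's own parser is not public.
"""
import re
from html.parser import HTMLParser

REQUIRED_INPUTS = ("httpd_username", "httpd_password")
VARIABLE = re.compile(r"<\?([a-z_]+)\?>")   # matches <?login_path?>, <?assets_path?>, ...


class FormCheck(HTMLParser):
    """Collects every <form> with its method, action and the names of the <input>s inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "GET").upper(),
                             "action": a.get("action") or "",
                             "inputs": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["inputs"].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def validate_template(html: str) -> list:
    """Return the violated conditions; an empty list means all three required conditions hold."""
    parser = FormCheck()
    parser.feed(html)
    parser.close()
    login_forms = [f for f in parser.forms
                   if f["method"] == "POST" and f["action"] == "<?login_path?>"]
    if not login_forms:
        return ['no <form action="<?login_path?>" method="POST"> element']
    return [f'login form lacks <input name="{name}">'
            for name in REQUIRED_INPUTS
            if not any(name in f["inputs"] for f in login_forms)]


def render_template(html: str, values: dict) -> str:
    """Substitute the known <?variable?> placeholders; unknown ones are left in place."""
    return VARIABLE.sub(lambda m: values.get(m.group(1), m.group(0)), html)


def unresolved_variables(html: str, values: dict) -> set:
    """Placeholders with no known value: they would reach the user's browser literally."""
    return {m.group(1) for m in VARIABLE.finditer(html)} - set(values)


# Constructed minimal template, modelled on the default template shown above.
SAMPLE_TEMPLATE = """<html><head>
<link rel="stylesheet" type="text/css" href="<?assets_path?>/style.css">
</head><body>
<img src="<?company_logo?>" alt=""><p><?company_text?></p>
<form action="<?login_path?>" method="POST">
  <input name="httpd_username" type="text">
  <input name="httpd_password" type="password">
  <input type="submit" value="Login">
</form>
<p>Problems? Contact <b><?admin_contact?></b>.</p>
</body></html>"""

# Constructed stand-ins for the values the WAF fills in at request time; paths are hypothetical.
SAMPLE_VALUES = {
    "login_path": "/demo/login",
    "assets_path": "/demo/assets",
    "company_text": "Example Corp staff portal (constructed text)",
    "admin_contact": "helpdesk@example.com",
    "company_logo": "/demo/assets/logo.png",
}


def demo() -> dict:
    """Check the sample, two deliberately broken variants and the rendered output."""
    get_form = SAMPLE_TEMPLATE.replace('method="POST"', 'method="GET"')
    renamed = SAMPLE_TEMPLATE.replace('name="httpd_password"', 'name="passwd"')
    rendered = render_template(SAMPLE_TEMPLATE, SAMPLE_VALUES)
    return {
        "sample": validate_template(SAMPLE_TEMPLATE),
        "get_form": validate_template(get_form),
        "renamed_password": validate_template(renamed),
        "rendered_action": 'action="/demo/login"' in rendered,
        "placeholders_left": unresolved_variables(rendered, {}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18} {result}")
```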
16.4 Certificate Management
Using the Webserver Protection > Certificate Management menu, which contains the same configuration options as the Site-to-site VPN > Certificate Management menu, you can manage all certificate-related operations of Sophos UTM. This includes creating or importing X.509 certificates as well as uploading so-called Certificate Revocation Lists (CRLs), among other things.
16.4.1 Certificates
See Site-to-site VPN > Certificate Management > Certificates.
16.4.2 Certificate Authority
See Site-to-site VPN > Certificate Management > Certificate Authority.
16.4.3 Revocation Lists (CRLs)
See Site-to-site VPN > Certificate Management > Revocation Lists (CRLs).
16.4.4 Advanced
See Site-to-site VPN > Certificate Management > Advanced.
17 RED Management
This chapter describes how to configure Sophos RED. RED is short for Remote Ethernet
Device and is a means to connect remote branch offices and the like to your main
office as if the branch office is part of your local network.
The setup consists of the Sophos UTM in your main office and a Remote Ethernet Device (RED) in your remote office. Establishing a connection between the two is very easy as the RED appliance itself does not need to be configured at all. As soon as the RED appliance is connected to your UTM, it behaves like any other Ethernet device on your UTM. All traffic of your branch office is safely routed via your UTM, which means that your branch office is as secure as your local network.
There are currently four types of RED appliances available:
• RED 10: RED solution for small remote offices
• RED 15: RED solution for small remote offices (successor of RED 10)
• RED 15w: RED solution for small remote offices, including WiFi. RED 15w will be listed as an access point under Wireless Protection > Access Points > Overview. For extensive information on configuration, see chapter RED 15w.
• RED 50: RED solution for bigger remote offices which comes with two uplink interfaces. For extensive information on configuration, see chapter RED 50 Uplink Balancing.
The following topics are included in this chapter:
• Overview
• Global Settings
• Client Management
• Deployment Helper
• Tunnel Management
• RED 15w
• RED 50 Uplink Balancing
Figure 24 RED: Setup Sketch
Setting up a RED environment involves the following steps:
1. Activation of RED support.
2. Configuration of the RED appliance on your UTM.
3. Connecting the RED appliance to the Internet on the remote site.
Note – The overview page of RED displays general information on the RED architecture as long as no RED appliance is configured. When a RED appliance has been configured, the page will display information on the RED status.
17.1 Overview
The page Overview provides general information on what RED is meant for, how it works, and what a typical RED setup looks like.
Cross Reference – For detailed information about RED devices see the Quick Start Guides and Operating Instructions in the Sophos UTM Resource Center. The LED blink codes of the RED 10 and RED 15 appliances are described in the Sophos Knowledgebase. The LCD messages of RED 50 are also described in the Sophos Knowledgebase.
Open RED Live Log
You can use the live log to monitor the connection between your Sophos UTM and the
RED appliance. Click the Open RED Live Log button to open the live log in a new window.
17.2 Global Settings
On the Global Settings tab you can enable or disable the support for RED which means
that your UTM acts as a RED hub. You need to enable the RED support before any RED
appliances can connect to the UTM.
RED Configuration
To enable RED support, do the following:
1. On the Global Settings tab, enable RED.
Click the toggle switch.
The toggle switch turns amber and the RED Configuration area becomes editable.
2. Enter your organization details.
By default, the settings from the Management > System Settings > Organizational tab are used.
3. Click Activate RED.
The toggle switch turns green and RED support is activated. Your UTM is now
registered at the RED Provisioning Service (RPS) of Sophos to act as a RED hub.
You can now continue by adding one or more RED appliances on the Client Management page, or use the wizard on the Deployment Helper page.
To cancel the configuration, click the amber colored toggle switch.
Automatic Device Deauthorization
When RED support is enabled, you can specify if disconnected RED appliances should automatically be deauthorized after a certain time span. With this feature, you can prevent stolen RED appliances from connecting to the UTM.
Note – The Automatic Device Deauthorization does not work for a RED tunnel between two UTMs.
1. Enable automatic deauthorization.
Select the Enable automatic device deauthorization checkbox.
2. Specify a time span after which the RED appliance should be deauthorized.
Enter the desired value into the Deauthorize after text box. The minimum time
span is 5 minutes.
3. Click Apply.
The automatic device deauthorization is now activated.
When a RED appliance reconnects after being disconnected for a time span longer than
the defined time span, it will automatically be disabled. This is indicated by the toggle
switches on the Client Management page. A respective warning will be displayed on the
Overview page as well. To permit a deauthorized RED appliance to connect again, enable
that RED appliance on the Client Management page.
Disable RED
Disabling RED does not delete the REDs. If you disable the RED functionality, the RED devices are deactivated and lose their connection. If you re-enable the RED functionality of the UTM, the REDs are activated again.
To disable RED, click the toggle switch on the Global Settings page and confirm by clicking the Confirm removal of RED configuration button.
17.3 Client Management
On the RED Management > Client Management page you can enable remote UTMs to connect to your UTM using a Remote Ethernet Device (RED) tunnel. The remote UTMs then simply act like RED appliances. Furthermore you can configure RED appliances manually (expert mode) instead of using the deployment helper. The deployment helper is a more convenient way to configure RED appliances and can be found on the next WebAdmin page.
Each RED appliance or UTM that is configured here is able to establish a connection to your UTM.
The [Server] tag in front of the page name indicates that this page only needs configuration if the UTM should act as server (RED hub).
Note – For RED appliances to be able to connect, you need to enable RED support on
the Global Settings page first.
Setting Up a RED Tunnel Between Two UTMs
To enable another UTM to connect to your local UTM using a RED tunnel, do the following:
1. On the Client Management tab, click Add RED.
The Add RED dialog box opens.
2. Make the following settings:
Branch name: Enter a name for the branch where the client UTM is located, e.g.
"Office Munich".
Client type: Select UTM from the drop-down list.
Tunnel ID: By default, Automatic is selected. Tunnels will be numbered consecutively. You need to make sure that the tunnel ID is unique for both UTMs. In this case you might need to select another ID from the drop-down list.
Comment (optional): Add a description or other information.
3. Click Save.
The UTM object is being created.
4. Download the provisioning file.
To provide the remote (client) UTM with the configuration data, download the provisioning file using the Download button and transfer the file to the remote UTM in a secure way.
Configuring a RED Appliance
To enable a RED appliance to connect to your local UTM, do the following:
1. On the Client Management tab, click Add RED.
The Add RED dialog box opens.
2. Make the following settings:
Branch name: Enter a name for the branch where the RED appliance is located,
e.g. "Office Munich".
Client type: Select RED 10 or RED 50 from the drop-down list, depending on the
type of RED appliance you want to connect.
Note – The RED 50 appliance has an LCD display. It can be used to show you
important information about the device. With the Left button you can enter the
menu. Navigate with the Up and Down button and enter with the Right button.
Please see the Operating Instructions for further information.
RED ID: Enter the ID of the RED appliance you are configuring. This ID can be found
on the back of the RED appliance and on its packaging.
Tunnel ID: By default, Automatic is selected. Tunnels will be numbered consecutively. In case you have conflicting IDs, select another ID from the drop-down list.
Unlock code (optional): For the first deployment of a RED appliance, leave this
box empty. In case the RED appliance you are configuring has been deployed
before, you need to provide its unlock code. The unlock code is generated during
the deployment of a RED appliance, and is emailed instantly to the address
provided on the Global Settings tab. This is a security feature, which ensures that
a RED appliance cannot simply be removed and installed elsewhere.
Note – For manual deployment via USB stick and automatic deployment via RED Provisioning Service (see below), two separate unlock codes are generated. If you switch a RED device from one deployment method to the other, make sure to use the corresponding unlock code: For manual deployment, provide the unlock code of the last manual deployment; for automatic deployment, provide the unlock code of the last automatic deployment.
If you are not in the possession of the unlock code, the only way to unlock the RED appliance is to contact the Sophos Support. The Support however can only help you if you deployed the configuration automatically, via the Sophos RED Provisioning Service.
Tip – The unlock code can also be found in the backup file of the UTM the RED
was connected to in case that the backup contains host-specific data.
UTM hostname: You need to enter a public IP address or hostname where the UTM
is accessible.
2nd UTM hostname (only with RED 15, RED 15w and RED 50): You can enter another public IP address or hostname of the same UTM. Note that you cannot enter the IP or hostname of a different UTM.
Use 2nd hostname for (only with RED 15, RED 15w and RED 50, see images below): You can configure what the second hostname should be used for.
- Failover: Select to only use the second hostname in case the first hostname fails.
- Balancing: Select to activate active load balancing between both hostnames. This makes sense if the two uplinks that the first and the second hostname correspond to are equal in latency and throughput.
Uplink mode/2nd uplink mode: You can define how the RED appliance receives an IP address, which can be either via DHCP or by directly assigning a static IP address. For RED 50 appliances you define the uplink mode for each RED uplink Ethernet port separately.
- DHCP client: The RED pulls an IP address from a DHCP server.
- Static address: Enter an IPv4 address, a corresponding netmask, a default gateway and a DNS server.
Note – There is no one-to-one association between UTM hostname and RED uplink Ethernet port. Each RED port will try to connect to each defined UTM hostname.
Use 2nd uplink for (only with RED 50, see images below): You can configure what the second uplink should be used for.
- Failover: Select to only use the second uplink in case the first uplink fails.
- Balancing: Select to activate active load balancing between both uplinks. This makes sense if both uplinks on the RED 50 appliance are equal in latency and throughput.
Operation mode: You can define how the remote network will be integrated into
your local network.
Note – If you use RED 15w as access point it is recommended that you read the chapter RED Management > RED 15w, especially if you are facing any configuration issues.
- Standard/Unified: The UTM completely controls the network traffic of the remote network. Additionally, it serves as DHCP server and as default gateway. All remote network traffic will be routed through the UTM.
- Standard/Split: The UTM completely controls the network traffic of the remote network. Additionally, it serves as DHCP server and as default gateway. In contrast to the Unified mode, only certain traffic will be routed through the UTM. Define local networks in the Split Networks box below which can be accessed by remote clients.
Note – VLAN tagged frames cannot be handled with this operation mode.
- Transparent/Split: The UTM does not control the network traffic of the remote network; it neither serves as DHCP server nor as default gateway. On the contrary, it pulls an IP address from the DHCP server of the remote network to become a part of that network. However, you can enable access for remote clients to your local network. For that you need to define Split Networks that are allowed to be accessed by the remote network. Additionally, you can define one or more Split Domains to be accessible. If your local domains are not publicly resolvable, you need to define a Split DNS Server, which can be queried by remote clients.
Note – VLAN tagged frames cannot be handled with this operation mode.
You can find examples for all the operation modes on the Deployment Helper tab.
3. For RED 50, optionally make the following switch port configuration settings:
LAN port mode: RED 50 offers four LAN ports that can be configured either as
simple switches or for intelligent VLAN usage. When set to Switch, all traffic will
basically be sent to all ports. When set to VLAN, traffic can be filtered according
to the Ethernet frames' VLAN tag, thus allowing to tunnel more than one network
into the RED tunnel.
LAN modes: When using the VLAN switch port configuration, you can configure
each LAN port separately. For each LAN port, the following options are available:
Untagged: Ethernet frames with the VLAN IDs specified in the LAN VID(s)
field below will be sent to this port. The frames are sent without tags, thus
the end devices do not have to support VLAN. This port allows just one
VLAN ID.
Figure 25 LAN mode: Untagged
Untagged, drop tagged: Ethernet frames with the VLAN ID specified in the LAN VID(s) field below will be sent to this port. The frames are sent without tags, thus the end devices do not have to support VLAN. Tagged frames arriving at this port are dropped. This port allows just one VLAN ID.
Figure 26 LAN mode: Untagged, drop tagged
Tagged: Ethernet frames with the VLAN IDs specified in the LAN VID(s) field
below will be sent to this port. The frames are sent with tags, and the end
devices have to support VLAN. Frames without VLAN IDs will not be sent to
this port. This port allows up to 64 different VLAN ID(s) separated by
comma.
Figure 27 LAN mode: Tagged
Disabled: This Port is closed. No frames with or without VLAN IDs specified
in the LAN VID(s) will be sent to this port.
Figure 28 LAN mode: Disabled
Note – The LAN modes have different names in the Cisco/HP documentation: Untagged is also known as 'Hybrid Port', Untagged, drop tagged as 'Access Port' and Tagged as 'Trunk Port'.
Comment (optional): Add a description or other information.
Cross Reference – For more information about VLAN tagging for RED 50 and about tunnel compression, see the Sophos Knowledgebase.
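As an added illustration (not code from the Sophos guide or from the appliance), the following Python models the four LAN modes as a forwarding decision per switch port. The egress side follows the mode descriptions above; the ingress side follows the Cisco/HP equivalents named in the note (hybrid, access and trunk port), which is an assumption, since the guide only describes what is sent to a port. The Frame and Port types, the mode names and the MAC addresses are constructed for this example.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional

MAX_TAGGED_VIDS = 64  # upper limit for a Tagged port, as stated in the guide


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    vlan_id: Optional[int] = None   # None: the frame carries no 802.1Q tag


@dataclass(frozen=True)
class Port:
    mode: str               # "untagged", "untagged_drop_tagged", "tagged" or "disabled"
    vids: FrozenSet[int]    # the LAN VID(s) configured for this port

    def __post_init__(self) -> None:
        if self.mode not in ("untagged", "untagged_drop_tagged", "tagged", "disabled"):
            raise ValueError(f"unknown LAN mode {self.mode!r}")
        if self.mode in ("untagged", "untagged_drop_tagged") and len(self.vids) != 1:
            raise ValueError(f"{self.mode}: exactly one VLAN ID is allowed")
        if self.mode == "tagged" and not 1 <= len(self.vids) <= MAX_TAGGED_VIDS:
            raise ValueError(f"tagged: between 1 and {MAX_TAGGED_VIDS} VLAN IDs are allowed")

    @property
    def single_vid(self) -> Optional[int]:
        return next(iter(self.vids)) if len(self.vids) == 1 else None


def egress(port: Port, frame: Frame) -> Optional[Frame]:
    """Frame as it leaves the RED towards the end device on this port, or None
    if the port does not send it. This follows the four mode descriptions."""
    if port.mode == "disabled":
        return None                                   # port is closed
    if port.mode in ("untagged", "untagged_drop_tagged"):
        if frame.vlan_id in port.vids:                # only the port's own VLAN ...
            return replace(frame, vlan_id=None)       # ... and the tag is stripped
        return None
    # "tagged" (trunk): frames without a VLAN ID are never sent; tagged frames
    # are sent only for the configured VIDs and keep their tag
    if frame.vlan_id is not None and frame.vlan_id in port.vids:
        return frame
    return None


def ingress(port: Port, frame: Frame) -> Optional[Frame]:
    """Frame as it enters the RED tunnel from the end device, or None if dropped.
    Assumption (following the Cisco/HP naming in the note): an "untagged" port
    behaves like a hybrid port and passes tagged frames through, while
    "untagged, drop tagged" behaves like an access port and discards them."""
    if port.mode == "disabled":
        return None
    if port.mode == "untagged":
        if frame.vlan_id is None:
            return replace(frame, vlan_id=port.single_vid)   # tag with the port VID
        return frame                                         # hybrid: tagged passes
    if port.mode == "untagged_drop_tagged":
        if frame.vlan_id is None:
            return replace(frame, vlan_id=port.single_vid)
        return None                                          # access: tagged dropped
    # "tagged": only frames carrying one of the configured VIDs are accepted
    if frame.vlan_id is not None and frame.vlan_id in port.vids:
        return frame
    return None
```

The validation in Port is where a misconfiguration shows up first: an Untagged port with two VIDs or a Tagged port with more than 64 VIDs is rejected before any frame is handled, which mirrors the limits the guide states for those modes.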
4. Optionally, make the following advanced settings:
MAC filtering type: To restrict the MAC addresses allowed to connect to this RED appliance, select Blacklist or Whitelist. With Blacklist, all MAC addresses are allowed except those listed on the MAC address list selected below. With Whitelist, all MAC addresses are prohibited except those listed on the MAC address list selected below.
MAC addresses: The list of MAC addresses used to restrict access to the
RED appliance. MAC address lists can be created on the Definitions & Users
> Network Definitions > MAC Address Definitions tab. Note that for RED 10, a
maximum of 200 MAC addresses is allowed, whereas for RED 15 and RED
15w, the list may contain up to 300 MAC addresses and for RED 50 up to
400 MAC addresses.
Note – MAC filtering only works for RED rev. 2 or newer.
Device deployment: Select how you want to provide the necessary configuration settings for the RED appliance. By default, the UTM provides the RED's configuration data automatically via Sophos' RED Provisioning Service. In this case, the RED appliance receives its configuration via Internet. The RED appliance connects to a Sophos NTP server and receives the system time. If for example your RED does not have an Internet connection, you can provide the configuration manually, via USB stick. If you deploy a RED device manually, you have to ensure that the UTM is acting as NTP server. Therefore activate NTP on the UTM and allow the correct network or at least the IP address of the RED.
Note – Sophos UTM version 9.2 or older: After you deployed a RED manually you
need to deploy it once using the RED Provisioning Service (automatically)
before you can deploy it manually again. Manual device deployment only works
for RED appliances with firmware version 9.1 or newer.
Caution – If you select manual deployment, it is extremely important to keep
the unlock code, which is sent by email. If you lose the unlock code, you can
never again connect the RED appliance to another UTM.
Tunnel compression: Enabling tunnel compression will compress all traffic that is sent through the RED tunnel. Tunnel compression might increase the throughput of the RED appliance in areas with a very slow Internet connection such as 1 Mbps. However, any performance increase mainly depends on the entropy of the data being sent (for example, already compressed or encrypted data such as HTTPS or SSH cannot be compressed any further). In some circumstances it might therefore be possible that enabling tunnel compression actually reduces the throughput of the RED appliance. In that case, please disable tunnel compression.
Note – Tunnel compression is not available for RED 10 rev.1.
3G/UMTS failover: Starting with RED rev. 2, the RED appliance offers a USB port, where you can plug in a 3G/UMTS USB stick. If selected, this stick can serve as Internet uplink failover in case of a WAN interface failure. For the necessary settings please refer to your Internet provider's data sheet.
- Username/Password (optional): If required, enter a username and password for the mobile network.
- PIN (optional): Enter the PIN of the SIM card if a PIN is configured.
Note – If you enter a wrong PIN, in case of a WAN interface failure, the connection via 3G/UMTS cannot be established. Instead, the 3G/UMTS failover checkbox of the RED appliance will automatically be unselected. Thus, the wrong PIN will only be used once. When the WAN interface comes up again, a warning will be displayed for the RED appliance: A wrong PIN was entered for 3G/UMTS failover uplink. Please change the login data. When you open the Edit RED dialog box, a message is displayed which tells you that the 3G/UMTS failover was automatically unselected. Correct the PIN before selecting the checkbox again. Please note that after three connection attempts with a wrong PIN, the SIM card will be locked. Unlocking cannot be done via the RED appliance or the UTM. The signal strength for most supported 3G/UMTS USB sticks is displayed in the Live Log and on the RED 50 LCD display.
- Mobile network: Select the mobile network type, which is either GSM or CDMA.
- APN: Enter your provider's Access Point Name information.
- Dial string (optional): If your provider uses a different dial string, enter it here. Default is *99#.
Note – You always have to make the following configurations manually: 1) Creating the necessary firewall rules (Network Protection > Firewall > Rules). 2) Creating the necessary masquerading rules (Network Protection > NAT > Masquerading).
5. Click Save.
The RED appliance is being created and appears on the RED list.
With automatic device deployment, as soon as the RED has booted, it will fetch its configuration from the Sophos RED Provisioning Service (RPS). After that the connection between your UTM and the RED appliance is going to be established.
With manual device deployment, the new entry in the RED list will have a Download button. Download the configuration file and save it to the root directory of a USB stick. Then plug the USB stick into the RED appliance before turning it on. The RED will fetch its configuration from the USB stick. After that the connection between your UTM and the RED appliance is going to be established.
Caution – It is crucial that you keep the unlock code, which is emailed instantly to the
address provided on the Global Settings tab as soon as the RED appliance receives its
configuration. (In case of switching between manual and automatic deployment,
make sure to keep both unlock codes.) You need the unlock code when you want to
use the RED appliance with another UTM. If you then do not have the unlock code
ready, the only way to unlock the RED appliance is to contact the Sophos Support. The
Support however can only help you if you deployed the configuration automatically,
via the Sophos RED Provisioning Service.
To edit a RED appliance, click the corresponding button. You can see the appliance
status of all configured RED appliances on the RED overview page of WebAdmin.
The following images give an overview of the four balancing/failover combinations
RED 50 provides. Solid lines reflect balancing, dotted lines failover behavior:
Figure 29 RED 50: Hostname and Uplink Balancing (turquoise) and Hostname and Uplink Failover (red)
Figure 30 RED 50: Hostname Balancing and Uplink Failover (green) and Hostname Failover and Uplink Balancing (blue)
Deleting a RED Appliance
To delete a RED appliance, click the Delete button next to the appliance name.
There will be a warning that the RED object has dependencies. Be aware that deleting a
RED appliance will not delete associated interfaces and their dependencies. This is
intentional, since it enables you to move an interface from one RED appliance to
another.
If you want to remove a RED appliance setup completely, you need to delete potential
interface and other definitions manually.
17.4 Deployment Helper
The RED Management > Deployment Helper tab provides a wizard that facilitates setting up and integrating a RED environment. The wizard is meant to be a simple alternative to the normal configuration on the Client Management tab. You only need to fill in the requested fields, if needed also fields marked optional, and to click Deploy RED.
The [Server] tag in front of the page name indicates that this page only needs configuration if the UTM should act as server (RED hub).
Note – For your convenience, with Standard and Standard/Split mode, in contrast to the Client Management tab, the deployment helper automatically creates the following objects: a local interface with the specified IP address; a DHCP server for the remote network, covering half of the available IP address range; access to the local DNS resolver. In Transparent/Split mode, the deployment helper only creates a DHCP client (Ethernet DHCP) interface.
The deployment helper provides short descriptions for every option and a sketch for
each of the three operation modes offered by the RED technology.
Below you find a description and use case examples for the three operation modes of
RED.
Standard/Unified
The UTM manages the whole remote network. It acts as DHCP server and as default
gateway.
Example: You have a branch office and, for security reasons, you want all its traffic to be routed via your headquarters UTM. That way the remote site becomes a part of your local network as if it were connected via LAN.
Standard/Split
Note – VLAN tagged frames cannot be handled with this operation mode.
As with the Standard mode, the UTM manages the whole remote network and acts as
DHCP server. The difference is that only traffic targeted to networks listed in the Split
Networks box is redirected to your local UTM. All traffic not targeted to the defined split
networks is directly routed to the Internet.
Example: You have a branch office and you want it to have access to your local intranet
or you want to route traffic of the remote network via your UTM for security reasons,
e.g. to have the traffic checked for viruses or to use an HTTP proxy.
Transparent/Split
Note – VLAN tagged frames cannot be handled with this operation mode.
The remote network stays independent, the UTM is a part of this network by getting an
IP address from the remote DHCP server. Only certain traffic of the remote network is
allowed to access certain networks or local domains of yours. Since the UTM has no
control of the remote network, local domains, which are not publicly resolvable, cannot
be resolved by the remote router unless you define a Split DNS Server. This is a local
DNS server of yours which can then be queried by remote clients.
Technically, the local interface of the RED appliance and its uplink interface to your local UTM as well as its link to the remote router are bridged. (For RED 50 appliances, LAN ports are bridged only to WAN 1.) Since the UTM is only a client of the remote network, routing traffic to the split networks the same way as with the other modes is not possible. Therefore, the RED appliance intercepts all traffic: Traffic targeting a network listed in the Split Networks box or going to a domain listed in the Split Domains box is redirected to the UTM interface. This is accomplished by replacing the default gateway's MAC address in the respective data packets with the UTM's MAC address.
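The interception step can be written out as a small Python model. This is an added example, not the RED firmware or Sophos code: the frame layout (a dict with destination MAC and IP), the MAC addresses, the networks, and the way split domains are tracked (remembering the addresses returned by DNS for those domains, as the Split DNS Server would) are assumptions of the example. It also rejects look-alike domains such as corp.example.evil.test, which the text does not discuss.

```python
import ipaddress
from typing import Dict, Iterable


class SplitInterceptor:
    """Transparent/Split decision as described above: frames headed for the
    remote default gateway whose destination is a split network or a host of
    a split domain get the UTM's MAC as destination; everything else is left
    untouched. Frame format and domain tracking are assumptions of this example."""

    def __init__(self, split_networks: Iterable[str], split_domains: Iterable[str],
                 utm_mac: str, gateway_mac: str) -> None:
        self.networks = [ipaddress.ip_network(n, strict=False) for n in split_networks]
        self.domains = [d.lower().strip(".") for d in split_domains]
        self.utm_mac = utm_mac.lower()
        self.gateway_mac = gateway_mac.lower()
        self.learned_hosts = set()          # addresses resolved for split domains

    def matches_domain(self, name: str) -> bool:
        """True for a split domain or any host below it, never for look-alikes."""
        name = name.lower().strip(".")
        return any(name == d or name.endswith("." + d) for d in self.domains)

    def learn_dns_answer(self, name: str, ip: str) -> None:
        """Remember addresses resolved for split domains (assumed mechanism) so
        that later packets to those hosts are redirected as well."""
        if self.matches_domain(name):
            self.learned_hosts.add(ipaddress.ip_address(ip))

    def is_split_destination(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return addr in self.learned_hosts or any(addr in n for n in self.networks)

    def rewrite(self, frame: Dict[str, str]) -> Dict[str, str]:
        """Return the frame as the RED would forward it."""
        if frame["dst_mac"].lower() != self.gateway_mac:
            return frame                    # local LAN traffic: not intercepted
        if self.is_split_destination(frame["dst_ip"]):
            return {**frame, "dst_mac": self.utm_mac}   # steer into the RED tunnel
        return frame                        # remote Internet traffic stays with the router
```

Only frames addressed to the gateway's MAC are candidates for rewriting; traffic between two hosts on the remote LAN never carries that MAC and so is never pulled into the tunnel, which is the behaviour the text describes for an independent remote network.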
Example: There is a partner or a service provider who should have access to your
intranet or a certain server in your local network. Using a RED appliance, that partner's
network will stay completely independent of your network, but they can access a
defined part of your network for certain purposes, as if they were connected via LAN.
Note – Using the deployment helper, the uplink mode of the RED appliance is DHCP Client in either operation mode. If you need to assign it a static IP address instead, you need to configure the RED appliance on the Client Management tab.
17.5 Tunnel Management
On the RED Management > Tunnel Management page you can configure your UTM to act
as a RED appliance to be able to establish a RED tunnel to another UTM. The remote
host UTM will then serve as RED hub for your UTM.
The [Client] tag in front of the page name indicates that this page only needs configuration if the UTM should act as RED client.
To connect your UTM to the host UTM you need a provisioning file. This file needs to be
generated on the host UTM (see Client Management).
To connect your UTM to the host UTM, proceed as follows:
1. On the host UTM, add your local UTM to the Client Management list.
2. On the host UTM, download the provisioning file for your UTM.
3. On your local UTM, click Add Tunnel.
The Add Tunnel dialog box opens.
4. Make the following settings:
Tunnel name: Enter a descriptive name for this tunnel.
UTM host: Select the remote UTM host.
Prov. file: Click the Folder icon, select the provisioning file you want to upload,
and click Start Upload.
Comment (optional): Add a description or other information.
5. Click Save.
The RED tunnel will be established and displayed on the Tunnel Management list.
17.6 RED 15w
This page provides general information about how the different RED modes work with
wireless modes.
RED Modes vs. Wireless Modes
In general all wireless modes (Separate Zone, Bridge to AP LAN and Bridge to VLAN) are supported by RED 15w. What each wireless mode actually means depends on the RED operation mode that is selected.
17.6.0.1 Standard / Unified
In this mode, all traffic of the RED is sent to the UTM. The following preconditions must
be met for wireless:
- RED tunnel interface on the UTM site is up and has an IP address
- DHCP server is running on the RED tunnel interface
- DNS can be resolved on this RED interface
- Firewall allows traffic from the RED interface to the UTM for AWE client and VXLAN (RFC 7348) (only for Separate Zone).
- RED interface is added to the Allowed Interfaces section under Wireless Protection > Global Settings
Separate Zone: All traffic from a separate zone network is sent to the UTM using the VXLAN protocol. The VXLAN packets themselves are not encrypted, but they are encrypted on the way to the UTM while crossing the RED tunnel. The separate zone networks are connected to each other on the UTM site as usual. The firewall has to allow this type of traffic.
Bridge to AP LAN: The RED will bridge the SSID into the LAN network behind the RED. This includes LAN ports 1 - 4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the UTM site if the firewall is configured to allow traffic from the RED network to this interface (enabled by default).
Bridge to VLAN: The RED will tag all traffic from clients that are connected to this SSID
using the configured VLAN tag. Clients are able to reach all network devices with the
same VLAN tag that are connected to LAN port 1 - 4 as well as a VLAN tagged interface
on top of the tunnel endpoint interface on the UTM site.
17.6.0.2 Standard / Split
In this mode, all traffic of the RED destined for the networks listed in the Split Networks box is sent to the UTM. All other traffic is sent to the default gateway specified by the remote DHCP server. Normally, this would be the Internet router the RED is connected to at the remote site. The following preconditions must be met for wireless:
- RED tunnel interface on the UTM site is up and has an IP address
- DHCP server is running on the RED tunnel interface
- DNS can be resolved on this RED interface
- Firewall allows traffic from the RED interface to the UTM for AWE client and VXLAN (RFC 7348) (only for Separate Zone).
- RED interface is added to the Allowed Interfaces section under Wireless Protection > Global Settings
Separate Zone: All traffic from a separate zone network is sent to the UTM using the VXLAN protocol. The VXLAN packets themselves are not encrypted, but they are encrypted on the way to the UTM while crossing the RED tunnel. The separate zone networks are connected to each other on the UTM site as usual. The firewall has to allow this type of traffic.
Bridge to AP LAN: The RED will bridge the SSID into the LAN network behind the RED. This includes LAN ports 1 - 4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the UTM site if the firewall is configured to allow traffic from the RED network to this interface (enabled by default). The clients are able to reach all hosts that are connected to one of the networks specified in the Split Networks list. Firewall rules can restrict this access further.
Bridge to VLAN: The clients are able to reach all hosts behind the RED that own the
same VLAN tag. Also the tunnel endpoint is reachable if a VLAN interface is configured
on top of the RED interface on the UTM site. The split networks can't be reached as
these are routed for untagged packets only.
17.6.0.3 Transparent / Split
In this mode, only networks listed in the Split Networks list are reachable through the
UTM. All other networks are routed through the Internet-providing router at the remote
site. The remote network also provides DHCP and DNS. That means the RED tunnel endpoint interface on the UTM site has to obtain an IP address from the remote DHCP server. It requires the following preconditions for wireless:
- RED tunnel interface on the UTM site is up and has an IP address
- DHCP server is running on the RED tunnel interface
- DNS can be resolved on this RED interface
- Firewall allows traffic from the RED interface to the UTM for AWE client and VXLAN (RFC 7348) (only for Separate Zone).
- RED interface is added to the Allowed Interfaces section under Wireless Protection > Global Settings
- The remote DHCP server has to provide DHCP option 234, which must contain the IP address of the RED interface on the UTM site. Otherwise the fallback IP 1.2.3.4 is used.
Separate Zone: All traffic from a separate zone network is sent to the UTM using the VXLAN protocol. The VXLAN packets themselves are not encrypted, but they are encrypted on the way to the UTM while crossing the RED tunnel. The separate zone networks are connected to each other on the UTM site as usual. The firewall has to allow this type of traffic.
Bridge to AP LAN: The RED will bridge the SSID into the LAN network behind the RED. This includes LAN ports 1 - 4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the UTM site if the firewall is configured to allow traffic from the RED network to this interface (enabled by default). The clients are able to reach all hosts that are connected to one of the networks specified in the Split Networks list. Firewall rules can restrict this access further.
Bridge to VLAN: The clients are able to reach all hosts behind the RED that own the same VLAN tag on LAN ports 1 - 4 as well as on the WAN port. The split networks cannot be reached as these are routed for untagged packets only.
17.7 RED 50 Uplink Balancing
The balancing algorithm selects an outgoing link based on source and destination IP address. It does not balance on a per-packet basis. The reason is that TCP performance suffers severely when packets of a single TCP connection are reordered because they took different paths.
This means that any transmission with the same source and destination IP address will always take the same interface combination. For example, outgoing packets always go from WAN 1 to uplink 1 on the UTM, and incoming packets always from uplink 2 on the UTM to WAN 1. When a client behind a RED 50 downloads a large file, all incoming packets will be transmitted via one interface only. When a client simultaneously downloads two files from two different servers, the incoming packets will be transmitted via either one interface or both interfaces, depending on the IP addresses.
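To make the per-flow rule concrete, here is an added Python example (not Sophos code; the appliance's real hash function is not documented, so SHA-256 over the address pair stands in for it) that maps flows to WAN1/WAN2 and simulates why per-packet balancing reorders a TCP stream when the two paths differ in latency. The link names, latencies and IP addresses are assumed values.

```python
import hashlib
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Set, Tuple

LINKS = ("WAN1", "WAN2")                       # the two RED 50 uplinks (assumed names)
LATENCY_MS = {"WAN1": 10, "WAN2": 30}          # one-way latency per path (assumed)


def pick_link(src: str, dst: str, links: Sequence[str] = LINKS) -> str:
    """Per-flow choice: hash the (source, destination) pair and map it to a link.
    The same pair always yields the same link, so one TCP connection never
    changes paths. SHA-256 is a stand-in for the appliance's undocumented hash."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    digest = hashlib.sha256(key).digest()
    return links[int.from_bytes(digest[:4], "big") % len(links)]


def pick_link_per_packet(seq: int, links: Sequence[str] = LINKS) -> str:
    """The policy the guide rejects: alternate links packet by packet."""
    return links[seq % len(links)]


def delivery_order(policy: Callable[[int], str], n: int,
                   latency_ms: Optional[Dict[str, int]] = None) -> List[int]:
    """Sequence numbers in the order they arrive when one packet is sent per
    millisecond and each path adds its own latency. A monotonic result means
    the receiver saw no reordering."""
    latency_ms = latency_ms or LATENCY_MS
    arrivals = [(seq + latency_ms[policy(seq)], seq) for seq in range(n)]
    return [seq for _, seq in sorted(arrivals)]


def links_used(flows: Iterable[Tuple[str, str]], packets: int = 50) -> Dict[Tuple[str, str], Set[str]]:
    """Which links each (src, dst) flow ends up on over many packets; with the
    per-flow policy every flow uses exactly one link, while two downloads from
    two different servers may land on the same link or on different ones."""
    return {flow: {pick_link(*flow) for _ in range(packets)} for flow in flows}
```

Running delivery_order with a per-flow policy yields the packets in sending order; with pick_link_per_packet the faster path delivers every second packet early and the receiver sees sequence gaps, which is exactly the reordering that degrades TCP throughput.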
Here are the balancing setups:
RED 50 with balancing, UTM with one uplink
To configure a RED 50 balancing on the UTM with one uplink, do the following:
1. Enter the UTM hostname (DNS name or IPv4 address).
2. Configure the first and the second uplink for balancing.
Note – Do not enter the same IP or name twice.
RED 50 with balancing, UTM with two uplinks in balancing mode
To configure a RED 50 balancing on the UTM with two uplinks in balancing mode, do the following:
1. Enter two different hostnames (DNS names or IPv4 addresses) for the UTM.
2. Configure the first and the second uplink for balancing.
3. Make sure UTM uplink balancing is enabled for the two hostnames and IP
addresses in Interfaces & Routing > Interfaces > Uplink Balancing.
RED 50 with one uplink, UTM with two uplinks in balancing mode
To configure a RED 50 with one uplink on the UTM with two uplinks in balancing mode, do the following:
1. Enter two different hostnames (DNS names or IPv4 addresses) for the UTM.
2. Make sure UTM uplink balancing is enabled for the two hostnames and IP
addresses in Interfaces & Routing > Interfaces > Uplink Balancing.
Note – If uplink balancing is not enabled the dmesg error message 'IPv4: martian
source...' will be shown on UTM.
18 Site-to-site VPN
This chapter describes how to configure site-to-site VPN settings of Sophos UTM. Site-to-site VPNs in Sophos UTM are realized by means of Virtual Private Networks (VPNs), which are a cost-effective and secure way for remote networks to communicate confidentially with each other over a public network such as the Internet. They use the cryptographic tunneling protocol IPsec to provide confidentiality and integrity of the data transmitted over them.
Cross Reference – More information on how to configure site-to-site VPN connections
can be found in the Sophos Knowledgebase.
The following topics are included in this chapter:
- Amazon VPC
- IPsec
- SSL
- Certificate Management
The Site-to-site VPN overview page in WebAdmin shows all configured Amazon VPC,
IPsec, and SSL connections and their current status. The state of each connection is
reported by the color of its status icons. There are two types of status icons. The larger
ones next to the connection name inform about the overall status of a connection. The
different colors mean:
- Green – All SAs (Security Associations) have been established. Connection is fully functional.
- Yellow – Not all SAs have been established. Connection is partly functional.
- Red – No SAs have been established. Connection is not functional.
The smaller ones next to the tunnel information report the status for that tunnel. Here
the colors mean:
- Green – All SAs have been established. Tunnel is fully functional.
- Yellow – IPsec SA has been established, ISAKMP SA (Internet Security Association and Key Management Protocol) is down. Tunnel is fully functional.
- Red – No SAs have been established. Connection is not functional.
18.1 Amazon VPC
Amazon Virtual Private Cloud (VPC) is a commercial cloud computing service. A user can create virtual private clouds, which can subsequently be connected to a local network and centrally managed over IPsec tunnels.
You can connect your Amazon VPC to your Sophos UTM if the UTM has a static public
IP address. The entire configuration of the VPN connections has to be done in the
Amazon environment. Afterwards you just import the connection data using your
Amazon access data or a configuration file.
18.1.1 Status
The Site-to-site VPN > Amazon VPC > Status page shows a list of all connections to
your Amazon VPCs.
Here you can enable and disable the connections.
To enable connections to Amazon VPC, proceed as follows:
1. On the Setup page, import at least one VPC connection.
2. On the Status page, enable Amazon VPC.
Click the toggle switch.
The toggle switch turns green and the imported VPC connections are displayed.
3. Enable the desired connection.
Click the toggle switch of the connection you want to enable.
The toggle switch turns green and the two tunnels of the VPC connection are displayed.
Note – Each connection consists of two tunnels for redundancy reasons: an active and a backup tunnel. Active tunnels can be identified by having a netmask at the end of their BGP line. The status icons of the tunnels are displayed for control purposes only; you cannot enable or disable a single tunnel.
To disable all Amazon VPC connections click the topmost toggle switch. To disable a
single connection click the toggle switch of the respective connection.
To close a connection and delete it from the list, click the red Delete icon of the respective connection.
Note – As the connections are configured on Amazon VPC's side, you can re-import a
deleted connection into Sophos UTM with the same data as before.
More information about Amazon VPC can be found in the Amazon User Guide.
18.1.2 Setup
On the Site-to-site VPN > Amazon VPC > Setup page you add connections to your
Amazon Virtual Private Cloud (VPC). You can either import all connections configured
with one Amazon Web Service (AWS) account and using the IP address of your Sophos
UTM as Customer Gateway (Amazon term for your endpoint of a VPC VPN connection).
Or you add connections one by one using the configuration file which you can download
from Amazon.
Import Via Amazon Credentials
You can import all connections configured with one AWS account and using the IP address of your Sophos UTM as Customer Gateway, at once. Just enter the AWS credentials you have been given when you created your Amazon Web Service account.
Note – All existing connections listed in the Status tab will be deleted during the
import.
To import connections, proceed as follows:
1. Make the following settings:
Access key: Enter the Amazon Access Key ID. It is a 20-character, alphanumeric
sequence.
Secret key: Enter the Secret Access Key. It is a 40-character sequence.
2. Click Apply.
The connections are imported and subsequently displayed on the Status page.
Import Via Amazon Configuration
To add a single connection to the existing list of connections you have to upload the
configuration file of the respective connection.
To import a single connection, proceed as follows:
1. Download the configuration file of your Amazon VPC connection.
In Amazon's download dialog make sure to select Sophos from the Vendor drop-down list.
2. Open the Upload file dialog window.
Click the Folder icon next to the VPC config file box.
3. Select the configuration file and upload it.
To upload the selected file click the button Start Upload.
The filename is displayed in the VPC config file field.
4. If you use static routing, enter the remote network.
The remote network is not part of the configuration file. Therefore you need to enter it separately into the Remote network field, e.g. 10.0.0.0/8. This field is only important if you have configured the use of static routing instead of dynamic routing in Amazon VPC.
5. Click Apply.
The connection is imported and subsequently displayed on the Status page.
Route Propagation
You can configure the networks that are pushed into route-propagation-enabled routing tables in the Amazon VPC.
To select local networks, proceed as follows:
1. Add local networks.
Add or select a local network that should be pushed in route propagation. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
2. Click Apply.
The route propagation networks are applied.
18.2 IPsec
IP Security (IPsec) is a standard for securing Internet Protocol (IP) communications by
encrypting and/or authenticating all IP packets.
The IPsec standard defines two service modes and two protocols:
• Transport mode
• Tunnel mode
• Authentication Header (AH) authentication protocol
• Encapsulated Security Payload (ESP) encryption (and authentication) protocol
IPsec also offers methods for manual and automatic management of Security Associations (SAs) as well as key distribution. These characteristics are consolidated in a Domain of Interpretation (DOI).
IPsec Modes
IPsec can work in either transport mode or tunnel mode. In principle, a host-to-host connection can use either mode. If, however, one of the endpoints is a security gateway, the tunnel mode must be used. The IPsec VPN connections on this UTM always use the tunnel mode.
In transport mode, the original IP packet is not encapsulated in another packet. The original IP header is retained, and the rest of the packet is sent either in clear text (AH) or encrypted (ESP). Either the complete packet can be authenticated with AH, or the payload can be encrypted and authenticated using ESP. In both cases, the original header is sent over the WAN in clear text.
In tunnel mode, the complete packet—header and payload—is encapsulated in a new IP packet. An IP header is added to the IP packet, with the destination address set to the receiving tunnel endpoint. The IP addresses of the encapsulated packets remain unchanged. The original packet is then authenticated with AH or encrypted and authenticated using ESP.
IPsec Protocols
IPsec uses two protocols to communicate securely on the IP level.
• Authentication Header (AH): A protocol for the authentication of packet senders and for ensuring the integrity of packet data.
• Encapsulating Security Payload (ESP): A protocol for encrypting the entire packet and for the authentication of its contents.
The Authentication Header protocol (AH) checks the authenticity and integrity of packet
data. In addition, it checks that the sender and receiver IP addresses have not been
changed in transmission. Packets are authenticated using a checksum created using a
Hash-based Message Authentication Code (HMAC) in connection with a key. One of the
following hashing algorithms will be used:
• Message Digest Version 5 (MD5): This algorithm generates a 128-bit checksum from a message of any size. This checksum is like a fingerprint of the message, and will change if the message is altered. This hash value is sometimes also called a digital signature or a message digest.
• The Secure Hash (SHA-1): This algorithm generates a hash similar to that of MD5, though the SHA-1 hash is 160 bits long. SHA-1 is more secure than MD5, due to its longer hash value.
Compared to MD5, an SHA-1 hash is somewhat harder to compute, and requires more
CPU time to generate. The computation speed depends, of course, on the processor
speed and the number of IPsec VPN connections in use at the Sophos UTM.
In addition to encryption, the Encapsulated Security Payload protocol (ESP) offers the
ability to authenticate senders and verify packet contents. If ESP is used in tunnel
mode, the complete IP packet (header and payload) is encrypted. New, unencrypted IP
and ESP headers are added to the encapsulating packet: The new IP header contains
the address of the receiving gateway and the address of the sending gateway. These IP
addresses are those of the VPN tunnel.
For ESP with encryption normally the following algorithms are used:
• Triple Data Encryption Standard (3DES)
• Advanced Encryption Standard (AES)
Of these, AES offers the highest standard of security. The effective key lengths that can be used with AES are 128, 192 and 256 bits. Sophos UTM supports a number of encryption algorithms. Either the MD5 or SHA-1 algorithms can be used for authentication.
NAT Traversal (NAT-T)
NAT traversal is a technology for establishing connections between hosts in TCP/IP
networks which use NAT devices. This is achieved by using UDP encapsulation of the
ESP packets to establish IPsec tunnels through NAT devices. UDP encapsulation is only
used if NAT is detected between the IPsec peers; otherwise normal ESP packets will
be used.
With NAT traversal you are able to place the gateway or a road warrior behind a NAT
router and still establish an IPsec tunnel. Both IPsec peers must support NAT traversal
if you want to use this feature, which is automatically negotiated. Make sure that the
NAT device has IPsec-passthrough turned off, because this could impair the use of NAT
traversal.
If road warriors want to use NAT traversal, their corresponding user object in
WebAdmin must have a static remote access IP address (RAS address) set (see also
Use Static Remote Access IP on the Users page in WebAdmin).
By default, a NAT traversal keep-alive signal is sent at intervals of 60 seconds to prevent an established tunnel from expiring when no data is transmitted. The keep-alive messages are sent to ensure that the NAT router keeps the state information associated with the session so that the tunnel stays open.
TOS
Type of Service bits (TOS bits) are several four-bit flags in the IP header. These bits are
referred to as Type of Service bits because they allow the transferring application to
tell the network which type of service quality is necessary.
With the IPsec implementation of Sophos UTM the TOS value is always copied.
18.2.1 Connections
On the Site-to-site VPN > IPsec > Connections tab you can create and edit IPsec connections.
To create an IPsec connection, proceed as follows:
1. On the Connections tab, click New IPsec Connection.
The Add IPsec Connection dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this connection.
Remote gateway: Select a remote gateway definition. Remote gateways are configured on the Site-to-site VPN > IPsec > Remote Gateways tab.
Local interface: Select the name of the interface which is used as the local endpoint of the IPsec tunnel.
Policy: Select the IPsec policy for this IPsec connection. IPsec policies can be
defined on the Site-to-site VPN > IPsec > Policies tab.
Local networks: Select or add the local networks that should be reachable
through the VPN tunnel. How to add a definition is explained on the Definitions &
Users > Network Definitions > Network Definitions page.
Automatic firewall rules: By selecting this option you can automatically add firewall rules that allow traffic for this connection. The rules are added as soon as the connection is enabled, and they are removed when the connection is disabled. If you want to use a stricter IPsec connection, disable Automatic firewall rules and use IPsec objects in the firewall rule set instead.
Strict routing: If strict routing is enabled, VPN routing is done according to source and destination IP address (instead of only destination IP address). In this case, only those packets exactly matching the VPN tunnel definition are routed into the VPN tunnel. As a consequence, you cannot use SNAT to add networks or hosts that are originally not part of the tunnel definition to the VPN tunnel. On the other hand, without strict routing, you cannot have a mixed unencrypted/encrypted setup to the same network from different source addresses.
Bind tunnel to local interface: By default, the option is unselected and all traffic originating from the selected local networks and going to the defined remote networks will always be sent through this IPsec tunnel. It is not possible to have multiple identical tunnels on different interfaces because the selector would always be the same. However, if enabled, the defined IPsec selector will be bound to the selected local interface. Thus it is possible to either bypass IPsec policies with static routes or define redundant IPsec tunnels over different uplinks and use multipath rules to balance traffic over the available interfaces and their IPsec tunnels. Use cases for this setting are for example:
• Bypass IPsec policies for local hosts which belong to the remote network through static routes.
• Balance traffic based on layer 3 and layer 4 with multipath rules over multiple IPsec tunnels or MPLS links with automatic failover.
Note – This option cannot be used in combination with an interface group.
Comment (optional): Add a description or other information.
3. Click Save.
The new connection appears on the IPsec Connections list.
To either edit or delete a connection, click the corresponding buttons.
Open Live Log: The IPsec VPN live log displays monitoring information about established IPsec connections. Click the button to open the live log in a new window.
18.2.2 Remote Gateways
On the Site-to-site VPN > IPsec > Remote Gateways tab you can define the remote gateways for your site-to-site VPN tunnels. These remote gateway definitions become available when creating IPsec connections on the IPsec > Connections tab.
To add a remote gateway, proceed as follows:
1. On the Remote Gateways tab, click New Remote Gateway.
The Add Remote Gateway dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this remote gateway.
Gateway type: Select the type of the gateway. The following types are available:
• Initiate connection: Select if the remote endpoint has a static IP address so that a connection to the remote gateway can be initiated by the gateway. If selected, specify the remote gateway in the Gateway box. Note that you can also select this option if the remote gateway is resolved through DynDNS.
• Respond only: Select if the IP address of the remote endpoint is unknown or cannot be resolved through DynDNS. The gateway is not able to initiate a connection to the remote gateway but waits for incoming connections to which it only needs to respond.
Authentication type: Select the authentication type for this remote gateway definition. The following types are available:
• Preshared key: Authentication with Preshared Keys (PSK) uses secret passwords as keys. These passwords must be distributed to the endpoints before establishing the connection. When a new VPN tunnel is established, each side checks that the other knows the secret password. The security of PSKs depends on the quality of the passwords used: common words and phrases are subject to dictionary attacks. Permanent or long-term IPsec connections should use certificates instead.
• RSA key: Authentication using RSA keys is much more sophisticated. In this scheme, each side of the connection generates a key pair consisting of a public key and a private key. The private key is necessary for the encryption and authentication during the key exchange. Both endpoints of an IPsec VPN connection using this authentication method need their own key pair. Copy the public RSA key of the remote unit (Site-to-site VPN > IPsec > Local RSA Key) into the Public Key box of the local unit and vice versa. In addition, enter the VPN ID types and VPN identifiers that correspond to the respective RSA keys.
• Local X.509 certificate: Similarly, the X.509 certificate authentication scheme uses public keys and private keys. An X.509 certificate contains the public key together with information identifying the owner of the key. Such certificates are signed and issued by a trusted Certificate Authority (CA). During the key exchange process, the certificates are exchanged and authenticated using a locally stored CA certificate. Select this authentication type if the X.509 certificate of the remote gateway is locally stored on the unit.
• Remote X.509 certificate: Select this authentication type if the X.509 certificate of the remote gateway is not locally stored on the unit. You must then select the VPN ID type and VPN identifier of the certificate being used on the remote unit, that is, the certificate which is selected in the Local X.509 Certificate area of the Site-to-site VPN > IPsec > Advanced tab.
VPN ID type: Depending on the authentication type you must select a VPN ID type and VPN identifier. The VPN identifier entered here must match the values configured on the remote site. Suppose you are using two UTM appliances for establishing a site-to-site VPN tunnel. If you select RSA Key as authentication type on the local unit, the VPN ID type and the VPN identifier must match what is configured on the Site-to-site VPN > IPsec > Local RSA Key tab on the remote unit.
You can select among the following VPN ID types:
• IP address
• Hostname
• Email address
• Distinguished name: Only available with Remote X.509 Certificate authentication.
• Any: Default with Respond Only gateway type.
Remote networks: Select the remote networks that should be reachable via the
remote gateway.
Comment (optional): Add a description or other information.
3. Make advanced settings if necessary.
The following advanced settings should only be made when you know what their
impact is:
Support path MTU discovery: PMTU (Path Maximum Transmission Unit) refers to the size of data packets transmitted. It is usually preferable that IP data packets be of the largest size that does not require fragmentation anywhere along the path from the source to the destination. If any of the data packets are too large to be forwarded without fragmentation by some router along the path, that router will discard them and return ICMP Destination Unreachable messages with a code meaning "fragmentation needed and DF set". Upon receipt of such a message, the source host reduces its assumed PMTU for the path.
If you enable this option, UTM enables PMTU if it is enabled on the server side.
Support congestion signaling (ECN): ECN (Explicit Congestion Notification) is an extension to the Internet Protocol and allows end-to-end notifications of network congestion without dropping packets. Select this option if you want to copy ECN information from the original IP packet header into the IPsec packet header. Note that the remote endpoint must support it as well as the underlying network and involved routers.
Enable XAUTH client mode: XAUTH is an extension of IPsec IKE to authenticate users via username and password at a VPN gateway. To use XAUTH for authentication with this remote gateway, select the option and provide username and password (twice) as required by the remote gateway.
4. Click Save.
The gateway definition appears on the Remote Gateways list.
To either edit or delete a remote gateway definition, click the corresponding buttons.
18.2.3 Policies
On the IPsec > Policies tab you can customize parameters for IPsec connections and
unite them into a policy. An IPsec policy defines IKE (Internet Key Exchange) and IPsec
proposal parameters of an IPsec connection. Note that each IPsec connection needs an
IPsec policy.
Note – Sophos UTM only supports the main mode in IKE phase 1. The aggressive mode
is not supported.
To create an IPsec policy, proceed as follows:
1. On the Policy tab, click New IPsec Policy.
The Add IPsec Policy dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this policy.
IKE encryption algorithm: The encryption algorithm specifies the algorithm used
for encrypting the IKE messages. Supported algorithms are:
• DES (56 bit)
• 3DES (168 bit)
• AES 128 (128 bit)
• AES 192 (192 bit)
• AES 256 (256 bit)
• Blowfish (128 bit)
• Twofish (128 bit)
• Serpent (128 bit)
Security Note – We strongly recommend using AES and SHA2 256 to reduce potential vulnerability.
IKE authentication algorithm: The authentication algorithm specifies the
algorithm used for integrity checking of the IKE messages. Supported algorithms
are:
• MD5 (128 bit)
• SHA1 (160 bit)
• SHA2 256 (256 bit)
• SHA2 384 (384 bit)
• SHA2 512 (512 bit)
IKE SA lifetime: This value specifies the timeframe in seconds for which the IKE
SA (security association) is valid and when the next rekeying should take place.
Valid values are between 60 sec and 28800 sec (8 hrs). The default value is 7800
seconds.
IKE DH group: When negotiating a connection, the communicating parties also
settle the actual keys used to encrypt the data. In order to generate a session
key, IKE uses the Diffie-Hellman (DH) algorithm, which utilizes random data. The
random data generation is based on pool bits. The IKE group basically tells the
number of pool bits. The more pool bits, the larger the random numbers. The lar
ger the numbers, the harder it is to crack the Diffie-Hellman algorithm. As a con
sequence, more pool bits mean more security but also the consumption of more
CPU resources. Currently, the following Diffie-Hellman groups are supported:
• Group 1: MODP 768
• Group 2: MODP 1024
• Group 5: MODP 1536
• Group 14: MODP 2048
• Group 15: MODP 3072
• Group 16: MODP 4096
Security Note – Group 1 (MODP 768) is considered weak and only supported for interoperability reasons. We strongly recommend against using it, as it represents a potential vulnerability.
IPsec encryption algorithm: The same encryption algorithms as for IKE. Additionally there are the following entries:
• No encryption (null)
• AES 128 CTR (128 bit)
• AES 192 CTR (192 bit)
• AES 256 CTR (256 bit)
• AES 128 GCM (96 bit)
• AES 192 GCM (96 bit)
• AES 256 GCM (96 bit)
• AES 128 GCM (128 bit)
• AES 192 GCM (128 bit)
• AES 256 GCM (128 bit)
Security Note – We strongly recommend against using no encryption or DES, as
this represents a potential vulnerability.
IPsec authentication algorithm: The same authentication algorithms as for IKE.
Additionally there are the following algorithms:
• SHA2 256 (96 bit)
• SHA2 384 (96 bit)
• SHA2 512 (96 bit)
These are available for compatibility with tunnel endpoints that do not adhere to RFC 4868 and therefore do not support truncated checksums longer than 96 bits, for example UTM (then called ASG) versions older than V8.
IPsec SA lifetime: This value specifies the timeframe in seconds for which the
IPsec SA is valid and when the next rekeying should take place. Valid values are
between 60 sec and 86400 sec (1 day). The default value is 3600 seconds.
IPsec PFS group: Perfect Forward Secrecy (PFS) refers to the notion that if a session key is compromised, it will permit access only to data of this specific session. In order for PFS to exist, the key used to protect the IPsec SA must not be derived from the random keying material used to get the keys for the IKE SA. Therefore, PFS initiates a second Diffie-Hellman key exchange proposing the selected DH group for the IPsec connection to get a new randomly generated key. Supported Diffie-Hellman groups are the same as for IKE.
Enabling PFS is considered to be more secure, but the exchange also takes more time. It is not recommended to use PFS on slow hardware.
Note – PFS is not fully interoperable with all vendors. If you notice problems during the negotiation, you might consider disabling PFS.
Strict policy: If an IPsec gateway makes a proposal with respect to an encryption algorithm and its strength, it might happen that the gateway of the receiver accepts this proposal even though the IPsec policy does not correspond to it. If you select this option and the remote endpoint does not agree on using exactly the parameters you specified, the IPsec connection will not be established. Suppose the IPsec policy of your UTM requires AES-256 encryption, whereas, for example, a road warrior with SSH Sentinel wants to connect with AES-128; with the strict policy option enabled, the connection would be rejected.
Note – The compression setting will not be enforced via Strict policy.
Compression: This option specifies whether IP packets should be compressed by means of the IP Payload Compression Protocol (IPComp) prior to encryption. IPComp reduces the size of IP packets by compressing them to increase the overall communication performance between a pair of communicating hosts or gateways. Compression is turned off by default.
Comment (optional): Add a description or other information.
3. Click Save.
The new policy appears on the Policies list.
To either edit or delete a policy, click the corresponding buttons.
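As an added example (not part of the manual and not UTM's own code), the following Python audits a policy against the lifetime ranges and security notes documented above and applies the Strict policy matching rule, with compression left unenforced as the note states; the IPsecPolicy field names, the finding format and the two sample policies are this example's own assumptions.

```python
"""Audit an IPsec policy against what the Policies tab documents: the valid
SA lifetime ranges, the algorithms and DH group the security notes warn
against, and the exact-match rule Strict policy enforces (compression
excepted). Added example, not UTM code; the IPsecPolicy field names and the
finding format are this example's own assumptions.
"""
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple

IKE_SA_LIFETIME = (60, 28800)     # seconds, default 7800
IPSEC_SA_LIFETIME = (60, 86400)   # seconds, default 3600

# Diffie-Hellman groups offered on the tab; group 1 carries a security note.
DH_GROUPS = {1: "MODP 768", 2: "MODP 1024", 5: "MODP 1536",
             14: "MODP 2048", 15: "MODP 3072", 16: "MODP 4096"}

WEAK_ENCRYPTION = {"DES", "No encryption (null)"}  # strongly discouraged
LEGACY_AUTHENTICATION = {"MD5", "SHA1"}            # recommendation is SHA2 256


@dataclass(frozen=True)
class IPsecPolicy:
    name: str
    ike_encryption: str
    ike_authentication: str
    ike_sa_lifetime: int
    ike_dh_group: int
    ipsec_encryption: str
    ipsec_authentication: str
    ipsec_sa_lifetime: int
    ipsec_pfs_group: Optional[int]   # None means PFS disabled
    strict_policy: bool = False
    compression: bool = False


Finding = Tuple[str, str]  # (severity, message)
SEVERITY_ORDER = {"error": 0, "high": 1, "medium": 2, "info": 3}


def audit_policy(p: IPsecPolicy) -> List[Finding]:
    """Return findings sorted most severe first; an empty list means the
    policy is inside the documented ranges and follows the security notes."""
    findings: List[Finding] = []

    for label, value, (lo, hi) in (("IKE SA lifetime", p.ike_sa_lifetime, IKE_SA_LIFETIME),
                                   ("IPsec SA lifetime", p.ipsec_sa_lifetime, IPSEC_SA_LIFETIME)):
        if not lo <= value <= hi:
            findings.append(("error", f"{label} {value}s is outside {lo}-{hi}s"))

    groups = [("IKE DH group", p.ike_dh_group)]
    if p.ipsec_pfs_group is None:
        findings.append(("info", "PFS disabled: no second DH exchange for the IPsec SA"))
    else:
        groups.append(("IPsec PFS group", p.ipsec_pfs_group))
    for label, group in groups:
        if group not in DH_GROUPS:
            findings.append(("error", f"{label} {group} is not a supported group"))
        elif group == 1:
            findings.append(("high", f"{label} 1 ({DH_GROUPS[1]}) is weak, "
                             "kept only for interoperability"))

    for label, alg in (("IKE encryption", p.ike_encryption),
                       ("IPsec encryption", p.ipsec_encryption)):
        if alg in WEAK_ENCRYPTION:
            findings.append(("high", f"{label} '{alg}' is strongly discouraged"))
        elif not alg.startswith("AES"):
            findings.append(("medium", f"{label} '{alg}' is not the recommended AES"))

    for label, alg in (("IKE authentication", p.ike_authentication),
                       ("IPsec authentication", p.ipsec_authentication)):
        base = alg.split(" (")[0]          # strip a "(96 bit)" suffix
        if base in LEGACY_AUTHENTICATION:
            findings.append(("medium", f"{label} '{alg}' is not the recommended SHA2 256"))
        elif alg.endswith("(96 bit)"):
            findings.append(("info", f"{label} '{alg}' is the 96-bit truncation for "
                             "peers not adhering to RFC 4868"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def strict_match(p: IPsecPolicy, proposal: dict) -> bool:
    """Strict policy: the peer must agree on exactly the configured
    parameters, otherwise the connection is not established. Compression is
    documented as not enforced, so it is deliberately left out."""
    enforced = ("ike_encryption", "ike_authentication", "ike_dh_group",
                "ipsec_encryption", "ipsec_authentication", "ipsec_pfs_group")
    return all(proposal.get(k) == getattr(p, k) for k in enforced)


# Constructed sample policies, not taken from any real appliance.
RECOMMENDED = IPsecPolicy("aes256-sha2", "AES 256", "SHA2 256", 7800, 14,
                          "AES 256", "SHA2 256", 3600, 14, strict_policy=True)
LEGACY = IPsecPolicy("legacy-des", "DES", "MD5", 90000, 1,
                     "No encryption (null)", "SHA1", 3600, None)

if __name__ == "__main__":
    for policy in (RECOMMENDED, LEGACY):
        print(policy.name)
        for severity, message in audit_policy(policy) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
    # The manual's example: policy requires AES-256, peer proposes AES-128.
    peer = {**asdict(RECOMMENDED), "ipsec_encryption": "AES 128"}
    print("AES-128 proposal accepted under strict policy:", strict_match(RECOMMENDED, peer))
```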
18.2.4 Local RSA Key
With RSA authentication, RSA keys are used for authentication of the VPN endpoints. The public keys of the endpoints are exchanged manually before the connection is established. If you want to use this authentication type, you have to define a VPN identifier and create a local RSA key. The public RSA key of the gateway must be made available to remote IPsec devices that use IPsec RSA authentication with Sophos UTM.
Note – UTM uses RFC 3110 format for RSA keys. RSA authentication will not work
with 3rd party endpoints that use a different RSA key format.
Current Local Public RSA Key
Displayed is the public portion of the currently installed local RSA key pair. Click into
the box, then press CTRL-A and CTRL-C to copy it to the clipboard.
Local RSA Key VPN Options
Select the VPN ID type which best suits your needs. By default, the hostname of the gateway is taken as the VPN identifier. If you have a static IP address as local VPN endpoint, select IP address. Alternatively, use an email address as VPN ID for mobile IPsec road warriors.
• Hostname: Default setting; the hostname of the gateway. However, you can enter a different hostname here.
• Email address: By default, this is the email address of the gateway's admin account. However, you can enter a different email address here.
• IP address: The IP address of the external interface of the gateway.
Click Apply to save your settings. Changing the settings does not modify the RSA key.
Re-generate Local RSA Key
To generate a new RSA key, select the desired key size and click Apply. This will start
the key generation process, which can take from a few minutes up to two hours,
according to your selected key length and used hardware. The key size (key length) is a
measure of the number of keys which are possible with a cipher. The length is usually
specified in bits. The following key sizes are supported:
• 1024 bits
• 2048 bits
• 4096 bits
Once the RSA key has been generated, the appropriate public key will be displayed in
the Current Local Public RSA Key box. Generating a new RSA key will overwrite the old
one.
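The note above states that UTM uses RFC 3110 format for RSA keys. As an added example (not UTM's own code), the following Python encodes and decodes a public key in that format, reports the key size offered on this tab as the modulus bit length, and rejects truncated or non-canonical input; the sample modulus is a constructed placeholder, not a real key.

```python
"""Encode and decode RSA public keys in RFC 3110 format (exponent length |
exponent | modulus, shown base64-encoded), the format the manual states UTM
uses for the Local RSA Key.

Added example, not UTM code. The sample modulus below is a constructed
placeholder (not a product of two primes); real keys are 1024-4096 bits.
"""
import base64
from typing import Tuple


def _to_bytes(n: int) -> bytes:
    """Shortest big-endian encoding of a positive integer."""
    if n <= 0:
        raise ValueError("RSA parameters must be positive integers")
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def encode_rfc3110(exponent: int, modulus: int) -> bytes:
    """RFC 3110 section 2: one length octet if the exponent is 1..255 octets
    long, otherwise a zero octet followed by a 2-octet big-endian length
    (256..65535), then the exponent, then the modulus."""
    e = _to_bytes(exponent)
    if len(e) <= 255:
        length = bytes([len(e)])
    elif len(e) <= 65535:
        length = b"\x00" + len(e).to_bytes(2, "big")
    else:
        raise ValueError("exponent longer than 65535 octets")
    return length + e + _to_bytes(modulus)


def decode_rfc3110(blob: bytes) -> Tuple[int, int]:
    """Inverse of encode_rfc3110. Rejects truncated input and the
    non-canonical 3-octet length form for exponents shorter than 256 octets,
    so a corrupted or hand-edited key is not silently misread."""
    if len(blob) < 2:
        raise ValueError("key too short")
    if blob[0] != 0:
        elen, pos = blob[0], 1
    else:
        if len(blob) < 4:
            raise ValueError("truncated exponent length")
        elen, pos = int.from_bytes(blob[1:3], "big"), 3
        if elen < 256:
            raise ValueError("non-canonical exponent length encoding")
    exponent, modulus = blob[pos:pos + elen], blob[pos + elen:]
    if len(exponent) != elen or not modulus:
        raise ValueError("truncated exponent or missing modulus")
    return int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big")


def to_base64(blob: bytes) -> str:
    """Presentation form, as the key is pasted into a peer's Public Key box."""
    return base64.b64encode(blob).decode("ascii")


def from_base64(text: str) -> bytes:
    """Strict decoding: stray characters from a bad copy-paste raise."""
    return base64.b64decode(text.strip(), validate=True)


def key_bits(modulus: int) -> int:
    """The key size selectable on the Re-generate tab (1024/2048/4096 bits)
    is the bit length of the modulus."""
    return modulus.bit_length()


# Constructed sample: the usual exponent 65537 and a 64-bit placeholder modulus.
SAMPLE_EXPONENT = 65537
SAMPLE_MODULUS = 0xC0FFEE1234567891

if __name__ == "__main__":
    wire = encode_rfc3110(SAMPLE_EXPONENT, SAMPLE_MODULUS)
    text = to_base64(wire)
    print("RFC 3110 base64:", text)
    print("decoded:", decode_rfc3110(from_base64(text)))
    print("key size:", key_bits(SAMPLE_MODULUS), "bits")
```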
18.2.5 Advanced
On the Site-to-site VPN > IPsec > Advanced tab you can configure advanced options of
IPsec VPN. Depending on your preferred authentication type, you can define the local
certificate (for X.509 authentication) and the local RSA key (for RSA authentication),
among other things. Note that this should only be done by experienced users.
Local X.509 Certificate
With X.509 authentication, certificates are used to verify the public keys of the VPN endpoints. If you want to use this authentication type, you have to select a local certificate from the drop-down list in the Local X.509 Certificate area. The selected key/certificate is then used to authenticate the gateway to remote peers if X.509 authentication is selected.
You can only select certificates for which the appropriate private key is present; other certificates are not available in the drop-down list.
If there is no certificate available for selection, you have to add one in the Certificate
Management menu, either by creating a new one or by importing one using the upload
function.
After selecting the certificate, enter the passphrase the private key was protected with. During the saving process, the passphrase is verified and an error message is displayed if it does not match the encrypted key.
Once an active key/certificate is selected, it is displayed in the Local X.509 Certificate
area.
Preshared Key Settings
Select the VPN ID type which is used by PSK connections. This is useful if your client is
behind a NAT gateway and the peer cannot accept any VPN ID. If the text box VPN ID is
empty, the interface IP address is taken as the VPN identifier.
For IPsec connections using the respond-only mode you can decide to use different preshared keys (PSK) for each IPsec connection.
Enable probing of preshared keys: Select the checkbox to enable this option. This will
affect L2TP-over-IPsec, remote access IPsec, and VPN IPsec connections.
Dead Peer Detection (DPD)
Use Dead Peer Detection: The dead peer detection option is used for automatically terminating a connection if the remote VPN gateway or client is unreachable. For connections with static endpoints, the tunnel will be re-negotiated automatically. Connections with dynamic endpoints require the remote side to re-negotiate the tunnel. Usually it is safe to always enable this option. The IPsec peers automatically determine whether the remote side supports dead peer detection or not, and will fall back to normal mode if necessary.
NAT Traversal (NAT-T)
Use NAT traversal: Select this option to allow IPsec traffic to pass upstream systems which use Network Address Translation (NAT). Additionally, you can define the keepalive interval for NAT traversal. Click Apply to save your settings.
CRL Handling
There might be situations in which the issuer of a certificate needs to revoke a certificate that is still within its validity period, for example if it has become known that the receiver of the certificate fraudulently obtained it by using wrong data (name, etc.), or because an attacker has got hold of the private key that belongs to the certified public key. For this purpose, so-called Certificate Revocation Lists (CRLs) are used. They normally contain the serial numbers of those certificates of a certifying instance that have been declared invalid but are still valid according to their respective periods of validity.
After the expiration of these periods the certificate will no longer be valid and must therefore not be maintained in the block list.
Automatic fetching: This function automatically requests the CRL through the URL
defined in the partner certificate via HTTP, Anonymous FTP or LDAP version 3. On
request, the CRL can be downloaded, saved and updated, once the validity period has
expired. If you use this feature but not via port 80 or 443, make sure that you set the
firewall rules accordingly, so that the CRL distribution server can be accessed.
Strict policy: If this option is enabled, any partner certificate without a corresponding
CRL will be rejected.
18.2.6 Debug
IKE Debugging
In the IKE Debugging section you can configure IKE debug options. Select the checkboxes for which types of IKE messages or communication you want to create debug output.
Note – The IKE Debugging section is identical across the Debug tabs of the menus
Site-to-site VPN IPsec, Remote Access IPsec, L2TP over IPsec and Cisco VPN Client.
The following flags can be logged:
• Control flow: Displays control messages of IKE state
• Outbound packets: Displays content of outgoing IKE messages
• Inbound packets: Displays content of incoming IKE messages
• Kernel messaging: Displays communication messages with the Kernel
• High availability: Displays communication with other HA nodes
18.3 SSL
Site-to-site VPN tunnels can be established via an SSL connection. SSL VPN connections have distinct roles attached. The tunnel endpoints act as either client or server. The client always initiates the connection, the server responds to client requests. Keep in mind that this contrasts with IPsec, where both endpoints normally can initiate a connection.
Note – If you run into problems in establishing a connection, check whether SSL scanning is activated with the Web Filter operating in transparent mode. If so, make sure that the target host of the VPN connection has been added to the Transparent Mode Skiplist under Web Protection > Filtering Options > Misc.
18.3.1 Connections
To create an SSL VPN site-to-site tunnel, it is crucial to create the server configuration first. The client configuration must always be the second step.
To create a server configuration, proceed as follows:
1. On the Connections tab, click New SSL Connection.
The Add SSL Connection dialog box opens.
2. Make the following settings:
Connection type: Select Server from the drop-down list.
Connection name: Enter a descriptive name for the connection.
Use static virtual IP address (optional): Only select this option if the IP address
pool is not compatible with the client's network environment: By default clients
are assigned an IP address from the Virtual IP Pool (configurable on Settings tab).
Rarely, it may happen that such an IP address is already in use on the client's
host. In that case enter a suitable IP address in the Static Peer IP field which will
then be assigned to the client during tunnel setup.
Local networks: Select or add one or more local networks that are allowed to be
accessed remotely. How to add a definition is explained on the Definitions & Users
> Network Definitions > Network Definitions page.
Remote networks: Select or add one or more remote networks that are allowed
to connect to the local network(s).
Note – You can change the Local networks and Remote networks settings later
without having to reconfigure the client.
Automatic firewall rules (optional): When enabled, the UTM will automatically
allow access to the selected local networks for all accessing SSL VPN clients.
Comment (optional): Add a description or other information.
3. Click Save.
The new SSL server connection appears on the Connections list.
4. Download the configuration file.
Use the Download button, which is located in the newly created SSL server connection row, to download the client configuration file for this connection.
Encrypt configuration file (optional): It is advisable to encrypt the configuration
file for security reasons. Enter a password twice.
Click Download peer config to save the file.
This file is needed by the client-side administrator in order to be able to set up
the client endpoint of the tunnel.
The next step is the client configuration which has to take place on client side and not
on server side. Ensure that the downloaded client configuration file is at hand.
To create a client configuration, proceed as follows:
1. On the Connections tab, click New SSL Connection.
The Add SSL Connection dialog box opens.
2. Make the following settings:
Connection type: Select Client from the drop-down list.
Connection name: Enter a descriptive name for the connection.
Configuration file: Click the Folder icon, browse for the client configuration file
and click Start Upload.
Password (optional): If the file has been encrypted, enter the password.
Use HTTP proxy server (optional): Select the checkbox if the client is located
behind a proxy and enter the settings for the proxy.
Proxy requires authentication (optional): Select the checkbox if the client
needs to authenticate against the proxy and enter username and password.
Override peer hostname (optional): Select the checkbox and enter a hostname
here if the server system's regular hostname (or DynDNS hostname) cannot be
resolved from the client host.
Automatic firewall rules (optional): When enabled, the UTM will automatically
allow traffic between hosts on the tunneled local and remote networks.
Comment (optional): Add a description or other information.
3. Click Save.
The new SSL VPN client connection appears on the Connections list.
To either edit or delete a client connection, click the corresponding buttons.
Click on the Site-to-site VPN menu to see the status of the SSL VPN connection on the
overview page. The status icon there turns green when the connection is established.
Then information about the interconnected subnets on both sides of the tunnel
becomes available, too.
18.3.2 Settings
On the SSL > Settings tab you can configure the basic settings for SSL VPN server con
nections.
Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL.
Changes applied here always affect both SSL configurations.
Server Settings
You can make the following settings for the SSL VPN connection:
• Interface address: Default value is Any. When using the web application firewall you need to give a specific interface address for the service to listen for SSL connections. This is necessary for the site-to-site/remote access SSL connection handler and the web application firewall to be able to differentiate between the incoming SSL connections.
• Protocol: Select the protocol to use. You can choose either TCP or UDP. UDP avoids the retransmission interaction of a TCP tunnel carrying TCP traffic and is the usual choice; TCP on port 443 is useful where clients sit behind networks that only pass HTTPS.
• Port: You can change the port. The default port is 443. You cannot use port 10443, the SUM Gateway Manager port 4422, or the port used by the WebAdmin interface.
  Note – Changing the port will also change the remote access configurations and the end-users have to download the new remote access configurations from the User Portal. For more information, see User Portal > User Portal: Remote Access.
• Override hostname: The value in the Override hostname field is used as the target hostname for client VPN connections and is by default the hostname of the gateway. Only change the default if the system's regular hostname (or DynDNS hostname) cannot be reached under this name from the Internet.
Virtual IP Pool
Pool network: This is the virtual IP address pool from which the SSL clients are assigned their tunnel addresses. By default, the VPN Pool (SSL) is selected. If you select a different address pool, its prefix length must lie between /16 and /29: OpenVPN cannot handle address pools whose netmask is /30, /31 or /32, and the UTM does not accept a netmask shorter than 16 bits. Choose a pool that does not overlap any local or remote network reachable through the tunnel, otherwise the routes to those hosts are ambiguous.
Duplicate CN
Select Allow multiple concurrent connections per user if you want to allow your users to connect from different IP addresses at the same time. When disabled, only one concurrent SSL VPN connection is allowed per user: a second connection with the same certificate replaces the first, so a copied client bundle cannot be used alongside the legitimate one unnoticed. Enable the option only where a user genuinely needs several devices connected at once.
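The constraints above (pool prefix between /16 and /29, the reserved ports) checked before they are applied, as an added example in Python that is not part of the UTM or of this guide. It adds one check the page does not state but a practitioner wants: the pool must not overlap a tunneled local or remote network. The WebAdmin port 4444 and the sample networks are assumptions.

```python
"""Check SSL VPN server settings of the kind the Settings tab takes before
applying them.

Added example, not UTM code.  It encodes the constraints the page states
(pool prefix between /16 and /29, reserved ports 10443 and 4422, the
WebAdmin port) and adds one check the page does not mention: the virtual
IP pool must not overlap a tunneled local or remote network, otherwise
the routes to those hosts are ambiguous.
"""
import ipaddress

RESERVED_PORTS = {10443, 4422}          # stated on the Settings tab
POOL_MIN_PREFIX, POOL_MAX_PREFIX = 16, 29
DEFAULT_WEBADMIN_PORT = 4444            # assumption: UTM's usual WebAdmin listener


def validate_ssl_settings(settings, local_networks, remote_networks=(),
                          webadmin_port=DEFAULT_WEBADMIN_PORT):
    """Return a list of problems; an empty list means the settings are acceptable.

    settings: dict with keys 'protocol', 'port' and 'pool' (CIDR string).
    local_networks / remote_networks: CIDR strings; the value "Any" is skipped
    because it is not a concrete network to compare against.
    """
    problems = []

    proto = str(settings.get("protocol", "")).upper()
    if proto not in ("TCP", "UDP"):
        problems.append(f"protocol must be TCP or UDP, got {proto!r}")

    port = settings.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append(f"port must be an integer in 1-65535, got {port!r}")
    elif port in RESERVED_PORTS or port == webadmin_port:
        problems.append(f"port {port} is reserved for another UTM service")

    try:
        # strict=True rejects a pool written with host bits set (10.242.2.1/24)
        pool = ipaddress.ip_network(settings.get("pool"), strict=True)
    except ValueError as exc:
        problems.append(f"pool is not a valid network: {exc}")
        return problems

    if pool.version != 4:
        problems.append("pool must be an IPv4 network")
        return problems
    if not POOL_MIN_PREFIX <= pool.prefixlen <= POOL_MAX_PREFIX:
        problems.append(f"pool prefix /{pool.prefixlen} is outside "
                        f"/{POOL_MIN_PREFIX}-/{POOL_MAX_PREFIX}")

    # The overlap check is this example's own addition, not a rule on the page.
    for label, nets in (("local", local_networks), ("remote", remote_networks)):
        for cidr in nets:
            if str(cidr).lower() == "any":
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == pool.version and pool.overlaps(net):
                problems.append(f"pool {pool} overlaps {label} network {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample: pool too small, port reserved, and pool inside a local net
    bad = {"protocol": "udp", "port": 10443, "pool": "10.242.2.0/30"}
    for line in validate_ssl_settings(bad, ["10.242.2.0/24"]):
        print("problem:", line)
```

Run it before changing the Settings tab on a production unit; every reported line corresponds to a condition the UTM will either reject or, in the overlap case, silently misroute.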
18.3.3 Advanced
On the SSL > Advanced tab you can configure various advanced server options ranging
from the cryptographic settings, through compression settings, to debug settings.
Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL.
Changes applied here always affect both SSL configurations.
Cryptographic Settings
These settings control the encryption parameters for all SSL VPN connections, remote access and site-to-site alike, since the tab is shared:
• Encryption algorithm: The encryption algorithm specifies the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported, all in Cipher Block Chaining (CBC) mode:
  • DES-EDE3-CBC (Triple DES, 64-bit block)
  • AES-128-CBC (128 bit)
  • AES-192-CBC (192 bit)
  • AES-256-CBC (256 bit)
  • BF-CBC (Blowfish (128 bit), 64-bit block)
  Prefer an AES variant. DES-EDE3-CBC and BF-CBC encrypt 64-bit blocks, so on a long-lived tunnel that carries tens of gigabytes under one key, block collisions start to leak plaintext (the SWEET32 attack).
• Authentication algorithm: The authentication algorithm specifies the HMAC used for checking the integrity of the data sent through the VPN tunnel. Supported algorithms are:
  • MD5 (128 bit)
  • SHA-1 (160 bit)
  • SHA2 256 (256 bit)
  • SHA2 384 (384 bit)
  • SHA2 512 (512 bit)
  Select a SHA2 variant. HMAC-MD5 and HMAC-SHA-1 are not known to be broken as message authentication codes, but both hash functions are deprecated and there is no reason to keep them for a new deployment.
• Key size: The key size (key length) is the size of the Diffie-Hellman parameters used for the key exchange. The longer this key is, the harder the negotiated symmetric keys are to recover. The length is specified in bits. You can choose between a key size of 1024, 2048, 3072 or 4096 bits. 1024-bit Diffie-Hellman is below current minimums; use 2048 bits or more.
• Server certificate: Select a local SSL certificate to be used by the SSL VPN server to identify itself to the clients.
  Note – The UTM does not support wildcard certificates or certificates signed by an intermediate CA in the SSL VPN.
• Key lifetime: Enter a time period after which the key will expire and be renegotiated. The default is 28,800 seconds (8 hours). Shorten it if you must keep a 64-bit block cipher, so that less data is encrypted under one key.
Compression Settings
Compress SSL VPN traffic: When enabled, all data sent through SSL VPN tunnels will be compressed prior to encryption. Compression before encryption makes the ciphertext length depend on the plaintext content; an attacker who can inject chosen data into the tunnel (for example through a web page the user loads) can exploit this to recover secrets such as session cookies (the VORACLE attack against OpenVPN). Leave it disabled unless you have measured a need for it.
Debug Settings
Enable debug mode: When enabling debug mode, the SSL VPN log file will contain exten
ded information useful for debugging purposes.
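The Advanced-tab choices expressed as the OpenVPN directives they correspond to, with the weak options flagged. This is an added example, not UTM code, and not the configuration the UTM itself generates; the directive names (cipher, auth, dh, reneg-sec, comp-lzo) are standard OpenVPN 2.x options, and the DH parameter file name is an assumption.

```python
"""Map SSL > Advanced cryptographic choices to the OpenVPN directives they
correspond to and flag weak selections.

Added example; it is not UTM code and does not reproduce the exact
configuration the UTM generates.  The WebAdmin option names are those on
the Advanced tab; the directive names are standard OpenVPN 2.x options.
"""

# Choices offered on the Advanced tab, with the cipher's block size in bits
CIPHERS = {
    "DES-EDE3-CBC": 64,
    "AES-128-CBC": 128,
    "AES-192-CBC": 128,
    "AES-256-CBC": 128,
    "BF-CBC": 64,
}
AUTHS = {"MD5": 128, "SHA-1": 160, "SHA2 256": 256, "SHA2 384": 384, "SHA2 512": 512}
DH_SIZES = (1024, 2048, 3072, 4096)

# OpenVPN spells the digest names differently from WebAdmin
_OPENVPN_AUTH = {"MD5": "MD5", "SHA-1": "SHA1", "SHA2 256": "SHA256",
                 "SHA2 384": "SHA384", "SHA2 512": "SHA512"}

# Rough data volume after which a 64-bit block cipher starts to collide (SWEET32)
_SWEET32_GB = 32


def render_crypto(cipher, auth, dh_bits, key_lifetime=28800, compress=False):
    """Return (directives, warnings) for one combination of Advanced-tab settings."""
    if cipher not in CIPHERS or auth not in AUTHS or dh_bits not in DH_SIZES:
        raise ValueError("selection not offered by the Advanced tab")

    directives = [
        f"cipher {cipher}",
        f"auth {_OPENVPN_AUTH[auth]}",
        f"dh dh{dh_bits}.pem",           # assumed file name for the DH parameters
        f"reneg-sec {int(key_lifetime)}",  # Key lifetime: renegotiate data keys
    ]
    if compress:
        directives.append("comp-lzo")

    warnings = []
    if CIPHERS[cipher] == 64:
        warnings.append(f"{cipher} has a 64-bit block; collisions become likely after "
                        f"~{_SWEET32_GB} GB under one key (SWEET32), use an AES variant")
    if auth in ("MD5", "SHA-1"):
        warnings.append(f"{auth} is deprecated for new deployments, use SHA2 256 or longer")
    if dh_bits < 2048:
        warnings.append("1024-bit Diffie-Hellman is below current minimums, use 2048 or more")
    if compress:
        warnings.append("compression before encryption leaks plaintext length and enables "
                        "VORACLE-style attacks when an attacker can inject chosen data")
    if CIPHERS[cipher] == 64 and key_lifetime > 3600:
        warnings.append("with a 64-bit block cipher, shorten Key lifetime so fewer blocks "
                        "are encrypted under one key")
    return directives, warnings


def hardened_profile():
    """The combination this example recommends from the choices the page offers."""
    return render_crypto("AES-256-CBC", "SHA2 256", 2048)


if __name__ == "__main__":
    for choice in (("AES-256-CBC", "SHA2 256", 2048, 28800, False),
                   ("BF-CBC", "MD5", 1024, 28800, True)):
        lines, warns = render_crypto(*choice)
        print("\n".join(lines))
        for w in warns:
            print("  warning:", w)
```

Because the tab is shared, a weak choice here applies to every SSL VPN peer at once; the hardened combination above uses only options the page lists, so it can be set on a 9.5 unit without further changes.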
18.4 Certificate Management
The Site-to-site VPN > Certificate Management menu is the central place to manage all
certificate-related operations of Sophos UTM. This includes creating or importing X.509
certificates as well as uploading so-called Certificate Revocation Lists (CRLs), among
other things.
18.4.1 Certificates
On the Site-to-site VPN > Certificate Management > Certificates tab you can create or
import public key certificates in the X.509 standard format. Such certificates are digit
ally signed statements usually issued by a Certificate Authority (CA) binding together a
public key with a particular Distinguished Name (DN) in X.500 notation.
All certificates you create on this tab contain an RSA key. They are signed by the self-signed certificate authority (CA) VPN Signing CA that was created automatically using the information you provided during the initial login to the WebAdmin interface.
To generate a certificate, proceed as follows:
1. On the Certificates tab, click New Certificate.
The Add Certificate dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this certificate.
Method: To create a certificate, select Generate (for more information on upload
ing certificates, see below).
Key size: The length of the RSA key. The longer the key, the harder it is to break. You can choose among key sizes of 1024, 2048, or 4096 bits. Select the maximum key size compatible with the application programs and hardware devices you intend to use. 1024-bit RSA keys are no longer considered adequate; use 2048 bits at least, and do not reduce the key size to optimize performance unless longer keys cause critical performance issues for your specific purposes.
VPN ID type: You have to define a unique identifier for the certificate. The following types of identifiers are available:
• Email address
• Hostname
• IP address
• Distinguished name
VPN ID: Depending on the selected VPN ID type, enter the appropriate value into this text box. For example, if you selected IP address from the VPN ID type list, enter an IP address into this text box. Note that this text box is hidden when you select Distinguished Name from the VPN ID type list.
Use the drop-down lists and text boxes from Country to Email to enter identifying information about the certificate holder. This information is used to build the Distinguished Name, that is, the name of the entity whose public key the certificate identifies. An X.500 Distinguished Name is assembled from several identifying attributes (country, organization, common name and so on) and is supposed to be unique. If the certificate is for a road warrior connection, enter the name of the user in the Common name box. If the certificate is for a host, enter its hostname.
Comment (optional): Add a description or other information.
3. Click Save.
The certificate appears on the Certificates list.
To delete a certificate click the button Delete of the respective certificate.
Alternatively, to upload a certificate, proceed as follows:
1. On the Certificates tab, click New Certificate.
The Add Certificate dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this certificate.
Method: Select Upload.
File type: Select the file type of the certificate. You can upload certificates in one of the following formats:
• PKCS#12 (Cert+CA): PKCS refers to a group of Public Key Cryptography Standards (PKCS) devised and published by RSA Laboratories. The PKCS#12 file format is commonly used to store private keys with accompanying public key certificates protected with a container passphrase. You must know this container passphrase to upload files in this format.
• PEM (Cert only): A Base64 encoded Privacy Enhanced Mail (PEM) file format with no password required. Since no private key is uploaded, the UTM cannot present such a certificate as its own identity (for example as the SSL VPN server certificate); it serves to identify a remote peer.
File: Click the Folder icon next to the File box and select the certificate you want
to upload.
Comment (optional): Add a description or other information.
3. Click Save.
The certificate appears on the Certificates list.
To delete a certificate click the button Delete of the respective certificate.
You can download the certificate either in PKCS#12 or as PEM format. The PEM file only
contains the certificate itself, while the PKCS#12 file also contains the private key as
well as the CA certificate with which it was signed.
Note – Certificates have a validity period. 30 days before a certificate expires, a flag
will be added in WebAdmin and you will receive an email notification.
18.4.2 Certificate Authority
On the Site-to-site VPN > Certificate Management > Certificate Authority tab you can
add new Certificate Authorities to the unit. Generally speaking, a certificate authority or
Certification Authority (CA) is an entity which issues digital certificates for use by
other parties. A CA attests that the public key contained in the certificate belongs to
the person, organization, host, or other entity noted in the certificate by signing the cer
tificate signing request with the private key of the CA's own certificate. Such a CA is
therefore called a signing CA.
On UTM, the signing CA was created automatically using the information you provided during the initial login to UTM. The CA certificate itself is self-signed, meaning that its issuer and subject are identical. The certificates you create on the Certificates tab are not self-signed: they are issued by this CA, which is what lets a peer that trusts the CA verify them. However, you can alternatively import a signing CA from a third-party vendor. In addition, to verify the authenticity of a host or user requesting an IPsec connection, you can also use alternative CA certificates whose private keys are not held by the UTM. Those CA certificates are called verification CAs and can be added on this tab as well.
Important Note – You can have multiple verification CAs on your system, but only one
signing CA. So if you upload a new signing CA, the previously installed signing CA auto
matically becomes a verification CA.
To add a CA, proceed as follows:
1. On the Certificate Authority tab, click New CA.
The Add CA dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this CA.
Type: Select the type of CA you are going to import. You can choose between veri
fication CAs or signing CAs. A verification CA must be available in the PEM format,
while a signing CA must be available in the PKCS#12 format.
CA certificate: Click the Folder icon next to the CA certificate box and select the
certificate you want to import. Note that if you are to upload a new signing CA,
you must enter the password with which the PKCS#12 container was secured.
Comment (optional): Add a description or other information.
3. Click Save.
The new CA certificate appears on the Certificate Authority list.
To delete a CA click the button Delete of the respective CA.
The signing CA can be downloaded in PKCS#12 format. You will then be prompted to enter a password, which will be used to secure the PKCS#12 container. This export contains the CA's private key: anyone holding it can issue certificates that your UTM and its peers will trust, so choose a strong password, keep the file offline and delete working copies after use. In addition, verification CAs can be downloaded in PEM format.
18.4.3 Revocation Lists (CRLs)
A CRL is a list of certificates (more precisely, their serial numbers) which have been revoked by their issuing CA, that is, are no longer valid and should therefore not be relied upon. On the Site-to-site VPN > Certificate Management > Revocation Lists (CRLs) tab you can upload the CRL that is deployed within your PKI. A CRL carries a nextUpdate time; upload a fresh one before it passes, since a stale list cannot tell you about certificates revoked after it was issued.
To add a CRL, proceed as follows:
1. On the Revocation Lists (CRLs) tab, click New CRL.
The Add CRL dialog box opens.
2. Make the following settings:
Name: Enter a descriptive name for this CRL.
CRL file: Click the Folder icon next to the CRL file box and select the CRL you
want to upload.
Comment (optional): Add a description or other information.
3. Click Save.
The new CRL appears on the list of revocation lists.
To delete a CRL click the button Delete of the respective CRL.
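What a relying party does with an uploaded CRL, as an added example in Python that is not UTM code: confirm the CRL was issued by the certificate's issuer, look up the serial number, and fail closed when the CRL is outside its thisUpdate/nextUpdate window. The CRL is a constructed, already-parsed structure (DER parsing is out of scope), and the issuer name and serial numbers are made up.

```python
"""Decide whether a certificate may be relied upon, given an uploaded CRL.

Added example, not UTM code.  It models what a relying party does with a
CRL: confirm the CRL was issued by the certificate's issuer, look up the
serial number, and fail closed when the CRL is outside its validity
window.  The CRL is a constructed, already-parsed structure; DER parsing
is out of scope here.
"""
from datetime import datetime, timezone


def parse_serial(value):
    """Accept an int, or a hex string as openssl prints it ('0A:1B:2C' or '0x0a1b2c')."""
    if isinstance(value, int):
        return value
    text = str(value).strip().replace(":", "")
    if text.lower().startswith("0x"):
        text = text[2:]
    return int(text, 16)


def _as_datetime(value):
    """Accept an aware datetime or an ISO 8601 string such as '2017-05-09T00:00:00+00:00'."""
    dt = value if isinstance(value, datetime) else datetime.fromisoformat(str(value))
    if dt.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return dt


def certificate_status(cert, crl, now=None):
    """Return 'good', 'revoked', 'crl-stale' or 'crl-wrong-issuer'.

    cert: dict with 'issuer' (DN string) and 'serial'.
    crl:  dict with 'issuer', 'this_update', 'next_update' and 'revoked'
          (serials in any form parse_serial accepts).
    now:  evaluation time; defaults to the current UTC time.
    """
    now = _as_datetime(now) if now is not None else datetime.now(timezone.utc)
    if cert["issuer"] != crl["issuer"]:
        # A CRL only speaks for certificates its own issuer signed; a list
        # from some other CA says nothing about this certificate.
        return "crl-wrong-issuer"
    if not _as_datetime(crl["this_update"]) <= now <= _as_datetime(crl["next_update"]):
        # Stale (or not yet valid) CRL: fail closed.  Treating an expired
        # list as "nothing revoked" would let a revoked certificate back in.
        return "crl-stale"
    revoked = {parse_serial(s) for s in crl["revoked"]}
    return "revoked" if parse_serial(cert["serial"]) in revoked else "good"


# Constructed sample data, not from a real PKI.  Serial 0A:1B:2C is written
# the way openssl prints it; 4711 is the same kind of field given as an integer.
SAMPLE_CRL = {
    "issuer": "C=DE, O=Example Corp, CN=VPN Signing CA",
    "this_update": "2017-05-01T00:00:00+00:00",
    "next_update": "2017-05-31T00:00:00+00:00",
    "revoked": ["0A:1B:2C", 4711],
}

if __name__ == "__main__":
    ca = SAMPLE_CRL["issuer"]
    for serial in ("0a1b2c", 4712):
        status = certificate_status({"issuer": ca, "serial": serial}, SAMPLE_CRL,
                                    "2017-05-09T12:00:00+00:00")
        print(serial, status)
```

The two failure results matter as much as "revoked": a CRL from the wrong issuer or past its nextUpdate must not be read as a clean bill of health, which is why an operator keeps the uploaded list current.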
18.4.4 Advanced
On the Site-to-site VPN > Certificate Management > Advanced tab you can re-generate
the VPN Signing CA that was created during the initial setup of the unit. The VPN Sign
ing CA is the certificate authority with which digital certificates are signed that are
used for remote access and site-to-site VPN connections. The old VPN signing CA will
be kept as verification CA.
Re-generate Signing CA
You can renew all user certificates using the current signing CA. This becomes relevant
once you have installed an alternative VPN Signing CA on the Certificate Authority tab.
Caution – The UTM and all user certificates will be re-generated using the new signing
CA. This will break certificate-based site-to-site and remote access VPN connections.
19 Remote Access
This chapter describes how to configure remote access settings of Sophos UTM.
Remote access using Sophos UTM is realized by means of Virtual Private Networks (VPNs), which are a cost-effective and secure way to provide remote users such as telecommuting employees with access to the corporate network. VPNs use cryptographic tunneling protocols such as SSL/TLS (OpenVPN), IPsec, L2TP over IPsec and PPTP to provide confidentiality and integrity for the data transmitted over them; of these, PPTP offers the weakest protection.
Cross Reference – More information on how to configure remote access VPN con
nections can be found in the Sophos Knowledgebase.
The UTM automatically generates necessary installation and configuration files for the
respective remote access connection type. Those files can be downloaded directly
from the User Portal. However, only those files are available to a user that correspond
to the connection types enabled for them, e.g., a user who has been enabled to use SSL
remote access will find an SSL installation file only.
Note – You can download remote access configuration files of all or selected users on
the Definitions & Users > Users & Groups > Users tab.
The Remote Access Status page contains an overview of all online users.
The following topics are included in this chapter:
• SSL
• PPTP
• L2TP over IPsec
• IPsec
• HTML5 VPN Portal
• Cisco VPN Client
• Advanced
• Certificate Management
19.1 SSL
The remote access SSL feature of Sophos UTM is realized by OpenVPN, a full-featured
SSL VPN solution. It provides the ability to create point-to-point encrypted tunnels
between remote employees and your company, requiring both SSL certificates and a
username/password combination for authentication to enable access to internal
resources. In addition, it offers a secure User Portal, which can be accessed by each
authorized user to download a customized SSL VPN client software bundle. This bundle
includes a free SSL VPN client, SSL certificates and a configuration that can be handled
by a simple one-click installation procedure. This SSL VPN client supports most busi
ness applications such as native Outlook, native Windows file sharing, and many more.
Cross Reference – More information on how to use the SSL VPN client can be found in
the Sophos Knowledgebase.
19.1.1 Profiles
On the Remote Access > SSL > Profiles tab you can create different profiles for remote
access users defining basic settings for SSL VPN access.
To configure an SSL VPN profile, proceed as follows:
1. On the Profiles tab, click New Remote Access Profile.
The Add Remote Access Profile dialog box opens.
2. Make the following settings:
Profile name: Enter a descriptive name for this profile.
Users and groups: Select the users or user groups or add new users that should
be able to use SSL VPN remote access with this profile. How to add a user is
explained on the Definitions & Users > Users & Groups > Users page.
Local networks: Select or add the local network(s) that should be reachable to
the selected SSL clients through the VPN SSL tunnel. How to add a definition is
explained on the Definitions & Users > Network Definitions > Network Definitions
page.
Note – By default, the SSL VPN solution of Sophos UTM employs so-called split tunneling: only traffic for the selected Local networks enters the tunnel, while the remote user reaches public networks such as the Internet directly at the same time. Split tunneling is disabled if you select Any in the Local networks field. All traffic will then be routed through the SSL VPN tunnel, and whether users can still reach a public network depends on your firewall and masquerading configuration on the UTM.
Automatic firewall rules: Select this option to automatically add firewall rules
that allow traffic for this profile. The rules are added as soon as the profile is
enabled, and they are removed when the profile is disabled. If you do not select
this option, you need to specify appropriate firewall rules manually.
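Split versus full tunneling expressed as the routes an OpenVPN server pushes to its clients, as an added example in Python that is not UTM code: the UTM builds its own client configuration, and this only models the behaviour of the Local networks field described above. The push directives are standard OpenVPN options; the sample networks and resolver address are constructed.

```python
"""Derive the routes an OpenVPN server pushes to remote access clients from a
profile's Local networks list, distinguishing split from full tunneling.

Added example, not UTM code: the UTM generates its own OpenVPN client
configuration, and this only models the behaviour the Profiles tab
describes.  'push "route ..."' and 'push "redirect-gateway def1"' are
standard OpenVPN directives.
"""
import ipaddress


def push_directives(local_networks, dns_server=None):
    """Return the push directives for a profile.

    local_networks: CIDR strings, or the single value "Any" (full tunnel).
    dns_server: optional resolver to push.  Assumption: it lives inside one of
    the pushed networks, so that name resolution keeps working in the tunnel.
    """
    nets = [str(n) for n in local_networks]
    if any(n.lower() == "any" for n in nets):
        # Full tunnel: the client's default route is replaced, split
        # tunneling is off, and Internet access now depends on the UTM's
        # firewall and masquerading rules.
        out = ['push "redirect-gateway def1"']
    else:
        # Split tunnel: only the listed networks traverse the VPN; everything
        # else keeps using the client's normal gateway.
        out = []
        for cidr in nets:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version != 4:
                raise ValueError(f"IPv4 only in this example: {cidr}")
            out.append(f'push "route {net.network_address} {net.netmask}"')
    if dns_server:
        out.append(f'push "dhcp-option DNS {dns_server}"')
    return out


def is_split_tunnel(directives):
    """True when no default-route redirect was pushed."""
    return not any("redirect-gateway" in d for d in directives)


def route_for(destination, local_networks):
    """Where a client sends a packet to `destination` under the profile: "vpn" or "direct"."""
    if not is_split_tunnel(push_directives(local_networks)):
        return "vpn"
    dst = ipaddress.ip_address(destination)
    for cidr in local_networks:
        if dst in ipaddress.ip_network(cidr, strict=False):
            return "vpn"
    return "direct"


if __name__ == "__main__":
    # Constructed sample profile: two internal networks, split tunneling
    profile = ["192.168.10.0/24", "10.0.0.0/8"]
    print("\n".join(push_directives(profile, dns_server="192.168.10.1")))
    for dst in ("192.168.10.7", "10.20.30.40", "203.0.113.5"):
        print(dst, "->", route_for(dst, profile))
```

Pushing a route only steers the packet into the tunnel; whether it is then allowed through is decided by the firewall, which is what the Automatic firewall rules option above adds for the selected networks.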
Comment (optional): Add a description or other information.
3. Click Save.
The new profile appears on the Profiles list.
To either edit or delete a profile, click the corresponding buttons.
Note – The Remote Access menu of the User Portal is only available to users who are selected in the Users and groups box and for whom a user definition does exist on the UTM (see Definitions & Users > Users & Groups > Users). Authorized users who have successfully logged in to the User Portal find the SSL VPN client software bundle as well as a link to installation instructions, which are available at the Sophos Knowledgebase. Downloading may fail with some browsers on Android if the CA certificate is not installed or if the hostname does not match the common name in the portal certificate. In this case, the user needs to install the CA certificate or try another browser.
Open Live Log
The OpenVPN Live Log logs remote access activities. Click the button to open the live
log in a new window.
19.1.2 Settings
On the SSL > Settings tab you can configure the basic settings for SSL VPN server con
nections.
Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL.
Changes applied here always affect both SSL configurations.
Server Settings
You can make the following settings for the SSL VPN connection:
• Interface address: Default value is Any. When using the web application firewall you need to give a specific interface address for the service to listen for SSL connections. This is necessary for the site-to-site/remote access SSL connection handler and the web application firewall to be able to differentiate between the incoming SSL connections.
• Protocol: Select the protocol to use. You can choose either TCP or UDP. UDP avoids the retransmission interaction of a TCP tunnel carrying TCP traffic and is the usual choice; TCP on port 443 is useful where clients sit behind networks that only pass HTTPS.
• Port: You can change the port. The default port is 443. You cannot use port 10443, the SUM Gateway Manager port 4422, or the port used by the WebAdmin interface.
  Note – Changing the port will also change the remote access configurations and the end-users have to download the new remote access configurations from the User Portal. For more information, see User Portal > User Portal: Remote Access.
• Override hostname: The value in the Override hostname field is used as the target hostname for client VPN connections and is by default the hostname of the gateway. Only change the default if the system's regular hostname (or DynDNS hostname) cannot be reached under this name from the Internet.
Virtual IP Pool
Pool network: This is the virtual IP address pool from which the SSL clients are assigned their tunnel addresses. By default, the VPN Pool (SSL) is selected. If you select a different address pool, its prefix length must lie between /16 and /29: OpenVPN cannot handle address pools whose netmask is /30, /31 or /32, and the UTM does not accept a netmask shorter than 16 bits. Choose a pool that does not overlap any local network reachable through the tunnel, otherwise the routes to those hosts are ambiguous.
Duplicate CN
Select Allow multiple concurrent connections per user if you want to allow your users to connect from different IP addresses at the same time. When disabled, only one concurrent SSL VPN connection is allowed per user: a second connection with the same certificate replaces the first, so a copied client bundle cannot be used alongside the legitimate one unnoticed. Enable the option only where a user genuinely needs several devices connected at once.
19.1.3 Advanced
On the SSL > Advanced tab you can configure various advanced server options ranging
from the cryptographic settings, through compression settings, to debug settings.
Note – This tab is identical for Site-to-site VPN > SSL and Remote Access > SSL.
Changes applied here always affect both SSL configurations.
Cryptographic Settings
These settings control the encryption parameters for all SSL VPN connections, remote access and site-to-site alike, since the tab is shared:
• Encryption algorithm: The encryption algorithm specifies the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported, all in Cipher Block Chaining (CBC) mode:
  • DES-EDE3-CBC (Triple DES, 64-bit block)
  • AES-128-CBC (128 bit)
  • AES-192-CBC (192 bit)
  • AES-256-CBC (256 bit)
  • BF-CBC (Blowfish (128 bit), 64-bit block)
  Prefer an AES variant; the two 64-bit block ciphers leak plaintext through block collisions on long-lived, high-volume tunnels (SWEET32).
• Authentication algorithm: The authentication algorithm specifies the HMAC used for checking the integrity of the data sent through the VPN tunnel. Supported algorithms are:
  • MD5 (128 bit)
  • SHA-1 (160 bit)
  • SHA2 256 (256 bit)
  • SHA2 384 (384 bit)
  • SHA2 512 (512 bit)
  Select a SHA2 variant; MD5 and SHA-1 are deprecated hash functions and have no place in a new deployment.
• Key size: The key size (key length) is the size of the Diffie-Hellman parameters used for the key exchange. The longer this key is, the harder the negotiated symmetric keys are to recover. The length is specified in bits. You can choose between a key size of 1024, 2048, 3072 or 4096 bits; use 2048 bits or more.
• Server certificate: Select a local SSL certificate to be used by the SSL VPN server to identify itself to the clients.
  Note – The UTM does not support wildcard certificates or certificates signed by an intermediate CA in the SSL VPN.
• Key lifetime: Enter a time period after which the key will expire and be renegotiated. The default is 28,800 seconds (8 hours).
Compression Settings
Compress SSL VPN traffic: When enabled, all data sent through SSL VPN tunnels will be compressed prior to encryption. Compression before encryption lets an attacker who can inject chosen data into the tunnel recover secrets from the ciphertext length (the VORACLE attack against OpenVPN); leave it disabled unless you have measured a need for it.
Debug Settings
Enable debug mode: When enabling debug mode, the SSL VPN log file will contain exten
ded information useful for debugging purposes.
19.2 PPTP
Point-to-Point Tunneling Protocol (PPTP) allows single Internet-based hosts to access internal network services through an encrypted tunnel. PPTP is easy to configure and requires no special client software on Microsoft Windows systems. Be aware that PPTP's encryption (MPPE) is keyed from the MS-CHAPv2 exchange, and MS-CHAPv2 can be broken offline by an attacker who captures the handshake; treat PPTP as a compatibility option rather than strong protection, and use SSL or IPsec remote access wherever the client supports it.
PPTP is included with versions of Microsoft Windows starting with Windows 95. In order to use PPTP with Sophos UTM, the client computer must support the MSCHAPv2 authentication protocol. Windows 95 and 98 users must apply an update to their systems in order to support this protocol.
19.2.1 Global
To configure global PPTP options, proceed as follows:
1. On the Global tab, enable PPTP remote access.
Click the toggle switch.
The toggle switch turns amber and the Main Settings area becomes editable.
2. Make the following settings:
Authentication via: Select the authentication mechanism. PPTP remote access only supports local and RADIUS authentication.
• Local: If you select Local, specify the users and user groups who should be able to use PPTP remote access. It is not possible to drag backend user groups into the field. Until a user account has been specified, PPTP remote access cannot be activated.
  Note – Username and password of the selected users may only contain ASCII printable characters (http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters).
  Note – Similar to SSL VPN, the Remote Access menu of the User Portal is only available to users who are selected in the Users and groups box and for whom a user definition does exist on the UTM. Authorized users who have successfully logged in to the User Portal will find a link to installation instructions, which are available at the Sophos Knowledgebase.
• RADIUS: RADIUS can only be selected if a RADIUS server has been previously configured. With this authentication method users will be authenticated against an external RADIUS server that can be configured on the Definitions & Users > Authentication Services > Servers tab. The Users and Groups dialog box will be grayed out. However, its settings can still be changed, which has no effect. The RADIUS server must support MSCHAPv2 challenge-response authentication. The server can pass back parameters such as the client's IP address and DNS/WINS server addresses. The PPTP module sends the following string as NAS-ID to the RADIUS server: pptp. Note that when RADIUS authentication is selected, local users cannot be authenticated with PPTP anymore. Note further that clients must support MSCHAPv2 authentication as well.
Assign IP addresses by: IP addresses can be either assigned from a predefined IP address pool or distributed automatically by means of a DHCP server:
• IP Address pool: Select this option if you want to assign IP addresses from a certain IP range to the clients gaining remote access through PPTP. By default, addresses from the private IP space 10.242.1.0/24 are assigned. This network definition is called the VPN Pool (PPTP) and can be used in all network-specific configuration options. If you want to use a different network, simply change the definition of the VPN Pool (PPTP) on the Definitions & Users > Network Definitions page. Alternatively, you can create another IP address pool by clicking the Plus icon next to the Pool network text box. Note that the netmask is limited to a minimum of 16.
• DHCP server: If you select DHCP server, also specify the network interface through which the DHCP server is connected. The DHCP server does not have to be directly connected to the interface; it can also be accessed through a router. Note that the local DHCP server is not supported; the DHCP server selected here must be running on a physically different system.
3. Click Apply.
Your settings will be saved.
The toggle switch turns green.
Live Log
The PPTP daemon live log logs all PPTP remote access activities. Click the button to
open the live log in a new window.
19.2.2 iOS Devices
You can enable that iOS device users are offered automatic PPTP configuration in the
User Portal.
However, only users that have been added to the Users and groups box on the Global tab
will find configuration files on their User Portal site. The iOS device status is enabled
by default.
Connection name: Enter a descriptive name for the PPTP connection so that iOS device
users may identify the connection they are going to establish. The default name is your
company name followed by the protocol PPTP.
Note – Connection name must be unique among all iOS device connection settings
(PPTP, L2TP over IPsec, Cisco VPN Client).
Override hostname: If the system hostname cannot be publicly resolved by the client, enter a server hostname here. It overrides the UTM's internal preference order, which otherwise uses the DynDNS hostname first and the system DNS hostname second.
To disable automatic iOS device configuration, click the toggle switch.
The toggle switch turns gray.
19.2.3 Advanced
On the Remote Access > PPTP > Advanced tab you can configu