T-Mobile Wi-Fi Calling Issues with Sophos UTM


For those of you who may not be familiar with T-Mobile, one of the features that they offer (tout, really) is their Wi-Fi calling. It’s a great feature, especially if you live in an area with crappy reception.

As I live pretty much at the edge of the city, the coverage I have is not great.  It works most of the time, but sometimes the signal drops out, or isn’t completely reliable.   So Wi-Fi calling is incredibly helpful.

For a long while, I had just allowed the specific device through the firewall, unobstructed. But I really hate that. I like having a list of “holes” that are being used by the services on the network, and restricting it to just that.

So when I was pruning and cleaning up my firewall list, I decided to really dig into this issue. And let me tell you, T-Mobile is shit here. They give some super brief description about the issues.  And their guide to fix it? “Disable your firewall”.  Might as well tell me to take a hammer to my phone, because that’s how it makes me feel.

One of the nice things about Sophos UTM is the logging. It’s very, very helpful, if you know what you’re looking at.

So, I allowed everything, and then watched as I placed a call to my voicemail.

The main connection uses UDP port 4500, the same port used in VPNs. Not entirely surprising, as encapsulating the traffic is a good idea (i.e. it’s secure).

However, allowing traffic out on that port wasn’t enough. After restricting the traffic and allowing that port, I got stuck with an “ER04: DNS Error” warning.

Fun.

So it definitely looks like they’re using a VPN for secure communication. Which is fantastic. Now, if they actually admitted that, rather than giving out wrong information on their customer service site.

Specifically, to get Wi-Fi Calling enabled, I had to allow VPN and IPSec communication out, as well as TCP/UDP (probably just need UDP, but just in case) port 5228. T-Mobile customer service lists port 5061 (SIP over SSL) as the port being used, but I didn’t see this in use at all.

Worse yet, the IP block range the customer service agent listed wasn’t even what was being used. At all.

All in all, T-Mobile needs to fix their information and actually DOCUMENT their error codes. Not just post generic info and hope people don’t stress the fuck out.

But to summarize again.

Add a firewall rule that is:

Internal (Network) -> VPN, IPSec, SIP over SSL, TCP/UDP Port 5228 -> Any

Add this rule, enable it, and reboot your phone. Then you should be able to enjoy Wi-Fi calling (though you may want to add “IPSec” to a QoS rule to ensure priority).
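The approach used above (allow everything, watch the log, then restrict) can be scripted. This is an added example, not part of the original post: it tallies protocol/destination-port pairs for one device from packet filter log lines and lists what a candidate allow list would still drop. The log lines are constructed samples in a key="value" layout, and the phone's address and the expansion of the rule's service names into protocol/port pairs are assumptions.

```python
import re
from collections import Counter

PROTO = {"6": "tcp", "17": "udp", "50": "esp"}  # IP protocol numbers
KV = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample lines (not a real capture), key="value" style.
SAMPLE_LOG = """\
2016:01:10-19:02:11 fw ulogd[4211]: sub="packetfilter" action="accept" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" srcport="51234" dstport="500"
2016:01:10-19:02:12 fw ulogd[4211]: sub="packetfilter" action="accept" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" srcport="51235" dstport="4500"
2016:01:10-19:02:13 fw ulogd[4211]: sub="packetfilter" action="accept" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" srcport="51235" dstport="4500"
2016:01:10-19:02:14 fw ulogd[4211]: sub="packetfilter" action="accept" srcip="192.168.1.50" dstip="198.51.100.7" proto="6" srcport="40112" dstport="5228"
2016:01:10-19:02:15 fw ulogd[4211]: sub="packetfilter" action="accept" srcip="192.168.1.77" dstip="198.51.100.9" proto="6" srcport="40999" dstport="443"
2016:01:10-19:02:16 fw ulogd[4211]: truncated line without fields
"""

def observed_flows(log_text, device_ip):
    """Count (protocol, destination port) pairs sent by one device."""
    flows = Counter()
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if f.get("sub") != "packetfilter" or f.get("srcip") != device_ip:
            continue  # other subsystem, other host, or malformed line
        proto = PROTO.get(f.get("proto"), f.get("proto", "?"))
        # Protocols such as ESP carry no port; record them as port 0.
        flows[(proto, int(f.get("dstport", 0)))] += 1
    return flows

def uncovered(flows, allowed):
    """Flows that a candidate allow list would still drop."""
    return sorted(flow for flow in flows if flow not in allowed)

PHONE = "192.168.1.50"  # hypothetical address of the phone
flows = observed_flows(SAMPLE_LOG, PHONE)
first_try = {("udp", 4500)}  # only the main connection's port
# Assumed expansion of "VPN, IPSec, SIP over SSL, TCP/UDP 5228" into pairs.
final_rule = {("udp", 500), ("udp", 4500), ("esp", 0),
              ("tcp", 5061), ("tcp", 5228), ("udp", 5228)}

if __name__ == "__main__":
    print("observed:", dict(flows))
    print("dropped by first try:", uncovered(flows, first_try))
    print("dropped by final rule:", uncovered(flows, final_rule))
```

Any allow-list entry that never shows up in the observed flows is a candidate for removal when pruning the rule further.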

Posted in Networking, Rants, Sophos

Sophos UTM and the ARRIS/Motorola Cable Modem Exploit


If you haven’t heard about it by now, there is a recent exploit that allows a maliciously designed website to trigger a reset of certain ARRIS (formerly Motorola) Cable Modems.

The common way to do this is with an img tag: loading the image makes the browser request the modem’s URL, which triggers the reboot process, which can take up to 30 minutes to complete.

This doesn’t affect all of them, but only a certain model. However, if you’re paranoid at all, there is no harm in blocking access to the cable modem.

There are two ways to do this: drop all traffic to the cable modem (which doesn’t affect internet traffic), or filter out the specific URL used to do this.

Read more ›

Posted in Announcements, Networking, Sophos

Sophos UTM and Wireless Access Points


For a long while, I’ve been using a Linksys router flashed with DD-WRT. It worked well enough and functioned fine. However, it’s been on its last legs and has been randomly power cycling frequently. So it was time to replace the wireless, and because I am using Sophos UTM, I figured it would be a good idea to use a Sophos Wireless Access Point.

To start off with, the Sophos APs are not exactly cheap. These are enterprise-grade access points, and support a lot of features. For instance, a single AP device can host multiple wireless networks. But you’re paying for quality and, more importantly, integration with Sophos UTM.

Read more ›

Posted in Networking

Sophos XG Firewall Port Forwarding


Like in previous posts, I’m skipping the normal “junk” (installation). I’ll come back to it later, but I want to cover this right away. The reason for this is that the port forwarding (NAT) section is …. beyond confusing, and I think completely unnecessary.

To anyone from Sophos reading this, please, fix the UI. It’s broken, stupid and actively harms your user base. Unless the goal is to force administrators to pay for training on how to use the clusterfuck that is the new UI …. you’ve completely failed here. COMPLETELY.

That said, let’s cover how to successfully forward ports on Sophos XG Firewall.

WARNING:  If you’ve already read through this, re-read. Things have changed. Some stuff didn’t work right… and broke access internally to the forwarded ports (in my case, web traffic).


Read more ›

Posted in Networking, Rants

Sophos Copernicus


If you’re wondering why I don’t have a bunch of new guides for Sophos UTM out, that’s because there is a new version of it being worked on and released in the near future (Q1 of 2016 is expected for the release period).

It is a huge and significant overhaul to the UI and the entire system. Things such as the web filter are supposed to be significantly more efficient (less load time delays).

You can find the beta for download, but I don’t plan on releasing any more guides until it’s closer to release.

Posted in Networking, Releases

Data Deduplication


So, I’ve been playing with storage lately. Mainly because I’ve been planning on moving my HyperV files to a faster drive due to some poor performance. While looking for solutions, I came across the idea of data deduplication.

Now, why is data deduplication an attractive idea here? Because it stores specific ranges of data only once. While this may not be important to most, I store a VM of each Windows operating system (Vista and Server 2008, and up). That is a lot of duplicate data being stored on the drive.

In fact, Microsoft estimates that you can save 80-95% space. That is a significant savings. In practice, I’m seeing about 75% savings. That means that I can reliably use a single SSD drive to host HyperV.

Additionally, Microsoft estimates that you can get about 70-80% savings for “distribution shares”, specifically shares used for installers and updates. If you’re planning on rolling out WSUS, it may be a great idea for the storage used for the updates, as it could save a considerable amount of space (in theory).

However, accessing the data can be rather intensive, and can be fairly slow on a spinning hard drive, especially when copying a lot of data from the drive. That means that if you want to use Data Deduplication, you need to use Storage Spaces, RAID or an SSD. Something that will (potentially) be much faster than a normal hard drive.

Additionally, Data Deduplication is only supported on Server 2012, Server 2012R2 and Storage Server 2012R2. That applies to the built-in feature; a 3rd party implementation could be used on any supported OS.

However, this means that it is not supported on Windows Server 2012R2 Essentials, the operating system that I am using.  This means that it’s not available by default, and requires both access to Windows Server 2012R2 Standard/Datacenter for the files, and hacking the feature in.

I’ll cover that later if there is demand (or if I feel like adding it).

Posted in X:Files Edition

Unexpected Downtime


Because I was trying to install a new graphics card on my server… It BSODed at some point and damaged system files.

I’m running Server 2012 R2 Essentials, so it’s a domain controller. Somehow the file system got corrupted and prevented LSASS from loading. This is a key part of Windows and “bad things happen” if it can’t load right or is terminated.

Specifically, I was getting a “2e2” BSOD from the system. I was able to get into the “Directory Services Recovery Mode” option. This is basically a safe mode for Active Directory.

Due to a couple of issues, I suspected a disk error. I was right. Ran a chkdsk on the system and it started booting just fine!!

 

Just wanted to post this for anyone else that ran into this weird BSOD.

Posted in Announcements

An Exercise in Frustration: Fine Tuning the Web Filter in Sophos UTM


Everything up until now regarding the Web Filter has been a cake walk by comparison. I’m not saying it’s been easy, but fine tuning the web filter, adding exceptions and the like is going to be the hardest part of this by far.

I’m going to cover some of the basic services that you’ll need here, and maybe a bit of how to troubleshoot to identify future issues. But this part will cover the part that has caused me the most frustration and the most time.

Unfortunately, not every website, platform or app supports the Web Filter, even when you have the CA Certificate installed. In fact, some programs keep their CA certificate store outside of the OS, making it problematic.

Read more ›

Posted in Networking

An Exercise in Frustration: Setting up Web Filter Certificates in Sophos UTM


By now, you may be tired of looking at the web filter stuff. However, we’ve only just gotten started.

Right now, the filtering may be enabled, but chances are that you are seeing certificate errors for every HTTPS website you’re visiting. To fix that, we need to use a Signing CA Certificate. This will be used to re-encrypt the HTTPS traffic. Not only does that need to be installed into Sophos, but you must also install it into each and EVERY client that will be accessing the internet behind the router.

Well, for the most part.

Since a lot of people looking at this guide will be from the Home Server communities, chances are that you’ll have a server that is also a Certificate Authority (CA).

Read more ›

Posted in Networking

An exercise in frustration: Setting up Web Filtering on Sophos UTM


Overall, Sophos is a great platform. And part of what adds to that greatness is the web filtering options. By default, it gives a bunch of options that can be filtered out by default. Most of these are suited for a business setting, but it definitely works well for the home environment. In fact, it features an inline download virus scanner.

However, because of its complexity, and because some programs may not like what it is doing, it is one feature that may require the most tweaking to get everything working just right.

First thing first here: If you’re not willing to spend hours reading logs and testing out rules just to get everything working just right, and not willing to listen to your wife or significant other bitch because they can’t access Facebook/YouTube/Hulu or whatever iOS/Android game of the week for a few hours…..

Then set the HTTPS service to “URL Filtering” and not “Decrypt and scan”, or just turn off the Web Filter feature altogether. Read more ›

Posted in Networking