Installing Sophos UTM

Well, I apparently missed doing this. And there are some important steps here, because the installation for Sophos UTM isn’t as turnkey as it could be. There are some specific things you have to do before it’s 95% up and running.

So we are going to cover that here.

The first thing to do is to … well, start the installation. I’ve tried using some of the “pendrive” tools, as well as Rufus. They don’t seem to work properly. So you’ll need a CD or DVD to burn the image to, or some other way to load an ISO directly. Then you will need to download the latest ISO from here. You want the “UTM ISO for software and virtual appliances” section; download the latest ISO from there. You will then want to register for the Home license here.

Once you have the ISO/CD/DVD ready for installation, it’s time to boot into it on the device you’re going to use. This is the screen that you’ll be greeted with:

Sophos Boot

Hit “Enter” and start the installation. This will immediately take you to the next screen, which will inform you that it will format the attached hard drive. That’s fine, as it’s what we want. Hit “Enter” again, and let’s get this started!

The next screen is a hardware detection wizard. Let that run, and detect the hardware. Make sure that it detects the hard drive and the network adapters. Also, this installer is smart enough to know if you’re running it as a VM (and to install the appropriate drivers).

Installation hardware profile

Once you’ve verified the hardware, hit “OK”, and select the language, time zone, date and time. The next page asks which network adapter that you want to use for the “WebAdmin user interface”. This is asking which adapter is to be the internal “LAN” adapter. Select whichever one you want, and hit “Next”.

Installation Select NIC

The next page asks for the IPv4 configuration for the LAN adapter. You don’t need to set up a gateway for this, as that will be done later on. Once you’ve set the IP address to what you want, hit “Next”.

Installation Set LAN IP

If you have a 64-bit capable CPU, the next page will ask you if you want to install the 64-bit kernel instead of the 32-bit one. Given the disclaimer, I would definitely recommend the 64-bit kernel. If you have issues, you’ll need to reinstall and select the 32-bit kernel.

Installation Set Kernel Architecture

The next page is for GPL compliance. Since Sophos UTM (aka Astaro) is based on Linux, they need to include this message. Since we want what makes Sophos UTM unique, we absolutely want to install all of these tools. So, select “Yes” here.

Installation FOSS GNU Crap

Now, it confirms that you want to wipe the drive. Since this is required to proceed, select “Yes”.

Installation FORMAT

Now, it will proceed to partition, format, and install the OS and packages required to work onto the system. This will take a while, depending on the hardware in question. It may be time to sit back and have a beer now.

Installation beer

Once it’s done installing everything, you will see the completion screen. Note the URL on the screen. You will need to use this to finish the setup for the Sophos UTM router.

Installation DONE

From here, remove whatever you used to install Sophos UTM. Then reboot it. Give it a while, and you’ll eventually see the following image.

First Boot2

Once you see this screen, Sophos will be accessible over the network. Unfortunately, the DHCP server is not configured by default. This means that you will have to set an address manually on a client computer. Use an IP address that is within the appropriate subnet (such as 192.168.2.10, based on the examples here).

Once you have done that, log into the web interface for your Sophos router and start the setup.

Screenshot 2014-09-14 14.19.48

Set the “Hostname” to be the full URL that you want for the router. If you have a domain controller, then something like “sophos.domain.local” would be best for the hostname (change “domain.local” to match your domain). Otherwise, “sophos” should be fine here.

As for the rest of the information, fill it out as you want, and then check the “I accept the license agreement” and click on the “Perform basic system setup”. This will refresh the page and require you to log in with the credentials that you’ve just provided.

Screenshot 2014-09-14 14.20.57

Once you’ve logged in, it will start setting up everything. Yes, this is an extra step, but Sophos is marketed as a turnkey solution. It means that this is the step you’d see when you bought the box, not the initial installation.

Also, once you log in, it will prompt you about restoring from a backup or continuing with the setup wizard. If you have a backup of the router, load it here and you’ll be done. Otherwise, “Continue” with the setup.

Screenshot 2014-09-14 14.21.15

The next page asks you to install the license file. You get this by registering for the Home license. If you don’t already have this file, no worries. Just continue on, and it will set up a 30-day trial (useful to see what your usage is actually like).

Screenshot 2014-09-14 14.21.21

The next page asks for the LAN configuration information again. You can change it here (again), or leave it. It also asks you if you want to set up DHCP. Since you most likely do, enable it and configure the range of IP addresses that you want to use. Since Sophos only really supports 50 active IP addresses for home use, you may want to limit it to that many devices (for simplicity).

Screenshot 2014-09-14 14.22.00

The next page asks you about the WAN settings. Choose the adapter that you want to use and the correct “type” for the adapter.

Screenshot 2014-09-14 14.22.18

The next page is a list of the “Allowed Services”. These are the ports that will be open by default. Check the “Web (HTTP, HTTPS)”, “Email (SMTP, POP3, IMAP)”, and “DNS (outgoing)” options. Any service that is not checked here will not be able to connect to the outside internet. If you want, check the FTP and Terminal services options as well. As for the Ping settings, it would definitely be more secure to uncheck both of the Ping options, but that’s up to you.
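To make the “anything not checked here can’t get out” behaviour concrete, here is an added example (not code from the post or from Sophos) that models the Allowed Services page as a default-deny egress policy: each checkbox is a group of service definitions, and a connection is allowed only if some checked definition matches its protocol and port. The port numbers are the standard IANA assignments for the named protocols, not values taken from the page; the `Service` class, the group names and the sample connection list are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    """One service definition: a name plus the protocol/port it matches."""
    name: str
    proto: str   # "tcp" or "udp"
    port: int


# Groups corresponding to the wizard's checkboxes (hypothetical modelling;
# port numbers are the standard IANA assignments, not taken from the post).
WEB = {Service("HTTP", "tcp", 80), Service("HTTPS", "tcp", 443)}
EMAIL = {Service("SMTP", "tcp", 25), Service("POP3", "tcp", 110),
         Service("IMAP", "tcp", 143)}
DNS = {Service("DNS", "udp", 53), Service("DNS", "tcp", 53)}
FTP = {Service("FTP", "tcp", 21)}


def build_policy(*checked_groups):
    """Union of every checked group; everything else is implicitly denied."""
    policy = set()
    for group in checked_groups:
        policy |= group
    return frozenset(policy)


def add_group(policy, services):
    """Model adding a Definitions 'group' later (e.g. to allow one more
    protocol), returning a new policy so the original stays unchanged."""
    return frozenset(policy | set(services))


def egress_allowed(policy, proto, port):
    """Default deny: True only if some allowed definition matches exactly."""
    return any(s.proto == proto and s.port == port for s in policy)


def evaluate(policy, connections):
    """Decide each (proto, port) attempt; returns a list of 'allow'/'deny'."""
    return ["allow" if egress_allowed(policy, proto, port) else "deny"
            for proto, port in connections]


# Constructed sample of outbound attempts a home LAN might make:
# HTTPS, DNS, NTP (udp/123) and a peer-to-peer wallet port (tcp/8333).
SAMPLE_CONNECTIONS = [("tcp", 443), ("udp", 53), ("udp", 123), ("tcp", 8333)]

# Policy as the post recommends: Web, Email and DNS checked, FTP left off.
DEFAULT_POLICY = build_policy(WEB, EMAIL, DNS)


if __name__ == "__main__":
    for (proto, port), verdict in zip(SAMPLE_CONNECTIONS,
                                      evaluate(DEFAULT_POLICY, SAMPLE_CONNECTIONS)):
        print(f"{proto}/{port}: {verdict}")
    # Allowing NTP explicitly afterwards is a one-group change:
    with_ntp = add_group(DEFAULT_POLICY, {Service("NTP", "udp", 123)})
    print("udp/123 after adding NTP:", evaluate(with_ntp, [("udp", 123)])[0])
```

Running it shows that only the web and DNS attempts pass while NTP and the wallet port are dropped, which is exactly the situation the comments below describe when they mention having to open UDP 123 and 8333 one service at a time; adding a group flips a single verdict without widening anything else.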

Screenshot 2014-09-14 14.22.33

The next page is for the “Advanced Threat Protection Services”. Since this is meant to protect your network against intrusion, or from reporting back to a C&C server, I highly recommend making sure both options are enabled here.

Screenshot 2014-09-14 14.22.42

The next page is for the Web Protection settings. This is for the web proxy. I would recommend enabling the “Scan sites for viruses” option here. Also check any other categories that you want to block.

A note here, you may want to reconfigure this later to work better for your network.

Screenshot 2014-09-14 14.23.12

The next page is for email protection. Check the options that you want. I would recommend the “Scan email fetched over POP3” option.

Screenshot 2014-09-14 14.23.18

And the next page is the final one. This will list all the configurations that you’ve enabled. Click on “Finish” and your “super router” is good to go.

Screenshot 2014-09-14 14.23.27

And the final page it shows you will be the dashboard for Sophos. From here, you can get a good look at everything in the system and get to just about everything, quickly.

Screenshot 2014-09-14 14.23.38

From here, you can start using your network just fine. Don’t forget to change your IP address back to a dynamically assigned address!

And don’t forget to check out the post on how to configure the firewall (as it is very draconian).

Author: Drashna Jael're

31 thoughts on “Installing Sophos UTM”

  1. I recently had to do a re-install after I screwed up the certificates on my box. Luckily I had backed up the settings to another machine and the whole re-install took only about 15 minutes. Anyway, I wanted to point out that there is a way to use a USB pendrive to install from. I found this info buried in the Sophos forums…

    “When using actual Sophos UTM ISO ssi-9.205-12.1.iso and used Rufus to build a bootable USB. I started the installation, and went immediately to ALT+F2 and typed mount /dev/sdb1 /install
    The error was gone, and installation succeeded!!!”

  2. Kevin, thanks for the tip!
    I’d tried using Rufus without success. However, I’m glad that there is a solution. Would be nice if it was simpler, or that I was more familiar with Linux (so I could include it).

    1. You’re more than welcome 🙂

      It really is as simple as it sounds.

      1. When you get to the black screen from your first screenshot, type ‘Alt+F2’ on your keyboard. This will switch to a console window.

      2. In that console window type ‘mount /dev/sdb1 /install’. This mounts the pendrive to the /install directory so the installer can find the files.

      3. Last step is to type ‘Alt+F1’ to get back to the black screen from your first screenshot and continue the install as normal.

  3. Well, by simpler, I mean automated. That can be done to the installer so I don’t have to remember this.

    But yes, this is definitely simple. However, I have a CD for it now, so I’m good. 🙂

  4. Thanks for the guide Drashna!.. been a huge help. I’ve got it running in HyperV Server 2012 R2, and it’s working great. I too am coming from Pfsense, and am loving this.

    Although, setting up definitions is a bit clunky with not being able to aggregate multiple individual ports in a single rule, but doable. For example, I’ve had to make 5 definitions for League of Legends. I can then build a group for them to make assignments in network services easier, no big deal.

    It has me at least thinking more about what I’m doing, keeping me security conscious.

    1. I’m not sure if I covered it in my firewall guide, but if you’re just allowing ports….. go to the “Definitions” page, and set up service definitions. Create definitions for all the ports needed, and then create a “Group” for all of them. Then you can add this Group to the firewall definitions. It’s a bit more work, but it makes management 10x easier.

  5. Ditto. I got it going in a couple of hours with the help of this site. Only a couple of hitches that I am working on. Came from Untangle.

  6. I have a problem with DownloadStudio which I have posted in their forums.

    “Been using DownloadStudio with great success for 6 months. I have changed my router from Untangle to Sophos (Home Edition) and now downloads have slowed. The Job Queue shows a number of connections open and start to load but in seconds reduce to one connection only. Any ideas? ”

    No reply so far! Also, I have a feeling that opening websites is a little slower which may be due to the fact I did as you suggested and checked both threat protection engines. My box is an overkill as you say. 8GB 1600 Ram and Xeon E3-1230V3 4 core CPU.

    I would have taken hours to work out how to allow my Usenet to work (using Astraweb) had it not been for your fine tutorial “Learning to use Sophos’ Firewall”

    I would have been lost without the 4 posts.

    PS.

    I just love SuperMicro IPMI and IPMIView. Have used ASUS MB’s for 20 years but am now a convert.

    1. DownloadStudio appears to be a download manager.
      If that is the case, then it really depends on what you’re downloading, and more importantly, HOW (which protocol).

      If you’re using the web protection option (the web filter), then this would most likely be the cause of the slow down. It’s set up as a transparent proxy, for HTTP and HTTPS traffic (and a few other ports, as well).
      Since it’s being inspected first and then allowed, it could be the cause.

      If you are downloading from one specific site (or top level domain, at least), add that site to the “skip hosts” section. That is located under Web Protection -> Filter options -> Misc tab. Add it to the destination network section. However, if this is a dedicated download box, you may want to add the system to the “source” network, to completely bypass the web filter.

      Additionally, if you do suspect that it’s being caused by the Intrusion Prevention, you can open its settings and add an exception for the machine, or destination (add a DNS host if you need to).

      As for the IPMI, it is definitely very nice. I’ve been using it on an ASRock RACK board, and like it. The only issue is that it uses Java (not sure about Supermicro’s implementation, but I suspect the same).
      However, I really do like Intel vPro/AMT. It uses VNC to do it. The downside is the $100 price tag to get Viewer Pro to be able to mount ISOs over the network (otherwise, you can use VNC).

      1. I DL’d a 50MB file and it took 16 minutes. Turned webfiltering off and DL’d a 60MB file from the same site. It took less than 2 minutes. So you are correct. I only have about 4 sites I need to get podcasts from so I can add them. So say I want to add http://homeservershow.com/feed I guess I must first define it somewhere under Definitions & Users, Network Definitions then add it to the skip host.

        1. Ah, yeah, definitely the web filter then.
          You can either add an exception for the site, specifically, or add the entire domain to the “skip list” in the misc tab.
          Both are under “filter options”, under web protection.
          And yes, you’d need to add a definition. However, you can do it “right then and there”. Just click on the “+”, and create a DNS host.

          In fact, Web filtering is the next post for Sophos I planned on covering.

  7. Another block seems to be the time sync. Interestingly I can find no reference on Google. Perhaps it is not a problem with a server using a domain controller as most Sophos users would be. Anyhow my clients could not sync to internet time servers. Simply allowing UDP port 123 solved the problem.

    As you have stated the great advantage (and to some disadvantage) of Sophos is that from the get go it stops most services so you have to one by one allow the services you require into your LAN. This is the safest way to set up a UTM.

    1. Yeah, it blocks everything not explicitly allowed.
      I do talk about this, and how to enable “normal router functionality” in one of the firewall posts. But it is definitely better to whitelist stuff. But it can make it difficult for home use, sometimes.

      Also, I’ve found that http://portforward.com/ is a great resource for figuring out which ports are used by a specific application.

      1. I agree. It’s safer to add the ones you need as you go. Just found another 8333 for Bitcoin Wallet Sync.

  8. Great guide. Thank you! I am a noob with all this stuff. I installed Sophos and am in the process of accessing the http for set up. My question is this, even though most will laugh. Do I have the unit that Sophos is installed on connected to my modem (via one NIC), and my switch (via the second NIC) before I do the setup? Was I suppose to have it that way before I did the install? What I did was have one NIC connected to my switch so that it was attached to the network during install. I just want to be sure before I proceed.

    Thanks

    Patrick

    1. It doesn’t really matter, as long as it doesn’t share the same IP address as any other device on the network.

      Personally, I set it up before putting it “into production”. Once I had it setup, then I connected it to the modem and switch.

      However, you can connect it first and then set it up if you want. It doesn’t really matter. At least not to Sophos.

  9. Ummm. I didn’t make it very far. I realize that this is basic networking stuff, but what should I set my client network settings to?
    default gateway is 192.168.1.1
    submask is 255.255.255.0
    ip address is 192.168.1.103

    If I try to create a static ip address of 192.168.2.10 I lose connection. I need to access 192.168.2.100:444

    1. How are you creating the static IP address?
      And is this for an internal client or for the router?

      If it’s for a client, go to “Definitions & Users” and create a network definition. Set it up as a “host”. Specify an IP address, and add the MAC address (under advanced).

      If this is for the router, internal or external?
      Internal? Then make sure that the DHCP scope is also changed to match the new information.
      External, make sure this is a valid range for the network it’s connected to.

  10. I am setting this up in my home network, nothing advanced. In Windows 7, I go to network settings>local area connection>internet protocol version 4. This is where I have always changed my PC’s static address. I currently have a consumer grade router that I wish to dispose of. I may have used the term “client” incorrectly, I only have PC’s on my network. It sounds like Sophos UTM may be a bit beyond my scope, but that it would be worth a try. Again, I have limited knowledge on IT. Thank you for helping a newbie play with the pros!

    Patrick

  11. Patrick, I think I see what you’re saying.

    When you initially configure the router, it gives you the option of setting the static IP address for the internal (LAN) network. By default, this is 192.168.2.100.
    This means that the local computer’s IP address needs to be set to 192.168.2.x (where “X” is any number between 1 and 254 that isn’t 100).

    This is required, because of the subnet mask, which limits the router’s access to that group of IP Addresses.
    Once you’ve set up a valid IP address, then you need to go to “https://192.168.2.100:4444/” and set up the router (note, this is four 4’s).

    Once you’ve done that, you should be able to access it and set up the router.
    (Also note, the NIC you selected during the initial setup is the LAN adapter.)
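The addressing rule behind the manual client configuration in the post (pick an address in the UTM’s subnet, browse to it on port 4444), the DHCP range sizing earlier in the wizard, and the explanation in this comment are the same piece of reasoning, so here is one added example (not code from the post, the commenter or Sophos) that works it through with Python’s standard `ipaddress` module. It uses the post’s own values (UTM LAN address 192.168.2.100 with a /24 mask, WebAdmin on 4444, a 50-address pool); the function names and the choice to start the pool at .10 are assumptions of the example. It also generalises to the /16 case mentioned further down the thread, where widening the mask on both sides puts 192.168.1.x and 192.168.2.x in one network.

```python
import ipaddress

# Values from the post: the default LAN address the installer assigns to the
# UTM, its /24 mask, and the WebAdmin port (four 4's).
UTM_LAN = ipaddress.ip_interface("192.168.2.100/24")
WEBADMIN_PORT = 4444


def webadmin_url(utm_lan=UTM_LAN, port=WEBADMIN_PORT):
    """URL a client must browse to for the initial setup."""
    return f"https://{utm_lan.ip}:{port}/"


def same_subnet(client_cidr, utm_lan=UTM_LAN):
    """True if a client at address/mask `client_cidr` can reach the UTM
    without a gateway, i.e. both addresses fall in the same IP network."""
    client = ipaddress.ip_interface(client_cidr)
    return client.network == utm_lan.network


def check_client(client_cidr, utm_lan=UTM_LAN):
    """Explain whether a manually configured client address will work."""
    client = ipaddress.ip_interface(client_cidr)
    if client.ip == utm_lan.ip:
        return "conflict: that address is the UTM's own"
    if same_subnet(client_cidr, utm_lan):
        return f"ok: {client.ip} is on {utm_lan.network}"
    return (f"unreachable: {client.ip} is on {client.network}, "
            f"but the UTM is on {utm_lan.network}")


def dhcp_pool(size=50, utm_lan=UTM_LAN, start_offset=10):
    """Pick a contiguous pool of `size` usable addresses inside the LAN that
    never includes the UTM's own address. 50 mirrors the home-licence limit
    the post mentions; starting at host .10 is an assumption of the example."""
    hosts = list(utm_lan.network.hosts())
    start = start_offset - 1
    # If the UTM's address would land inside the pool, begin just past it.
    if utm_lan.ip in hosts[start:start + size]:
        start = hosts.index(utm_lan.ip) + 1
    pool = hosts[start:start + size]
    if len(pool) < size:
        raise ValueError("subnet too small for the requested pool")
    return str(pool[0]), str(pool[-1])


if __name__ == "__main__":
    print("WebAdmin:", webadmin_url())
    # Constructed client settings: the post's suggested address, and the
    # 192.168.1.x address from this comment thread, with /24 and /16 masks.
    for cidr in ("192.168.2.10/24", "192.168.1.103/24", "192.168.2.100/24"):
        print(cidr, "->", check_client(cidr))
    wide_utm = ipaddress.ip_interface("192.168.2.100/16")
    print("192.168.1.103/16 with UTM on /16 ->",
          check_client("192.168.1.103/16", wide_utm))
    print("DHCP pool of 50:", dhcp_pool())
```

The /24 case reproduces the symptom in the thread exactly: 192.168.1.103 and 192.168.2.100 are on different networks, so the client has no route to the WebAdmin address until either its address is moved into 192.168.2.0/24 or, as the later reply suggests, both sides use a 255.255.0.0 mask. The pool helper also shows why a range that straddles the UTM’s own address is a mistake the installer will not catch for you.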

  12. Thanks for the quick reply. Ok, I did set a PC on the network to 192.168.2.10 and the subnet was left at 255.255.255.0. But, that did not allow me access to 192.168.2.100:444/ which is Sophos’s GUI. Do I need to change anything in my Linksys router, or just the internet protocol in a PC on the network?

    I understand the Sophos device is set to 192.168.2.100/4444/
    But, I don’t know how to access the GUI from a PC on the network. Any other thoughts?

  13. Sorry for the late post drashna. I did get it installed successfully. My problem was my current network was 192.168.1.1 and sophos webUI is set to 192.168.2.1. Obviously, I can’t connect to that with my current network settings. (not obvious when I was trying to make it work). So, I simply, temporarily, set my network to 192.168.2.1, accessed the webUI, changed its default gateway to 192.168.1.1

    Thank you again for all your help.
    Cheers,

    Patrick

  14. Glad to hear it!

    Though, you could connect to both, but you’d have to change the subnet on both devices to 255.255.0.0 (which still requires access). 🙂

  15. Got UTM Home Edition installed – needed to run Kevin Fonda’s tip and also it is posted over on Network Guy Blog (http://networkguy.de/?p=728). Took a while to get it installed though because I was trying to use a Corsair 128GB SSD and kept getting a failed to install error. Looked at the log (Alt-F4) and saw that the /dev/sda1 device was being used by the system. Could not figure out why, so I swapped out the drive for another (OCZ 60GB SSD) and then I was able to install.

    Now to setup the DNS portion to point to S2012R2E, this is a bit different than pfSense, so I hope I am in the right area. I go to Network Services -> DNS. From reading the text in the settings “I will be removing “Internal (Network)” from Global -> Allowed Networks and then add my S2012R2E server in the Forwarders tab, setting Name, Type = Host, IP address of the server, leave DHCP Settings and DNS Settings blank and under Advanced set Interface to Internal. Also I believe that I would uncheck “User forwarders assigned by ISP”.

    Is this correct?

  16. Another thank you for the wonderful Sophos UTM Home guides!

    With your help I have the UTM up and running. Only issue seems to be IM programs are not able to connect. Am I correct in assuming that if I set a firewall rule to allow ANY-ANY-ANY that I have in effect bypassed the firewall for testing purposes? Even with this rule IM programs still cannot login.

    Thanks
    James

    1. This sounds like a port issue. By default, only explicitly allowed ports can communicate with the internet. That means that anything that’s not on the default approved list can’t escape. That list includes HTTP/HTTPS (web) traffic, DNS queries and a couple of other “service” ports.

      Please check out the “Learning to use Sophos Firewall” post:
      https://drashna.net/blog/2014/03/learning-to-use-sophos-firewall/

      It includes a “consumer router rule” if you don’t want to mess with ports. Basically, it is “Internal Network” for the source, and “Any” for the services and destinations. This will fix a majority of issues. Also, this is what “consumer” grade routers do (and is why I call it the “Consumer Router” rule).

      If you’ve already done that, you will want to check the web filter stuff. Some of the chat services use web traffic to communicate, and the web filter may interfere with that. You can find a list of the exceptions you may want to use here:
      https://drashna.net/blog/2015/03/an-exercise-in-frustration-fine-tuning-the-web-filter-in-sophos-utm/

  17. Thanks for the quick reply. I found the problem to be related to NAT Masquerading and once a rule was in place the IM issues went away.

    Most everything has settled down except for a DNS problem that is only affecting my Synology NAS units. Apps running on the NAS are throwing lots of Name Resolution errors. The same apps running on my Windows boxes are ok. They all point to the same UTM so I don’t know why the NAS boxes can’t navigate the DNS while the Windows boxes are ok? UTM logs don’t shed any light. I know this is getting pretty far afield…was hoping you might have an insight.

    Thanks for your help,

    James
