Well, I apparently missed doing this. And there are some important steps here, because the installation for Sophos UTM isn’t as turn key as it could be. There are some specific things you have to do before it’s up and running 95%.
So let’s cover that.
First thing to do is to … well, start the installation. I’ve tried using some of the “pendrive” tools, as well as Rufus. They don’t seem to work properly. So what you’ll need is a CD or DVD to burn the image to, or some other way to load an ISO directly. Then you will need to download the latest ISO from here. You want the “UTM ISO for software and virtual appliances” section, and download the latest ISO. You will then want to register for the Home license here.
Once you have the ISO/CD/DVD ready for installation, it’s time to boot into it on the device you’re going to use. This is the screen that you’ll be greeted with:
Hit “Enter” and start the installation. This will immediately take you to the next screen, which will inform you that it will format the attached hard drive. That’s fine, as it’s what we want. Hit “Enter” again, and let’s get this started!
The next screen is a hardware detection wizard. Let that run, and detect the hardware. Make sure that it detects the hard drive and the network adapters. Also, this installer is smart enough to know if you’re running it as a VM (and to install the appropriate drivers).
Once you’ve verified the hardware, hit “OK”, and select the language, time zone, date and time. The next page asks which network adapter you want to use for the “WebAdmin user interface”. This is asking which adapter is to be the internal “LAN” adapter. Select whichever one you want, and hit “Next”.
The next page asks for the IPv4 configuration for the LAN adapter. You don’t need to set up a gateway for this, as that will be done later on. Once you’ve set the IP address to what you want, hit “Next”.
If you have a 64-bit capable CPU, the next page will ask you if you want to install that 64-bit kernel instead of the 32-bit one. Given the disclaimer, I would definitely recommend the 64-bit kernel. If you have issues, you’ll need to reinstall and select the 32-bit kernel.
The next page is for GPL compliance. Since Sophos UTM (aka Astaro) is based on Linux, they need to include this message. Since we want what makes Sophos UTM unique, we absolutely want to install all of these tools. So, select “Yes” here.
Now, it confirms that you want to wipe the drive. Since this is required to proceed, select “Yes”.
Now, it will proceed to partition, format, and install the OS and packages required to work onto the system. This will take a while, depending on the hardware in question. It may be time to sit back and have a beer now.
Once it’s done installing everything, you will see the completion screen. Note the URL on the screen. You will need to use this to finish the setup for the Sophos UTM router.
From here, remove whatever you used to install Sophos UTM. Then reboot it. Give it a while, and you’ll see the following image eventually.
Once you see this screen, Sophos will be accessible over the network. Unfortunately, the DHCP Server is not configured by default. This means that you will have to set it up manually on a client computer. Use an IP address that is within the appropriate subnet (such as 192.168.2.10, based on the examples here).
Once you have done that, log into the website for your Sophos Router and start the setup.
Set the “Hostname” to be the full URL that you want for the router. If you have a domain controller, then something like “sophos.domain.local” would be best for the hostname (change “domain.local” to match your domain). Otherwise, “sophos” should be fine here.
As for the rest of the information, fill it out as you want, and then check the “I accept the license agreement” and click on the “Perform basic system setup”. This will refresh the page and require you to log in with the credentials that you’ve just provided.
Once you’ve logged in, it will start setting up everything. Yes, this is an extra step, but Sophos is marketed as a turn key solution. It means that this is the step you’d see when you bought the box. None of the initial installation.
Also, once you login, it will prompt you about restoring from a backup or to continue to run the setup wizard. If you had a backup of the router, load it here and you’ll be done. Otherwise, “Continue” with the setup.
The next page asks you to install the license file. You get this by registering for the Home license. If you don’t already have this file, no worries. Just continue on, and it will set up a 30 day trial (useful to see what your usage is actually like).
The next page asks for the LAN configuration information again. You can change it here (again), or leave it. It also asks you if you want to set up DHCP. Since you most likely do, enable it and configure the range of IP addresses that you want to use. Since Sophos only really supports 50 active IP addresses for home use, you may want to limit it to that many devices (for simplicity).
The next page asks you about the WAN settings. Choose the adapter that you want to use and the correct “type” for the adapter.
The next page is a list of the “Allowed Services”. These are the default ports that will be open for outbound traffic. Check the “Web (HTTP, HTTPS)”, “Email (SMTP, POP3, IMAP)”, and “DNS (outgoing)” options. Any services that are not checked here will not be able to connect to the outside internet. If you want, check the FTP and Terminal services options as well. As for the Ping settings, it would definitely be more secure to uncheck both of the Ping options, but that’s up to you.
The next page is for the “Advanced Threat Protection Services”. Since this is meant to protect your network against intrusion, or from reporting back to a C&C server, I highly recommend making sure both options are enabled here.
The next page is for the Web Protection settings. This is for the webpage proxy. I would recommend enabling the “Scan sites for viruses” option here. Also check any other categories that you want to block.
A note here, you may want to reconfigure this later to work better for your network.
The next page is for email protection. Check the options that you want. I would recommend the “Scan email fetched over POP3”.
And the next page is the final one. This will list all the configurations that you’ve enabled. Click on “Finish” and your “super router” is good to go.
And the final page it shows you will be the dashboard for Sophos. From here, you can get a good look at everything in the system and get to just about everything, quickly.
From here, you can start using your network just fine. Don’t forget to change your IP address back to a dynamically assigned address!
And don’t forget to check out the post on how to configure the firewall (as it is very draconian).
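To tie together the manual client address from the first login and the 50-address DHCP range from the wizard, here is a small planning script (an added example, not part of the original post or of Sophos’ tooling). It assumes a /24 LAN with the router at 192.168.2.1, neither of which the post states; only the 192.168.2.10 client address and the 50-address limit come from the text.

```python
import ipaddress

def plan_dhcp_pool(lan_cidr, router_ip, static_ips, size=50):
    """Return (first, last) of the lowest contiguous block of `size` host
    addresses in the LAN that avoids the router and any static addresses."""
    net = ipaddress.ip_network(lan_cidr)
    taken = {ipaddress.ip_address(router_ip)}
    taken.update(ipaddress.ip_address(ip) for ip in static_ips)
    for ip in taken:
        if ip not in net:
            raise ValueError(f"{ip} is outside {net}")
    run = []
    for host in net.hosts():      # hosts() skips network and broadcast
        if host in taken:
            run = []              # a reserved address breaks the contiguous run
            continue
        run.append(host)
        if len(run) == size:
            return run[0], run[-1]
    raise ValueError(f"no free block of {size} addresses in {net}")

def check_client(client_ip, lan_cidr, router_ip, pool):
    """List problems with a manually assigned client address."""
    ip = ipaddress.ip_address(client_ip)
    problems = []
    if ip not in ipaddress.ip_network(lan_cidr):
        problems.append("not in the LAN subnet, WebAdmin will be unreachable")
    if ip == ipaddress.ip_address(router_ip):
        problems.append("collides with the router's own address")
    if pool[0] <= ip <= pool[1]:
        problems.append("inside the DHCP pool, may be leased to another device")
    return problems

if __name__ == "__main__":
    # Assumed values: /24 mask and router address are not given in the post.
    LAN, ROUTER, SETUP_PC = "192.168.2.0/24", "192.168.2.1", "192.168.2.10"
    pool = plan_dhcp_pool(LAN, ROUTER, [SETUP_PC])
    print("DHCP range:", pool[0], "-", pool[1])
    print("setup PC issues:", check_client(SETUP_PC, LAN, ROUTER, pool) or "none")
```

The two addresses it prints are the start and end of the range to enter on the wizard’s DHCP page.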