Sophos UTM and Wireless Access Points

For a long while, I’ve been using a Linksys router flashed with DD-WRT. It worked well enough and functioned fine. However, it’s been on its last legs, power cycling randomly and frequently. So it was time to replace the wireless, and because I am using Sophos UTM, I figured it would be a good idea to use a Sophos Wireless Access Point.

To start off with, the Sophos APs are not exactly cheap. These are enterprise grade access points, and support a lot of features. For instance, a single AP device can host multiple wireless networks. But you’re paying for quality and, more importantly, integration with Sophos UTM.

Normally, I’d start with just running the wizard. However, this pretty much configures everything for you out of the box. This is pretty simple and doesn’t require a guide.

But I am going to go over this as if you’re setting it up from scratch, in case you screwed things up (like I did), or you want to know how to create additional wireless networks, especially since fixing a broken setup is overly complicated.


To start off with, be careful about the device you select. There are a lot of models available. If I had to recommend one, get the Sophos AP 55C. This is an 802.11ac compatible access point that supports PoE, meaning you only have to run an ethernet cable to it and mount it on the wall or ceiling. No worrying about running power to it, as it’s delivered over the network cable. And it isn’t much more expensive than most of the consumer grade Wireless AC access points. This is the model that I picked up, in fact.


When you first connect the Access Point, it will show up as a “Pending Access Point”. To view it, you need to head to “Wireless Protection” and open the “Access Points” entry. This will list the available access points. Hit “Accept” to begin using the Access Point.

This will bring up an “Edit Access Point” wizard. You can set the Label to anything you want (it’s set to the model name and ID by default, and this should be fine). It asks about the country, and this should be set accurately, as it determines which range of frequencies the AP is allowed to use, which depends heavily on where you live. It can even be illegal to use the wrong set of frequencies, depending on the country.

Also, select “<< New group >>” from the list, as you need to set up a group to get the wireless working properly. Set the name to whatever you want (“Default Wireless Group” is fine for this).

All the rest of the defaults are fine. Though, if you did create the default wireless groups, open the “Wireless Networks” and select all of the wireless networks.

[Screenshot 02: Accepting Wireless]

Once you’ve done this, you need to open the “Wireless Networks” settings (under “Wireless Protection”) to create the wireless networks.

Creating the Main Wireless SSID

First, we’re going to set up the main wireless network. This will be bridged to the LAN. Once here, click on the “+ New Wireless Network…” button.

Set the “Network Name” to whatever you want. This is a local identifier and is not shown anywhere outside of the web interface. The Network SSID is what will be seen by your wireless clients.

Set the Encryption mode to whatever you plan on using. This should default to “WPA2 Personal”, and that should be fine. Set the Passphrase/passkey to whatever you want.

Set the “Client traffic” to “Bridge to AP LAN”.  This will link it to the “Internal” network and allow you to access the local systems.

You can mess with the advanced settings, but this isn’t necessary.

[Screenshot 03: Create Wireless Network]

Once you’ve saved it, you’ll need to open up the “Access Points” section again, this time to edit the group that you created initially. Open the “Grouping” tab under “Access Points”, and click on the “Edit” button. Make sure that your Access Point is checked, and that the wireless network you just created is as well. Then save the group.

[Screenshot 04: Create Wireless Group]

After doing this, you should immediately see the SSID and should be able to connect to it. It will show up as normal and you’ll be able to access the network.

And while I don’t have multiple access points to test this out with, I am pretty certain that if you did have multiple access points hooked up, selecting them in the group here would allow both access points to broadcast the specified SSIDs, allowing you to cover a larger area, if you’re using a house or business that isn’t covered by just one.

And you may see how this grouping feature could be very powerful for a large company!

Creating a Guest Wireless SSID

Some parts of this are the same as the previous section, but there are some clear differences. Not only are there added steps that aren’t required for the main wireless SSID, it is also possible to create a “guest” web filter policy that is different from the main wireless one. This is especially useful if you’re using the “Decrypt and Scan” option for the web filter, as you can set up a “URL Filtering” profile for just the guest network (eliminating the need for guests to import the CA Certificate).

To start off with, head back to the Wireless Networks section, and click on the “+ New Wireless Network…” button.

Set the name to whatever you want, but you may want to denote that this is a guest network. And the same goes for the SSID.

Set the Encryption mode to WPA2 Personal, and set the passphrase/PSK.

However, for the “Client traffic”, you need to set this to “Separate Zone”. This allows you to set up a separate network that can’t see or communicate with your main network.

Open up the “Advanced” section here, as well.  There are a number of options, but the one we’re looking for is the “Client isolation”. Set this to “Enabled” so that guests cannot see other guest devices on the network.

[Screenshot 05: Create Guest Wireless]

Head back over to the “Groups” section under Access Points and enable both the main and guest wireless networks for the default group.  At this point, you should be able to see the SSID for the guest network, but it’s definitely not ready for use yet.

The next thing to do is to create a new wireless interface.  To do so, open the “Interfaces & Routing” section, and open the “Interfaces” section. Click on the “+ New interface…” option here.

Set the name to “Guest Wireless”. For the “Type”, leave it as “Ethernet”. For Hardware, there should be a “wlan0 (Remote Wireless network)” adapter, though the number may not be 0, depending on your setup.

Set an IP address for this adapter that is outside the range used by your internal network. For instance, use “192.168.10.1”, and set the netmask. You can also set the IPv6 address and netmask here as well. However, all of the other settings should remain at the default values.

[Screenshot 06: Create Wireless Interface]

Now, it’s time to really start adding stuff.  Open the “Network Services” section, and open the “DNS” entry.

For the “Allowed Networks” section here, add the new interface. Click on the folder icon to show a list of possible options. If you used “Guest Wireless” as the name, then you want “Guest Wireless (Network)” here, as this will allow any device on the Guest Wireless network to access the DNS server. Click “Apply” once you’ve added the adapter.

Now, it’s time to head to the DHCP section. Open that section up, and select “+ New DHCP Server…”

Select “Guest Wireless” as the interface, and it will autofill the information. However, I would recommend narrowing the range by specifying a higher start and a lower end IP address. Additionally, I would recommend setting the “Lease time” to “3600” (1 hour) instead of the default “86400” (24 hours), as guests should be more transient in nature. Click “Save”, and it will create the new DHCP server for the Guest Wireless network.

[Screenshot 08: DHCP Server]

At this point, you should be able to actually connect to the access point and get an IP address. However, you won’t be able to reach the internet yet, as we still need to set up NAT masquerading.

To set this up, open the “Network Protection” section and click on “NAT”. Click on the “+ New Masquerading Rule” button. For the Network, click on the folder icon and select the “Guest Wireless (Network)” option, as you did above for the DNS setting. Set the Interface to “External (WAN)”, and the “Use address” should be set to “<< Primary address >>”. Click “Save” to create the rule.

[Screenshot 09: NAT Masquerading Rule]

From here, we are almost done. Just so close, but not quite there.  In the “Network Protection” section, open the “Firewall” option.

By default, the installation wizard created up to 5 rule groups: DNS, Terminal Applications (RDP, VNC, etc.), Email, Web Surfing (HTTP/HTTPS/HTTP Proxy), and FTP.

You will want to edit each rule, and add the “Guest Wireless (Network)” to the “Sources” list.

[Screenshot 10: Firewall Rules]

If you created the “Consumer Router Rule” as mentioned in this post, you can use it here as well. But if you really want to lock down your guest network, to make sure that guests aren’t doing stuff like torrenting, it is much better to add the “Guest Wireless (Network)” entry only to the rules that you are absolutely okay with them using. I’d recommend only allowing the DNS, Email, and Web Surfing groups for the Guest Wireless Network, unless there is a specific reason otherwise.
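To check what the recommended rule set actually permits before trusting it, here is a small rule evaluator (an added example, not part of the original post or of Sophos UTM). It models the wizard’s five service groups with assumed port memberships, the 192.168.10.0/24 guest range from the interface step, an assumed 192.168.0.0/24 internal range, and adds an explicit guest-to-internal drop rule at the top as a belt-and-braces guard, regardless of what the Separate Zone setting does on its own.

```python
from ipaddress import ip_address, ip_network

# Address ranges: 192.168.10.0/24 matches the post's guest interface example;
# the Internal (Network) range is an assumption made for this example.
NETWORKS = {
    "Internal (Network)": ip_network("192.168.0.0/24"),
    "Guest Wireless (Network)": ip_network("192.168.10.0/24"),
    "Any": ip_network("0.0.0.0/0"),
}

# The wizard's service groups reduced to (protocol, port) pairs (assumed membership).
SERVICES = {
    "DNS": {("udp", 53), ("tcp", 53)},
    "Terminal Applications": {("tcp", 3389), ("tcp", 5900)},
    "Email": {("tcp", 25), ("tcp", 587), ("tcp", 993), ("tcp", 995)},
    "Web Surfing": {("tcp", 80), ("tcp", 443), ("tcp", 8080)},
    "FTP": {("tcp", 21)},
}

# Ordered rules: (sources, destination, service group, action). First match wins and
# anything unmatched is dropped. The leading drop rule is this example's own guard
# so a guest client can never reach the internal LAN even over an allowed service.
RULES = [
    (["Guest Wireless (Network)"], "Internal (Network)", None, "drop"),
    (["Internal (Network)", "Guest Wireless (Network)"], "Any", "DNS", "allow"),
    (["Internal (Network)"], "Any", "Terminal Applications", "allow"),
    (["Internal (Network)", "Guest Wireless (Network)"], "Any", "Email", "allow"),
    (["Internal (Network)", "Guest Wireless (Network)"], "Any", "Web Surfing", "allow"),
    (["Internal (Network)"], "Any", "FTP", "allow"),
]


def evaluate(src, dst, proto, port):
    """Return (action, description of the matching rule) for one connection attempt."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for sources, destination, group, action in RULES:
        if not any(src_ip in NETWORKS[s] for s in sources):
            continue
        if dst_ip not in NETWORKS[destination]:
            continue
        if group is not None and (proto, port) not in SERVICES[group]:
            continue
        return action, f"{'/'.join(sources)} -> {destination} [{group or 'any service'}]"
    return "drop", "default drop"


if __name__ == "__main__":
    # Constructed sample attempts: guest web, guest -> LAN, guest BitTorrent port, internal RDP.
    for attempt in [("192.168.10.50", "93.184.216.34", "tcp", 443),
                    ("192.168.10.50", "192.168.0.10", "tcp", 443),
                    ("192.168.10.50", "93.184.216.34", "tcp", 6881),
                    ("192.168.0.20", "93.184.216.34", "tcp", 3389)]:
        print(attempt, "=>", evaluate(*attempt))
```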

At this point, the guest wireless network should be up and running and internet ready. Though, if you have DHCP reservations for specific devices, you may want to make sure that these are tied to the specific adapter, or it may cause issues (as it’s a single DHCP service serving multiple networks, and it may hand out a wrong IP address).

Configuring Web Filtering for your Guests

At this point, the main wireless network is being filtered using the normal methods. This may be fine for you, but I personally use the “Decrypt and Scan” option for the filter, meaning that each device needs to have the proper CA Certificate imported into it. Having guests do so isn’t reasonable at all. So we need a solution that allows different filtering options per network, and thankfully Sophos UTM does allow for this.

The caveat here is that any exceptions or modifications that you’ve made apply to ALL of the filtering profiles. I’ll cover this after I’ve covered how to create a guest only policy.

I’m going to show you the quick and cheap way to set this up, the way that involves opening the fewest different pages. The process is pretty straightforward, and shouldn’t take too long.

First, head to the “Web Protection” section, and open the “Web Filter Profiles” option. This will show an empty list, and the “Default web filter profile” at the bottom.  Click on the “+” on the right side of the empty list. This will create a new profile.

For the profile, set the name “Wireless Guest Profile”.  For the allowed networks, “trash” the “Internal (Network)”, click on the folder icon, and add the “Guest Wireless (Network)” here instead.

[Screenshot 11: Wireless Guest Profile]

Click on the “HTTPS” tab, and make sure this is set to “URL Filtering Only”. Then open the “Policies” tab. This will have another empty list and the “Base Policy” at the bottom. Click on the “+” on the right side again, to create a new policy.


From there, set the Name as “Guest Wireless Filter Policy”.  Don’t add any users or groups, and don’t change the time event.  However, click on the “+” next to “Filter action” to create a new “filter action”.

[Screenshot 12: Wireless Policies]

This should look very familiar, in fact. It should resemble the exact configuration that you set up when initially setting up the web filter. Configure it as you want, blocking whatever you don’t deem necessary here.

[Screenshot 13: Categories]

After you’ve made all the appropriate configuration changes, hit “Next” and configure the additional settings until you get to the “Save” button, which will create and select the Filter Action. Hit “Save” again to save the Policy, and hit “Save” once more to save the profile.

Once that’s done, you should see the new profile in the list here. Make sure that this filter is enabled, by toggling the “switch” next to the name.

At this point, your guest wireless network should be filtered more, or less, aggressively than your main network, depending on how you configured the policy.

Tweaking Exceptions

Now, there is one remaining issue. If you’ve added exceptions for sites and services, these are currently applied to all profiles. This may be fine for some content (such as Netflix), but what about those gaming websites, or other sites?

If this is a problem for you, there is a solution, and it is rather simple. Head over to the Exceptions list (Web Protection -> Filter Options) and edit the rule in question. At the bottom, there is an “and/or” drop-down list box. Set this to “and” and set the box next to it to “Coming from these networks”. This will create a new list box. Click on the folder icon and select the “Internal (Network)” entry for this. This will make the exception rule match ONLY when the request comes from the internal network, and not when it comes from the guest wireless. That way, you can add rules that allow your network to access resources properly, but will still block your guests from accessing them.
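To see how profile selection and the scoped exception interact, here is a small model of the two profiles and exception list described above (an added example, not part of the original post or of Sophos UTM). It assumes a 192.168.0.0/24 internal range, the 192.168.10.0/24 guest range from the interface step, and two constructed exceptions: a global one for netflix.com and one for a hypothetical games.example scoped with “and Coming from these networks” to Internal (Network).

```python
from ipaddress import ip_address, ip_network

# Address ranges: the guest range is the post's example, the internal range is assumed.
NETWORKS = {
    "Internal (Network)": ip_network("192.168.0.0/24"),
    "Guest Wireless (Network)": ip_network("192.168.10.0/24"),
}

# Profiles in consultation order: the first whose allowed networks contain the client
# wins; the default profile at the bottom of the UTM list is the fallback.
PROFILES = [
    {"name": "Wireless Guest Profile", "allowed": ["Guest Wireless (Network)"],
     "https": "URL Filtering Only"},
    {"name": "Default web filter profile", "allowed": ["Internal (Network)"],
     "https": "Decrypt and Scan"},
]

# Exceptions apply to every profile unless scoped with "and Coming from these networks".
# Both entries are constructed sample data; games.example is a hypothetical domain.
EXCEPTIONS = [
    {"domains": ["netflix.com"], "networks": None},
    {"domains": ["games.example"], "networks": ["Internal (Network)"]},
]


def select_profile(client_ip):
    ip = ip_address(client_ip)
    for profile in PROFILES:
        if any(ip in NETWORKS[n] for n in profile["allowed"]):
            return profile
    return PROFILES[-1]


def exception_applies(client_ip, host):
    """True if some exception exempts this client's request for host from filtering."""
    ip = ip_address(client_ip)
    for exc in EXCEPTIONS:
        if not any(host == d or host.endswith("." + d) for d in exc["domains"]):
            continue
        # "and Coming from these networks": the network condition must also hold.
        if exc["networks"] is None or any(ip in NETWORKS[n] for n in exc["networks"]):
            return True
    return False


def decide(client_ip, host):
    """Return (profile name, HTTPS mode, 'exempt' or 'filter') for one request."""
    profile = select_profile(client_ip)
    verdict = "exempt" if exception_applies(client_ip, host) else "filter"
    return profile["name"], profile["https"], verdict
```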

[Screenshot 14: Exception Rules]

Conclusion

Now you should have some pretty good control over your wireless network, and some very nice access points!

Also, some of the parts here can be repurposed into things such as creating custom web filters for specific devices (but this may be much more complicated to implement properly).

Next time, I’ll maybe see about going over how to create a Starbucks style hotspot, so you don’t need to have a password on your guest network.

Author: Drashna Jael're


12 thoughts on “Sophos UTM and Wireless Access Points”

  1.

    Awesome article! Where did you purchase the access point from? I am looking at replacing my Netgear AP and was looking at other brands (Ubiquiti, EnGenius, or Open-Mesh) but like the sound of using a Sophos one. This way I have one interface to manage the router and AP from.

    1.

      You can find them on eBay for example.

      I bought mine from here: http://www.enterpriseav.com/AP55C.asp

      But there are other sites, such as: http://www.firewalls.com/firewall/sophos/ap/sophos-ap-55c-ceiling-mount-access-point-1-year-warranty-with-power-supply.html

      The price seems to be pretty similar regardless where.

    1.

      Carl, thank you for the catch, and the posting!

      I’ll have to mess with this some more and see about testing it out before updating.

  2.

    I found an AP15 on Amazon for £130, and a second hand (but new in box) AP30 on eBay for £100. They are good access points but damn expensive for a home user!

    1.

      Yes, they are, unfortunately. That’s why I opted for the Wireless AC compatible models, as they’re closer in price to consumer routers, so the price doesn’t hurt so much.

  3.

    How’s it going a few months down the line?
    Do you still rate them?

    1.

      Fantastic. My mounting job is the only issue I’ve had with it. Even several power losses (my fault, entirely) and it’s still working great.

      The biggest potential issue was visibility, and it’s hardly noticeable unless you look right at it.

      Been planning on messing with stuff like the “hotspot voucher” stuff and RADIUS authentication, but haven’t had a chance to.

      1.

        Sounds good. How is the 5ghz range?

        Also, can the ap55c work in isolation, so if utm is down, you still have wifi to fix the issue?

        1.

          I just put a label over the Sophos branding on the ones I deploy at work, once installed to a ceiling, they just look like an oversized smoke detector, the range on them is fairly good.

          As for your isolation question as far as I know, if the UTM dies, you better look for a wired connection. The UTM manages/controls the individual AP’s and logs their associations/de-associations, and would also hand out the IP addresses too.

  4.

    Hi,

    Your screenshots are not visible at the moment?

    1.

      Screenshots should be working.

      I have been having intermittent hosting issues though. If they continue to fail to show up, let me know.
