Sophos UTM

Since these guides have become fairly popular, creating a dedicated index page for all of them seemed like a very good idea.

So, from start to finish, here are the guides:

  1. Installing Sophos UTM
  2. My Adventures with Sophos
  3. Sophos and a Draconian Firewall
  4. Learning to use Sophos’ Firewall
  5. Port Forwarding (NAT) With Sophos
  6. An exercise in frustration: Setting up Web Filtering on Sophos UTM
  7. An Exercise in Frustration: Setting up Web Filter Certificates in Sophos UTM
  8. An Exercise in Frustration: Fine Tuning the Web Filter in Sophos UTM
  9. Sophos UTM and Wireless Access Points

24 thoughts on “Sophos UTM”

  1. Awesome work! I’m in the process of setting up several UTMs in an enterprise environment, and your posts have helped me immensely.

    1. I’m glad that I could be of help!

  2. I’m a little late to this party but benefiting greatly! Thank you for the well-written and screen-cap-supported explanations. They are the best online!

    1. Better late than never. 🙂

      And I’m glad that they’re well appreciated! I do plan on adding more (including QoS and the like), but I’ve been busy.

      1. I’m working on setting up the QoS stuff myself. I look forward to your posts!

  3. Could you please demonstrate how to use active/passive in the Home Edition? Thanks so much.

    1. Could you clarify what you mean?

      1. I meant configuring High Availability.

        1. Ah, okay.

          I’ve not messed with the high availability options yet, and will have to look into that.

          1. Thank you so much, I really appreciate it. I would also be grateful if you could tell me a method to block software proxies such as Psiphon 3 and Ultrasurf. I tried to block Ultrasurf using app control, but users can actually still get through to blocked websites.

  4. Drashna, I just downloaded the UTM Home Edition also. I wanted to see if you had enabled the EMAIL part. I use GMAIL and Outlook on my local PC. Have you set up the Mail Security section yet? Just wanted to see your experience.

    1. I’ve just used the default settings, though I’ve had issues with them. But I do want to look into setting up the email stuff, as it would be nice to filter out spam mail on my home network!

  5. Drashna, thank you for putting this together. I just got the parts needed to put together my new router for the UTM Home Edition (actually a duplicate of the hardware I currently have for my pfSense router). I want to get UTM running and working before I tear down pfSense. At the same time I will be tearing down the network rack and putting it in a structured enclosure. I look forward to following these guidelines. 🙂

    1. You are very welcome.

      And, well, I have a decent track record for writing guides. I’ve been doing it for a while. It not only helps out others (which I enjoy), but I use my own guides frequently, as they’re easy to reference (I’ve installed Sophos for 2-3 friends, actually).

      1. Do you still maintain that those of us using Windows Essentials 2012 R2 should keep DHCP and DNS on the server and not enable them on Sophos?

        1. For DNS, absolutely. Since Windows Server Essentials requires a properly configured DNS server, it’s better to use its built-in one.

          As for DHCP, it doesn’t really matter. As long as you configure it to hand out the WSE server as the primary DNS, it simplifies the network setup (you don’t have to worry about the DNS auto-updater thing in the Connector software).

  6. Got UTM Home Edition installed – I needed to run Kevin Fonda’s tip, which is also posted over on the Network Guy Blog (http://networkguy.de/?p=728). It took a while to get it installed, though, because I was trying to use a Corsair 128GB SSD and kept getting a “failed to install” error. I looked at the log (Alt-F4) and saw that the /dev/sda1 device was being used by the system. I could not figure out why, so I swapped out the drive for another (OCZ 60GB SSD) and then I was able to install.

    Now to set up the DNS portion to point to S2012R2E. This is a bit different from pfSense, so I hope I am in the right area. I go to Network Services -> DNS. From reading the text in the settings, I will be removing “Internal (Network)” from Global -> Allowed Networks and then adding my S2012R2E server in the Forwarders tab, setting Name, Type = Host, and the IP address of the server, leaving DHCP Settings and DNS Settings blank, and under Advanced setting Interface to Internal. Also, I believe that I would uncheck “Use forwarders assigned by ISP”.

    Is this correct?

    1. Okay, something screwy here. I seem to have the DNS settings messed up – I need some help here to figure out what to set. I am using S2012R2E – it would seem that I lost my internet for about 20 minutes – so I want to make sure that I have it set correctly.

  7. Check both the server’s settings and the DHCP server on Sophos.

    For the server, check the IP address information. Set a static IP address for the server. Set the DNS setting to itself (127.0.0.1, and the static IP you’ve set).

    Then open the Administrative Tools and open the DNS settings. Right-click on the server’s name and select Properties.
    There should be a “Forwarders” tab. Delete all the entries and set this to your Sophos box’s IP address.

    Then on Sophos, open the “Network Services” section and select “DHCP”.
    Set the DHCP options to use the server’s IP address as the primary DNS server, and then set the secondary DNS server to be the Sophos box’s IP address.

    What this will do is tell the clients to look at your server for DNS info. This will ensure that the domain stuff works properly.
    Then the server looks at Sophos for that information (which looks at your ISP’s DNS info).
    However, if the server is down… instead of breaking the internet for you… it will fail over to Sophos directly.
    This is probably what failed here.

    Additionally, by doing this, this should prevent the DNS autoconfig stuff from Essentials from messing with your internet, as well.

    1. I followed these instructions for setting the DNS entries on the Sophos box – https://www.sophos.com/en-us/support/knowledgebase/120283.aspx

      For the server I followed your recommendations – the one thing I did notice when I switched to Sophos for my router was that the original entries (OpenDNS) that I used for my forwarders no longer resolved.

      Everything is working – but I am confused about nslookup – if I do a lookup for www.google.com it comes back from my server as

      Name: www.google.com.
      Address: 5.22.149.135

      The IP address turns out to be a moniker.com address. But I can ping www.google.com and get the correct address.

      Is there something wrong here?
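The Windows side of the DNS chain described in comment 7 (server points at itself, the server's forwarder is the Sophos box) and the consistency check the nslookup question in the reply calls for, as an added example that is not from the original post or from Sophos. It assumes the Essentials server already has the static address 192.168.1.10 on the NIC aliased 'Ethernet' and that the Sophos UTM internal interface is 192.168.1.1; adjust those three values. Run it elevated on the server with the DNS role installed. The Sophos DHCP side (primary DNS = server, secondary DNS = Sophos) is still set in WebAdmin as the comment describes; there is nothing to script here for that.

```powershell
# Added example, not from the original post. Assumed values: the
# Essentials server is 192.168.1.10 on the NIC 'Ethernet' (static address
# already set), the Sophos UTM internal interface is 192.168.1.1.
# Run in an elevated PowerShell on the server (DnsServer module present).
$ServerIp = '192.168.1.10'
$SophosIp = '192.168.1.1'
$Nic      = 'Ethernet'

# 1. The server resolves through itself: loopback first, then its own
#    static address (the order the comment above recommends).
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses @('127.0.0.1', $ServerIp)

# 2. Replace the whole forwarder list on the Windows DNS server with the
#    Sophos box (Set-DnsServerForwarder overwrites, unlike Add-). Turning
#    root hints off is a choice made here, not in the comment: it keeps
#    every non-domain lookup going through the UTM rather than letting the
#    server go to the root servers on its own if Sophos is unreachable.
Set-DnsServerForwarder -IPAddress $SophosIp -UseRootHint $false
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint, Timeout

# 3. Drop cached answers on both the server and the client resolver so the
#    check below reflects the new forwarder, not an answer learned from the
#    old OpenDNS forwarders.
Clear-DnsServerCache -Force
Clear-DnsClientCache

# Resolve one name three ways and compare. A disagreement between the
# server's answer and the Sophos box's answer is the situation the
# nslookup question in the reply describes, and points at a stale cache or
# a forwarder that was not removed. Use a name with a stable A record;
# large CDN names legitimately return different addresses per query.
function Test-DnsChain {
    param([string]$Name = 'www.example.com')   # assumed test name

    $a = { param($ip)
        $q = if ($ip) { Resolve-DnsName -Name $Name -Type A -Server $ip -DnsOnly -ErrorAction Stop }
             else     { Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop }
        ($q | Where-Object QueryType -eq 'A' | ForEach-Object IPAddress | Sort-Object) -join ','
    }
    $viaSophos = & $a $SophosIp    # straight at the UTM (what the ISP path returns)
    $viaServer = & $a $ServerIp    # via the Windows DNS server and its forwarder
    $viaClient = & $a $null        # via this host's configured resolvers

    [pscustomobject]@{
        Name       = $Name
        ViaSophos  = $viaSophos
        ViaServer  = $viaServer
        ViaClient  = $viaClient
        Consistent = ($viaSophos -eq $viaServer) -and ($viaServer -eq $viaClient)
    }
}

# 4. The domain-side check the comment is protecting: clients must find the
#    domain controller's SRV records through the server, never through
#    Sophos, which does not know the AD zone.
function Test-DomainSrv {
    $zone = $env:USERDNSDOMAIN
    if (-not $zone) { return 'not domain-joined' }
    (Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV -Server $ServerIp -DnsOnly -ErrorAction Stop |
        Where-Object QueryType -eq 'SRV' | ForEach-Object NameTarget) -join ','
}

Test-DnsChain | Format-List
Test-DomainSrv
```

If `Test-DnsChain` reports `Consistent = False` after the caches were cleared, query the server again with `Resolve-DnsName -Server 127.0.0.1` and with `-Server $ServerIp`: a different answer between the two means the server is still reaching a forwarder other than the one shown by `Get-DnsServerForwarder`, usually a conditional forwarder left from the earlier setup.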

  8. Do you have a guide for getting Sophos configured for external access to ownCloud?

  9. I like the read. I have had a UTM installed for over a year now and seem to be getting the hang of it. I have one question that I may put to you. I keep getting this type of error in my web protection log:

    2016:04:29-14:33:05 salkeldfam httpproxy[5603]: id="0003" severity="info" sys="SecureWeb" sub="http" request="(nil)" function="http_parser_context_execute" file="http_parser_context.c" line="97" message="Unable to parse a http message of 291 bytes (HPE_INVALID_METHOD: invalid HTTP method)"

    Not sure if you have seen these before, but I can’t seem to find where the rule is that is causing this. Is there a way to edit the http_parser_context.c file and find line 97 to see what is happening and resolve it?

    Any help would be greatly appreciated.

    Thanks

    1. Unfortunately, I suspect that this is an issue with the web filter code, and that you may need to open a ticket with Sophos to get this resolved.

      The “http_parser_context.c” refers to the source code, specifically. And yeah, I’ve seen this issue before, but am not sure what it is aside from an internal handling error.

  10. I loved reading this a lot. I really hope to read more of your articles in the future, so I’ve saved your weblog.
