Channel: Sophos User Bulletin Board
Viewing all 14361 articles

Can UTM9 manage Wireless AP at a remote site?

We are investigating the Sophos UTM9 Wireless Protection.
We have it running at our main office on the local subnet and all is working well.
One question I have is this. If we put a Sophos Wireless AP into one of our remote sites which are connected via our WAN, can we still manage this remote site AP via our main office UTM, or do we need to put in a RED at the remote site to be able to manage this AP?

[9.100-12]Executive Report isn't displayed

Hi,

After updating to 9.100-12, if WebAdmin language is set to Japanese, Executive Report isn't displayed.
When the following command was executed, an error was output.

Code:

# /usr/local/bin/report_render.plx --type yesterday --sendmail

command: /usr/bin/xsltproc /usr/local/lib/exec_report.xslt /opt/tmpfs/executive_report_daily.xml | /usr/bin/tidy -q -f /dev/null -utf8 -ashtml --wrap 0 > /opt/tmpfs/executive_report_daily.html
/usr/local/lib/exec_report.xslt:5: parser error : DOCTYPE improperly terminated
]&gt; <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="
 ^
/usr/local/lib/exec_report.xslt:5: parser error : Start tag expected, '<' not found
]&gt; <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="
  ^
cannot parse /usr/local/lib/exec_report.xslt
sending mail ...

ESXi 5.1, Dell R720 and Intel I350 Network Cards

Hi,

We are encountering some serious performance issues running UTM 9.0 on a Dell R720 with ESXi 5.1. The network cards in the machine are all Intel I350 Quad-port 1GB adapters.

The throughput from the adapters is approximately only 200 Mbit instead of 1 Gb.

Is anyone else using a similar configuration and encountering performance issues?

If so have you been able to solve it and how?

More than 4 LAGs

With UTM 9.0, is it possible to create more than 4 LAG groups?

The user interface seems to only support 4 but we are hoping to create up to 8 on a piece of hardware.

Manage Users - Multi Select

Hi,

Will it be possible to perform multi-selects on the "Manage users" control for Folders, Groups, Users and Logins, even if it's just for "delete" operations? I can foresee that, if AD-Sync type functionality is realised, a user may require this if they can automatically import a large number of objects.

Regards,
Jak

Deployment tool

Hi,

Are there any plans in the future to provide an on-premise deployment tool for the cloud solution?

I could imagine something like SECs discovery options for finding computers, i.e. IP range scanning, AD, Windows Networking. Then maybe the ability to host the cloud bootstrapper in a share, the tool can schedule deployment jobs as it does today, maybe with some additional scheduling ability.

In an ideal world this same tool could also provide AD integration with the cloud.

Regards,
Jak

POP3 proxy and RBL's

Hello dear community,

I have a question regarding the Astaro POP3 proxy. I searched a bit about additional RBL's like zen.spamhaus.org to enhance the filter capability of the SMTP proxy.
Everything fine so far, some more unwanted mails were tagged and sorted out.

My question now: is this possible for the POP3 proxy for incoming mails too? And if so, how can I do this?
I have not found anything helpful here in the forum or via Google so far.
Maybe it is some misunderstanding on my side in this case.

If someone could give a clue about it, that would be great.

Thanks in advance.

IPS question...

Hi all,

I'm using a UTM 9.006-5 only for "WEB PROTECTION", no packet filter or routing.
So I didn't configure the Masquerading or any other kind of NAT.

Then I enabled also the Intrusion Prevention specifying all the networks involved but
I can't see any kind of activity on the IPS logs.

So is it possible to use the IPS when the UTM is not forwarding the traffic?

Thanks for your answers...

Base = recommended?

Hi,

Quick question/suggestion on policies....

Is the "Base" policy essentially the "Sophos Recommended" at the time the user environment is created or is it subject to change over time?

Further to that, are all policies (user defined) subject to change by Sophos at any point?

I can imagine the scenario where a new option comes along which Sophos believes should be enabled. Will all the users pick this up on the next poll? If so, presumably I have no control over this, or will it only go into Base, leaving me to define it in my policies for those users that match my policies, not Base? If this is the case, how would I know it now exists?

Would it not be better if the Base policy was "Sophos Recommended" which could be dynamically manipulated by Sophos as a live feed. User policies could optionally inherit this as the base. I would then only need to configure things specific to me, such as exclusions, scheduled scans, etc... and inherit the dynamic Sophos defaults of everything else.

If I didn't want new settings to be automatically deployed I would choose not to inherit the Sophos Recommended in my policies but to define all options.

Many products today detail if the managed software differs from the policy defined by the admin, which is fine. It would be as important to know (certainly for the admin) if the admin settings comply with the Sophos Recommended/best practice as over time things may change. Having a Sophos Recommended policy would allow the system to highlight which settings may require attention.

I hope that makes sense.

Regards,
Jak

Interesting Observation with SUM4

We have a SUM4 server and the devices we manage (external clients) report having our public IP as their public IP.. yet the agent IPs are correct. Let me explain..

Our Public IP 1.1.1.1 subnetted with /29
We have a public useable block 2.2.2.0/26 which are additional addresses on WAN\eth1 where 1.1.1.1 is of course defined.

Our ISP routes the useable 2.2.2.0/26 block to our 1.1.1.1 public IP.

The SUM server sits in a 3.3.3.0/24 DMZ which is NAT'd behind an address on 2.2.2.0/26. We'll say .10

All external devices we manage for clients point to DNS name sum.ourcompany.com which resolves to 2.2.2.10.

What I do not get is when I look at the details on the devices it shows:

IP Address (Agent) devices actual public IP
IP Address (Public) our 1.1.1.1 public IP

This of course presents a problem as we end up hitting our webadmin instead of theirs from SUM... lol

To make things more confusing, of the 14 devices in SUM, only 12 have this issue.. yet all the devices have the same central management settings.

Thoughts?

Pros and cons of remote access with Sophos OpenVPN client vs. IPSec?

Pros and cons of remote access with Sophos OpenVPN client vs. IPSec? I set up vpn client access to the UTM with Sophos OpenVPN and generally it works well. I see there is a straight IPSec mechanism as well, where on Windows for example you'd configure an IPSec vpn connection natively in the OS without downloading a client. Perhaps it's similar on OS X.

What are pros and cons of one approach vs. the other? Again this is client <--> VPN.

Multiple Authentication (RADIUS) Possible

Hi, Currently I'm running 3 different authentication servers. Active directory, eDirectory and 1 RADIUS server. Each one is authenticating the user for a specific task using a slightly different user login format.
I have been using the eDirectory server to authenticate users into the portal almost solely for email functions. The AD and RADIUS are being used for VPN access.

I'm in the process of phasing out the eDirectory server and would like to move that function over to a new (non-Windows based) RADIUS server. During the conversion some users will authenticate into the portal via the eDirectory server and some (different domain) will authenticate against the new RADIUS server.

This all seems to work individually, but when everything is turned on, authentication doesn't work. So first is it possible to have 2 RADIUS servers running? And if so, does the order in the list matter (I've read other threads where RADIUS should be first)? With all three running, VPN in does not work, even with the new RADIUS server at the bottom, as soon as I disable it VPN starts up again.
Hope someone can point me in the right direction.
Thanks

Hotspot network on eth interface

Hi folks,
I'm stuck at the moment. I want to keep running my old guest Wi-Fi network (not everything has been migrated yet) until I have set up all the APs. It is a separate physical network, which I have now bound to eth4. Network defined, DHCP enabled, hotspot settings made. Now the following happens: I can't get to the Internet, but I can ping my internal network and all the others as well?!? I don't understand why at the moment, because there is no rule that would allow the access. Of course the network has the IP of eth4 as its default gateway... Maybe that's the cause. How can I implement this with the hotspot network?

Thanks and regards,
Sebastian

UTM-9 and Strato DynDNS

Hello,

I have a domain hosted at Strato and would like to point it at my UTM-9 via DynDNS. Unfortunately, the Strato DynDNS server is not listed as a DynDNS option in the UTM. Has anyone already managed to connect a UTM-9 to Strato DynDNS?

I would be very grateful for any help.

ICMP packets from outside not possible

Hi,
I am relatively new to Sophos UTM and currently have the problem that I cannot get any ICMP packet from outside (Internet) through the firewall to a client. I have already found several posts on this, but unfortunately none of the suggested solutions helped in my case.

Here are two variants that I have tried:

1.


2.


According to the firewall log, both variants are dropped.

Now I am wondering whether I need to configure something fundamentally different, or whether there is yet another variant?


Regards,
r4bbit

IP subnets

Hello.

It's the first time I'm working with ASG UTM 220 and RED10. I'm currently deploying the first RED10 out of three.

All appliances (ASG 220 and RED10) are behind the ISP's routers, which for legacy reasons are NAT enabled and using private IP subnets between the router LAN interface and the Sophos appliances' WAN interfaces.

After checking this forum I finally learnt that I have to forward port 3400 TCP/UDP to the Sophos WAN interfaces, and I will set this up next Monday. But I'm currently concerned about the fact that the ASG UTM 220 LAN subnet is 192.168.1.0/24, as is the LAN of one of the ISP's routers.

I guess this won't be a problem in order to get up the tunnel between the ASG 220 and the RED10, but will it be a problem when it comes to routing packets from the RED10 LAN to the 192.168.1.0/24 subnet, because the ASG LAN and the ISP's router LAN on the RED10 side match this subnet?

Regards.

Residential Address Blocks

We are having issues with students running their own PROXY servers at home and then connecting to them from school to bypass the web filtering.

Is there any way for the UTM to block access TO residential IP addresses?

[9.100-14][BUG] Active Directory Sync not working fine

hi,


after update from 8 to 9.100-14 my SSL remote access stops working.
We import the users from an Active Directory server based on one AD group via prefetch directory users.

So if a user is added to this group, it is sync'd to the Astaro. But if a user is removed from the group, he is not deleted from the Astaro.

But the worst thing is this: we have a dynamic group with the same AD group as we use for sync. If I activate SSL remote access and make a profile with this group as group, no user in this group can connect, because the files:

/var/sec/chroot-openvpn/etc/openvpn/conf.d/$USERNAME

aren't created. Only if I add the sync'ed AD user manually to this profile will the files be created.

So I must now do massively more work to allow one AD user access via SSL remote access. Before the update I only had to add the user to the right AD group.

After the update, I must add the user to the AD group and also add the user to the SSL remote access profile.

[9.1RC][BUG] network definition

Duplicated DHCP Leases

I have created static objects for most of the hosts on my network. The only remaining ones are random wireless devices including phones. I noticed that there were duplicated entries showing up so I made one of them static. I'm still getting duplicates. When this occurs, there are two entries that are identical, except one has a hostname and the other has an unknown hostname. I tried removing them from dhcpd.leases, but they reappear. It seems that deleting them from the file doesn't delete them from utm. There should be a way to remove one or all dhcp entries and force new leases to be recreated.