Channel: Sophos User Bulletin Board

Can't download endpoint agent.

Hello,
I have installed 9.10016 of Sophos UTM and I can't download the endpoint agent for slim or full installation.

Am I missing something?

Is the 9.1 GA yet? If not when will it be GA?

Thanks,
Chris

L2TP over IPsec VPN with AD login

Hello,

On a UTM9 (version 9.004-33) the users are supposed to be able to log in via VPN (L2TP over IPsec). The users are stored in AD. There has been no RADIUS server so far.

Obviously one is required, though, or you have to have a separate local login on the Astaro. Two logins are awkward, and the users also use the Quarantine Mail Manager, which is why they need the AD login. Furthermore, the HTML5 VPN function should be usable (ideally with login data passed straight through).
Consequently I won't be able to avoid a RADIUS server.
So I installed a Network Policy Server on the DC (the only DC; Windows Server 2008 R2). So far I have had no experience with RADIUS at all, and unfortunately I also haven't managed to set up the server so that only the users in a specific group can be authenticated for L2TP over IPsec (as mentioned, its only purpose so far is to authenticate exactly for this service).

My two questions are now:
  1. Either there is a way after all to achieve what I want without RADIUS. I still lack the insight into why this restriction exists in the Astaro (RADIUS or local authentication)...
  2. Even if the question isn't necessarily specific to Astaro/Sophos Security Gateway: Which policy do I have to configure with which options in the RADIUS server so that, when authenticating for L2TP over IPsec, the user can authenticate exactly when he is a member of a specific group (e.g. SECURITYGATEWAY_L2TPOVERIPSEC)?

I would very much appreciate support and hints.

UTM NAT behind Cisco Router

Hello,

We have a Sophos UTM 220 device, which sits behind a Cisco ADSL2 router.

Now the router authenticates and creates the internet connection. I believe this has NAT running on it already.

Also the Sophos UTM 220 has NAT running on it. Should I disable NAT on the Cisco router or on the Sophos UTM? Where is it recommended to have NAT?

Basically this is the setup

Client PCs (192.168.0.0/24)
|
|
[LAN Port 192.168.0.1]
UTM 220
[WAN Port 192.168.1.2]
|
|
Cisco Router 877 [LAN 192.168.1.1 ]
|
|
Internet

After Upgrade to 9.100-16 CPU load is 100%

Hi,

I use UTM 9 at home and I tried to update with Up2Date. The base is ESXi 5.1 and the UTM 9 is a virtual machine on it.

After the upgrade to 9.100-16 the CPU load is 100% for hours. After a reboot, the same problem.

Before the update I took a snapshot, and after resetting to this snapshot (UTM 9.006-5) everything is OK.

Is there any solution for the problem with 9.100-16?

Thanks for feedback.

Greetings
Erwin

2 DHCP servers on one VLAN - 1x option 43

Hello everyone

On an ASG 320 with current FW 9.1, I would like to run 2 DHCP servers on one VLAN. One of them should have option 43 enabled, because I want to give all APs from one manufacturer an address from IP range A and the remaining clients an IP from IP range B.

However, the ASG does not accept my MAC parameters; they are supposed to be given as HEX. What exactly does the ASG expect there?
For testing I connected a test machine with an Intel card to this VLAN. The vendor ID is 0x8086 with the sub ID 1502.
I thought I could simply enter 80:86:15:02 in the Hex: field and then apply this option to DHCP server range A.
Unfortunately the machine only gets the IP from range B, so option 43 does not take effect.

Where do I get the hex value for my hardware? Or rather, how exactly is it composed?

Does anyone have an idea?
Many thanks and regards
greenhornXXL

Blocking certain HTTPS sites

Hi!

Can we actually block certain HTTPS sites like https://www.facebook.com without enabling SCAN HTTPS/SSL site in transparent mode?

Hoping for a clear solution for this on UTM9

Regards,
Norwel

Modify Snort Parameter Using CC Command

Hi All,

Can we modify Snort parameters using the CC command? I want to change the max_queued_bytes and max_queued_segs parameters.


Thanks :)

[9.100-16] "Collisions" with multiple ipsec spokes

We have Sophos UTM 9.1 as the "hub" gateway, in responder mode to a couple of site-to-site ipsec tunnels. The remote routers are cisco 887 units.

One tunnel by itself works fine, but when the second router is switched on, they are 'colliding' somehow at the IPsec negotiation layer. UTM is getting confused.

With the UTM in responder mode, it's matching VPN ID = any. So the only thing that really separates them is the preshared keys, which are unique to each tunnel. We have PSK probing switched on. I can see UTM is trying the different secrets in turn.

But something is still going wrong as the second site to site tunnel won't come up unless we disable the first one. (Actually had to turn off the router in fact!)

The log is somewhat confusing to follow, but here is a section that illustrates what's going on:

Quote:

2013:05:20-06:11:17 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: responding to Main Mode from unknown peer w.x.y.z
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: received Vendor ID payload [Dead Peer Detection]
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: ignoring Vendor ID payload [a0eb1c7926ecb7bb6ea2b337065b9476]
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: received Vendor ID payload [XAUTH]
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: next payload type of ISAKMP Identification Payload has an unknown value: 151
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: Preshared secret failed to decrypt message. Trying next one.
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: next payload type of ISAKMP Identification Payload has an unknown value: 156
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: Preshared secret failed to decrypt message. Trying next one.
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: Peer ID is ID_IPV4_ADDR: 'a.b.c.d'
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[3] w.x.y.z #884: deleting connection "S_REF_IpsSitAutest_0"[2] instance with peer w.x.y.z {isakmp=#0/ipsec=#0}
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[3] w.x.y.z #884: Dead Peer Detection (RFC 3706) enabled
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[3] w.x.y.z #884: sent MR3, ISAKMP SA established
What's concerning about this is that the reference to S_REF_IpsSitAutest is the descriptor for the _other_ tunnel, not the one associated with IP w.x.y.z.

We'll have to do some more testing to try and pin this down, but can anyone confirm: so long as the local subnets behind each remote gw are non-overlapping, is there any reason we shouldn't be able to make this work using preshared keys?

As I said, with only one of the two routers powered up, either one, the tunnel works fine.
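To make a pluto log like the one quoted in this post easier to read, here is an added example (my own code, not from the poster or from Sophos) that parses the quoted lines, tallies the "Preshared secret failed to decrypt" probe attempts per ISAKMP SA, records the asserted Peer ID, and flags any SA that was negotiated under a connection whose configured remote gateway differs from the address the packets came from. The connection-to-gateway mapping `EXPECTED_REMOTE_GATEWAY` is an assumption for illustration (the post says S_REF_IpsSitAutest belongs to the other tunnel, so it is mapped to a.b.c.d); on a real UTM it would come from the site-to-site tunnel definitions.

```python
import re

# Constructed sample input: the pluto lines quoted in the post above, copied verbatim
# (w.x.y.z and a.b.c.d are the poster's own address placeholders).
SAMPLE_LOG = """\
2013:05:20-06:11:17 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: responding to Main Mode from unknown peer w.x.y.z
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: received Vendor ID payload [Dead Peer Detection]
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: ignoring Vendor ID payload [a0eb1c7926ecb7bb6ea2b337065b9476]
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: received Vendor ID payload [XAUTH]
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: next payload type of ISAKMP Identification Payload has an unknown value: 151
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: Preshared secret failed to decrypt message. Trying next one.
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: next payload type of ISAKMP Identification Payload has an unknown value: 156
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: Preshared secret failed to decrypt message. Trying next one.
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[2] w.x.y.z #884: Peer ID is ID_IPV4_ADDR: 'a.b.c.d'
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[3] w.x.y.z #884: deleting connection "S_REF_IpsSitAutest_0"[2] instance with peer w.x.y.z {isakmp=#0/ipsec=#0}
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[3] w.x.y.z #884: Dead Peer Detection (RFC 3706) enabled
2013:05:20-06:11:18 vpn pluto[17562]: "S_REF_IpsSitAutest_0"[3] w.x.y.z #884: sent MR3, ISAKMP SA established
"""

# ASSUMED mapping of connection name -> configured remote gateway address.
# The post states S_REF_IpsSitAutest is the *other* tunnel, so it is mapped to a.b.c.d here.
EXPECTED_REMOTE_GATEWAY = {"S_REF_IpsSitAutest_0": "a.b.c.d"}

# One pluto line: timestamp, "conn"[instance], source peer, #SA-number, message.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) vpn pluto\[\d+\]: "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$'
)
PEER_ID_RE = re.compile(r"Peer ID is ([A-Z0-9_]+): '([^']+)'")
DELETE_RE = re.compile(r'deleting connection "([^"]+)"\[(\d+)\] instance')


def parse_pluto(text):
    """Return a list of dicts, one per line that matches the pluto format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["inst"] = int(d["inst"])
            d["sa"] = int(d["sa"])
            events.append(d)
    return events


def summarize(events):
    """Per ISAKMP SA number: source peer, connection instances used, number of PSK
    probe failures, asserted Peer ID, deleted instances, and whether the SA came up."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["sa"], {
            "peer": e["peer"], "conns": [], "psk_failures": 0,
            "peer_id": None, "deleted_instances": [], "established": False,
        })
        tag = f'{e["conn"]}[{e["inst"]}]'
        if tag not in s["conns"]:
            s["conns"].append(tag)
        msg = e["msg"]
        if msg.startswith("Preshared secret failed to decrypt"):
            s["psk_failures"] += 1
        m = PEER_ID_RE.search(msg)
        if m:
            s["peer_id"] = (m.group(1), m.group(2))
        m = DELETE_RE.search(msg)
        if m:
            s["deleted_instances"].append(f"{m.group(1)}[{m.group(2)}]")
        if "ISAKMP SA established" in msg:
            s["established"] = True
    return summary


def flag_gateway_mismatch(summary, expected_by_conn):
    """Return SA numbers negotiated under a connection whose configured remote gateway
    (from expected_by_conn) is not the address the packets actually came from."""
    flagged = []
    for sa, s in sorted(summary.items()):
        for tag in s["conns"]:
            conn = tag.split("[", 1)[0]
            expected = expected_by_conn.get(conn)
            if expected is not None and expected != s["peer"]:
                flagged.append(sa)
                break
    return flagged


if __name__ == "__main__":
    summary = summarize(parse_pluto(SAMPLE_LOG))
    for sa, s in sorted(summary.items()):
        print(f"SA #{sa}: from {s['peer']} via {s['conns']}, PSK probe failures={s['psk_failures']}, "
              f"peer id={s['peer_id']}, established={s['established']}")
    print("SAs under a connection meant for a different gateway:",
          flag_gateway_mismatch(summary, EXPECTED_REMOTE_GATEWAY))
```

Run against the quoted excerpt it reports two PSK probe failures before the third secret decrypts, a Peer ID of a.b.c.d on packets arriving from w.x.y.z, and flags SA #884 because the connection it was matched to is assumed to belong to the other gateway. The same approach applied to a longer capture (one summary entry per SA number) makes it straightforward to see which tunnel each negotiation was actually attributed to.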

utm9 Rel:9.003-16 config gone after reboot

Hello everyone;

For a few weeks I have had the problem that when I boot the firewall, the complete config is dead.
I can reach it neither via 172.16.***.254 nor via the default IP.
During boot it hangs at "PrePOSTSQL" (if I remember correctly).
All I can do then is deploy a new FW and import an old backup.
Unfortunately I can't get at the log files either, since I no longer have access to the firewall.

Does anyone have a comparable problem?

regards
Achim.Z.

[BUG] Help window/page issues

See attached image, the window name could be more fitting rather than give the location of where you are in the help page.

The expand all and remove highlights buttons don't seem to be applicable to this implementation currently.

Attached Images
File Type: png saas help.PNG (8.0 KB)

Sophos UTM9 Driving me crazy!

Hi all, any responses would be greatly appreciated...

We are currently setting up a Hyper-V guest as an MSP but are having trouble routing packets inbound to our DMZ's message relay (MR) on our Software based Sophos UTM9.

We have created a Network Definition within the UTM pointing to our MR (NOT tied to an interface), we have created Service Definitions for the port forwarding, we have created our DNAT rules for the Services (Traffic Selector - Any to Service to External WAN to Destination MR) and we have created our Firewall rules to allow free flowing traffic for the Services.

However, we are not able to Telnet from an external location into the MR through the UTM. We have checked the logs on the UTM and see no record of any packets over the Service ports we have defined yet we do see rejected packets from other external sources, none of which relate to any of our activity.

We have a Draytek Router on the WAN side of the UTM and we have DMZ'd the LAN port on the Draytek which connects the two and are forcing traffic from our designated public IP for this service through this LAN port to the UTM.

I am tearing my hair out over attempting to resolve this issue and I now have very little left, I may have to resort to a wig and pluck at that instead.

Any help would be greatly appreciated. Thanks in advance.

Expanding and closing action center

When logged in to the action center one can click on the arrow at the left of the report and it will change to a downward arrow and provide more detail on the alert.

However, if one clicks on the arrow again (now facing down) it doesn't collapse or hide the report - the report stays where it was and the arrow then moves to be a facing right position.

Windows 8 64 bit, IE 10

I've attached a screenshot below.

Attached Images
File Type: jpg ScreenHunter_01 May. 20 14.44.jpg (37.2 KB)

Terminology when clearing alerts

When an alert is ticked the options given are to reinstall the end-point or ignore the alert.

Whilst you may want to ignore the alert, once the alert issue has been cleared wouldn't it be better to 'acknowledge the alert' which is in keeping with the Sophos enterprise console.
The 'ignore' option gives rise to the impression that the user is not bothered about the alert so chooses to ignore it, when in reality it may have been dealt with and then can be acknowledged.

Also if you 'ignore' an alert by mistake - how do you get it back?

Proxy problems after upgrade to 9.100-16

Hello,

I wonder if anyone else is experiencing this issue:

After upgrading to 9.100-16, PCs with the browser configured to the proxy in standard mode are frequently experiencing connection problems. The browser's page-loading indicator spins continuously but no connection is made. Unchecking the proxy in Internet options restores connectivity. This happens with I.E. 9, Chrome, and Firefox. I never experienced this problem with the earlier firmware version.

If anyone has experienced this and/or can suggest a solution or troubleshooting steps I'd be grateful to hear from you.

UTM 425 active/passive 8.309=>9.1 upgrade

Just reporting my recent experience. Active/passive cluster of UTM425 / ASG425 rev4, running 8.309. Downloaded and installed 9 with no problems or dropped packets, but this cluster is very minimally configured. Ran through all of the Up2Dates and it's installing 9.10016 right now. So far, so good, but I'm holding my breath at least for the next week or so.

Whitelist disappeared after update to 9.1???

Hello dear forum,

after our update to 9.100-16 today our whitelist entries have disappeared!?

Web Protection – Web Filter Profiles – and then the profile

Here we had a whitelist with all the URLs that were allowed.

The settings (i.e. the exceptions) still work!
Where has this been moved to?

Can anyone help me???

Best regards
Jonas

IDS Error DCE/RPC

Hello,

today I switched on the IDS system but promptly get the following error in the log:

ERROR: dcerpc2: dce2_co.c(1952) Could not create DCE/RPC frag reassembled packet.

I read here in the forum that RAM may be exhausted, but mine is only at 14% utilisation.

restart httpproxy

Hello,

we have an ASG 220 and I want to know how I can stop/start the httpproxy process from within PuTTY and the ASG WebAdmin.
How can I make a cronjob to restart a process, or is that not allowed?

Email Protection

Hi

I am using the UTM home edition.
Email protection is not logging outgoing mails;
it only shows mail sent by firewall notifications.

We are using smtp.gmail.com

Security bug? SSL VPN UTM 9.100-12 multiple Active Directories

Hello

When I'm configuring two Active Directories with the new SSL VPN profile-based system, it isn't possible to dedicate one of these profiles/users/groups to one of these Active Directories.

In my scenario this is a huge security bug:

When my "active directory 1" has the same username in it as my "active directory 2", it is possible to connect with the "active directory 2" username and the password of the user in "active directory 2" (a different password than the same username in "active directory 1") to the active directory 1 users' SSL VPN, and because of that to the wrong customer network (active directory profile 1 customer network). It's random: sometimes my user from "active directory 2" is connected to the "active directory 2" network, sometimes to the "active directory 1" network...

Does anyone know anything about this situation/problem?

thank you for help!
kind regards