Channel: Sophos User Bulletin Board

SNI support in 9.1?

Hi,

is Server Name Indication (basically this means multiple SSL certificates on one IP) officially supported in UTM 9.1?
I tried it today (9.100-16) and was able to add a second virtual server with ssl and a different certificate to the same interface...
It seems to work (at least with Firefox on Windows 8). I will try to test with some other systems tomorrow.

SSL VPN autopacketfilter rules are not set for backend group

I just found this in the Reported issues in 9.1 GA release thread and I have to say this brought us a rainy day, so I thought it's worth mentioning in the forum because I couldn't find anything about it. We observed the same thing at multiple customer sites and adjusted the firewall rules manually. This would have saved us some time.

I'm still willing to test the patch if the Sophos guys are willing to send it to me; almost all of our customers are set up like this, all with AD backend groups with SSL VPN and Automatic rule (like it or not!).


25787: SSL VPN autopacketfilter rules are not set for backend group objects
>> Problem fixed and staged for version 9.101. Please contact support for a patch if required urgently

ASG220 8.309 Port 443, DNAT to other internal web server

Good day.

We are using an old ASG220 appliance. We would like to forward port 443 to an internal server.

The documentation describes the process of moving the User Portal to another port (e.g., 1443). We tried this and also disabled the User Portal. We also disabled SSL VPN. However, the DNAT rule that we created still does not appear to work.

Please, we would like some solid suggestions on how we should proceed.

Any suggestions?

Thanks.

Keri

RED 50 not work Split

Hi All,

We just deployed the RED 50 in our environment and we have a problem.

Today we have one RED10 in our environment working in Standard/Split mode and it works correctly.

But putting the RED50 into Standard/Split definitely does not work; it works only in Standard/Unified.

If we put the RED50 in Standard/Split mode, the RED50 side does not access any networks.

So we leave the RED50 working as Standard/Unified, but that's not what we want.

Note: the RED50 is covered by the same rules in firewall/NAT/masquerading etc. as the RED10.

The Firmware version is 9.006-5.

I sent 3 images about the configurations.

Can anyone help?

thx.


[9.100-16] Http proxy not running - restarted

Hi all,

We upgraded to 9.100-16 last night as it appears that most bugs have been ironed out.

However, unfortunately, in less than 24 hours I have had 2 notifications that the HTTP proxy has been restarted.

Http proxy not running - restarted
--
System Uptime : 0 days 12 hours 6 minutes
System Load : 8.61
System Version : Sophos UTM 9.100-16

Http proxy not running - restarted
--
System Uptime : 0 days 14 hours 21 minutes
System Load : 4.25
System Version : Sophos UTM 9.100-16


Here is what is in the kernel log:

2013:05:22-09:45:16 SCAG_SophosUTM-1 kernel: [43546.860743] httpproxy[24004]: segfault at 1 ip 0000000000000001 sp 00000000eae52bfc error 14 in httpproxy[8048000+61000]

2013:05:22-12:00:57 SCAG_SophosUTM-1 kernel: [51687.423803] httpproxy[559]: segfault at e4 ip 00000000f7743792 sp 00000000ed73bc00 error 4 in libssl.so.1.0.0[f7704000+5c000]

I have noticed that the Mantis ID #25298 has been worked on again.

http://www.astaro.org/beta-versions/...tpproxy-5.html

This may relate to my issue (but I'm not sure); in any case I have logged a job with Sophos to see what is up. I have had no issues with the previous version 9.006-5.

Device: Sophos UTM 220
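The two kernel lines above carry enough detail to triage a crash before a support ticket is raised: which binary faulted, where inside it, and whether the fault looks like a bad pointer read or a jump to a bogus address. The following parser is an added example for the post above (not code from the poster or from Sophos); it uses the two log lines as posted and decodes the page-fault error code with the standard x86 bit meanings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The two kernel segfault lines from the post above.
SAMPLE_LINES = [
    "2013:05:22-09:45:16 SCAG_SophosUTM-1 kernel: [43546.860743] httpproxy[24004]: "
    "segfault at 1 ip 0000000000000001 sp 00000000eae52bfc error 14 in httpproxy[8048000+61000]",
    "2013:05:22-12:00:57 SCAG_SophosUTM-1 kernel: [51687.423803] httpproxy[559]: "
    "segfault at e4 ip 00000000f7743792 sp 00000000ed73bc00 error 4 in libssl.so.1.0.0[f7704000+5c000]",
]

SEGFAULT_RE = re.compile(
    r"(?P<proc>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<module>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# x86 page-fault error-code bits as the Linux kernel reports them.
ERR_BITS = [(1, "protection-violation"), (2, "write"), (4, "user-mode"),
            (8, "reserved-bit"), (16, "instruction-fetch")]

@dataclass
class Segfault:
    proc: str
    pid: int
    addr: int
    ip: int
    module: str
    offset: Optional[int]   # ip relative to the module base, if ip lies inside it
    flags: List[str]
    null_deref: bool        # fault address in the first page: NULL-ish pointer
    suspicious: bool        # ip == fault address: execution jumped to a bad pointer

def parse_segfault(line: str) -> Optional[Segfault]:
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, base, size = (int(m[k], 16) for k in ("addr", "ip", "base", "size"))
    err = int(m["err"])
    flags = [name for bit, name in ERR_BITS if err & bit]
    if not err & 1:           # bit 0 clear means the page was not present at all
        flags.insert(0, "not-present")
    offset = ip - base if base <= ip < base + size else None
    return Segfault(m["proc"], int(m["pid"]), addr, ip, m["module"], offset,
                    flags, null_deref=addr < 0x1000, suspicious=(addr == ip))

def triage(lines: List[str]) -> List[Segfault]:
    """Parse every segfault line; lines that are not segfaults are skipped."""
    return [s for s in map(parse_segfault, lines) if s]
```

The first line (ip equal to the fault address 0x1) is the one to escalate: the process tried to execute from address 1, which points at corrupted control flow rather than an ordinary NULL dereference like the libssl one.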

New third party UTM tool(s)?

I have put together a little third-party tool that can really help out any complex Proxy Profile configurations if you're trying to troubleshoot a problem where there are far far too many Filter Actions for any sane person to go through.

Once upon a time, I was trying to troubleshoot a problem where the Web Filter, or more specifically one of the many proxy profiles, wasn't logging a request that I was sure was going through the proxy. After an hour of digging I finally found the culprit, and swore to myself I'd never again spend such a ridiculous amount of time finding the solution to this script-able problem.

So, I spent some time putting this little tool together. It was designed and built on Ubuntu, and tested on Debian stable. It's written in Ruby and it interacts with the UTM via cc over SSH; the code should be pretty easy to understand. If you have any questions please feel free to post them on the Github page linked below (but not on the forums here, see Off Topic). There is a Readme on the Github page with more information and examples of use.

At the moment please consider it alpha software, but thanks to how it is written it won't bork the UTM if anything goes wrong, it will just timeout and disconnect because the program didn't get the response back it expected. Please feel free to construct as elaborate a configuration as you can in a test lab and throw this program at it to see if it can identify all of the Filter Actions that aren't set to log both accessed and blocked pages, and most importantly let me know about the results!

Software patches, comments, questions, and quizzical looks welcome. :)

https://github.com/jeffWelling/utm-plc


In the spirit of generating ideas for potential new tools (weekend projects), what other tools do you think would be handy for troubleshooting UTM or networking problems? Have you written your own tool that you use to troubleshoot that you can share?

Backend sync: groups in Active Directory

Hi,

I probably just have an error in my thinking. I have set up a UTM120 (firmware version 9.100-16) with Active Directory auth. and SSO. Works wonderfully. We use the web proxy in standard mode. Now, however, some users should be permitted to reach the internet without the proxy. I created a backend group "Internet" and created a firewall rule that allows this group out to the internet. That doesn't work, though. If I create a PC as a host with an IP address and put it in there, it works immediately. Of course I also created the group in AD and added my user. Restarting the PC didn't help either.

Any tips, or am I fundamentally thinking about this wrong?

Thanks for the help

Regards
Koji

Web filter / Allowed services

Hi,

and one more question.

I don't know whether this is intended. I noticed the following:

In the web filter you have to explicitly allow every port/service that may be accessed. (Under Web Protection -> Web Filter -> Advanced under "Allowed services".) That is a good thing in itself, but here no distinction is made between external and internal IP addresses, only whether the respective service is allowed or not.

Is there a way to separate this for the internal network?
Apparently the UTM doesn't consider the IP at all here. The browser setting to bypass local addresses doesn't help either.

Thanks in advance.

Regards
Koji

[9.100-16] New notifications

Thanks for getting this feature into 9.1.
But please let us customize this per device with a select button in the config or with a timeframe config.

This will drop the false notifications for REDs that are only temporarily online, or the typical DSL reconnects at night.

Sophos UTM v 9.080 High availability

Hi, we have one ASG220 and are willing to get an ASG320 shortly. Our concern is whether they can work as a cluster? Assuming that they both run v 9.080.

Regards,
Minh

Snort not running, among others

ASG220 UTM 9.100-16
At irregular intervals the following appears:
[INFO-115] Snort not running - restarted
[INFO-122] Dhcpd not running - restarted
[INFO-125] Smtpd not running - restarted
[INFO-141] Http proxy not running - restarted
Please clarify.

Upgrade Memory UTM220

Hello,

What maximum amount of memory do the white boxes of the UTM220 support? What type (DDR2, DDR3)?

When will the UTM update to the current strongSwan build?

WLAN problems after update 9.100-16

Hello everyone,

does anyone else have the problem that after the update to 9.100-16 the WLAN connection is regularly interrupted for four to six pings?
I use two ASG220s and have already swapped the master. Restarted all APs. Unfortunately none of that brought any improvement. Does anyone have an idea for a remedy?

Before the update the WLAN worked absolutely perfectly.

Thanks in advance.

ASG220 Rev4 mainboard replaced

Hello,

right up front: I run my ASG220 privately with a home license.

My old Rev4 broke through my own fault.
So I got a used Rev4 and installed the old disk
(a Samsung SSD830, by the way).

It boots and shows no errors on the console.
(The display also shows the correct IP addresses for the interfaces.)

But it doesn't respond on the interfaces to any ping, any ARP, nothing.
(With a freshly installed 9.003 it runs without problems.)

Do I have to reinstall onto the SSD and reconfigure everything, or can I, e.g. with "cc", get the old installation running together with the new motherboard?
Or can I at least install fresh and then restore my last configuration backup?

ASG220Rev No function after exchanging mainboard

Hi,

first of all: I use my ASG220 at home with a home license

My Rev4 is broken, it's my fault.
I bought a used Rev4 and plugged in the hard disk of the old one.

It boots perfectly and shows no errors on the console.
But it doesn't answer any ping nor arp on any interface.
The display shows the correct (old) IP-addresses.

With a 9.1 freshly installed it works perfect.

Do I have to use a new installation?
Can I copy last configuration backup onto the new installation?

Or is there any chance to join the old hard disk with the new mainboard?
(I'd prefer this)

Best regards
Xavier

Sophos Cloud updated to 2.1

Hi,

we just updated Sophos Cloud to version 2.1. This release contains one new feature: Email Alerting. For every alert with the severity 'high' all administrators will receive an e-mail. We will provide e-mail digesting as well as configuration options for this in future releases. Apart from that, we fixed the bugs listed below, as well as some more internal bug fixes and improvements.

Fixed Issues
  • [24886] High resolution graphics
  • [25597] Customers who have half-completed the wizard in an old version can never finish the new wizard
  • [25673] Local Directory is missing for at least one customer
  • [25750] Welcome Page Picture is not shown with ie9, ie10 and FF

Astaro 8.3.0.9. L2TP + Windows CA Problem

Hello everybody,

my problem is perhaps simple. I've successfully configured L2TP over IPsec with Preshared Key and User Radius Authentication.

Now I want to use certificates to authenticate clients instead of a Preshared Key. So I installed my AD CA as verification CA and changed the Authentication Mode to X509 CA check and Certificate to Client Certification Certificate.

If I try to connect, it doesn't work. The Astaro has a problem fetching the CRL or the status of the certificate from the client. Here is my log:

"D_for admin"[4] 2.202.107.161 #75: responding to Main Mode from unknown peer 2.202.107.161
2013:05:22-15:30:40 hostname pluto[3452]: "D_for admin"[4] 2.202.107.161 #75: ECP_384 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
2013:05:22-15:30:40 hostname pluto[3452]: "D_for admin"[4] 2.202.107.161 #75: ECP_256 is not supported. Attribute OAKLEY_GROUP_DESCRIPTION
2013:05:22-15:30:40 hostname pluto[3452]: "D_for admin"[4] 2.202.107.161 #74: Peer ID is ID_FQDN: '....'
2013:05:22-15:30:40 hostname pluto[3452]: "D_for admin"[4] 2.202.107.161 #74: crl not found
2013:05:22-15:30:40 hostname pluto[3452]: "D_for admin"[4] 2.202.107.161 #74: certificate status unknown
2013:05:22-15:30:40 hostname pluto[3452]: fetching crl from 'http://..../CertEnroll/.....crl' ...
2013:05:22-15:30:40 hostname pluto[3452]: "D_for admin"[4] 2.202.107.161 #74: we have a cert and are sending it
2013:05:22-15:30:40 hostname pluto[3452]: "D_for admin"[4] 2.202.107.161 #74: sent MR3, ISAKMP SA established
2013:05:22-15:30:40 hostname pluto[3452]: fetching crl from 'ldap:///CN=...,CN=...,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=...,DC=...?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
2013:05:22-15:30:40 hostname pluto[3452]: LDAP bind to 'ldap:///CN=....,CN=....,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=....,DC=....?certificateRevocationList?base?objectClass=cRLDistributionPoint' failed: Can't contact LDAP server
2013:05:22-15:30:40 hostname pluto[3452]: crl fetching failed


If I try to connect to the CRL via IE or Firefox it works and I can download the CRL. LDAP connect works too.
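The log above shows pluto walking the certificate's CRL distribution points in turn: an HTTP URL and an LDAP URL with no host part, and it is the host-less LDAP one that fails with "Can't contact LDAP server". The script below is an added example for this post (not the poster's or Sophos's code); it reads the pluto lines as posted, with the poster's anonymised placeholders made consistent, and classifies each distribution point. It assumes the usual reading of a host-less ldap:/// CDP URI as "locate a domain controller yourself", which Windows clients can do via AD and a gateway that is not domain-joined generally cannot.

```python
import re
from urllib.parse import urlparse, unquote

# Pluto log lines from the post above; the "...." placeholders are the poster's own.
SAMPLE_LOG = """\
2013:05:22-15:30:40 hostname pluto[3452]: "D_for admin"[4] 2.202.107.161 #74: crl not found
2013:05:22-15:30:40 hostname pluto[3452]: "D_for admin"[4] 2.202.107.161 #74: certificate status unknown
2013:05:22-15:30:40 hostname pluto[3452]: fetching crl from 'http://..../CertEnroll/.....crl' ...
2013:05:22-15:30:40 hostname pluto[3452]: fetching crl from 'ldap:///CN=....,CN=....,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=....,DC=....?certificateRevocationList?base?objectClass=cRLDistributionPoint' ...
2013:05:22-15:30:40 hostname pluto[3452]: LDAP bind to 'ldap:///CN=....,CN=....,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=....,DC=....?certificateRevocationList?base?objectClass=cRLDistributionPoint' failed: Can't contact LDAP server
2013:05:22-15:30:40 hostname pluto[3452]: crl fetching failed
"""

FETCH_RE = re.compile(r"fetching crl from '(?P<url>[^']+)'")
FAIL_RE = re.compile(r"LDAP bind to '(?P<url>[^']+)' failed: (?P<reason>.*)$")

def classify_cdp(url: str):
    """Return (kind, note) describing what the gateway needs to fetch this CDP."""
    p = urlparse(url)
    if p.scheme in ("http", "https"):
        return "http", "plain fetch; needs DNS and outbound HTTP from the gateway"
    if p.scheme == "ldap" and not p.netloc:
        dn = unquote(p.path.lstrip("/"))
        return "ldap-hostless", ("no host in URI; Windows clients locate a DC through AD, "
                                 "a non-domain-joined gateway cannot; DN=" + dn)
    if p.scheme == "ldap":
        return "ldap", "needs LDAP reachability to " + p.netloc
    return "unknown", "unsupported scheme"

def crl_report(log: str) -> dict:
    """Map each CDP URL pluto tried to its classification and outcome."""
    attempts = {}
    for line in log.splitlines():
        m = FETCH_RE.search(line)
        if m:
            kind, note = classify_cdp(m["url"])
            attempts[m["url"]] = {"kind": kind, "note": note, "failed": False, "reason": None}
            continue
        m = FAIL_RE.search(line)
        if m:
            entry = attempts.setdefault(m["url"], dict(zip(("kind", "note"), classify_cdp(m["url"])),
                                                       failed=False, reason=None))
            entry.update(failed=True, reason=m["reason"])
    return attempts

def unreachable_cdps(report: dict) -> list:
    """CDPs that failed or that a gateway outside the domain cannot resolve at all."""
    return [u for u, e in report.items() if e["failed"] or e["kind"] == "ldap-hostless"]
```

Run over the log the report singles out the LDAP distribution point; the practical fix on the CA side is to make sure an HTTP CDP the gateway can reach is published and listed in issued client certificates, which is exactly what the browser test in the post confirms works.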

Rename RED Branch Name??

Hi
We have a UTM220 running firmware 9.100-16 and about 12 RED10 devices. The reds are named "reds01, reds02 ..." etc. I would like to give these more descriptive names, but I see that in the WebAdmin there doesn't seem to be a way. Am I missing something?

Is there *any* way to do this, even via a manual config/xml edit? When we get an alert that "redXX is down" it would be really helpful to not have to dig up my notes on which site that actually is.

L2TP over IPSEC w/PSK - Having an issue with traffic over 443

Hi all,

Running UTM 9.1 and trying to get my VPN fully functional on Windows 7/8.

Current setup:
UTM 9.1
L2TP VPN IP pool set to completely different subnet
Firewall rule setup to allow all traffic from the L2TP VPN pool to access whatever network they want on whatever protocol they want
Web filtering (proxy) setup for internal traffic

In order for me to successfully access my internal network from the remote client, I had to set the client to "Use Remote Gateway" - it will not access the internal network otherwise.

Because of this, internet (80/443) traffic is also tunneled through. I don't mind this other than the fact that I see slower internet speeds since the upload speed at my house is not that great. (If someone could find a way around this other than placing my L2TP clients on the same subnet as the internal clients, that would be great)

So in order to get the remote clients to access internet traffic, I had to add the L2TP network to the list of allowed networks on the Web Filtering settings. The problem I have now is that 443 (HTTPS) traffic does not go through at all. If I check the box that says "Scan HTTPS Traffic," it works fine but all of my internal clients experience certificate errors because I do not have a valid HTTPS certificate.

I have tried everything I could think of - I added the L2TP network to the exceptions list as well as the "Skip" lists on the advanced tab of Web filtering. No dice.

Any ideas?