Channel: Sophos User Bulletin Board

Installation Problem / PC + VM

Hi dears,

When trying to install UTM 9 and UTM 9 Home Edition on a DELL PC or virtual machine with the ISO files, I got an error message (attached picture).

Please help me to complete the installation.

Thanks a lot

Attached Images
File Type: png Astaro pc.PNG (54.6 KB)

Nortel IPsec problem

Hi;

I want to set up an IPsec VPN between a Nortel VPN Router and an ASG 625, but I get the following error message.

packet from ****:500: unsupported exchange type ISAKMP_XCHG_AGGR in message
2013:08:13-11:13:16 IVEIFW-2 pluto[7257]: packet from ****:500: sending notification UNSUPPORTED_EXCHANGE_TYPE to ****:500
2013:08:13-11:13:43 IVEIFW-2 pluto[7257]: | handling event EVENT_RETRANSMIT for **** "S_VoIP_Acbm" #332204

9.104-17 ftp listing in browser causes "Cannot allocate memory"

Hello,

I'm wondering why I cannot find astaro/sophos related information about this Cannot allocate memory problem anywhere, so I decided to make it public in this forum. Perhaps others have this problem as well.
When trying to access any ftp site or even a non existing dummy site in a browser, the UTM proxy brings an error "cannot allocate memory" (CAM).
If I restart the machine, it will work for some hours and then the CAM error appears again.

I wonder if there is some workaround?

ASG320
v9.104-17
Machine load: CPU ~5%, RAM ~70-85%

Support acknowledged this bug as: Mantis 27348. What is Mantis??


2013:08:13-10:43:22 astaroproxy-1 httpproxy[5485]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="1.2.3.56" dstip="" user="username" statuscode="502" cached="0" profile="REF_PMadUFlIJm (profilename)" filteraction="REF_PZCHjrztsC (SG_Internet_IT)" size="2624" request="0x2dde2c08" url="ftp://ftp.dell.com/" exceptions="" error="Cannot allocate memory" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware"
2013:08:13-10:43:27 astaroproxy-1 httpproxy[5485]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="1.2.3.56" dstip="" user="username" statuscode="502" cached="0" profile="REF_PMadUFlIJm (profilename)" filteraction="REF_PZCHjrztsC (SG_Internet_IT)" size="2624" request="0x2ea30010" url="ftp://ftp.dell.com/" exceptions="" error="Cannot allocate memory" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware"
2013:08:13-10:43:40 astaroproxy-1 httpproxy[5485]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="1.2.3.56" dstip="" user="username" statuscode="502" cached="0" profile="REF_PMadUFlIJm (profilename)" filteraction="REF_PZCHjrztsC (SG_Internet_IT)" size="2626" request="0x305dccc8" url="ftp://ftp.astaro.com/" exceptions="" error="Cannot allocate memory" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware"
2013:08:13-10:43:43 astaroproxy-1 httpproxy[5485]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="1.2.3.56" dstip="" user="username" statuscode="502" cached="0" profile="REF_PMadUFlIJm (profilename)" filteraction="REF_PZCHjrztsC (SG_Internet_IT)" size="2626" request="0x8e5d6a8" url="ftp://ftp.astaro.com/" exceptions="" error="Cannot allocate memory" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware"
2013:08:13-10:43:52 astaroproxy-1 httpproxy[5485]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="1.2.3.56" dstip="" user="username" statuscode="502" cached="0" profile="REF_PMadUFlIJm (profilename)" filteraction="REF_PZCHjrztsC (SG_Internet_IT)" size="2629" request="0x96571c0" url="ftp://ftp.microsoft.com/" exceptions="" error="Cannot allocate memory" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware"
2013:08:13-10:43:54 astaroproxy-1 httpproxy[5485]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="1.2.3.56" dstip="" user="username" statuscode="502" cached="0" profile="REF_PMadUFlIJm (profilename)" filteraction="REF_PZCHjrztsC (SG_Internet_IT)" size="2629" request="0x2dfa0090" url="ftp://ftp.microsoft.com/" exceptions="" error="Cannot allocate memory" category="105,175" reputation="trusted" categoryname="Business,Software/Hardware"
2013:08:13-10:44:04 astaroproxy-1 httpproxy[5485]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="1.2.3.56" dstip="" user="username" statuscode="502" cached="0" profile="REF_PMadUFlIJm (profilename)" filteraction="REF_PZCHjrztsC (SG_Internet_IT)" size="2638" request="0x2dd6b7d8" url="ftp://ftp.dieseitegibtsnicht.com/" exceptions="" error="Cannot allocate memory" category="9998" reputation="neutral" categoryname="Uncategorized"
2013:08:13-10:44:07 astaroproxy-1 httpproxy[5485]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="1.2.3.56" dstip="" user="username" statuscode="502" cached="0" profile="REF_PMadUFlIJm (profilename)" filteraction="REF_PZCHjrztsC (SG_Internet_IT)" size="2638" request="0x2ea30a90" url="ftp://ftp.dieseitegibtsnicht.com/" exceptions="" error="Cannot allocate memory" category="9998" reputation="neutral" categoryname="Uncategorized"
2013:08:13-10:44:08 astaroproxy-1 httpproxy[5485]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="1.2.3.56" dstip="" user="username" statuscode="502" cached="0" profile="REF_PMadUFlIJm (profilename)" filteraction="REF_PZCHjrztsC (SG_Internet_IT)" size="2638" request="0x2dfe0300" url="ftp://ftp.dieseitegibtsnicht.com/" exceptions="" error="Cannot allocate memory" category="9998" reputation="neutral" categoryname="Uncategorized"

Attached Files
File Type: txt cannot_allocate_memory.txt (4.4 KB)

End to Site to Site or: How to?

Hello everyone,

I am planning to do a classic scenario, however, the FAQ and KBs don't help me at all.

My idea is this:

Code:


My Laptop --- VPN (L2TP) ---- my UTM ====== IPSec ==== my friend's UTM ----- his network

Seems easy, but what configurations do I have to do? What firewall rules, what NAT masking?

I appreciate your suggestions.


Regards


ZeroEnna

QOS over VPN ?

Hello,
I'm trying to set up QoS over a site-to-site VPN, but it seems that it doesn't work.
Without VPN, QoS is working correctly.
Our local Sophos Support Partner thinks that QoS over VPN does work.

On the Sophos site:
Using QoS: Astaro Security gateway
it says:
"*QoS only works on physical interfaces. This means that VPN tunnels are troublesome or impossible to QoS."

So is QoS over VPN possible or not?

VPN weird error

Hi team!

When I connect to my Astaro VPN server, it gives the following error:

there is already a user connected to this session and session
sharing is not allowed

I'm not sure how to troubleshoot this error, as I supposed all user sessions are unique.

IE10 - User Portal

Hello everyone,

we use IE10 under Win 7 in-house. No login window is loaded in the User Portal. The title bar loads and the throbber keeps spinning, but no login appears.

Can anyone help?

Yes, it works with FF. But we don't deploy that in-house. The users only use IE.

Pasqual

outgoing mail to IBM marked as SPAM (confirmed)

9.104-17

Started this morning. Any mail that any internal user sends to us.ibm.com is coming back immediately as undeliverable. I looked in the SMTP log and it shows rejected from our exchange server to us.ibm.com for reason SPAM (confirmed).

How can I get more info like why it's confirmed spam?

It was like this for about 2 hours, then suddenly they started going through again.

Ideas?

Firewall: MS-RPC filtering / UUID

Is there any way in Sophos UTM Network Protection Firewall to identify, and either permit or reject MS-RPC traffic?

I'm not talking about RPC over HTTP, but a regular RPC traffic (destination port: 1024:65535/tcp)

I want to let clients coming from VPN to talk to domain controllers, but I do not want to open a big hole of 64511 ports for them. Setting a static RPC port range on the server side is not an option.

With Juniper SRX firewall I can very easily use UUID's (Universally Unique IDentifiers) to identify RPC traffic. For example:

Code:

# show groups junos-defaults applications application junos-ms-rpc-uuid-any-tcp
term t1 protocol tcp uuid ffffffff-ffff-ffff-ffff-ffffffffffff;

{primary:node0}[edit]

Then I can use "junos-ms-rpc-uuid-any-tcp" as a destination port instead of opening a range of ports (1024:65535/tcp), and SRX firewall knows it's a related MS-RPC traffic based on the UUID obtained by the protocol inspection.

Can Sophos UTM work with RPC UUID's?

See the following links for more information about UUID:
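
Added example (not part of the original post, and not Juniper's or Sophos's implementation): a sketch of the check that UUID-based RPC inspection makes on a DCE/RPC bind PDU, reading the interface UUID from each presentation context and failing closed unless every one is on an allow-list. The function names and the allow-list are hypothetical, and the sample PDU is constructed; the endpoint mapper and NDR UUIDs are the well-known values.

```python
import struct
import uuid

# Well-known DCE/RPC identifiers (the allow-list content is an assumption).
EPM_UUID = uuid.UUID("e1af8308-5d1f-11c9-91a4-08002b14a0fa")  # endpoint mapper
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax
PTYPE_BIND = 11

def bind_interfaces(pdu: bytes) -> list:
    """Return (UUID, major version) for each context in a DCE/RPC bind PDU."""
    if len(pdu) < 28:
        raise ValueError("too short for a bind PDU")
    ver, _minor, ptype, _flags = struct.unpack_from("<BBBB", pdu, 0)
    if (ver, ptype) != (5, PTYPE_BIND):
        raise ValueError("not a DCE/RPC v5 bind PDU")
    little = (pdu[4] & 0xF0) == 0x10          # data representation: integer byte order
    end = "<" if little else ">"
    frag_len = struct.unpack_from(end + "H", pdu, 8)[0]
    if frag_len > len(pdu):
        raise ValueError("truncated fragment")
    n_ctx = pdu[24]                            # number of presentation contexts
    off, found = 28, []
    for _ in range(n_ctx):
        if off + 24 > frag_len:
            raise ValueError("context list overruns fragment")
        n_syn = pdu[off + 2]                   # number of transfer syntaxes
        raw = pdu[off + 4:off + 20]            # abstract syntax (interface) UUID
        if_uuid = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        major = struct.unpack_from(end + "H", pdu, off + 20)[0]
        found.append((if_uuid, major))
        off += 24 + 20 * n_syn
    return found

def permitted(pdu: bytes, allowed: set) -> bool:
    """Allow the bind only if every requested interface is on the allow-list."""
    try:
        ifaces = bind_interfaces(pdu)
    except ValueError:
        return False                           # fail closed on malformed input
    return bool(ifaces) and all(u in allowed for u, _ in ifaces)

def sample_bind(if_uuid: uuid.UUID) -> bytes:
    """Constructed little-endian bind PDU with one context (sample input)."""
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", 1, 0, 0)
    body += struct.pack("<HBB", 0, 1, 0) + if_uuid.bytes_le + struct.pack("<HH", 3, 0)
    body += NDR_UUID.bytes_le + struct.pack("<I", 2)
    hdr = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03, b"\x10\x00\x00\x00",
                      16 + len(body), 0, 1)
    return hdr + body
```

A stateful firewall would additionally learn the dynamically assigned port from the endpoint mapper's reply and open only that port for the session; that step is not shown here.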

callout not working anymore?

9.104-17
A few weeks ago I moved from UTM 8 to a new pair of appliances running UTM9. The only real difference in my configuration is that I now use the UTM9 to filter the outgoing as well as incoming. I also disabled greylisting as too many users all the time are like "hey this guy says he sent me an email 10 mins ago and i still haven't received it, why does our email suck?".

We have a single Exchange 2010 server in the host list, and I use the setting "with callout (recommended)". I'm not sure the effects of changing this to "In Active Directory".

With version 8 I would always see the SMTP log rejecting emails to mailbox users we deleted like 10 years ago. With version 9 now I see those messages to those same non-existent users being delivered. I used an external account of mine to send a test message to a non-existent mailbox at my domain and the UTM allowed the delivery to my Exchange server. My external account then received a message back from my Exchange server about it being undeliverable.

...so is callout suddenly broken? What are my next steps here?

Inbound traffic with dual wan

Hi,

Currently I'm using a leased line with a /24 public IP subnet. These IPs are configured as additional addresses on the external interface and then DNATed to internal servers. Sounds common to me.
In the near future I'm switching to a multihomed stub, connecting with two providers via BGP. Besides the BGP configuration (which will be hard enough for me anyway!) there is one thing I cannot imagine how to realize.
I cannot set public IP addresses as additional interfaces on both WAN interfaces.
How can inbound traffic, e.g. to an internal webserver, be accomplished with two WAN interfaces and BGP?

thanks in advance
Toni

ASG220 v9.103.5

Login issues

Hi all,

Recently we installed a cluster of Astaro 625 and were happy to migrate from our previous firewall. However, after one month we face issues when logging in to the firewall.

1) It says "please wait logging in"

Next it hangs and asks "Do you want to wait for 30 seconds"

If we say no, then it stops and displays "request has been cancelled"

If we say yes, after some time the same message appears. If we say yes it says "you have extended 1 time", then it continues the same cycle.

Obviously some issue is going on. I have tested with Firefox.

Interested in Sophos RED, one question still open

Hello!

At the moment I still live with my parents. But since I plan to look for a flat of my own in the near future, I am looking for a suitable solution to join both locations into "one" network.

Since I have a UTM 9, my choice fell on a RED connection.

For one question, however, I could not find an answer on the Internet.
Perhaps you can answer it for me.

What about the Internet connection at both locations? I definitely want to avoid the PCs attached to the RED not routing their Internet traffic over the VPN connection but being able to access the Internet directly instead.

Is this possible with it?

I hope you understand what I mean.

Kind regards
fireb

Astaro Virtual Appliance

Hello.

Looking to find some information on the virtual appliance for vmware vsphere esx server.

Couple of questions right off the bat.

First, how does the internet connection work? Do you need a separate ethernet connection on the esx server itself to represent the network connection from the ISP (wan side)?

Second, can the virtual appliance be vmotioned to other esx servers? If so, how is the wan side network connection configured on multiple esx servers?

What is normal Exchange 2010 Receive Connector setup for UTM?

How should your receive connector be set up in Exchange 2010 for a typical UTM 9 deployment?

See 4 pictures attached.

Is that best practice and correct?

Only port 25, or should I add 587?

Should the HELO response be my internal name or external MX name?

What about auth and permission groups?

Attached Images
File Type: png 01.png (14.5 KB)
File Type: png 02.png (15.1 KB)
File Type: png 03.png (14.4 KB)
File Type: png 04.png (11.6 KB)

Port Forwarding site traffic over VPN

Hi All,
I've been working on accomplishing something the last couple days and I'm not having much luck. I've looked over the forums and found somewhat similar issues, but none of them seem to really help with the problem I'm having.

Basically I have two sites that are connected via an IPsec tunnel. One of the sites has been whitelisted for traffic to come to it to one of our vendors, so I want to have specific web traffic routed through the smaller office to the main one.
What I've done is try to set up a routing policy at the smaller satellite office as follows:

Position: 1
Route Type: Gateway route
Source interface: any
source network: any
service: any
Destination network: /24 of the ips the vendor uses
Gateway: the internal ip gateway at the main office

Traceroutes are showing that this isn't going through the main office at all, nor can I ping it (which is normal, the other office is out of the country). Am I barking up the wrong tree here? Is there a better way I should be doing this?

Live Log not working

Since my upgrade to UTM9 the Live Log for the Firewall is not working.

I get the display as normal and Autoscroll is selected but nothing is being displayed.

I have tried Chrome/Firefox/IE and all of them have the same result.

Any ideas?

WebAdmin Roles - Add Users and groups

Hello everyone,
I am currently restricting access to our firewall.
Nevertheless our IT support needs to be able to add users/groups so that they can configure Remote Access for users.

I added a role for them to enable Remote Access Administrator.
That works, but they cannot add users/groups since they do not have the permission to do so.

I don't see a role that would allow them to do so?!
Is that just missing or am I missing something?

Best regards

Use UTM WAF feature to do reverse proxy for Lync

Hello,


I am planning to try to configure the Web Server Protection feature of one UTM to do reverse proxy for Lync 2013 products.

Has anyone already tried this type of configuration? Is it possible/supported?

If someone has, where did you find all the information needed?

Do you have any advice?
Thanks for your help.

Authentication during domain migration

Hello everyone,

we will soon be changing our logon domain. The UTM is currently in the still-active domain and authenticates via AD SSO. In this case it is primarily about Web Protection.

The AD of the new domain can already be read via LDAP.
Since we probably won't be able to catch all users, a short transition period with both domains would be unavoidable. Of course the authentication of the new domain users fails, since apparently no check is made against the second authentication server (I can't do a domain join with the UTM yet, as long as not all users have been migrated).

Switching off authentication isn't really practical either, because then the filter assignments don't take effect.

Are there any workarounds with which I can manage both domains for a short transition period?

Cheers
Plast0r