Channel: Sophos User Bulletin Board

VPN over RED does not work

Hello guys,

following situation:

I have a customer with two locations (Hamburg -> Berlin).

Main location with Sophos UTM220(Hamburg), second location with RED10(Berlin).
They are connected, everything is working fine!
(Ping, DNS, DHCP, everything!)

Now the problem I have: when connected to the UTM220 with IPSec VPN (NCP Secure Entry Client), I cannot ping any server or client in Berlin from my notebook with the VPN client on it (RDP etc. also not working). DNS works fine. Of course I can reach all devices in Hamburg, but to connect to Berlin I have to start an RDP session to a device in Hamburg.

How do I manage to connect to a device in Berlin directly with a VPN connection to Hamburg?

ASG 220 V8 - Webfilter

Hello,
I have a question about an ASG 220 V8 and the web filter.
Under "Web Security - Webfilter - Advanced" one can enable web filter caching. Is this advisable?
Are downloaded files also stored, or only web pages? How much disk space is used for the cache, and how long are the downloaded files kept?

Amazon VPC with multiples VPN Connections

Hello,

I am setting up a VPN to connect an Amazon VPC. While the connection is a no brainer, routing has appeared to be a big problem.

The situation:
- There are other VPNs connected to the same VPG.
- The config files sent by Amazon are built to announce route 0.0.0.0/0, so the ASG is announcing this route too, but does not announce locally connected networks.
- There is another router also announcing route 0.0.0.0/0.

The result:
Packets sent from the local network get to their target in the Amazon VPC. The reply from the target goes to the wrong gateway.

The workaround:
Changing the routes announced by quagga solves the problem and packets get back by the correct gateway.

Is there any value to change in the config file sent by Amazon to define the routes to announce?
How do I properly configure the route in the ASG and make it persistent across reboots?

There is an enhancement request to get more control over the route announcement with Amazon, but I didn't find any temporary solution.

Has anyone had experience with that situation?

Thank you for your help.
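The workaround the post describes (have quagga announce the locally connected networks instead of the default route) corresponds to the following bgpd configuration fragment. This is an added illustration, not the poster's configuration or the file Amazon generates; all addresses and AS numbers are placeholders, and the tunnel inside addresses, peer ASN and local prefixes must be taken from your own VPN connection details.

```conf
! Added illustration, not the poster's or Amazon's file.
! All addresses and AS numbers below are placeholders.
router bgp 65000
 ! placeholder: inside address of the tunnel on the ASG side
 bgp router-id 169.254.0.2
 ! placeholder: Amazon-side inside address and ASN of the VGW peer
 neighbor 169.254.0.1 remote-as 65001
 !
 ! The Amazon-generated file announces a default route. With another
 ! router behind the same VGW doing the same, the VGW has two equal
 ! candidates for return traffic and may pick the other gateway:
 ! network 0.0.0.0/0
 !
 ! Announce only the prefixes that are actually behind this ASG, so the
 ! VGW sends replies for exactly these networks back through this tunnel:
 network 192.168.10.0/24
 network 192.168.20.0/24
```

With specific prefixes announced, the more-specific routes win on the Amazon side regardless of which router announces the default, which is what makes the return path deterministic. A useful check after the change is to look at the VPC route table for the VGW-propagated routes: each local prefix should appear once, pointing at this VPN connection.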

Port Forwarding for RTSP Stream

Hello,

I have read through and followed the suggestions on other posts regarding port forwarding (NAT) within UTM 9; however, I cannot seem to get things to work.

I have three internal cameras to whose RTSP streams I need to allow external access. The internal URLs for these feeds are as follows:

rtsp://192.168.1.30:554/11
rtsp://192.168.1.28:554/11
rtsp://192.168.1.32:554/11

Using my single external IP address, I will need to specify a different port for each camera and then forward it, such as:

rtsp://200.13.12.42:2007 => rtsp://192.168.1.30:554/11
rtsp://200.13.12.42:2008 => rtsp://192.168.1.28:554/11
rtsp://200.13.12.42:2009 => rtsp://192.168.1.32:554/11

I have tried to accomplish this numerous ways and I am still unable to view these streams externally. Internally, the streams function perfectly. How do I go about configuring this correctly? Thanks in advance for any assistance.

UTM Home Edition Laptop NIC's

I have a Vostro V131 that I will be installing the UTM Home Edition on. The issue with this is that I only have 1 NIC. I was looking into purchasing a USB-to-NIC adapter, but I cannot find a compatibility list. Has anyone ever successfully completed this? I would use the native NIC for the untrusted connection and the USB one for my trusted network. I am migrating from a Cisco ASA 5505.

Thanks!

Proxy Bypassing - Content - Application ?

Although Exception: Websites don't load properly

Hi there!

We have specific websites that we need for our teachers to work with but there is some weird behavior when using the webfilter. Without filtering in the network it is working great.

I.e. Interactive ebooks for children

Open the URL. With the web filter turned on it takes ages to load, and when clicking the green "teacher login" button in the upper right it just adds a hash character to the URL and nothing more.
Without the web filter a login animation/window appears on the site. That is how it should be.

I put raz-kids.com on the exception list (this can be proven by the filter log), but somehow the web filter still does something to those pages...

First we thought it was because of some JavaScript... but the option to remove JavaScript content has never been turned on on our Sophos UTM425, v.9.103-5.

Please help!! :-/
--Uwe

Site2Site VPN between 10.x networks

Hello everyone
I want to extend one of our branch networks.

We have 10.0.x.x/16 subnets (/24 networks in the 10.0.x.x range) on the main site and branches with two 10.y.x.x/24 networks each (see schema attached).

I want to be able to VPN to the branches (at best with /16 tunnels) and reach all of the remote networks.
Currently only the networks are reachable in which the ASG has its internal interface (e.g. 10.1.2.x/24).

Is this possible (I guess it is ;))? I am currently not seeing clear after a long work day.

The switches in the branches are L3 and do inter-VLAN routing on-site.

Any help would be nice, since I need to ship an ASG to a branch next week and we need to switch from MPLS to VPN on that site asap.

Thanks in advance everyone :)

Best regards
chas0rde

Attached Images
File Type: jpg VPN.jpg (37.6 KB)

Installer does not find disk and 2nd network card

I am trying to install the latest version on a Dell 430 laptop. It has an internal network card that is detected, but the 2nd one, which is in the PCMCIA slot, is not. Secondly, I have a compact-flash-based IDE HDD that is also not detected.

Note that both FreeBSD 9.x and Untangle are able to detect both items. I do have the zip file from the installer, which I have attached.

Attached Files
File Type: zip install.zip (45.7 KB)

Network usage reporting changed for the worse in UTM 9?

I work in an office with about 30 employees, and we have a bonded T1 pair that's used for both our VOIP phone system and our internet access. Our VOIP system takes top priority, which leaves us with just a little bit under 3 Megabits/second for internet bandwidth. (And yes, when multiple employees try to use the internet at once, it's every bit as awful as you might imagine.)

All our internet traffic goes through an ASG-220 currently running UTM 9.104-17. Back when we had UTM 8 installed, the traffic usage graphs, either in the Executive Reports or in the web interface, were very useful. They showed numerous long plateaus throughout the day, where the "flat spot" at the top was just below 3 Mb/s. The plateaus were even more obvious in the weekly, monthly, and yearly graphs. It was quite clear from the graphs that we were frequently using every bit of bandwidth we had available, and I was using these graphs to help justify to my management that we needed to upgrade our internet access.

Since upgrading to UTM 9, however, the plateaus are gone. The network traffic graphs now show only sharp peaks, that only rarely rise to 3 Mb/s. Here's an example:

Attachment 10544

Last week, one of our T1 lines went down, so we had only 1.5 Mb/s for a couple of days, and the difference was barely even visible on the graphs, though it was obvious from the complaints I got from users about "slow internet". When my management looks at the UTM 9 graphs, their response is that we're clearly not using all our bandwidth, so why should they pay for more?

Did some graphing algorithm or parameters change in UTM 9, and if so, is there any way to change them back to work like they did in UTM 8? Or do I have some kind of setting wrong somewhere, and if so, what could it be? I know I can saturate a bonded T1 pair all by myself without even trying hard, so why don't I see it in the usage graphs? I should note that the ASG does not have QOS turned on. And when I run network speed tests after hours, I typically do get upload and download speeds in the range of 2.9 Mb/s, so I think we're getting what we're supposed to have.

Can anyone explain?

Attached Images
File Type: png UTM9 Traffic.png (47.7 KB)

Can i get when/what version will fix country blocking exceptions

Running 9.104-17 and still have the issue that if I block, say, Germany, I can't get to www.astaro.org no matter what type of exception I put in for this site or for my PC to get there. Last I heard, country exceptions were not working fully/both ways yet. Just wondering where this is on the fix list; thanks for any input you can give.

IIS logs show ip for Firewall instead of Client

I think I have some sort of Masquerading problem. When web traffic is logged to my IIS logs, it gets logged as the internal interface ip on my Firewall instead of the outside client's ip address. Is there a way to tweak the rules so I'm getting actual client ip addresses in my IIS logs?

Red

Just configured a new RED device for a satellite office - working brilliantly in STANDARD/SPLIT mode - such a great device.

WAF Exchange 2010 issues

I have two questions in relation to the Web Application Firewall.

#1 Why is the internal IP showing up in the URL for OWA?

Example:
mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2f192. x.x.10%2fowa%2f

Output from WAF LiveLog:
" 2013:08:16-18:55:22 mail-1 reverseproxy: srcip="108.x.x.58" localip="63.x.x.161" size="9303" user="-" host="108.x.x.58" method="GET" statuscode="200" reason="-" extra="-" time="278570" url="/owa/14.1.438.0/themes/resources/lgnbotl.gif" server="mail.domain.com" referer="https://mail.domain.com/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2f192. x.x.10%2fowa%2f" cookie="OutlookSession=2ab2b673ed9541f69707a53e196 889cc" set-cookie="-"

#2 Is there no way to export the local X.509 cert so I can change it to the one the Exchange server uses for HTTPS? I ask because if I attempt to add a phone to the Exchange server, I clearly see the cert it's using is the UTM's cert, which is not currently the HTTPS cert used by Exchange. Now if my only option is to purchase a cert from a recognized CA then so be it, but I was curious whether there is a way around this issue?

Airplay across multiple LANs

Sorry if this has been answered before, but does anyone know how to make Apple's Airplay work across different networks? I have wireless devices (including iPhones) on a 172.16.*.* wireless-only network, and I'd like them to be able to Airplay to a specific Airplay-enabled device on my LAN in the 192.168.*.* range.

I've created the correct firewall rules to get them talking (other apps that use TCP or UDP seem to work fine), but I think Airplay uses some kind of broadcast discovery first, which isn't translating across the networks. Am I looking for some kind of NAT rule here?

IT support, access to multiple customers/clients, which solution?

Hello, everyone.

Working as an IT consultant for 15-20 different companies I frequently need access to their servers and networks, but would like to do this in a secure way (using RDP over VPN as opposed to custom RDP ports open to the internet, for example).

Any recommendations on how to use the UTM's VPN functionality to easily connect to the different companies with the least amount of hassle? I'm a bit bewildered as to which type of VPN to select. PPTP is the easiest to set up, but as far as I know is not secure enough. What viable alternatives do I have? I'd rather not have to install/uninstall software or something like that each time I want to connect, since I may need to access several clients a day.

Administering from Windows 7, all clients use Astaro/Sophos UTM v8 and v9.

Thanks.

How to throttle systems dynamically when needed?

Hello,

I'm sitting here in the middle of a blank spot as far as Internet goes.
A whopping 378 KB is possible.
I still manage to keep that halfway under control for about 10 seats (Linux servers and Windows clients).
But now, annoyingly, there is Win8 with active tiles, and as soon as such a "hyperactive" system is on the network, everything collapses.
My idea and question:
How can I tell the Astaro to throttle certain systems (uniquely identifiable by MAC and IP) when needed?
Interfaces > Quality of Service?
Am I looking in the right place?

Regards

CPU/Network Utilization

I want to provide some feedback for the Sophos UTM 9.1 home version.
I have it running on the following hardware:

GIGABYTE - Motherboard - Socket 1155 - GA-Z77-D3H (rev. 1.0)

CPU: Intel Core i7 (8 Core may be overkill, but performance is incredible)
32 GB RAM
VMWare ESXi 5.1
120 GB SSD

It actually performs better in a VM environment than running it on hardware (I believe I know why….may not be what Sophos tested it with), so that’s why I sent my hardware information.
After measuring performance on 8 cores, I reduced the system to 2 cores and 1 GHz of power. It performed nearly the same, but now I get fewer bottlenecks from the application. I then added a third core (3 cores) and do not see a difference from the performance of 8 cores. I allocated 16 GB of RAM and noticed that it does not use 16, but 11.8 GB. I'm going to reduce the RAM to 13 GB.

So I forgot to explain why I added the third core. I am also using a Link Aggregation Group (I haven't checked to measure NIC performance yet) and I have 3 Broadcom NICs as uplinks to the cable modem. I also turned down the power of the CPU to 800 MHz (after learning that my Netgear R6300 is a dual-core router, which shocked me a bit). The router runs at 800 MHz, so I deduced that if the UTM is running at 3.7 GHz with 8 cores, network performance may be impacted (no real data to show). What would occur is that the uplinks would show an error and I would have to reset the cable modem, release the IPs, renew the IPs, and restart the UTM several times before all was well, so 'something' was actually going on at the data link layer for some strange reason. The R6300 would not have any impact, but the cable modem (Motorola SBG6580 SURFboard) would reset.

I plan to run some media streaming tests across 3 different computers today and measure that data.

Re-use white or black lists

Somewhere in the last versions the blacklist and whitelist configuration in web filtering has been changed.
Now some sort of definition is created, as can be seen in this picture:

What I don't see however is the possibility to reuse these. There's a plus (+) sign to create new, but I don't see the folder icon to open existing ones.
When there are multiple proxy profiles which have to use the same blacklists, it seems they have to be made multiple times, and using the same name multiple times is not allowed.
Am I not looking hard enough, or is this folder button really missing?

Certificate for HTTPS scanning???

Hello,

Where do I get a certificate if I want the web filter to scan pages in HTTPS format as well?

Without a certificate I constantly get certificate errors in the browser!

Regards
Boerky