Channel: Sophos User Bulletin Board

No access to AP10 DHCP not dispensing???

I thought I would try this great new access point idea...

I bought and installed an AP10.
I tried the auto set up but deleted it.
I manually configured a spare nic named it "wireless".
I added "wireless" to the DNS allowed networks.
I added a new DHCP server to the list and assigned it to "wireless".
I added a Masquerading NAT.
I went to the "Wireless Protection" section of the UTM.
I added "Wireless" to the allowed interfaces in Wireless Protection.
I added a wireless network with WPA2 AES (Secure).
I set the frequency to 2.4 GHz (AP10).
I set the SSID and pass-phrase.
The wireless network label has (on wlan0) on the right.
I plugged in the AP10 to power.
I plugged in the cat5 from the appropriate nic.
I accepted the AP10 to active and renamed it.
I placed a check next to the wireless network I previously created.
No group, power 100%, channel - auto, STP - disabled, vlan tag - disabled
Tried to connect...
SSID seen, pass-phrase accepted, obtaining IP address...then nothing

The log from the DHCP server shows that the AP10 receives its IP but no other activity. I have tried multiple devices and cannot obtain an IP address.

Any clues as to what I am overlooking?

"Log Accessed pages" Needed for Dashboard Reporting?

Quick question on Web Filtering. I noticed that when I have the option "Log Accessed pages" disabled, the dashboard never counts and always shows "Web Filtering is active, 0 requests served today". When it's enabled, however, it starts to count up. Is this option required to be enabled?

What type of performance hit would I expect by logging every webpage that's visited? The hardware isn't anything special, 3GB RAM/Atom D510 setup.

Thanks!

Rebuilding UTM, Endpoint redeploy needed?

I am thinking about moving away from a physical box and virtualizing my home UTM setup. The question, however, is: when the rebuild is complete and the backup config is imported, will it save the Endpoint settings, or will I need to reinstall/re-register them to the new unit?

Zte mg628

Gents,

I'm trying to get a ZTE MF628 working in UTM9.

With the command lsusb I get the following output:

DJICTVEN00F001:/home/login # lsusb
Bus 001 Device 003: ID 03f0:1024 Hewlett-Packard Smart Card Keyboard
Bus 003 Device 003: ID 19d2:0015 ONDA Communication S.p.A.
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
DJICTVEN00F001:/home/login #

And with dmesg | grep usb:

[ 4.576020] usb 3-1: new full-speed USB device number 3 using uhci_hcd
[ 4.744075] usb 3-1: New USB device found, idVendor=19d2, idProduct=0015
[ 4.744232] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 4.744378] usb 3-1: Product: ZTE CDMA Technologies MSM
[ 4.744523] usb 3-1: Manufacturer: Qualcomm, Incorporated
[ 4.744668] usb 3-1: SerialNumber: Data Interface
[ 4.747311] scsi3 : usb-storage 3-1:1.0
[ 4.750393] usb 3-1: GSM modem (1-port) converter now attached to ttyUSB0
[ 4.752380] usb 3-1: GSM modem (1-port) converter now attached to ttyUSB1
[ 4.754376] usb 3-1: GSM modem (1-port) converter now attached to ttyUSB2
DJICTVEN00F001:/home/login #

So my UTM9 sees the modem, but I don't see it as an interface...
And my UTM9 sees the internal flash during the installation of UTM9, it's a clean install btw.

Does anyone have any ideas for getting this working?

My UTM9 is a soft-appliance.

Kind regards

Do I need to bridge EthX interfaces

Hello again,

I have a small PC with 4x NICs.

In UTM9:

Eth0 is the WAN (picks up an external address)
Eth1 is the INTERNAL DHCP address 192.168.1.1/24
Eth2 not configured
Eth3 not configured

I had *thought* that if I plug a DHCP client into either Eth2 or Eth3 (even though the respective interfaces aren't configured) that said client would assign a DHCP address to that client.

What do I need to configure the Eth2/3 as in order that they pick up DHCP from the main network interface?

Likewise... I am trying to set up a Wireless AP by plugging it into Eth2 or 3. The wireless AP has a static IP of 192.168.1.2; however, when I try to access this IP address from my browser, it times out... Again, what interface configuration steps am I missing to be able to access the WirelessAP from my wired network?

Thanks in advance for any advice.

UTM@Home Network Performance

Hi

I'm running a UTM installation on a HP microserver at home to protect the network and ensure the kids don't go places they shouldn't.

The problem I have is the impact the UTM is having on network throughput and pings.

I'm running 9.104. The dashboard says the CPU is <20% and 30% of 4Gb memory is in use.

On the broadband side of the UTM I get the following results with speedtest.net:

Ping 10ms
Download 69Mbps
Upload 16.1Mbps

On the network side of the UTM these figures become:
Ping 276ms
Download 34Mbps
Upload 10Mbps

I can live with the drop in upload/download speeds but the ping is causing much ear ache from the PS3/Xbox playing community in the house.

Am I just expecting too much from the (admittedly inexpensive) hardware? Any suggestions for how to improve those pings?

Many thanks

IPSEC please help me...

Hello,

to put it quite briefly and simply, I want to set up an IPSec connection between two ASG 220s... (the tunnel is up, too, but I can't ping the other ASG...) I just can't find a howto on how I am supposed to go about this... Google gives me no usable information.

I really don't care which IP I use for what... does anyone perhaps have a diagram for me so that I can picture it?

I'm really annoyed by this crap....

Many thanks!

Connecting an AP10 to the UTM through a Netgear router

Hello Sophos experts,

for training purposes I am playing around privately with my UTM120, an AP10 and a Netgear router.

I want to connect the AP10 to my UTM through my Netgear router.

The AP10 is connected to the LAN interface of the Netgear router,
which is connected to the UTM via its WAN port.

I have already set up the cabling and configured the devices,
but the AP10 cannot register with the UTM.

As far as I know, the AP10 tries to connect to the IP address 1.2.3.4,
and I can also see via tcpdump on the UTM that such connection attempts exist.

The source address of the connection attempts is the WAN address
of the Netgear router, so it masquerades the AP10's connection attempts.

However, the AP10 cannot register with the UTM; the connection attempts
(SYN packets) are not answered.

I have attached a sketch of my test setup.

I would be glad if you could explain to me how I can get
the AP to register successfully with the UTM.

Regards, Datax

Attached Images
File Type: jpg Test-Aufbau.JPG (22.6 KB)

Google Apps for Education

Has anyone out there been able to get Google Apps for Education to work through the filter?

Is there a comprehensive list of what needs to be allowed through the filter to get it to work?

A student account can get to the log on page and successfully log on but all of the Apps are blocked.


Thanks,

multiple internal interfaces on same subnet

UTM 9.105-9 installed on a repurposed workstation-computer with 5 NICs
I started with
1x external interface
1x internal interface
Let's say I want to add another internal interface on the same /24 subnet,
but connected to a new switch; both interfaces would have to use the same DHCP server, same everything...

How can I do that?

Thanks

Utm 120 + vpn client to join computer to ad

Is there any reason this shouldn't work?

I was able to get to the network via VPN, but when I try to join the domain it says not found.

Any ideas on what to check?

SNMP error despite original OID

Hello community,

I have a small problem.

I have an Astaro v8.309 in use at home and wanted to monitor it via SNMP.

I am currently testing the SNMP sending using a tool.

When querying the uptime I get the correct values.

However, when I use the OIDs from the Astaro I get error #222 (Value: no such object). An SNMPWalk doesn't work either.

How can that be when I take the OID from the original MIB?

EP webprotection profile OR Network webprotection profile

Dears,
I am asking about the URL filtering in both EP and UTM, if my EP resides in a network behind and protected by the UTM.
Then I allow, for example, social networking in the EP profile but disallow it in a profile assigned to the network where the EP resides.
Which profile will have the last word, the EP profile or the network profile?
What I experienced is that the network profile always has the last word, and this disagrees with what Sophos mentioned.
So if I allow social networking in the EP profile and disallow it in the network profile, the result is that social networking is disallowed.
And when I disallow social networking in the EP profile and allow it in the network profile, the result is that social networking is allowed.
I changed the order of my profiles so the network profile is at the bottom, but this did not change the above result.
Please note that the EP profile works fine when the EP is outside the private network.
I am asking for any ideas about troubleshooting this issue.
Thanks,
Mostafa Aly

IPSEC CLIENT has no Gateway IP

Hello,

briefly about my setup:

1x UTM headquarters 192.168.1.0
2x UTM branch offices 192.168.2.0 / 192.168.3.0
3x Sophos IPsec clients 10.242.4.0

Site-to-site IPsec connections to the branch offices are OK.

Now, in addition, a default Sophos IPSEC client installation with the default values: OK.
Connection establishment = OK
Now the IPSEC clients get a 10.242.2 address, but no client gets a gateway assigned. How do I persuade the clients to get a gateway assigned, so that they can then also access the branch offices?
Attached are pictures of the configuration.

Attached Images
File Type: jpg ipsec IP.JPG (23.6 KB)
File Type: jpg utm ipsec.JPG (31.5 KB)
File Type: jpg Unbenannt.JPG (30.1 KB)

Determining sensible values for Anti-DoS/Flooding

Hi,

is there any way to determine sensible values for the number of packets/second for Anti-DoS/Flooding?
Somehow I lack an approach for calculating this.
Or can the existing default values be adopted for now?

We use a Sophos UTM 220 (FW 9.006).

Regards

-pro_mrjetter-

HowTo Ping eth->eth3

Hello,

one more quick comprehension question: HOW can I, with my laptop (192.168.0.10/24, default gateway is always 0.0.0.0), with which I reach the web interface via 192.168.0.1 and can send a ping to each via 192.168.1.10 (eth1/0.0.0.0),
also send a ping to eth3 with 10.77.66.130? (I played this through with Cisco Packet Tracer... it works there :-O) What do I have to configure on the box so that I can ping from eth0/eth1 to eth3?

Once more:
eth0=192.168.0.1
eth1=192.168.1.10
eth3 = 10.77.66.130

Thank you ;)

SSL VPN client error

Hello everyone,

I get the following error message when I try to connect with the VPN client ->



Mon Aug 26 13:57:47 2013 MANAGEMENT: >STATE:1377518267,TCP_CONNECT,,,
Mon Aug 26 13:57:57 2013 TCP: connect to [AF_INET]176.94.85.34:4499 failed, will try again in 5 seconds: Das System hat versucht, einem Verzeichnis, das sich auf einem mit JOIN zugeordneten Laufwerk befindet, ein Laufwerk mit SUBST zuzuordnen.


Can you make anything of this?

Regards

[9.105-9] Callout does not work as expected

I can't tell exactly when this odd behaviour started, but I am pretty sure that callout was ok with 9.605.
Since early V7 I have had a separate mail server configured as the target for the static host list, and the ASG used this mail server for callouts, too. This mail server knows all our valid mail addresses and gives a "421 - recipient not in route list" back to the ASG if the receiver is not on the list. In this case the mail, obviously for a non-existent mail address, was denied at SMTP time.

Now with 9.105-9 this mail server still delivers the 421 message back to the UTM in case the receiver is not on the list. But mails for non-existent receivers are not denied anymore; they are accepted by the UTM and stored in the SMTP spool. The UTM tries to deliver such mails again and again, every 2 or 3 minutes and for days.

WTF??? What is the reason for changing this behaviour and how can I change the config to get back the old (and correct) way?
I want the UTM to deny mails for non-existent receivers and not to store them in the SMTP spool.

PS: Switching to AD mode is not an option.

Loginuser password not recognized

I don't know when this started happening - I've recently updated to 9.104 and today to 9.105 - but I am no longer able to log in via ssh. I have direct root login disabled, so I must log in as loginuser and then su if needed. This worked fine last time I used it, which was several months ago, but the system is now rejecting my loginuser password.

Thinking I must just be using the wrong password, I changed it via the web interface, but still it refused to let me in. I then logged in as root from the console and used the "passwd loginuser" command to change it again, but still the sshd daemon refuses to accept it. I've tried restarting sshd, too, but still no-go.

The sshd log simply shows
Code:

2013:08:26-11:37:04 astaro sshd[10283]: Failed password for loginuser from 192.168.0.14 port 63896 ssh2

Multiple VoIP DMZ question

I have a general VoIP deployment best-practices type question which may lead to more specific practical implementation questions.

I currently have a PIAF instance connected exclusively to a DMZ interface. The PIAF instance is utilizing a GV number (XMPP) for making and receiving calls domestically and works just fine.

I would like to install another DMZ interface for my viatalk (International) VoIP service. I would prefer not to put anything in front of my UTM WAN interface but would be open to the idea if it makes more sense.

Looking into the ports that need to be forwarded for viatalk (SIP) I am thinking that there may be a problem trying to "split" these two VoIP services onto separate DMZ interfaces.

Are there any ideas/recommendations on how to best accomplish this task? TIA for any thoughts or comments.