Channel: Sophos User Bulletin Board

Domain Wildcard Cert for SMTP, SSL VPN & Red

Hi All

We are having issues with CA Signed SSL Certs.

We are having PCI vulnerability scans and failing on SSL certs not being trusted. It appears Astaro is not passing the intermediate or root certs.

I've installed a domain wide SSL successfully.

CA CERTS only work for WAF
I create a virtual/physical server rule in WAF
Used an online SSL Cert checker and the check is good.

Everything else fails with not trusted.

Port 25,465,3400,32400 & 1024

We need all of these services running. We also need to pass PCI.

Any suggestions?

Many Thanks

100 instead of 150 Mbit/s

Hello everyone,

I have a case here that is keeping me busy.

A 400-series UTM running version 9.1.

The network connection to the ISP is 150/10 Mbit/s. Only about 100 Mbit/s is achieved.

All Ethernet ports have negotiated 1000 Mbit/s.

Switch --- Firewall --- Modem

A speed test gives 100 Mbit/s, measured from the switch to the ISP's tester.

IPS is switched off.

Thanks for any input...

Anonymous browsing with UTM 9.107-33 and hide.me

Hello,

how, or what, needs to be configured in order to route (almost*) all Internet traffic from the internal network through hide.me (hide.io)? The clients should not be configured individually, but instead at one central point, so that only one IP is visible to hide.me as well.

*POP3 queries should still be sent directly to the POP3 server, though.

Many thanks for your help.

Regards,
Indiz

[9.191][BUG]LDAP Backend Group description

When creating a group with LDAP Backend Membership, the description of this group is faulty: the values for 'attribute' and 'value' are empty (see screenshot).

Attached Images
File Type: png grp_ldap_descr.png (38.8 KB)

VPN/NAT configuration best practices

Hi,

We are using a Sophos UTM 120 in a remote office, with a site-to-site VPN with a Cisco ASA. I have a couple of NAT specific questions regarding this:

We got the site-to-site VPN working fine, however, we wanted to configure the UTM DNS service to forward specific domains to AD DNS servers. This wasn't working.

After working out that clients connecting either from the Cisco network to the UTM internal network, or clients on the UTM connecting to the Cisco network were fine, we looked at the UTM box for issues.

After doing some investigation, I found that the UTM was using the WAN IP as the source address for outgoing connections from itself to the VPN subnet. This meant that connections from its DNS server were failing to get to the AD DNS servers, and I couldn't ping servers on the Cisco network from the UTM box either.

After some head scratching we managed to solve the issue; I just wonder whether it was the best solution, or if there is something else we needed to do:

We solved the issue by creating a SNAT rule as follows:

Traffic source: External WAN address
Traffic destination: a network definition containing the subnets of the Cisco network
Traffic service: Any
Source address: The UTM LAN-side address.

This works - we can now ping all the relevant hosts on the Cisco network from the UTM box, as well as access those hosts (i.e., DNS forwarders work).

My second question is regarding masquerading NAT. We have a couple of networks on the UTM box, such as the main office LAN, wireless networks etc. Do I need a separate masquerading NAT entry for each network going out to the Internet, a single rule containing a network definition for each of the internal UTM networks or something else? What is the best way of doing this?

Thanks for any advice offered.
Andrew.

Bridging & LAG

Dear users,

I have a UTM 220 and I created two LAGs:

LAG0: int 4 & int 5
LAG1: int 6 & int 7

Is there any way to bridge those two, LAG0 and LAG1? I just want to have a bridge throughput of 2 Gbit.

Thank you

Beginner setup - replacement for Speedport

Hello everyone,

I am currently toying with the idea of replacing my conventional router with Sophos UTM Home.

What would be the cheapest way to put something reasonably power-efficient together here?

Is it readily possible to establish a connection to Telekom DSL without the Speedport? (It would have to be ADSL.)

Regards

Fabian


PS: I did use the search function, but unfortunately found nothing suitable =(

Gateway route

Hi

I have Sophos full guard; all the modules are enabled.
I installed another gateway, and I need one of the networks to surf the internet via the new connection while the other networks surf with the old internet connection. Is there a way to do that even if I'm using all the modules?

BR
Shay Hanya

Internal test network with UTM and REDs

Hello,

as already indicated above, I would like to build a test environment with 2 virtual UTMs as HA and 1-2 REDs.

I have set up the UTMs in VMware Workstation and configured them as a working HA. I am sitting here behind a UTM that provides access to the Internet.

The whole thing looks like this:

Internet <> UTM120 <> LAN <> my computer <> 2x UTM as VM

In my UTM VMs I have set up 2 interfaces:

- Internal ((own vmNet) Ethernet static)
- Internet ((NAT into the LAN) Ethernet DHCP)

My problem: how do I connect the REDs so that it looks as if they were coming from outside? In effect I want to simulate a remote site.

Perhaps someone has already built something like this and has a tip!?

Regards, HL2

Next update

Been watching the forum for any updates. Do we know when the next update for the beta will be available? I know, when it is baked. Just trying to see where things stand.

Thanks

Strange CPU usage of Astaro 425 box

Hi,

I've recently obtained a demo box from a partner. The issue that I am facing is 100% CPU usage of the httpprox process.

top - 17:09:19 up 5:00, 1 user, load average: 2.02, 2.21, 2.33
Tasks: 134 total, 1 running, 131 sleeping, 0 stopped, 2 zombie
Cpu(s): 52.3%us, 46.3%sy, 0.0%ni, 0.3%id, 0.0%wa, 0.0%hi, 1.0%si, 0.0%st
Mem: 3338728k total, 3214524k used, 124204k free, 50332k buffers
Swap: 1048572k total, 105096k used, 943476k free, 2445920k cached

11067 httpprox 20 0 1279m 168m 7508 S 191 5.2 368:04.52 httpproxy

So I would like to see what is wrong with this, I have 6 updates available on the box which need to be installed, I am doing this after working hours as well.

Current firmware version: 9.101-12
Latest available firmware version: 9.107-33

Is this firmware related or am I doing something wrong? With an identical setup we had a lower device from Sonicwall which was doing the web filtering, and we did not have these issues with CPU utilization.

Web filtering is set up in transparent mode. I have one link to the internal network and two to ISPs, used actively.

The filtering is pretty simple: antivirus scanning is disabled, and only web filtering and application control have been set up. Application control blocks access to Facebook, YouTube and torrents, while web filtering filters only access to ****ographic content and similar sites.

What could be wrong? We have roughly 50 users active.

Thanks...

P.

Top Servers/Clients report - help needed

I'm having trouble interpreting something I am seeing in Network Usage reports. I notice under "Top Servers" for the day that there is a private IP (10.108.142.215) that is listed as the top server. The daily data usage (6.5 GB in the screenshot) always correlates, almost exactly, to the data usage of the Internal firewall interface under "Top Clients", 10.1.1.254.

10.108.142.215 is not part of any internal subnet on our network, and I am unable to ping the address from the firewall. Is this some kind of internal functionality, or something else I'm misunderstanding?

I've attached screenshots from the "Top Servers" and "Top Clients" reports to clarify what I'm trying to explain.

Attached Images
File Type: png TopServers.PNG (13.3 KB)
File Type: png TopClients.PNG (20.0 KB)

Trying To Track Down CPU Spikes

Recently in the Executive reports I have been seeing a lot of CPU spiking going on. We have a relatively new ASG 220. It will go up to 100% for a few minutes. Most of the time it is in the evenings when no one is here. We are a small company of about 20 people so the load shouldn't be that high. Can someone tell me where I should start looking to see what is causing the spiking?

Thanks!

[9.191] Can't disable Cisco VPN

When I try to disable the Cisco VPN in WebAdmin it looks like it is going to turn off, but as soon as you refresh the page or browse to a different section and come back, the Cisco VPN is still enabled.

*EDIT* I should have mentioned that this is both with IE 11 and Firefox web browsers.

[9.191-2] RED 50 VLAN tagging

Hi,

I tried some test setups with VLAN tagging.
I used the RED 50 with only WAN1 connected.
After playing around with the VLAN settings, no connection is possible (RED tunnel).
I recabled the Internet uplink to WAN2 and the RED tunnel came up.

Can you please check the config located at the cloud service?
I tried to set up LAN port 4 as tagged 14,1000. Maybe WAN1 got some misconfiguration from my VLAN configuration.

Sven

How is the WebAdmin IP address determined?

How does the UTM determine what IP address to use for WebAdmin? I have a new box that I've built up using a temporary address of 192.168.0.100, and the console login prompt reflects that address. If I change it to .101, then after I reboot, the login prompt updates to reflect the new address.

So far, so good, but what happens if I want to disable that port entirely, and start using another port that I've configured as 192.168.0.1 (the intended address once I deploy this box)? WebAdmin won't let me disable the port I'm currently connected on, so how can I (or even can I) disable this setup port and have the UTM start using the intended LAN interface and address for WebAdmin?

Reverse proxy not... reverse proxying?

Hello all...
Just trying to get our Webserver Protection going and having some difficulty with one host.

I have added the Virtual webserver helpdesk.domain.com with no Firewall Profile, and Rewrite HTML/Cookies enabled.
The Real Webserver is set to a DNS host of helpdesk.domain.local

Whenever you try to access helpdesk.domain.com, it refreshes to helpdesk.domain.local. I've tried turning HTML rewrite on and off, no difference. I've tried removing the whole setup and trying again, no difference. I can't see why on earth it keeps trying to redirect.. I've tried putting in just an IP for the Real Server, and again it tries to redirect to that IP instead of proxying the request to that IP. What could I possibly be missing here? It doesn't seem like there are too many options to screw up, the live log doesn't help much at all...

Any insight would be appreciated! I'll upload some screens..

Routing Traffic through UTM Server

Hi,

I have a newbie network question...

Can you advise how I should configure my network to route all traffic through the UTM server?

All devices are connected to a Switch which is connected to a D-Link ADSL router. The UTM server IP is 10.1.1.32, the Router is 10.1.1.1.

Currently all traffic routes directly through the router.

Cheers

Web filtering profiles reset their order

When we have multiple proxy profiles, we can order them using the ordering arrow in the corner. But the order you set is reset when you refresh the page. I have attached the images, and this was tested with 9.191.

Attached Images
File Type: png original order.PNG (6.9 KB)
File Type: png changed order.PNG (16.3 KB)
File Type: png back to original.PNG (15.2 KB)

[9.191] HTTP cache filling up the Data partition

I started getting emails from the UTM that my DATA partition was 77% full. After some investigating I found that the httpcache folder had grown to 18GB over a few day span. Clearing the web proxy cache in WebAdmin fixed the problem. I thought there was some sort of auto cleaning mechanism that prevented the web proxy cache from filling up the disk?