Channel: Sophos User Bulletin Board

SSL Decrypt & Scan - Cheap Certificates from a CA?

Hello,

I'm helping some families set up filtering boxes using the 50 user home license and I'm wondering if there is a more user-friendly way of handling full SSL scanning. I can import the certificate Sophos generates into the browser (Firefox) and it works reasonably well, but certain sites still don't like that they are being intercepted by a self-generated certificate. Just as an example, Google requires users to fill in CAPTCHAs almost constantly in order to do basic searches.

StartSSL offers free level 1 certificates and NameCheap offers something similar from Comodo for about $10. Since these certificates would be generated by CAs that Google trusts, I assume some of these annoyances would disappear.

Has anyone attempted something like this? Are there other solutions to this problem that I am overlooking?

Alternatively, scanning the URL of SSL enabled sites is an option but I'm wary of the effectiveness of this. Can anyone comment on how thorough this is in comparison to properly configured deep SSL scanning?

Thanks for any help!

Web filtering

I am having some issues setting up the UTM to filter web traffic with AD SSO.

As far as I can tell the SSO/AD is working and works with normal HTTP traffic.

When I try to access any HTTPS traffic I get "the certificate is not trusted" due to there being no certificate chain present.

I have tried using the default cert with Sophos UTM and importing that into my trusted root certs, making a new cert from my CA which is trusted by all clients, and using a *.domain.com cert which is externally signed (this works for the admin page).

Has anyone seen an issue like this before or know a work around for it?

From Firefox I get:
Technical Details
google.com uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

IE has the same issue but without the useful information!

Rob

Allow download, prevent upload

Hi

I am setting up a new UTM. Is it possible to allow my users to download from Dropbox/OneDrive etc. but not to upload anything?

Site to Site IPsec Problem

Hey all,

I've set up a few Site-to-Site VPNs using Astaro and Sophos products in my time and it's always been a slam-dunk experience.

Until now. I'm having a problem connecting an SG210 to a UTM110 via IPsec and it's really getting to my head! Hopefully another set of eyes on this issue will reveal some stupid fat-finger mistake or something.

I don't have time to go screenshot everything in the config right now, but here are the logs off the SG210 at the head office:
Code:

2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[228] <Destination IP>:4500 #378: max number of retransmissions (2) reached STATE_MAIN_R2
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[228] <Destination IP>:4500: deleting connection "L_for admin"[228] instance with peer <Destination IP> {isakmp=#0/ipsec=#0}
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: packet from <Destination IP>:4500: received Vendor ID payload [strongSwan]
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: packet from <Destination IP>:4500: ignoring Vendor ID payload [Cisco-Unity]
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: packet from <Destination IP>:4500: received Vendor ID payload [XAUTH]
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: packet from <Destination IP>:4500: received Vendor ID payload [Dead Peer Detection]
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: packet from <Destination IP>:4500: received Vendor ID payload [RFC 3947]
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: packet from <Destination IP>:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: packet from <Destination IP>:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: packet from <Destination IP>:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: packet from <Destination IP>:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[229] <Destination IP>:4500 #379: responding to Main Mode from unknown peer <Destination IP>:4500
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[229] <Destination IP>:4500 #379: NAT-Traversal: Result using RFC 3947: peer is NATed
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[229] <Destination IP>:4500 #379: next payload type of ISAKMP Identification Payload has an unknown value: 28
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[229] <Destination IP>:4500 #379: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2014:07:08-11:49:23 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[229] <Destination IP>:4500 #379: sending encrypted notification PAYLOAD_MALFORMED to <Destination IP>:4500
2014:07:08-11:49:33 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[229] <Destination IP>:4500 #379: next payload type of ISAKMP Identification Payload has an unknown value: 28
2014:07:08-11:49:33 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[229] <Destination IP>:4500 #379: malformed payload in packet. Probable authentication failure (mismatch of preshared secrets?)
2014:07:08-11:49:33 <LOCAL HOSTNAME> pluto[6069]: "L_for admin"[229] <Destination IP>:4500 #379: sending encrypted notification PAYLOAD_MALFORMED to <Destination IP>:4500

I'll post the log from the remote unit in the next post.

Before anyone suggests it: YES! I've made sure the secrets match. (replaced the 30+ character randomly generated key with something much simpler)

running remote sites despite network outage in central

Hi everyone,

We are running several remote sites equipped with RED10s. However, the "hub" in this topology suffers from frequent outages of its internet connection.

When the VPN from the remote sites is down, users there have the tendency to unplug all network devices to see if the connection comes back up.
However, this leads to the RED10s not connecting at all, leaving the sites without DHCP, etc.
Is there a way to embed the configuration within the REDs, so that even after a reboot the configuration is still available, even if there is no connection to the UTM?

Regards
Tobias

Re-IP

Hey all,

I am in the process of configuring two (or possibly more) sites that will be connected to my SG210 appliance via site-to-site IPsec VPN. Not sure that it matters, but the local IP of my SG210 is 10.0.102.1.

I have a server on my LAN here with the IP 10.0.102.50 that will be polling remote sites connected via VPN, but we have run into a problem already: we have two remote sites that have a local IP schema of 192.168.1.x, and I need my server to poll two devices located at physically different sites that are both locally addressed 192.168.1.1. (Now is one of those times where I'd love to choke someone for lack of foresight!)

My question: what is the best way to address this with the stipulation that I cannot change any of the remote IPs? (There are literally hundreds of devices per site that all have hardcoded IPs - no, not PCs.)

The remote connectivity will be provided by UTM110 appliances.

Adobe update failing in Ubuntu 14.04 LTS

There's a new critical bug fix for Flash that I want to install.
The flashplugin-installer app is failing with a message that it couldn't download the key file from the interwebs.

The Web Application Log shows related traffic:
Code:

2014:07:08-13:08:17 ravenna ulogd[4772]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="4" outitf="ppp0" mark="0x3468" app="1128" srcmac="0:0:2f:82:39:f7" srcip="10.1.2.3" dstip="96.17.15.158" proto="6" length="535" tos="0x00" prec="0x00" ttl="63" srcport="35185" dstport="443" tcpflags="ACK PSH" 
2014:07:08-13:16:07 ravenna ulogd[4772]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="4" outitf="ppp0" mark="0x3468" app="1128" srcmac="0:0:2f:82:39:f7" srcip="10.1.2.3" dstip="96.17.15.172" proto="6" length="535" tos="0x00" prec="0x00" ttl="63" srcport="54434" dstport="443" tcpflags="ACK PSH" 
2014:07:08-13:19:27 ravenna ulogd[4772]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="4" outitf="ppp0" mark="0x3468" app="1128" srcmac="0:0:2f:82:39:f7" srcip="10.1.2.3" dstip="96.17.15.165" proto="6" length="536" tos="0x00" prec="0x00" ttl="63" srcport="60407" dstport="443" tcpflags="ACK PSH" 
2014:07:08-13:22:42 ravenna ulogd[4772]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="4" outitf="ppp0" mark="0x3468" app="1128" srcmac="0:0:2f:82:39:f7" srcip="10.1.2.3" dstip="96.17.15.190" proto="6" length="535" tos="0x00" prec="0x00" ttl="63" srcport="39453" dstport="443" tcpflags="ACK PSH" 
2014:07:08-14:33:54 ravenna ulogd[4772]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="4" outitf="ppp0" mark="0x3468" app="1128" srcmac="0:0:2f:82:39:f7" srcip="10.1.2.3" dstip="96.17.15.190" proto="6" length="535" tos="0x00" prec="0x00" ttl="63" srcport="39911" dstport="443" tcpflags="ACK PSH" 
2014:07:08-14:34:16 ravenna ulogd[4772]: id="2017" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Alert" action="log" fwrule="4" outitf="ppp0" mark="0x3468" app="1128" srcmac="0:0:2f:82:39:f7" srcip="10.1.2.3" dstip="67.132.183.78" proto="6" length="535" tos="0x00" prec="0x00" ttl="63" srcport="52346" dstport="443" tcpflags="ACK PSH"

The Livelog is more readable:
Code:

13:08:17 Application control rule #4 Adobe Flash 10.1.2.3 : 35185 96.17.15.158 : 443 [ACK PSH] len=535 ttl=63 tos=0x00 srcmac=0:0:2f:82:39:f7
13:16:07 Application control rule #4 Adobe Flash 10.1.2.3 : 54434 96.17.15.172 : 443 [ACK PSH] len=535 ttl=63 tos=0x00 srcmac=0:0:2f:82:39:f7
13:19:27 Application control rule #4 Adobe Flash 10.1.2.3 : 60407 96.17.15.165 : 443 [ACK PSH] len=536 ttl=63 tos=0x00 srcmac=0:0:2f:82:39:f7
13:22:42 Application control rule #4 Adobe Flash 10.1.2.3 : 39453 96.17.15.190 : 443 [ACK PSH] len=535 ttl=63 tos=0x00 srcmac=0:0:2f:82:39:f7
14:33:54 Application control rule #4 Adobe Flash 10.1.2.3 : 39911 96.17.15.190 : 443 [ACK PSH] len=535 ttl=63 tos=0x00 srcmac=0:0:2f:82:39:f7
14:34:16 Application control rule #4 Adobe Flash 10.1.2.3 : 52346 67.132.183.78 : 443 [ACK PSH] len=535 ttl=63 tos=0x00 srcmac=0:0:2f:82:39:f7

Something is blocking the download/installation and it appears to be the UTM.
Does anyone else see this on their systems?

Thanks,
~D

QoS Application Selector missing

I have two hardware UTMs running 9.2. One has Full Guard and has the Application Traffic Selector available. The other only has Base and Network Protection and does not have the Application Traffic Selector. Do I need another license for this?

Advice on build for branch office

Hello
I'm looking for some advice on a UTM build for a branch office. I'm new to Sophos UTM so I haven't got a feel for which hardware runs well, though I've picked up from the forums that Intel NICs are better than Realtek.

I have 2 offices:

Head office - 160 users and VoIP phones, 30 Mbit up/down internet connection.

For this build I am going to use a spare Dell 2950 (2 x Xeons, 16 GB RAM, 3 Broadcom NICs).

Now for my branch office I have 20 users and VoIP phones with a 30 Mbit up/down internet connection. I would like something small, reasonably priced and able to handle the Essential version of the UTM.

I was looking at mini-ITX boards with dual NICs but I'm unsure how good the performance will be. Do you have any advice on these?

Also, does Sophos perform just as well with AMD CPUs?

thanks

Youtube and blocking specific categories within

Hi,

I'm coming from McAfee Web Gateway and one of the features I liked/had was that I could block categories within YouTube. We are a school district that needs to access YouTube (YouTube for Education has limited content). It would be nice to set up a policy or rule to be able to block these YouTube categories.

Currently available categories are:
• Film
• Autos
• Music
• Animals
• Sports
• Shortmov
• Travel
• Games
• Videoblog
• People
• Comedy
• Entertainment
• News
• Howto
• Education
• Tech
• Nonprofit
• Movies
• Movies_anime_animation
• Movies_action_adventure
• Movies_classics
• Movies_comedy
• Movies_documentary
• Movies_drama
• Movies_family
• Movies_foreign
• Movies_horror
• Movies_sci_fi_fantasy
• Movies_thriller
• Movies_shorts
• Shows
• Trailers

Thanks,

Jahad Suboh

SSL site to site reconnect issue

Hi,

I've got 3 sites set up.

One site, which I guess you can call the hub, has 2 connections going to it.

The other 2 sites connect back to the hub.

Anyways, long story short:

If any of the links go down, or the hub gets rebooted, the SSL VPNs stay connected and still show connectivity, but no traffic is passed through.

I have to manually restart all the SSL VPNs for traffic to flow through again. (I can restart the tunnels from any side to re-establish the connection.)

This has only become apparent since the latest update, which is running on all 3 sides.

I have seen a similar issue in the past on these forums but it has only just started happening here.

NOTE: 1 side is running a 320, and the other 2 sides are running virtual machines.

View web pages in another subnet via UTM

How do I view an internal domain web site on another subnet via the UTM?

All our clients are on a 10.72.0.0 network. We have a router in our network that routes to a 192.168.0.0 network, and in this network is a local DNS server; it is a different DNS to the one for the outside world.

How do I make clients on our 10.72.0.0 network route to domain.com, which is in our 192.168.0.0 network, locally via our UTM proxy?

Migration from UTM 220 to SG 230

Hello and good day,

Currently we are running a UTM 220, still on the last software version before version 9.
We want to replace it with an SG 230.
Hence my question whether anyone already has experience with this, or what needs to be taken into account.
Is there a guideline one can follow? :confused:

Of particular interest:
- When and how to upgrade the license in the MyUTM portal
- Possibility of importing the old backup
- Functioning of all previous settings
- Are there already known spots that need special attention

Would be very grateful for any information.
Many thanks in advance

Firewall dropping all traffic

Hi everyone,

I have installed UTM9 (Home license) and can't get a working configuration for the firewall.

What I did:

1. Created needed definitions for my internal hosts
2. Created group for all mentioned definitions
3. Added masquerading rule for that group
4. Added Firewall rule "My Group -> any -> Allow", also I have checked "log packets" checkbox for checking purposes

Now I can see that the UTM is just dropping all traffic through it (from the log window):

13:36:59 Default TCP drop 192.168.1.30:1563->130.57.118.109:1677

The corresponding record from packetfilter.log:

2014:07:09-13:36:59 utm ulogd[20934]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60002" initf="eth0" outitf="eth3" srcmac="0:30:48:5a:6d:f6" dstmac="0:c:29:93:70:84" srcip="192.168.1.30" dstip="130.57.118.109" proto="6" length="48" tos="0x00" prec="0x00" ttl="126" srcport="1563" dstport="1677" tcpflags="SYN"

This packet is for Novell GW Client.

I have done all the settings using previous ASG experience from memory - there was no problem with ASG (I mean, with such a configuration), but with UTM9 it seems not to be working at all.

At the moment, in my understanding, the UTM just ignores this rule (or can't recognize 192.168.1.30 as one of the hosts from My Group). I have also tried using a Host with "192.168.1.30" assigned - with the same results.

Could anybody please help me to sort this annoying problem out?

Site to site IPsec VPN issue with Local VPN id

I have a UTM (9.203-3) running in AWS and terminating IPsec tunnels from 100 sites. To get it working on all the remote sites we had to set the remote VPN ID to the UTM private IP. I would like to have a preconfigured hot standby node running in a second availability zone so that I can just move the Elastic IP address to it in case of an Amazon availability zone failure.

The problem is that because we are using the private IP as the remote VPN ID, in the event of a failure we have to reconfigure all 100 remote gateways to use the standby node's private IP to get the VPN to work.

This problem could easily be solved if the UTM allowed you to change the "local" VPN ID to a hostname instead of an IP - in strongSwan the setting is called "leftid". Currently this setting is only available under the Local RSA Key VPN options and not for preshared key authentication.

I found two feature requests:

VPN: Local VPN ID choices when using Pre-Shared-Key

Expand ipsec.conf control to webadmin

If someone from the Sophos team is reading this, any thoughts or suggestions will be very much appreciated.

Problem with Endpoint Security

Hello everyone,

I have the following problem:

Some time ago I installed a 9.2, solely for Endpoint Protection with the Home license.

Unfortunately the box died and I have now loaded the config into a new VM.
My endpoints are still shown, but I no longer get any status. The download for the DeployAgent also no longer works.

Does anyone know what might be causing this? Does Endpoint Protection not like a change of machine?

PS: The UTM runs behind a FritzBox, but that can't be the cause, because it did before as well and worked flawlessly.

Thanks in advance for your answers :)

RPC over HTTPS

Managed to get the UTM working and filtering my HTTP/HTTPS traffic as expected.
Currently we are just using it as a proxy to route traffic through for web filtering and not as the default gateway.

The proxy seemed to be working with clients and filtering websites on group membership etc.
However, I noticed that my RDWeb server is now not working and just pops up with a generic error message.
Is there any way to allow this through the proxy? (Assuming it's using the proxy settings from IE.)
The Network Protection part is pretty much disabled and there is a rule Any > all which should allow all traffic through that part. (We have another device at the edge currently doing this.)

I have also added the ports to Allowed target services from Filtering options > misc.

Has anyone seen this issue before?

Rob

Sophos UTM 9.2 behind DSL modem (DHCP assignment)

Hello,

I have the following problem. I have a DSL modem to which a UTM is connected (eth1). I now want to connect a small network to eth7. So far I can only assign static IP addresses, or addresses assigned by the UTM via DHCP.

How do I get the UTM to forward the DHCP address assignment to eth7, so that the connected PCs get their IP from the modem?? I suppose via the relay function, but a DHCP server has to be specified there? :confused:

Thanks in advance.......

Gerd

PPPoE issue

Hi,

I have some issues with the PPPoE daemon. Each time the UTM is rebooted for any reason, the interface seems to be up but I cannot connect to the internet. If I manually reconnect it works. No errors appear in the PPPoE logs.

If I try to ping an IP on the internet I receive "destination net unreachable".

I am using UTM Home 9.201-25 / fiber to the home internet connection.

Any ideas about this issue?

Regards,
Ghebosu

Connection through SSL VPN client is redirected always to the Domain Controller

Hi,

Up to now we were using L2TP protocol to establish VPN connection with our machines in the workplace. When using the L2TP protocol, it was possible to connect to both the Terminal Server and the Domain Controller, with their respective IPs through Remote Desktop Services.

To take away the burden of configuring the L2TP VPN connection for typical users, I decided to switch to the SSL VPN client provided by Sophos, which is much easier to install and use.

However, each time I try to connect to the Terminal Server using its IP, I am redirected to the Domain Controller. Why does this happen? Is it a configuration problem at the Sophos router or the SSL VPN client, or should I look for the problem elsewhere, at the operating system level?

Thanks,

Devices: Sophos UTM 9.1
Domain Controller (main server): Windows Server 2008 R2
Terminal Server: Windows Server 2008 R2