Sophos

[zoomzoom]

@jgreco You stated in an owncloud thread:

"Only if you happen to free up port 443 and dedicate 443 on your NAT gateway to hitting the OwnCloud instance (or reverse proxy, or whatever).

In general, this is a terrible idea because of the sheer number of bots out there looking at ${everyip}:443 and ${everyip}:80 ... the bad guys build databases of what they find running and where, so when some exploit for OwnCloud or your HTTP server becomes available, they merely need to query their databases for the sites running that software and they can then target you"

Should Sophos and OpenVPN be left at default for the user portal on 443 (currently routable from WAN due to DDNS)? I thought it odd it was set to 443 to begin with, but didn't think too much about it until I set up DDNS earlier today to configure OpenVPN.

 

[jgreco]

No, I really would encourage you to pick a random port number. It's ugly, yes, that you then might need to type in "https://owncloud.foo.bar:42829/" but it makes it substantially less likely your OwnCloud instance would be found, or (worse) your Sophos control portal.

We've just this week had a great example of the folly I'm talking about. Changing the port numbers doesn't eliminate the risks. It just reduces the likelihood.

 

[zoomzoom]

No, I really would encourage you to pick a random port number. It's ugly, yes, that you then might need to type in "https://owncloud.foo.bar:42829/" but it makes it substantially less likely your OwnCloud instance would be found, or (worse) your Sophos control portal.

We've just this week had a great example of the folly I'm talking about. Changing the port numbers doesn't eliminate the risks. It just reduces the likelihood.

I've never minded having to type in the port numbers, I simply found it odd an OS built around security for a router would set 443 as the default port for most services.

I love Sophos overall, however a few directions they've chosen to go in really defy comprehension [or common sense for that matter]; such as no ability to manage OpenVPN via the WebAdmin, which wouldn't be an issue at all, except their terminal warning about staying out of the cli unless directed by them to do to so; the inability [thus far] to run simultaneous OpenVPN servers, which should be able to be done from a single config file, except their implementation of OpenVPN dynamically creates the OpenVPN config and subsequently deletes it when the VPN is turned off or a reboot occurs (request from 3 1/2 years ago shows a user who asked for this exact ability to be implemented); and the inability to have separate ssh configurations for LAN and WAN.

Don't get me wrong, Sophos UTM is hands down amazing... the OpenVPN implementation is just baffling.

 

[jgreco]

Actually I thought the admin portal was on :4444 and something else like end user auth was on :https ....?

I think the usual problem with an all-in-one box is that it will invariably have some things it doesn't excel at. Our VPN servers here are based on FreeBSD and handle a fair bit of complexity, including OpenVPN in multiple roles, L2TP/PPTP, etc., but the flip side is that I'd hate to have to find something to replace them because that hypothetical replacement won't be able to do all the things we've spent years tweaking them into doing. That's the long way to say, don't blame Sophos too much, this stuff is complicated, sometimes in ways that aren't apparent.

 

[pirateghost]

The admin portal is on 4444, port 443 is for client access (check spam filter, get vpn keys, configs, etc)

You can set the admin port to only allow admin access from within a specific subnet and the system will email you when any failed attempt to login is made.

Overall, there really isn't a better complete package available out there without spending a long time rolling your own solution(s)

 

[zoomzoom]

Actually I thought the admin portal was on :4444 and something else like end user auth was on :https ....?

I think the usual problem with an all-in-one box is that it will invariably have some things it doesn't excel at. Our VPN servers here are based on FreeBSD and handle a fair bit of complexity, including OpenVPN in multiple roles, L2TP/PPTP, etc., but the flip side is that I'd hate to have to find something to replace them because that hypothetical replacement won't be able to do all the things we've spent years tweaking them into doing. That's the long way to say, don't blame Sophos too much, this stuff is complicated, sometimes in ways that aren't apparent.

I should have been more specific, the webadmin is set to 4444 (which is a port that should be auto blocked by everyone as there's more exploits attributed to that port than legitimate assigned uses lol), the user portal and SSL VPN are all set to 443.

I'm not blaming Sophos, I simply don't understand the lack of configuration they allow through the WebAdmin for OpenVPN, in conjunction with a very plain prohibited warning that modifying anything via CLI voids support (It's the cli warning when used in context with the lack of any other way to configure OpenVPN that's baffling and has me scratching my head with a "huh..."). OpenVPN server and client configs require tweaking in order to decrease latency and increase throughput, and to not allow a way to configure the server and client configs when it's fundamental to an SSL VPN is... well... baffling

I assume the reasoning [regarding the cli] is to prevent an end user inadvertently causing major issues, thereby wasting support's time and is completely understandable from the point of view on Sophos as a whole. None of this is a criticism of Sophos, as to me it's like discovering OpenWRT/DD-WRT for the first time.

 

[TheDubiousDubber]

Maybe this is related to the conversation previous, though I'm guessing it is a loose relation. I'm wondering if anyone has successfully setup VPN access on UTM Home using DynDNS? I had it working for what I would guess is a week or two, then it stopped working. I hadn't changed anything so I'm not sure why it did. I'm guessing it has to do with the DNS not updating, but I reconfigured it with a new address, made sure it was up to date, and even rebooted the Sophos router and I can't get the bloody thing to work anymore. Trying to connect from my phone, the OpenVPN logs show that it is timing out when trying to connect. I set it up according to the documentation direct from Sophos so I'm pretty sure this is not a stupid mistake of mine, or if it is, it isn't anything explicit.

 

[pirateghost]

I don't use dyndns but I have a dynamic DNS service that works flawlessly

 

[ChriZ]

Just tested mine from my phone (haven't used it since September)
It worked as expected with my dyndns service.

 

[zoomzoom]

I'm wondering if anyone has successfully setup VPN access on UTM Home using DynDNS?

I had it working for what I would guess is a week or two, then it stopped working. I hadn't changed anything so I'm not sure why it did. I'm guessing it has to do with the DNS not updating, but I reconfigured it with a new address, made sure it was up to date, and even rebooted the Sophos router and I can't get the bloody thing to work anymore. Trying to connect from my phone, the OpenVPN logs show that it is timing out when trying to connect. I set it up according to the documentation direct from Sophos so I'm pretty sure this is not a stupid mistake of mine, or if it is, it isn't anything explicit.

I have mine setup with DynDNS... OpenVPN is easy to troubleshoot, so we should be able to get you up and running fairly quickly =]

More likely than not, it's either web filtering, ATP, IPS or the firewall.

• If you haven't already, I would open up the firewall log and ssl vpn log on UTM, then try and connect on your phone and see if traffic is being blocked.
  • I would also recommend utilizing OpenVPN for Android if using an Android device (as it provides full control over everything, including dynamically setting the log to verb 10).

• On UTM, change to protocol TCP for OpenVPN, as this provides the ability to track the packets
• If you uploaded your own CA (Certificate Authority), it must be a CA and not an Intermediate CA, otherwise OpenVPN authentication will fail every time due to how ConfD manages the OpenVPN authentication
• OpenVPN must be set up under Remote Access, not Site-to-Site VPN
  • Profile Name: VPN
  • Users and Groups: %UserName%
  • Local Networks: Internal (Network)
  • You can choose to have it auto create a firewall rule, however I prefer to manually create them as it keeps the rules far more organized.
• You should have the following firewall rule (set it to #1 for troubleshooting)
  • %UserName% (User Network) --> Any --> Internal (Network)
    • For troubleshooting, under Advanced, ensure Log traffic is ticked
  • Ensure your username is added under Network Protection --> Advanced Threat Protection --> Network/Hosts Exceptions
  • Ensure your username is added under Network Protection --> Intrusion Prevention --> Local Networks
  • Ensure Internal (Network) is added to Web Protection --> Web Filtering --> Allowed Networks
  • Create the following rule under Web Protection --> Application Control
    • Action: Allow
    • Control These Applications: IPsec ; OpenVPN
    • For: Any

If you've done the above, you'll need to review the following logs to trace where the problem is occurring: SSL VPN Log, Firewall Log, Web Filtering Log, Advanced Threat Protection Log, and the Intrusion Prevention System Log

 

[zoomzoom]

Anyone notice static assigned IPs aren't being deducted from the 50 allotted for license usage?

I use a /26 netmask and only have 25 addresses allotted for the DHCP range with static assigned addresses assigned below the DHCP range, and I'm curious if this is why the addresses aren't being deducted from the 50 allotted to the license?

If someone else could attempt to replicate this to confirm, it'd be extremely appreciated =]

 

[pirateghost]

Because it uses the dhcp addresses

Sent from my Nexus 6P using Tapatalk

 

[zoomzoom]

I thought you mentioned a while back even static IPs were deducted from the allotted 50 (although you could very well have meant to imply it applies to the DHCP pool)

 

[pirateghost]

It should only apply to dhcp addresses.

My entire main LAN is not counted in Sophos IP counts. I run dhcp server elsewhere in my network. My vlans use Sophos for dhcp and those IPs are counted

 

[zoomzoom]

Does it only apply to those addresses dynamically assigned within the DHCP pool, or does it also apply to dynamic IPs from the DHCP pool that have been saved [converted] as [to] static IPs?

 

[pirateghost]

The ones you use dhcp reservations on get counted too

 

[gpsguy]

astaro.org (community support forum) unusable

I ran into a problem on Saturday and thought I had posted a message about a special configuration, a few years ago. Can't login, can't search, can't view messages, drat.

You can read all about the forum issue here - https://community.sophos.com/products/unified-threat-management/f/41/t/10717

 

[joeschmuck]

Thanks for the heads up! I haven't been on the Sophos forums in a few weeks. Hopefully it will be back online soon for those folks who need it.

To be honest, my Sophos installation is running very well (knock on wood). I was going to play around with it this past weekend but never had the time, likely a very good thing.

 

[ChriZ]

Just looked at the new community forum they are migrating to... Yayyyyy!
It sucks...

 

[joeschmuck]

Just updated to version 9.351003, I was a bit uneasy not having an active forum to run to if thins became broken but I could always restore to an older version if need be. So far the new version is fine but it's been less than 15 minutes so we will see who starts yelling saying they can't do something on the internet within the next hour or so.