Sophos

[zoomzoom]

As I stated already, I did download and try it. I didn't see much more to the app than some logging verbosity. Again, like I said, that doesn't affect me at all.

You say I am ignorant for not acknowledging a simple fact, yet you still don't understand the context and the wording of your original post on the subject. What you MEANT to say and what you actually said are different things. I was trying to get clarity on that, and see if I was, indeed, missing something cool about the other client app. Somehow this turned into a longer conversation than it should. You even stated yourself that in the context of Sophos it didn't actually provide much but logging levels. What thread are we in again?

I think you need to try and look at your post from another perspective and see how it can be confused and misconstrued. I don't know how this has been drawn out this long, or why, because honestly, I asked a simple question based on a statement you made. I read the words you posted in a manner that didn't make sense to me and asked for clarity. I didn't ask for snide remarks or to be called ignorant.

I appreciate your point of view, however we will have to agree to disagree.

I also did not call you ignorant, nor did I imply you were. I stated " fail[ing] to acknowledge a simple, benign fact is ignorant", as it is ignorant because facts matter. Does that make the person not acknowledging a fact ignorant, no... it simply makes the act of non-acknowledgement ignorant. Nor did I make snide remarks; as everything I said was worded neutrally. More often times than not, the impact a writer's words has on the reader says more about the reader than it does about the writer

 

[pirateghost]

LOL. OK.

 

[TheDubiousDubber]

Sorry if I failed to specify. I'm actually using the OpenVPN Connect app on iOS. If that even matters. I might also mention that everything was working fine previously after my initial setup. Then it just stopped working for no particular reason. I retraced all the steps of the initial config. Setting it up using a new DNS address and it still fails to connect. I'll try to follow some of the suggestions here and report back.

 

[zoomzoom]

The log files are needed, as if there's a problem with the connection, it will show in the logs from Sophos (verb 7) and the client application (verb 7). If the log files show the tunnel forms successfully, your problem is firewall related.

 

[TheDubiousDubber]

The log files are needed, as if there's a problem with the connection, it will show in the logs from Sophos (verb 7) and the client application (verb 7). If the log files show the tunnel forms successfully, your problem is firewall related.

I appreciate all the help thus far, but I'm honestly debating getting rid of Sophos and going back to standard off the shelf consumer router. It seems I'm running into way too many problems and am running out of patience to fix them all. I've just realized I can no longer receive email using either mail client on my Macbook. It works perfectly fine when I'm not behind the firewall, but when I am I can't pull in new messages or send any out. I've opened ports, I've setup url exceptions for apple.com and icloud.com and still doesn't work. Props to you guys who manage to make these things work. It seems like I'm more than capable, but things like to stop working for no apparent reason and it's driving me insane. Maybe I'll start over from a blank config before anything and try to reconfigure from scratch. Doing one thing at a time. The hard part is the old Sophos thread contained a lot of helpful information and is no longer accessible. A lot of relevant google searches result in a dead page.

 

[zoomzoom]

It's does no good to post about specific problems and not post log files, especially for the VPN issue, as no one can help you without the logs from sophos and the client.

In regards to email, if you're set up for granular control (i.e. all outbound traffic, and/or all LAN traffic, isn't allowed), then you must create web filter application control rules and firewall rules for the ports the email service uses . Sophos is not plug and play and there is a learning curve, which is where the 9.3 UTM manual is extraordinarily helpful, as well as the astaro forum (which is unfortunately shut down and will be offline for several weeks).

If you do not require granular control over outbound traffic, simply allow all traffic from Internal (Network) to pass through the firewall. Have you tried disabling web filtering to determine if that's the issue (which it probably is)?

 

[zoomzoom]

With regards to web filtering, it's not necessary to have activated. I only did so I could learn Sophos UTM through experience and trial and error. Web filtering is extremely frustrating at times, especially for someone like you or I who had no prior experience with it. To make it even worse for you, the astaro forum is down, allowing access to only the first post in any thread. The Sophos Communities forum is up for UTM however, but as other regular users of astaro.org have repeatedly said, it's horrendous and counterintuitive to users as it's not set up like a forum, but like a search provider.

The purpose of Web Filtering, as I understand it, is to filter traffic passing through LAN, which is a must for corporate networks, and would only be useful in a home environment if there are users, such as children, you want to restrict from having access to certain things. If you open up the basic profile, you'll see categories of sites, ranging from the benign to extremism content that can have accessed blocked to (just one example of a type of filtering Web Filtering offers).

My guess is if you have web filtering active, and its the cause of your email issues, it's also probably responsible for your VPN issues (which can't be known for sure without viewing the VPN logs from Sophos and the client), in combination with turning off web filtering and trying to connect to the VPN .

• In regards to VPNs, if you have a consumer grade router running DD-WRT or OpenWRT, and you're using the VPN for anything other than terminal access, it would serve you better to set it up on the consumer router. (Inaccurate... Please my post below)
• Sophos' implementation of OpenVPN, as with all OEMs who attempt to integrate it, is a horrendous implementation that hinders more than it helps if you're looking to do anything more than terminal access. This is due to the fact you have no control over the VPN server and cannot customize the server to increase throughput and decrease latency (due to ConfD, a custom, in-house daemon created by Sophos to control all aspects of their OS).

 

[TheDubiousDubber]

Maybe I will just leave web filtering off in that case. Sadly I did create web filter exceptions for all the email servers related. The only thing left that could be blocking the traffic is Intrusion Prevention, which I didn't even think of since it didn't make any sense to me why it would. The web filter logs show "pass" under all email traffic, but it's still not getting through. I'll have to check logs when I get home. Hopefully that will lead to a fix for the issue.

 

[Rand]

• In regards to VPNs, if you have a consumer grade router running DD-WRT or OpenWRT, and you're using the VPN for anything other than terminal access, it would serve you better to set it up on the consumer router. Sophos' implementation of OpenVPN, as with all OEMs who attempt to integrate it, is a horrendous implementation that hinders more than it helps if you're looking to do anything more than terminal access. This is due to the fact you have no control over the VPN server and cannot customize the server to increase throughput and decrease latency (due to ConfD, a custom, in-house daemon created by Sophos to control all aspects of their OS).

Are the tweaking options on a DDWRT router sufficient to overcome the potential negative impact due to suboptimal hardware?
I mean I can throw near unlimited hardware on the Sophos whereas the most expensive DDWRT capable router is around the GHz limit currently...

Oc I only need to reach 5 Mbit (maybe 20 for the furture) in the end since thats my upload, but i still wonder ;) [Looking for site to site vpn for FreeNas backup, not Internet access VPN which o/c would need more throughput]

 

[zoomzoom]

My previous post was bad advice, or at the very least inaccurate advice, and I'll be editing it at some point today with a better explanation, as well as a copy of my custom openssl.cnf.

About a week ago I created my own customized openssl.cnf and learned how to fully utilize cli openssl. Using openssl speed demonstrated the massive severity of performance loss when utilizing consumer routers for encryption/decryption versus that of utilizing the board Sophos is installed on.

With this in mind, utilizing OpenVPN on Sophos is recommended, provided you edit the server and client configs on sophos via cli. You'll need to keep backups of your configs on your PC, in case an update to OpenVPN is applied on Sophos (which would default all configs due to ConfD). I also recommend creating your own certs and importing them into Sophos, as it will provide continuity and provide you better control over your certs.

...Looking for site to site vpn for FreeNas backup, not Internet access VPN

Are the two endpoints routers? My understanding, which very well could be wrong, is site-to-site is to connect two routers, whereas remote access is to allow endpoints to create a VPN with the Sophos router in question. If the endpoints are two routers, whichever one is Sophos will have to be the server, as Sophos routers cannot be configured as SSL VPN clients.

 

[Rand]

Great, thanks.
Being late to the party (Sophos) has its merits sometimes;)

Are the two endpoints routers? My understanding, which very well could be wrong, is site-to-site is to connect two routers, whereas remote access is to allow endpoints to create a VPN with the Sophos router in question. If the endpoints are two routers, whichever one is Sophos will have to be the server, as Sophos routers cannot be configured as SSL VPN clients.

I have the same understanding. I currently have two routers (fritzbox's) doing site to site and will try to replicate that setup with the UTM(s).
Still reading up on it on how to set it up properly/what to get/repurpose

 

[zoomzoom]

In regards to VPNs, if you have a consumer grade router running DD-WRT or OpenWRT, and you're using the VPN for anything other than terminal access, it would serve you better to set it up on the consumer router.

My statement above is factually inaccurate, which I learned about a week ago while learning how to fully utilize openssl via cli. You can verify the speed of encryption/decryption on your hardware by issuing the command openssl speed [which can be run more granularly as well]. More likely than not, the Sophos hardware will be far faster at processing the encryption/decryption requests. This is also an extremely helpful command in determining what digest and encryption method to use (anything lower than RSA1024/AES128/SHA256 should not be utilized).

I also chose to build my own openssl.cnf from scratch to allow for a more cohesive learning experience. I've included it here to make it easier for anyone wishing to utilize their own certs and CAs. I've also included the 5 commands you'll need to utilize at the bottom of the file, as well as uploaded the config to GitHub

OpenSSL Config (Windows, minor modifications needed for *nix/bsd OSes)

Code:

            ##::[[---  Windows OpenSSL Config  ---]]::##

# For *nix/bsd users:
    # Use notepad to change all backslashes " \ " to forward slashes " /". You
    # may also wish to utilize lowercase only, and if you choose to utilize
    # spaces in cert names, ensure you utilize the proper break format,
    # i.e. "./Sophos\ UTM\ CA.crt"

# For Sophos users:
    # Prior to generating user certs, ensure you change "x509_extensions = usr_cert_dn"
    # to "usr_cert_not_dn"  This should result with "RFC822 Name = user email"
    # in the SubjectAlternativeName of the final user.crt/user.pem details.
    # Without this, it will be impossible to authenticate to VPNs on Sophos

#####################################################################
            ##----- Establish working directory -----##
#####################################################################

dir                       = .


#####################################################################
            ##----- Establish CA Profile and Policy -----##
#####################################################################

[ default ]
sophos                    = Sophos UTM CA

[ ca ]
default_ca                = CA_default

#####################################################################

[ CA_default ]
certs                     = $dir\Certs
new_certs_dir             = $dir\Certs

database                  = index
RANDFILE                  = $dir\rand
serial                    = serial

crldir                    = $dir\CRL
crlnumber                 = crlnumber
crl                       = "$crldir\$sophos.crl"
default_crl_days          = 3650

certificate               = "$dir\$sophos.crt"
private_key               = "$dir\$sophos.key"

default_days              = 3650
default_md                = sha512
preserve                  = no

x509_extensions           = usr_cert_dn
copy_extensions           = copy
unique_subject            = no

policy                    = policy_match
name_opt                  = esc_2253,esc_ctrl,esc_msb,sep_comma_plus_space,ignore_type
cert_opt                  = ca_default

#####################################################################

[ policy_match ]
countryName               = match
stateOrProvinceName       = match
organizationName          = match
organizationalUnitName    = match
commonName                = supplied
emailAddress              = optional

[ policy_supply ]
countryName               = match
stateOrProvinceName       = match
organizationName          = match
organizationalUnitName    = match
commonName                = optional
emailAddress              = optional


#####################################################################
            ##----- Establish Certificate Options -----#
#####################################################################

[ req ]
default_bits             = 2048
default_keyfile          = private.key
# encrypt_key            = yes
default_md               = sha256
string_mask              = utf8only
utf8                     = yes

distinguished_name       = req_distinguished_name
attributes               = req_attributes
req_extensions           = v3_req
x509_extensions          = v3_ca
copy_extensions          = copy
string_mask              = utf8only

#####################################################################

[ req_distinguished_name ]

countryName              = Country
countryName_min          = 2
countryName_max          = 2
stateOrProvinceName      = State
localityName             = Locality
0.organizationName       = Organization
organizationalUnitName   = Organizational Unit
commonName               = Common Name
commonName_max           = 64
emailAddress             = Email
emailAddress_max         = 64

countryName_default             = US
stateOrProvinceName_default     = State
localityName_default            = Locality
0.organizationName_default      = Sophos UTM
organizationalUnitName_default  = LAN


#####################################################################
           ##----- Establish SubjectAltName Profiles -----##
#####################################################################

[ alt_asrock ]
IP.1                     = 192.168.2.4
IP.2                     = 192.168.2.5
DNS.1                    = C2750D4I-IPMI
DNS.2                    = C2750D4I-eth0
DNS.3                    = C2750D4I-eth1

[ alt_freenas ]
IP.1                     = 192.168.2.13
IP.2                     = 192.168.2.130
DNS.1                    = Free.NAS
DNS.2                    = FreeNAS.igb0
DNS.3                    = FreeNAS.igb1

[ alt_openwrt ]
IP.1                     = 192.168.2.2
DNS.1                    = OpenWRT.WRT1900

[ alt_owncloud ]
IP.1                     = 192.168.2.150
DNS.1                    = OwnCloud.FreeNAS

[ alt_sophos ]
IP.1                     = 192.168.2.1
DNS.1                    = SophosUTM
DNS.2                    = your.ddns.com

[alt_supermicro ]
IP.1                     = 192.168.2.3
DNS.1                    = SuperMicro.IPMI
DNS.2                    = SuperMicro-IPMI

[ alt_vpnserver ]
IP.1                     = 10.0.0.1
DNS.1                    = your.ddns.com

[ req_attributes ]
# challengePassword      =
# challengePassword_min  = 4
# challengePassword_max  = 20

#####################################################################
           ##----- Establish Default Certificate Profiles -----##
#####################################################################

[ crl_ext ]
issuerAltName            = issuer:copy
authorityKeyIdentifier   = keyid:always,issuer:always

[ usr_cert_dn ]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer:always
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage         = clientAuth, emailProtection

[ usr_cert_not_dn ]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer:always
subjectAltName           = email:copy
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage         = clientAuth, emailProtection

#####################################################################

[ v3_ca ]
basicConstraints         = CA:TRUE, pathlen:0
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid:always,issuer:always

[ v3_req ]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash

#####################################################################
           ##----- Establish Custom Certificate Profiles -----##
#####################################################################

[ v3_asrock ]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer:always
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName           = @alt_asrock

[ v3_freenas]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer:always
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName           = @alt_freenas

[ v3_openwrt ]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer:always
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName           = @alt_openwrt

[ v3_owncloud ]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer:always
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName           = @alt_owncloud

[ v3_sophos ]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer:always
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName           = @alt_sophos

[ v3_supermicro ]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer:always
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName           = @alt_supermicro

[ v3_vpnserver ]
basicConstraints         = CA:FALSE
subjectKeyIdentifier     = hash
authorityKeyIdentifier   = keyid,issuer:always
keyUsage                 = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage         = serverAuth
subjectAltName           = @alt_vpnserver


#####################################################################
#--------------------------------------------------------------------
                ##----- OpenSSL Commands -----##
#--------------------------------------------------------------------
#####################################################################

#--- Prerequisistes ---#

    # Create "serial" file: echo 00 > serial
    # Create "crlnumber" file: echo 00 > crlnumber
    # Create "index" file, leave blank
    # Create "rand" file, leave blank

# ENCRYPT_KEY is currently commented out, however, it's recommended to
# set it to yes for any use other than a webserver/vpn server, etc.

# Provided you utilize the SubjectAltName section, the Common Name is not
# required to be the IP/DNS, and can be whatever name you wish it to be

#####################################################################
#--------------------------------------------------------------------
#####################################################################

#--- Generate CA ---#
  # openssl req -x509 -new -sha512 -nodes -days 3650 -extensions v3_ca -newkey rsa:4096 -keyout ".\Sophos UTM CA.key" -out ".\Sophos UTM CA.crt" -config .\openssl.cnf

#--- Generate CRL Cert ---#
  # openssl ca -config .\openssl.cnf -gencrl -keyfile '.\Sophos UTM CA.key' -cert '.\Sophos UTM CA.crt' -out '.\Sophos UTM CA.crl.pem'

#--- Convert CRL Cert to DER CRL ---#
  # openssl crl -inform PEM -in '.\Sophos UTM CA.crl.pem' -outform DER -out '.\Sophos UTM CA.crl'

#--- Request ---#
  # openssl req -out '.\OwnCloud.csr' -new -days 3650 -sha256 -newkey rsa:2048 -keyout '.\OwnCloud.key' -config .\openssl.cnf -extensions v3_owncloud

#--- Sign ---#
  # openssl x509 -req -sha256 -days 3650 -in '.\OwnCloud.csr' -CA '.\Sophos UTM CA.crt' -CAkey '.\Sophos UTM CA.key' -CAserial .\serial -out '.\OwnCloud.crt' -extfile .\openssl.cnf -extensions v3_owncloud

#--- Export ---#
  # openssl pkcs12 -export -out '.\OwnCloud.p12' -inkey '.\OwnCloud.key' -in '.\OwnCloud.crt' -certfile '.\Sophos UTM CA.crt'

#####################################################################
#--------------------------------------------------------------------
#####################################################################
                ##---- Index File -----##
#--------------------------------------------------------------------

  # If you wish to maintain the index file automatically, you'll need to
  # use "openssl ca" to sign certs.

  # You can manually maintain the index file, by inputting 1 cert entry
  # per line in the following format:

# V    251201090544Z    0a    unknown    /C=US/ST=State/L=Locality/O=Sophos UTM/OU=LAN/CN=Cert Common Name/emailaddress=whatever@whichever.com
# 1    2----------->    4->   5----->    6--------------------------------------------------------------------------------------------------->

    # 1. V [Valid] R [Revoked] E [Expired]
    # 2. Expiration Date [Format: YYMMDDHHMMSS followed by "Z"]
    # 3. Revocation Date [(Empty if not revoked) Format: YYMMDDHHMMSSZ,reason]
    # 4. Serial # [0a is hex for 10]
    # 5. unknown [Certificate filename or literal string "unknown"]
    # 6. Distinguished Name

#--------------------------------------------------------------------
#####################################################################
                ##----- Key Usage -----##
#--------------------------------------------------------------------

#--- digitalSignature ---#
  # Certificates with this flag set can be used to apply a digital signature.
  # Digital signatures are often used for entity authentication and data
  # origin authentication with integrity.

#--- nonRepudiation ---#
  # Certificates with this flag set can be used to sign data as above but the
  # certificate public key may be used to provide non-repudiation services
  # preventing the signing entity from falsely denying some action.

#--- keyEncipherment ---#
  # Certificates with this flag set may be used by the subject to encrypt a
  # symmetric key which is then transferred to the target, decrypted, and
  # subsequently used to encrypt and decrypt data sent between the two entities.

#--- dataEncipherment ---#
  # Certificates with this flag set can be used by the subject to encrypt and
  # decrypt actual application data.

#--- keyAgreement ---#
  # Certificates with this flag set enable the subject to use a key agreement
  # protocol, such as Diffie-Hellman, to establish a symmetric key with a target
  # that may then be used to encrypt and decrypt data sent between the two entities

#--------------------------------------------------------------------
#####################################################################

 

[jgreco]

Great, thanks.
Being late to the party (Sophos) has its merits sometimes;)

Be warned that Sophos is deploying a new version of their software, so I wouldn't invest in the current hardware that's licensed for the current software unless you understand the implications.

Beware being early to the next party. ;-)

 

[zoomzoom]

Be warned that Sophos is deploying a new version of their software, so I wouldn't invest in the current hardware that's licensed for the current software unless you understand the implications.

Beware being early to the next party. ;-)

XG UTM looks awesome, however I was disappointed to learn many key features of UTM 9.3 won't be fully integrated until ~2017 (many of which are features most home users utilize on UTM 9.3). I was also disappointed by the endpoint security packaged with XG UTM, which, while more cohesive, forces the uninstall of any internet security product currently installed, whereas UTM 9.3's does not. This creates a major issue since most internet security packages are more than just an anti-virus, of which cannot be separated from the other IS programs [malware/HIPS, firewall, etc.]. While running two antivirus softwares can conflict with one another, provided you disable each from accessing the other's quarantine folder, they should operate fine alongside one another. I've noticed Endpoint packaged with UTM 9.3, while having HIPS, rarely seems to utilize it; whereas CIS 8 Pro has an extremely obtrusive HIPS implementation (which I prefer). Sophos endpoint, as well as XG's, also seems to lack efficiency algorithms, as configuring it the same way as I configure CIS 8 Pro results in a severe performance hit.

IIRC, XG endpoint also includes a firewall, however it's a pointless feature since it only allows the ability to either allow all traffic for a specific application, or deny all traffic. (Perhaps I'm in the minority, as I don't believe applications and services should have blanket access to both LAN and WAN on every port.)

 

[Rand]

Be warned that Sophos is deploying a new version of their software, so I wouldn't invest in the current hardware that's licensed for the current software unless you understand the implications.

Beware being early to the next party. ;-)

:)

Yes I have seen it, decided to hop on the old version for now. From what I have seen/read that one will at least get some further development (till 9.5 I read).

I actually bought some new hw for it just yesterday (i3-6100) based on recommendations that single thread performance is key (snort), but even if they manage to mitigate that issue I fully assume it will be sufficient for the next couple of years - and easily swapped out for a next-gen i5 if need be:) Its not server grade but i needed to stay within tax limits for the package (€400).

 

[TheDubiousDubber]

Anyone here have any experience configuring Plex Remote Access in Sophos? I had NAT and Firewall configured to allow the connection. It was working, and somewhere along the line it broke. I haven't made any changes other than updating the Sophos software. Maybe that is what broke it, but no idea how to fix.

 

[pirateghost]

Anyone here have any experience configuring Plex Remote Access in Sophos? I had NAT and Firewall configured to allow the connection. It was working, and somewhere along the line it broke. I haven't made any changes other than updating the Sophos software. Maybe that is what broke it, but no idea how to fix.

Open port in firewall, forward port in NAT. Done.

 

[zoomzoom]

Have you looked through the logs to see where it's being blocked?

Open up the Firewall and IPS logs (Web Filtering and Application Control logs as well if enabled), then have Plex attempt network usage. If the packets are being dropped/blocked by Sophos, you should see it in the logs. However, if you don't see any dropped/blocked packets, it's most likely a network config issue within Plex

 

[TheDubiousDubber]

It must be a Plex issue then. Nothing is being blocked. That would explain why its not working when it previously was, when I haven't made any changes to Sophos. Guess I'll try the Plex forums. Thanks.

 

[zoomzoom]

It must be a Plex issue then. Nothing is being blocked. That would explain why its not working when it previously was, when I haven't made any changes to Sophos. Guess I'll try the Plex forums. Thanks.

Did you attempt to have Plex use the network while the firewall log was open? There may be a way to view the entire log, but I'm not sure how, as opening the log only shows you entries starting from when you opened the log.

Also, if you have web filtering turned on, turn it off for troubleshooting purposes