Sophos Certified

Architect
AL30: UTM
Lab Workbook
April 2014
Version 9.2.65

AL30: UTM

Page 1 of 57

Sophos Certified Architect

2014 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos
and marks mentioned in this document may be the trademarks or registered trademarks of
Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is
at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.


Contents
Introduction  7
  Prerequisites  7
  Workbook conventions  7
  Lab environment  7
Lab 1: System configuration  11
  Objective  11
  Requirements  11
  Task 1  11
  Task 2  13
  Review  13
Lab 2: Uplink Balancing  15
  Objective  15
  Requirements  15
  Task  15
  Review  16
Lab 3: Multipath Rules  17
  Objective  17
  Requirements  17
  Task  17
  Review  18
Lab 4: Quality of Service  19
  Objective  19
  Requirements  19
  Task 1  19
  Task 2  19
  Task 3  20
  Review  20
Lab 5: Authentication  21
  Objective  21
  Requirements  21
  Task 1  21
  Task 2  22
  Review  22
Lab 6: Web protection  23
  Objective  23
  Requirements  23
  Note  23
  Task 1  23
  Task 2  24
  Task 3  24
  Task 4  25
  Review  27
Lab 7: Email protection  28
  Objective  28
  Requirements  28
  Task 1  28
  Task 2  29
  Task 3  29
  Task 4  31
  Review  32
Lab 8: Endpoint protection  33
  Objective  33
  Requirements  33
  Task 1  33
  Task 2  34
  Review  34
Lab 9: Wireless protection  35
  Objective  35
  Requirements  35
  Task 1  35
  Task 2  36
  Task 3  37
  Review  38
Lab 10: Webserver protection  39
  Objective  39
  Requirements  39
  Task 1  39
  Task 2  41
  Review  42
Lab 11: RED  43
  Objective  43
  Requirements  43
  Task  43
  Review  45
Lab 12: Site-to-site VPN  46
  Objective  46
  Requirements  46
  Task 1  46
  Task 2  47
  Task 3  48
  Review  49
Lab 13: Remote access  50
  Objective  50
  Requirements  50
  Task  50
  Review  51
Lab 14: Central management  52
  Objective  52
  Requirements  52
  Task 1  52
  Task 2  54
  Task 3  54
  Review  55
Lab 15: High availability  56
  Objective  56
  Requirements  56
  Task  56
  Review  57


Introduction
These labs accompany the Sophos Certified Architect UTM course and form the practical part of the
certification. You should complete each section of labs when directed to do so in the training.
Throughout the labs there is information to be written down; you will require this information to pass
the online assessment. We would recommend that you complete the course assessment while your lab
environment is still active so that it is available for reference.

Prerequisites
To be able to complete these labs in the time suggested you should have the following prerequisites.
Comprehensive knowledge of networking.
Experience in installing and replacing network gateways and firewalls in production environments.
Sophos Certified Engineer level knowledge of Sophos UTM.
The following optional prerequisite knowledge would be beneficial but is not required.
Experience using Linux command line tools.

Workbook conventions
This workbook uses the following conventions throughout.
At the start of each lab are the objectives of what you should learn and any requirements that must
have been completed prior to starting the lab.
Labs which cover larger topics are divided in to several tasks. Each task has a short description
followed by the steps that are required to complete the task.
Short labs are presented as a single task.
Throughout the guide the following styles are used:
Bold text: Computer names, applications,
Courier New font: Commands to be executed.
Underlined: Hyperlinks.

Lab environment
These labs are designed to be completed on the hosted CloudShare environment; if you are not using
CloudShare, for example if this course is being taught on a local environment, some details such as
hostnames and IP addresses may vary.
Your instructor will provide you with details of how to access the lab environment, and any localised
changes.


Environment overview
The environment used to complete these labs is comprised of multiple computers and networks. This
lab environment is based on the labs from the Certified Engineer course. Configuration created during
the labs for that course is maintained in this environment with the addition of two new virtual
machines; a second UTM gateway for the Lab Network and a Sophos UTM Manager.
Lab Server: This is the computer you connect to for the majority of the labs. It represents a
computer on an internal company network. In this lab environment it is also the Active Directory
server, mail server, web server and DNS server. Throughout this workbook this will be referred to as
LabServer.
Lab Network: This is the internal company network for your lab.
Secondary Link: This network provides a second Internet link.
Sophos UTM Manager: This is an unconfigured virtual Sophos UTM Manager on the Lab Network.
Throughout this workbook this will be referred to as SUM.
Lab Gateway 1: This is the default gateway for the Lab Network. It has the configuration created
during the Certified Engineer labs. Throughout this workbook this will be referred to as LabGateway1.
Lab Gateway 2: This is an unconfigured virtual UTM which is the gateway and firewall for the Lab
Network. Throughout this workbook this will be referred to as LabGateway2.
External Network: This network represents the Internet and provides access out to the real Internet.
The gateway on this network is 192.168.1.254.
Services: This server is the DNS server for the external domains used by the Lab Network and the
Acme Corp Network. It is connected to both the External Network and Secondary Link networks.
Throughout this workbook this will be referred to as Services.
Acme Corp Gateway: This is a virtual UTM which has the configuration created during the Certified
Engineer labs. Throughout this workbook this will be referred to as AcmeCorpGateway.
Acme Corp Network: This is the internal company network of another company, Acme Corp.
Acme Corp Server: This computer is the server for Acme Corp. It runs Active Directory, mail server,
web server and DNS. Throughout this workbook this will be referred to as AcmeCorpServer.


Network diagram


User accounts
The table below details the user accounts in the CloudShare lab environment.
Username      | Email                                | Scope and privileges
admin         | utm@lab.internal, utm@lab.external   | Lab Gateway 1: built-in admin account
administrator | administrator@lab.external           | Lab Domain: domain administrator
JohnSmith     | johnsmith@lab.external               | Lab Domain: domain user
JaneDoe       | janedoe@lab.external                 | Lab Domain: domain user
readonly      | n/a                                  | Lab Domain: domain user
admin         | utm@acme.internal, utm@acme.external | Acme Corp Gateway: built-in admin account
administrator | administrator@acme.external          | Acme Corp Domain: domain administrator
TomJones      | tomjones@acme.external               | Acme Corp Domain: domain user
All passwords are Sophos1985.


Lab 1: System configuration


Objective
Upon completion of this section you will be able to:
Complete the initial configuration of the UTM without using the setup wizard.
Create a DHCP server on the UTM.

Requirements
No prerequisites.

Task 1
Complete the initial configuration of LabGateway2 without using the setup wizard.
Steps
On LabServer:
1. Launch your browser and connect to the WebAdmin of LabGateway2 at https://172.16.1.151:4444.
2. Complete the Basic System Setup.
Hostname: lab-gw2.lab.external
Company or Organization Name: Sophos
City: Abingdon
Country: Great Britain
admin account password: Sophos1985
admin account email address: utm@lab.internal
3. Login to the WebAdmin of LabGateway2 as admin.
4. On the Welcome to Sophos UTM page, click Cancel.
5. Navigate to Interfaces & Routing | Interfaces and create and enable a New interface with the
following configuration:
Name: External (WAN)
Type: Ethernet static
Hardware: eth1
IPv4 Address: 192.168.1.151
Netmask: /24 (255.255.255.0)
Default GW IP: 192.168.1.254
6. Navigate to Network Services | DNS | Forwarders and create a new DNS Forwarder with the
following configuration:
Name: Lab DNS
Type: Host

IPv4 Address: 172.16.1.1


7. Deselect the option Use forwarders assigned by ISP.
8. Navigate to the Request Routing tab and create a New DNS Request Route with the following
configuration:
Domain: lab.internal
Target Services: Lab DNS
9. Navigate to Management | System Settings | Time and Date and configure the correct time, date
and time zone.
10. Remove all of the servers from the NTP Servers list and create a new NTP server with the following
configuration:
Name: Lab Active Directory
Type: Host
IPv4 Address: 172.16.1.1
11. Navigate to Management | Shutdown/Restart and select to Restart (Reboot) the system now.
12. Once LabGateway2 has rebooted, login to the WebAdmin as admin.
13. Navigate to Management | System Settings | Shell Access and Enable shell access.
14. Remove Any from the Allowed networks and add Internal (Network).
15. Set the passwords for the loginuser and root user to Sophos1985.
16. Navigate to Management | WebAdmin Settings | Advanced and set the WebAdmin idle timeout to
3600 seconds.
17. Select the HTTPS Certificate tab and import the WebAdmin CA Certificate.
18. Change the hostname of the WebAdmin in the Regenerate WebAdmin certificate section to the
internal hostname of LabGateway2 (gw2.lab.internal).
19. Close and re-launch your browser and connect to the WebAdmin of LabGateway2 using the internal
hostname gw2.lab.internal and login as admin.
20. Confirm that you no longer receive a certificate error in your browser.
21. Navigate to Support | Tools and test that LabGateway2 is able to ping 8.8.8.8.
22. Select the DNS Lookup tab and confirm that LabGateway2 can resolve the following hosts:
www.sophos.com
acme-gw.acme.external
23. Navigate to Network Protection | Firewall and create and enable a new rule to allow web browsing
with the configuration below:
Sources: Internal (Network)
Services: Web Surfing
Destinations: Any
24. Create and enable a new rule to allow DNS with the configuration below:
Sources: Internal (Network)
Services: DNS
Destinations: Any

25. Navigate to Network Protection | NAT and create and enable a new masquerading rule with the
configuration below:
Network: Internal (Network)
Interface: External (WAN)
Use address: << Primary address >>
26. Create a backup called Architect Lab 1 on LabGateway2 and download it to the desktop of
LabServer.

Task 2
Configure a DHCP server for the local Lab Network.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Network Services | DHCP and create and enable a new DHCP server for the Internal
network.
Interface: Internal
Range start: 172.16.1.1
Range end: 172.16.1.100
DNS Server 1: 172.16.1.101
DNS Server 2: 172.16.1.151
Default gateway: 172.16.1.101
Domain: lab.internal
Comment: Lab 1
3. Open a Command Prompt and run:
ipconfig /all

4. Write down the Physical Address for the interface with the IP address on the Lab Network:
__________________________________________________________________________________
5. In the LabGateway1 WebAdmin, navigate to Definitions & Users | Network Definitions and edit the
LabServer host definition by adding the MAC address to the DHCP Settings and selecting the
Internal [172.16.1.1-172.16.1.100] IPv4 DHCP server.
6. Reconfigure the interface that is connected to the Lab Network to get its network settings via DHCP.
7. In the LabGateway1 WebAdmin, navigate to Network Services | DHCP and launch and review the
DHCP Live Log.
8. Create a backup called Architect Lab 1 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully:

Completed the initial configuration of a UTM without using the setup wizard.
Created a DHCP server on a UTM.


Lab 2: Uplink Balancing


Objective
Upon completion of this section you will be able to configure uplink balancing with multiple active
interfaces and with standby interfaces.

Requirements
No prerequisites.

Task
Create a second external interface on LabGateway1 with a default gateway then configure uplink
balancing.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Interfaces & Routing | Interfaces and create and enable a second external interface
with the following configuration:
Name: Uplink 2
Type: Ethernet static
Hardware: eth2
IPv4 Address: 192.168.3.101
Netmask: /24 (255.255.255.0)
Default GW IP: 192.168.3.254
3. Enable Uplink Balancing when prompted.
4. Select the Uplink balancing tab and configure the Uplink 2 interface to be a standby interface.
5. Select the Interfaces tab and confirm that Uplink 2 is now enabled but Down.
6. Navigate to the Uplink balancing tab and disable Automatic Monitoring.
7. Add a new monitoring host with the following configuration:
Name: Services WAN network
Type: Host
IPv4 Address: 192.168.1.1
8. Add a new monitoring host with the following configuration:
Name: Services Secondary Link network
Type: Host
IPv4 Address: 192.168.3.1
9. Edit the monitoring settings to use the configuration below:
Monitoring type: HTTP Host

URL: /
Interval: 15
Timeout: 5
10. Navigate to the Dashboard and confirm that External (WAN) is Up and Uplink 2 is Down and in
Standby.
11. Launch Remote Desktop and connect to Services at 192.168.1.1 and login as the administrator.
12. Browse to Control Panel | Network and Internet | Network and Sharing Center | Change adapter
settings.
13. Right-click on Ethernet and click Disable then close the Remote Desktop window.
14. In the WebAdmin on LabGateway1, confirm that both External (WAN) and Uplink 2 are Up but that
External (WAN) has a link error.
15. Launch Remote Desktop and connect to Services at 192.168.3.1 and login as the administrator.
16. Right-click on Ethernet and click Enable then close the Remote Desktop window.
17. In the WebAdmin on LabGateway1, navigate to Interfaces & Routing | Interfaces and select the
Uplink balancing tab.
18. Enable Automatic monitoring and configure Uplink 2 to be an Active Interface.
19. On the Dashboard confirm that all interfaces are Up and there are no errors.
20. Create a backup called Architect Lab 2 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully configured uplink balancing with multiple active interfaces and with standby
interfaces.


Lab 3: Multipath Rules


Objective
Upon completion of this section you will be able to:
Create interface groups for routing.
Create multipath rules to route different services using interface groups.
Use tcpdump to confirm your multipath rules are working correctly.

Requirements
All instructions in Lab 2 must be completed successfully.

Task
Configure multipath rules on LabGateway1 which will route HTTP and FTP traffic out via different
interfaces.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Network Protection | Firewall and add FTP to the Services in the Web Surfing firewall
rule.
3. Navigate to Interfaces & Routing | Interfaces | Multipath Rules and create and enable a new
multipath rule with the following configuration:
Name: Use Uplink 2 for HTTP
Source: Internal (Network)
Service: HTTP
Destination: Any
Itf. Persistence: by Connection
Balanced to: create a new interface group with the following configuration:
o Name: Uplink group 2
o Interfaces: Uplink 2
4. Launch Putty and connect to LabGateway1 using SSH.
5. Login as loginuser then change to the root user using the command:
su

6. Use tcpdump to monitor HTTP traffic on Uplink 2 using the command:
tcpdump -i eth2 -n port 80

7. Access the following URLs in your browser on LabServer and confirm that you can see that traffic in
tcpdump:
192.168.3.1

www.sophos.com
8. In the WebAdmin on LabGateway1 add and enable a new multipath rule with the following
configuration:
Name: Use Uplink 1 for FTP
Source: Internal (Network)
Service: FTP
Destination: Any
Itf. Persistence: by Connection
Balanced to: create a new interface group with the following configuration:
o Name: Uplink group 1
o Interfaces: External (WAN)
9. In your SSH session to LabGateway1, use tcpdump to monitor the FTP traffic on External (WAN)
using the command:
tcpdump -i eth1 -n port 21

10. Launch FileZilla and connect to the following URLs:
ftp.astaro.com
11. Confirm that you can see that traffic in tcpdump.
12. In the WebAdmin on LabGateway1, reverse the rules so that HTTP is now balanced to Uplink group
1 and FTP is balanced to Uplink group 2. Test your configuration using tcpdump.
13. Disable your multipath rules.
14. In the Uplink balancing tab, remove Uplink 2 from the Active interfaces and add it to the Standby
interfaces.
15. Create a backup called Architect Lab 3 on LabGateway1 and download it to the desktop of
LabServer.
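To make the behaviour configured in Lab 2 (HTTP Host monitoring with active and standby uplinks) and Lab 3 (multipath rules pinning HTTP and FTP to interface groups, with persistence by connection) concrete, here is an added model of both mechanisms. It is illustrative code written for this workbook, not Sophos UTM code; the names Uplink, MultipathRule, Router, FAIL_THRESHOLD, the probe callback and the 172.16.1.0/24 mask for Internal (Network) are assumptions.

```python
# Illustrative model (not Sophos UTM code) of uplink monitoring with
# active/standby interfaces (Lab 2) and multipath rules with interface
# groups and per-connection persistence (Lab 3). Class and constant names
# are assumptions made for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

TIMEOUT_S = 5        # lab setting: Timeout 5 (seconds per HTTP probe)
INTERVAL_S = 15      # lab setting: Interval 15 (seconds between polling cycles)
FAIL_THRESHOLD = 3   # assumption: consecutive failed probes before marking an uplink Down

# probe(host, timeout) -> True when "GET /" on the monitoring host answers in time.
Probe = Callable[[str, int], bool]


@dataclass
class Uplink:
    name: str            # interface name as shown in WebAdmin, e.g. "External (WAN)"
    hardware: str        # e.g. "eth1"
    monitor_host: str    # monitoring host from the Uplink balancing tab
    standby: bool = False
    up: bool = True
    failures: int = 0


def poll(uplinks: List[Uplink], probe: Probe) -> None:
    """One monitoring cycle: probe every uplink's monitoring host."""
    for u in uplinks:
        if probe(u.monitor_host, TIMEOUT_S):
            u.failures, u.up = 0, True
        else:
            u.failures += 1
            if u.failures >= FAIL_THRESHOLD:
                u.up = False


def available(uplinks: List[Uplink]) -> List[Uplink]:
    """Active uplinks that are Up; standby uplinks only when no active uplink is Up."""
    active = [u for u in uplinks if not u.standby and u.up]
    return active or [u for u in uplinks if u.standby and u.up]


@dataclass
class MultipathRule:
    name: str
    source: str          # network definition as CIDR (assumed /24 for Internal (Network))
    service_port: int    # TCP destination port of the service (HTTP=80, FTP=21)
    group: List[str]     # interface names in the interface group ("Balanced to")


class Router:
    def __init__(self, rules: List[MultipathRule], uplinks: List[Uplink]):
        self.rules = rules
        self.uplinks = uplinks
        self.conn_table: Dict[str, str] = {}   # Itf. Persistence: by Connection

    def egress(self, conn_id: str, src_ip: str, dst_port: int) -> Optional[str]:
        """Return the egress interface name for a packet, or None if no uplink is Up."""
        avail = [u.name for u in available(self.uplinks)]
        if not avail:
            return None
        # Persistence keeps a connection on its interface while that link is usable.
        sticky = self.conn_table.get(conn_id)
        if sticky in avail:
            return sticky
        chosen = None
        for r in self.rules:   # first matching rule wins, following the rule list order
            if ip_address(src_ip) in ip_network(r.source) and r.service_port == dst_port:
                in_group = [n for n in r.group if n in avail]
                if in_group:
                    chosen = in_group[0]
                    break
        if chosen is None:
            # Assumption: with no usable rule/group the packet falls back to plain
            # uplink balancing; a real balancer spreads load, this model takes the
            # first Up uplink so results are deterministic.
            chosen = avail[0]
        self.conn_table[conn_id] = chosen
        return chosen


def lab_setup(uplink2_standby: bool = False) -> Router:
    """Interfaces and multipath rules as configured in Labs 2 and 3."""
    uplinks = [
        Uplink("External (WAN)", "eth1", "192.168.1.1"),
        Uplink("Uplink 2", "eth2", "192.168.3.1", standby=uplink2_standby),
    ]
    rules = [
        MultipathRule("Use Uplink 2 for HTTP", "172.16.1.0/24", 80, ["Uplink 2"]),
        MultipathRule("Use Uplink 1 for FTP", "172.16.1.0/24", 21, ["External (WAN)"]),
    ]
    return Router(rules, uplinks)


if __name__ == "__main__":
    r = lab_setup()
    print("HTTP via", r.egress("c1", "172.16.1.1", 80))
    print("FTP via", r.egress("c2", "172.16.1.1", 21))
```

Running the script with Uplink 2 active reproduces what tcpdump shows in steps 6 to 11; setting uplink2_standby=True shows why a standby interface carries no HTTP traffic until External (WAN) is Down.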

Review
You have now successfully:
Created interface groups for routing.
Created multipath rules to route different services using interface groups.
Used tcpdump to confirm your multipath rules are working correctly.


Lab 4: Quality of Service


Objective
Upon completion of this section you will be able to:
Limit bandwidth for an interface.
Shape traffic based on an application.
Throttle traffic based on a protocol.

Requirements
No prerequisites.

Task 1
Enable quality of service on LabGateway1 and define a bandwidth limit on an interface.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Interfaces & Routing | Quality of Service (QoS) and enable quality of service for all
interfaces.
3. Edit the Internal interface and limit the download bandwidth to 100 kbit/s.
4. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and edit the Default content
filter action.
5. Remove .exe from Blocked file extensions.
6. Verify that the bandwidth limit is not being exceeded when downloading the file:
http://global.services.external/Thunderbird%20Setup%2017.0.5.exe

Task 2
Use the Flow Monitor to create a rule that will shape the traffic for Facebook.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Application Control and open the Flow Monitor on the eth1
interface.
3. Browse to http://www.facebook.com.
4. In the Flow Monitor shape the traffic for Facebook to 10 kbit/s and limit to 20 kbit/s.
5. In the WebAdmin, navigate to Interfaces & Routing | Quality of Service (QoS) and review the
Traffic Selector and Bandwidth Pool that have been created.

6. Write down the name of the Traffic Selector that has been created:
__________________________________________________________________________________

Task 3
Use the Flow Monitor to create a rule that will throttle all HTTP traffic.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Application Control and open the Flow Monitor on the eth1
interface.
3. Browse to http://www.sophos.com.
4. In the Flow Monitor throttle the traffic for HTTP to 25 kbit/s for each source.
5. In the WebAdmin, navigate to Interfaces & Routing | Quality of Service (QoS) and review the
Traffic Selector and Download Throttling that have been created.
6. Disable the Download Throttling rule and Bandwidth Pool.
7. Disable quality of service on all interfaces.
8. Create a backup called Architect Lab 4 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully:
Limited the bandwidth for an interface.
Shaped traffic based on an application.
Throttled traffic based on a protocol.


Lab 5: Authentication
Objective
Upon completion of this section you will be able to configure:
The Sophos Authentication Agent.
One-time passwords.

Requirements
No prerequisites.

Task 1
Configure and test the Sophos Authentication Agent.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Definitions & Users | Authentication Services.
3. Select all options in the Automatic user creation for facilities section.
4. Navigate to Definitions & Users | Client Authentication and enable client authentication with the
following configuration:
Allowed networks: Internal (Network)
Allowed Users and Groups: Active Directory Users.
5. In the Client Authentication program section, download the EXE version and install it on LabServer.
6. Use Putty on LabServer to login to LabGateway1 as the loginuser then change to the root user using
the command:
su -
7. Follow the aua.log and endpoint.log files using the commands:
cd /var/log
tail -f aua.log endpoint.log

8. Launch the client authentication program and test it with the Active Directory user JaneDoe.
Note: do not save the password.
9. Confirm that the user JaneDoe has been created on the UTM following successful authentication.
10. Close the Sophos Authentication Agent.
11. Write down the following information from the entries written to the aua.log and endpoint.log
when you authenticated as JaneDoe:
aua.log: user, caller and engine
____________________________________________________________________________


endpoint.log: the name of the process that wrote to the log


____________________________________________________________________________

Task 2
Configure and test one-time passwords for the User Portal.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Definitions & Users | Authentication Services | One-time password and enable one-time passwords.
3. Connect to the User Portal on LabGateway1 at https://gw1.lab.internal and login as johnsmith.
4. Click Proceed with login.
5. In the WebAdmin refresh the one-time passwords page.
6. Edit the token for johnsmith and create additional codes.
7. Write down one of the additional codes:
_________________________________________________
8. Login to the User Portal as johnsmith using the additional token code you wrote down.
9. Go to the OTP Token tab and view the token information.
10. Write down the encoding types your secret is displayed in:
__________________________________________________________________________________
__________________________________________________________________________________
11. In the WebAdmin, disable one-time passwords.
12. Create a backup called Architect Lab 5 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully configured:
The Sophos Authentication Agent.
One-time passwords.


Lab 6: Web protection


Objective
Upon completion of this section you will be able to configure:
Automatic proxy configuration via DHCP.
File type blocking using MIME types.
Full HTTPS decrypt and scan.
Multiple profiles for different modes of authentication.

Requirements
All instructions in Lab 1 must be completed successfully.

Note
Use Internet Explorer for testing your configuration in this lab. Proxy auto-configuration via DHCP is
unreliable in other browsers.

Task 1
Configure a proxy auto-configuration script.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Filtering Options | Misc and create and enable a proxy auto-configuration
script on the UTM which returns DIRECT for the lab.internal network and returns LabGateway1 as the
proxy for all other sites. Example:
function FindProxyForURL(url, host)
{
    // Local URLs from the domain lab.internal
    // don't need a proxy
    if (shExpMatch(host, "*.lab.internal"))
    {
        return "DIRECT";
    }
    // URLs within this network are local and don't
    // need a proxy
    if (isInNet(host, "172.16.1.0", "255.255.255.0"))
    {
        return "DIRECT";
    }
    // All other requests go through
    // port 8080 of gw1.lab.internal;
    // should that fail to respond, try to go direct
    return "PROXY gw1.lab.internal:8080; DIRECT";
}

3. Navigate to Network Services | DHCP and edit your DHCP server by enabling the option Enable
HTTP Proxy Auto Configuration.
4. Navigate to Network Protection | Firewall and remove Web Surfing from the Web Surfing and
WebAdmin firewall rule.
5. Release and renew your IP address on LabServer. This can be done using the command:
ipconfig /release && ipconfig /renew

6. Open Internet Explorer and confirm that:
You are able to access http://www.sophos.com.
http://www.games.com is blocked.

Task 2
Configure and test blocking files using MIME-type blocking.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and edit the Default content
filter action.
3. Configure the filter action to warn for downloading of ZIP files based on MIME type.
4. Write down the MIME type for ZIP files: _________________________________________________
5. Try to download the test file from Services: http://192.168.1.1/zip.test

Task 3
Configure and enable Full decrypt and scan HTTPS scanning in the web filter.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Filtering Options | HTTPS CAs and Upload a new signing CA from the
file c:\certs\lab-LAB-SERVER-CA.p12 with the password Sophos1985.
3. Navigate to Web Protection | Web Filtering and select Decrypt and scan for HTTPS (SSL) traffic.
4. Confirm that you do not get a certificate error when you access: https://www.google.co.uk
5. View the details of the SSL certificate.


6. Write down the signing certificate authority for the certificate your browser received when you
accessed https://www.google.co.uk: ____________________________________________________

Task 4
Configure multiple web filtering profiles for different connection and authentication methods.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Definitions & Users | Users & Groups | Groups and add a new group with the following
configuration:
Group name: Contractors
Group type: Backend membership
Backend: Active Directory
Limit to backend group(s) membership: selected
Active Directory Groups: Contractors
3. Add a new group with the following configuration:
Group name: Domain Admins
Group type: Backend membership
Backend: Active Directory
Limit to backend group(s) membership: selected
Active Directory Groups: Domain Admins
4. Navigate to Web Protection | Filtering Options | Categories and create a New filter category with
the following configuration:
Name: Business
Included Sub-Categories: Business.
5. Remove the Business sub-category from the Community / Education / Religion filter category.
6. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and create a new filter action
with the following configuration:
Name: Contractors
Block all content, except as specified below
Category:
o IT: Allow
o Business: Allow
7. Navigate to Web Protection | Web Filtering Profiles and create a new profile with the following
configuration:
Name: Standard mode with AD SSO authentication.
Allowed networks: Internal (Network)
Operation mode: Standard


Default Authentication: Active Directory SSO
HTTPS (SSL) traffic: Decrypt and scan.
8. In Web Protection | Web Filtering Profiles create a new profile with the following configuration:
Name: Transparent mode with Browser authentication.
Allowed networks: Internal (Network)
Operation mode: Transparent
Default Authentication: Browser
HTTPS (SSL) traffic: Decrypt and scan.
Policies: create and enable two new policies as below.
o Policy 1:
Name: Contractors
Users/Groups: Contractors
Filter Action: Contractors
o Policy 2:
Name: Domain Admins
Users/Groups: Domain Admins
Filter Action: Default content filter action
o Base Policy:
Filter Action: Default content filter block action
9. Arrange the profiles with the Standard mode with AD SSO authentication at the top and
Transparent mode with Browser authentication beneath it.
10. Open the Web Filtering Live Log and review it while you follow the steps below to test your
configuration.
11. Configure the browser proxy settings as below:
Proxy server: none
Automatic proxy script: none
Automatically detect settings: no
12. In your browser try to connect to http://www.sophos.com and authenticate as ContractorBob.
Note: be sure not to close the window with the logout button.
13. Confirm that you are unable to access http://www.bbc.co.uk.
14. Logout of the browser authentication as ContractorBob.
15. In your browser try to connect to http://www.sophos.com and authenticate as Administrator.
Note: be sure not to close the window with the logout button.
16. Confirm that you are able to access http://www.bbc.co.uk.
17. Logout of the browser authentication as Administrator.
18. Change your browser settings to explicitly use the proxy server on port 8080.


19. Browse to both http://www.sophos.com and http://www.bbc.co.uk and confirm you can access
them without authenticating.
20. Configure the browser proxy settings as below:
Proxy server: none
Automatic proxy script: none
Automatically detect settings: no
21. Navigate to Web Protection | Web Filtering Profiles and disable the Standard mode with AD SSO
authentication and Transparent mode with Browser authentication profiles.
22. Navigate to Web Protection | Web Filtering and configure the proxy settings as below:
Operation mode: Transparent mode
Default Authentication: None
HTTPS (SSL) traffic: URL filtering only
23. Create a backup called Architect Lab 6 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully configured:

Automatic proxy configuration via DHCP.
File type blocking using MIME types.
Full HTTPS decrypt and scan.
Multiple profiles for different modes of authentication.


Lab 7: Email protection


Objective
Upon completion of this section you will be able to configure:

End user sender blacklists through the User Portal and WebAdmin.
SMTP profiles for additional domains which override elements of the default SMTP configuration.
Email encryption using OpenPGP.
Email encryption using S/MIME.

Requirements
No prerequisites.

Task 1
Block an email using the per user sender blacklists in the User Portal.
Steps
On LabServer:
1. Connect to the User Portal on LabGateway1 and login as administrator.
2. On the Sender Blacklist tab add *utm@acme.external to the Sender Blacklist.
Note: ensure that you include the * as this is required for the email address to match with BATV
enabled.
On AcmeCorpServer:
3. Launch Thunderbird and send a test email from utm@acme.external to
administrator@lab.external.
On LabServer:
4. Login to the User Portal of LabGateway1 as administrator.
5. Select the Mail Log tab and review the entry for the test email.
6. Select the Mail Quarantine tab and write down why the test email was quarantined from the
Reason column:
__________________________________________________________________________________
7. First view, then release the email and confirm that you received it.
8. In the LabGateway1 WebAdmin, navigate to Definitions & Users | Users & Groups.
9. Edit the Administrator user and view the Sender Blacklist.
10. Add *@services.external to the Sender Blacklist.


Task 2
Configure an additional SMTP profile for a different email domain.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Email Protection | SMTP and change the SMTP proxy to Profile mode.
3. Navigate to Email Protection | SMTP Profiles and add and enable a new SMTP Profile with the
following configuration:
Profile Name: sophos.external domain
Domains: sophos.external
Blocked Expressions: Use individual settings defined below
Blocked Expressions: create a regular expression to match a string of 16 numbers which
may optionally have a space between each block of 4 digits similar to a credit card
number. E.g., \b([0-9]{4}\s?){4}\b
On AcmeCorpServer:
4. Launch Thunderbird and send an email from administrator to administrator@sophos.external
containing the string 1234 5678 9012 3456.
5. Review the SMTP Live Log and write down the reason it was quarantined:
__________________________________________________________________________________
On LabServer:
6. Connect to the WebAdmin of LabGateway1.
7. Launch the Mail Manager and release the email from the quarantine.
8. Identify the message ID for the email from the SMTP Log in the Mail Manager.
9. Launch Putty and connect to LabGateway1 via SSH.
10. Login as the loginuser then change to the root user using the command:
su -
11. Change to the log directory using the command:
cd /var/log
12. Search smtp.log for entries containing the message ID using the following command:
grep xxxxxxxxxxxxxxxx smtp.log
Note: where xxxxxxxxxxxxxxxx is replaced with the message ID you identified in step 8.
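To see what the blocked expression from step 3 actually matches before relying on it, here is an added Python check (not part of the workbook or of the UTM) that runs the same pattern over constructed sample messages and adds a Luhn check-digit test, which the UTM expression does not perform, to separate real card numbers from any 16-digit string. It assumes Python's re module treats \b and \s the same way as the UTM's expression engine for this pattern.

```python
import re

# The blocked expression from Task 2, step 3: four groups of four digits,
# each group optionally followed by a single whitespace character.
CARD_PATTERN = re.compile(r"\b([0-9]{4}\s?){4}\b")


def find_card_like_numbers(body):
    """Return the 16-digit strings in `body` that the blocked expression hits.

    The optional whitespace after each group is greedy, so the raw match can
    end with a space (the final word boundary is then satisfied by the word
    that follows); the digits are normalised before being returned.
    """
    return [re.sub(r"\s", "", m.group(0)) for m in CARD_PATTERN.finditer(body)]


def luhn_ok(digits):
    """Luhn check-digit validation. Not part of the workbook's expression;
    added here to show how to separate real card numbers from arbitrary
    16-digit strings that the expression also matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(body):
    """Report what the UTM would do (quarantine on any match) and which of
    the matches also pass the Luhn test."""
    hits = find_card_like_numbers(body)
    return {
        "quarantine": bool(hits),      # the UTM needs only one hit
        "matches": hits,
        "luhn_valid": [h for h in hits if luhn_ok(h)],
    }


# Constructed sample message bodies (not from the workbook). 4111111111111111
# is the widely used Visa test number; the other numbers are arbitrary.
SAMPLES = {
    "lab_test": "Please charge 1234 5678 9012 3456 to my account.",
    "no_spaces": "card 4111111111111111 expires 12/25",
    "too_short": "ref 1234 5678 9012",
    "too_long": "tracking id 12345678901234567890",
    "mixed_spacing": "PAN 4111 11111111 1111 on file",
}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, classify(body))
```

Note that the expression also accepts uneven spacing such as "4111 11111111 1111" and rejects a 20-digit tracking number, while the workbook's own test string 1234 5678 9012 3456 is quarantined even though it fails Luhn.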

Task 3
Configure and test email encryption between two UTMs using OpenPGP.


Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Email Protection | Encryption and enable email encryption.
3. On the Internal Users tab create a New email encryption user with the following configuration:
Email Address: administrator@lab.external
Full Name: Administrator (Lab)
4. Download the OpenPGP public key.
5. Launch Thunderbird and email the OpenPGP public key to administrator@acme.external.
On AcmeCorpServer:
6. Login to the WebAdmin of AcmeCorpGateway as admin.
7. Navigate to Email Protection | Encryption and enable email encryption.
8. On the Internal Users tab create a New email encryption user with the following configuration:
Email Address: administrator@acme.external
Full Name: Administrator (Acme)
9. Download the OpenPGP public key.
10. Launch Thunderbird and email the OpenPGP public key to administrator@lab.external.
11. In the AcmeCorpGateway Webadmin, select the OpenPGP Public Keys tab.
12. Use the New public OpenPGP key(s) option to import the key from administrator@lab.external.
On LabServer:
12. Connect to the LabGateway1 WebAdmin.
13. Select the OpenPGP Public Keys tab.
14. Use the New public OpenPGP key(s) option to import the key from administrator@acme.external.
15. Launch Thunderbird and send an email to administrator@acme.external.
On AcmeCorpServer:
16. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in
the subject line.
17. Write down the subject line tag:
__________________________________________________________________________________
18. Send an email to administrator@lab.external.
On LabServer:
19. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in
the subject line.


Task 4
Configure and test email encryption between two servers using S/MIME.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Email Protection | Encryption and download the S/MIME CA Certificate.
3. On the Internal Users tab create a New email encryption user with the following configuration:
Email Address: johnsmith@lab.external
Full Name: John Smith (Lab)
4. Launch Thunderbird and email the S/MIME certificate from johnsmith@lab.external to
tomjones@acme.external.
On AcmeCorpServer:
5. Login to the WebAdmin of AcmeCorpGateway as admin.
6. Navigate to Email Protection | Encryption and download the S/MIME CA Certificate.
7. On the Internal Users tab create a New email encryption user with the following configuration:
Email Address: tomjones@acme.external
Full Name: Tom Jones (Acme)
8. Launch Thunderbird and email the S/MIME certificate from tomjones@acme.external to
johnsmith@lab.external.
9. Save the S/MIME certificate from John Smith as lab-smime.pem.
10. In the AcmeCorpGateway WebAdmin, select the S/MIME Authorities tab and upload the lab-smime.pem certificate.
On LabServer:
11. Save the S/MIME certificate from Tom Jones as acme-smime.pem.
12. In the LabGateway1 WebAdmin, select the S/MIME Authorities tab and upload the acme-smime.pem certificate.
13. In Thunderbird send an email from johnsmith@lab.external to tomjones@acme.external.
On AcmeCorpServer:
14. Confirm you received the email and that it was signed by the tag in the subject line.
15. Write down the subject line tag:
__________________________________________________________________________________
16. In the AcmeCorpGateway WebAdmin, select the S/MIME Certificates tab and confirm that John
Smith's certificate has been extracted.
17. Send an email to johnsmith@lab.external.


On LabServer:
18. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in
the subject line.
19. Write down the subject line tag:
__________________________________________________________________________________
20. In the LabGateway1 WebAdmin, select the S/MIME Certificates tab and confirm that Tom Jones'
certificate has been extracted.
21. Create a backup called Architect Lab 7 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully configured:

End user sender blacklists through the User Portal and WebAdmin.
SMTP profiles for additional domains which override elements of the default SMTP configuration.
Email encryption using OpenPGP.
Email encryption using S/MIME.


Lab 8: Endpoint protection


Objective
Upon completion of this section you will:
Know where to look to monitor communication between an endpoint and UTM via LiveConnect.
Be able to configure antivirus exclusions.

Requirements
No prerequisites.

Task 1
Explore the logging of communication between the endpoint and UTM via LiveConnect.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Management | System Settings | Reset Configuration and click Reset UTM ID.
3. Navigate to Endpoint Protection | Computer Management.
4. Enable Endpoint Protection and click Activate Endpoint Protection.
5. Select the Advanced tab.
6. In the Tamper Protection section set the password to Sophos1985 and click Apply.
7. Select the Deploy Agent tab.
8. Click Download Endpoint Installation Package Now.
9. Once it has downloaded run the installer.
10. On the Welcome to the Sophos Endpoint Security and Control Installer screen click Next.
11. On the Remove third-party security software screen click Install.
12. On the Install is complete screen click Finish.
13. In the WebAdmin navigate to Endpoint Protection.
14. Confirm that the LabServer is registered and online.
15. Browse to:
C:\ProgramData\Sophos\Management Communications System\Endpoint\Config
16. Write down what configuration is included in the config.xml by default:
__________________________________________________________________________________
17. Browse to:
C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist
18. Open the EndpointIdentity.txt file then keep this file open while you do the following steps.
19. Launch Sophos Endpoint Security and Control and authenticate with Tamper Protection.
20. Login to the WebAdmin of LabGateway1 as admin.
21. Navigate to Endpoint Protection, launch the Live Log.


22. Locate the log entry for where you authenticated against Tamper Protection.
23. Compare the mcs_id field to the contents of the EndpointIdentity.txt.

Task 2
Configure and test the antivirus exclusion.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Endpoint Protection | Antivirus | Exceptions and create a scanning exclusion for
Eicar.com and apply it to the Default group.
3. Wait for a minute to allow the policy to be applied on LabServer.
4. Launch your web browser and connect to http://www.sophos.com/en-us/press-office/press-releases/2003/01/eicar.aspx.
5. Open Notepad.
6. Copy the following text from the Sophos Eicar article and paste it in Notepad:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

7. Save the file as Eicar.com.
Note: ensure you save it without the *.txt extension.
8. Try to execute the file. This will not cause an anti-virus alert.
Note: the file will not run correctly as it is a DOS application.
9. Create a backup called Architect Lab 8 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully:
Monitored the communication between an endpoint and UTM via LiveConnect.
Configured antivirus exclusions.


Lab 9: Wireless protection


Objective
Upon completion of this section you will be able to:
Configure multiple wireless networks for different users.
Connect and configure a wireless access point.
Create a hotspot.

Requirements
No prerequisites.

Task 1
Enable wireless protection and, without using the wizard, manually configure two wireless networks:
One for guest access using a separate zone.
One for lab access bridged to the access point network.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Wireless Protection | Global Settings.
3. Enable wireless protection using the following configuration:
Skip automatic configuration: Selected
Allowed interfaces: Internal
4. Navigate to Wireless Protection | Wireless Networks and create a wireless network with the
following configuration:
Network name: Guest
Network SSID: Guest
Encryption Mode: WPA2 Personal
Passphrase PSK: Sophos1985
Client traffic: Separate Zone
Client isolation: Enabled
5. Navigate to Interfaces & Routing | Interfaces and add and enable a new interface for the Guest
wireless network with the following configuration:
Name: Guest WiFi
Type: Ethernet Static
Hardware: wlan0
IPv4 Address: 172.16.21.1

Netmask: /24 (255.255.255.0)
6. Navigate to Network Services | DHCP and create a new DHCP server for the wireless network with
the following configuration:
Interface: Guest WiFi
Range start: 172.16.21.1
Range end: 172.16.21.254
DNS Server 1: 172.16.21.1
Default gateway: 172.16.21.1
7. Navigate to Network Services | DNS and add the Guest wireless network to the Allowed Networks.
8. Navigate to Network Protection | NAT and create and enable a new masquerading rule for the
Guest wireless network with the following configuration:
Network: Guest WiFi (Network)
Interface: Uplink Interfaces
Use address: << Primary address >>
9. Navigate to Network Protection | Firewall and create and enable a new firewall rule that allows
web browsing from the wireless network to the Internet with the following configuration:
Sources: Guest WiFi (Network)
Services: Web Surfing
Destinations: Internet IPv4
10. Navigate to Wireless Protection | Wireless Networks and create a wireless network with the following
configuration:
Network name: Lab
Network SSID: Lab
Encryption Mode: WPA2 Personal
Passphrase PSK: Sophos1985
Client traffic: Bridge to AP LAN
Client isolation: Enabled

Task 2
Connect a Sophos wireless access point to LabGateway1.
Steps
On LabServer:
1. Launch Putty and connect to LabGateway1 using SSH.
2. Login as the loginuser then change to root using the following command:
su -
3. As the root user run the following command:
./clienttest.pl --minc=5 --maxc=10 server=172.16.1.101

4. In the WebAdmin of LabGateway1, navigate to Wireless Protection | Access Points.



5. Click Accept for the access point and use the following configuration in the Edit Access Point dialog:
Label: Lab9
Group: << New group >>
Name: Training
6. Select the Grouping tab.
7. Edit the Training group and select Guest and Lab wireless networks.
8. In Putty run the clienttest.pl command again on LabGateway1.
Note: leave the SSH session open for the duration of the lab.
9. In the WebAdmin of LabGateway1, confirm that the access point is now active.
Note: this may take a couple of minutes.
10. Navigate to Wireless Protection | Wireless Clients and view the clients connected.
11. Navigate to Wireless Protection | Access Points and select the Grouping tab.
12. Create a new group with the following configuration:
Name: Lab only
Wireless networks: Lab
13. On the Overview tab edit the access point and change it from the Training group to the Lab only group.

Task 3
Configure and test a voucher based hotspot.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Wireless Protection | Hotspots and enable it.
3. Select the Voucher Definitions tab and create a new voucher with the following configuration:
Name: Lab
Validity period: 5 Days
Data volume: 20 MB.
4. Select the Advanced tab and add Internal (Address) to the Allowed hosts/networks in the Walled
Garden section.
5. Select the Hotspot tab and create a new hotspot with the following configuration:
Name: Public
Interfaces: Internal
Hotspot type: Voucher
Voucher Definitions: Lab
6. Login to the User Portal of LabGateway1 as admin and create a Lab voucher.
7. Write down the voucher code:
_________________________________________________________________________________
8. Try to browse to http://www.sophos.com.
9. Enter the voucher code when prompted.
10. Write down the voucher information displayed:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
11. Browse the Sophos website then refresh the hotspot portal page; note that the used Data volume
has increased.
12. Write down the Status of the voucher in the User Portal of LabGateway1:
__________________________________________________________________________________
13. Login to the WebAdmin of LabGateway1 as admin.
14. Navigate to Wireless Protection | Hotspots and open the live log.
15. Write down the portal and user fields from your session.
__________________________________________________________________________________
__________________________________________________________________________________
16. Disable Hotspots on LabGateway1.
17. Create a backup called Architect Lab 9 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully:
Configured multiple wireless networks for different users.
Connected and configured a wireless access point.
Created a hotspot.


Lab 10: Webserver protection


Objective
Upon completion of this section you will be able to configure webserver protection for both HTTP and
HTTPS webservers and implement reverse authentication.

Requirements
No prerequisites.

Task 1
Configure a reverse proxy for HTTP and HTTPS webservers with a custom firewall profile.
Steps
On LabServer:
1. Open a Command Prompt and use OpenSSL to generate a server key:
openssl genrsa -out server.key
2. Create a server certificate signing request for the external hostname of LabGateway1
(lab-gw1.lab.external), entering the following details when prompted:
openssl req -new -key server.key -out server.csr
Country Name: GB
State or Province Name: Oxfordshire
Locality Name: Abingdon
Organization Name: Sophos
Organizational Unit: Training
Common Name: lab-gw1.lab.external
Email Address: utm@lab.external
A challenge password: leave blank
An optional company name: leave blank
3. Connect to the certificate authority on Services: https://global.services.external/certsrv/en-us.
4. Download the CA certificate in Base 64 encoded format to
C:\Users\Administrator\ca_certificate.cer.
5. Request a certificate using advanced certificate request.
6. Paste in the certificate signing request that you created then download the certificate in Base 64
encoded format to C:\Users\Administrator\certificate.cer.
7. Use OpenSSL to create a PKCS#12 file from the server key, certificate and CA certificate:
openssl pkcs12 -export -out lab.p12 -inkey server.key -in certificate.cer -certfile ca_certificate.cer

8. Login to the WebAdmin of LabGateway1 as admin.


9. Navigate to Webserver Protection | Certificate Management and create a new certificate with the
following configuration:
Name: lab-gw1 external
Method: Upload
File type: PKCS#12 (Cert+CA)
File: the lab.p12 you created in step 7
Password: the password you set in step 7
10. Navigate to Webserver Protection | Web Application Firewall | Firewall Profiles and create a New
Firewall Profile called Lab with the following features enabled:
Mode: Reject
Common Threats Filter
Cookie signing
Form hardening
Antivirus scanning
Mode: Single Scan
Direction: Uploads and Downloads
Block unscannable content
Block clients with bad reputation
11. Select the Real Webservers tab and create a New Real Webserver with the following configuration:
Name: ArGoSoft Webmail
Host: Lab Server
Type: Plaintext (HTTP)
Port: 80
12. Create another New Real Webserver with the following configuration:
Name: IIS
Host: Lab Server
Type: Encrypted (HTTPS)
Port: 443
13. Select the Virtual Webservers tab and create a New Virtual Webserver with the following
configuration:
Name: ArGoSoft Webmail
Interface: External (WAN) (Address)
Type: Plaintext (HTTP)
Port: 80
Domains: lab-gw1.lab.external
Real Webservers: ArGoSoft Webmail
Firewall Profile: Lab
14. Create another New Virtual Webserver with the following configuration:
Name: IIS
Interface: External (WAN) (Address)
Type: Encrypted (HTTPS)
Port: 81
Redirect from HTTP to HTTPS: Untick
Certificate: lab-gw1 external
Real Webservers: IIS
Firewall Profile: Lab

On AcmeCorpServer:
15. Connect to:
http://lab-gw1.lab.external - You should be able to access the ArGoSoft Webmail site.
https://lab-gw1.lab.external:81 - You should be able to access the IIS default page with no
certificate error.

Task 2
Implement reverse authentication for the HTTPS website.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. In Webserver Protection | Reverse Authentication create a New Authentication Profile with the
following configuration:
Name: IIS Auth
Frontend mode: Form
Frontend realm: IIS
Backend mode: None
Form Template: Default Template
Users / Groups: Active Directory Users
3. Navigate to Webserver Protection | Web Application Firewall and select the Site Path Routing tab.
4. Edit the Site Path Route for IIS and select the IIS Auth Reverse Authentication profile.
On Services:
5. Connect to https://lab-gw1.lab.external:81.
6. You should be prompted to login via a form and you should not get any certificate errors accessing
the HTTPS site.
7. Write down the certificate authority that issued the HTTPS certificate:
__________________________________________________________________________________
8. Confirm you are able to login as johnsmith.
9. Create a backup called Architect Lab 10 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully configured webserver protection for both HTTP and HTTPS webservers and
implemented reverse authentication.

Lab 11: RED


Objective
Upon completion of this lab you will be able to create a RED tunnel between two UTMs.

Requirements
No prerequisites.

Task
Configure a RED tunnel between LabGateway1 and AcmeCorpGateway.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to RED Management | Global Settings and activate RED Management.
3. Select the [Server] Client Management tab and add a RED with the following configuration:
Branch Name: AcmeCorp
Client type: UTM
4. Download the provisioning file to the desktop of LabServer.
5. Launch Thunderbird and email the provisioning file to administrator@acme.external.
On AcmeCorpServer:
6. Launch Thunderbird and save the provisioning file from the email to the desktop of
AcmeCorpServer.
7. Launch a browser and connect to the WebAdmin of AcmeCorpGateway and login as admin.
8. Navigate to RED Management | Global Settings and activate RED Management.
9. Select the [Client] Tunnel Management tab and create a new tunnel using the following
configuration:
Tunnel Name: Lab
UTM host: Lab Gateway 1
Prov. File: the provisioning file saved to the desktop
On LabServer:
10. Select the Overview tab in the LabGateway1 WebAdmin and confirm that the connection is
established successfully.
11. Navigate to Interfaces & Routing | Interfaces and create and enable a new interface with the
following configuration:
Name: Acme RED
Type: Ethernet Static
Hardware: reds1
IPv4 address: 10.0.0.1
Netmask: /24 (255.255.255.0)

On AcmeCorpServer:
12. Open the AcmeCorpGateway WebAdmin.
13. Navigate to Interfaces & Routing | Interfaces and create and enable a new interface with the
following configuration:
Name: Lab RED
Type: Ethernet Static
Hardware: redc1
IPv4 address 10.0.0.2
Netmask: /24 (255.255.255.0)
14. Navigate to Interfaces & Routing | Static Routing and create and enable a new static route with the
following configuration:
Route Type: Gateway route
Network: Lab Network
Gateway: create a new network definition
o Name: Lab RED Gateway
o Type: Host
o IPv4 Address: 10.0.0.1
On LabServer:
15. Navigate to Interfaces & Routing | Static Routing and create and enable a new static route with the
following configuration:
Route Type: Gateway route
Network: Acme Corp LAN
Gateway: create a new network definition
o Name: Acme RED Gateway
o Type: Host
o IPv4 Address: 10.0.0.2
16. Navigate to Network Protection | Firewall and create and enable a new firewall rule with the
following configuration:
Sources: Acme Corp LAN
Services: Web Surfing
Destinations: Internal (Network)

On AcmeCorpServer:
17. Connect to http://172.16.1.1 and confirm you see the ArGoSoft webmail website.
18. In the WebAdmin, disable the Lab RED tunnel, Lab RED interface and Lab RED Gateway static route.
On LabServer:
19. Disable the Acme RED tunnel, Acme RED interface, firewall rule and Acme RED Gateway static
route.
20. Create a backup called Architect Lab 11 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully created a RED tunnel between two UTMs.

Lab 12: Site-to-site VPN


Objective
Upon completion of this section you will be able to configure:
A simple SSL site-to-site VPN.
An IPsec site-to-site VPN using cross signed certificates.
An IPsec site-to-site VPN using RSA authentication.

Requirements
No prerequisites.

Task 1
Configure and test a simple SSL site-to-site VPN.
Steps
On LabServer:
1. Login to the WebAdmin of AcmeCorpGateway as admin.
2. Navigate to Site-to-site VPN | SSL and create a server SSL connection with the following configuration:
Connection type: Server
Connection Name: Lab VPN
Local Networks: Internal (Network)
Remote Networks: Lab Network
Automatic Firewall rules: Selected
3. Download the peer configuration file to the desktop of LabServer and encrypt it using the password
Sophos1985.
4. Login to the WebAdmin of the LabGateway1 as admin.
5. Navigate to Site-to-site VPN | SSL and create a connection with the following configuration:
Connection type: Client
Connection Name: Acme VPN
Configuration file: the peer configuration file saved to the desktop of LabServer
Password: Sophos1985
Automatic Firewall rules: Selected
6. Confirm you can connect to http://192.168.2.1
On AcmeCorpServer:
7. Confirm you can connect to http://172.16.1.1
8. Disconnect from the VPN on both UTMs.

Task 2
Modify the existing IPsec site-to-site VPN to use cross signing authentication.
Steps
On LabServer:
1. Login to the WebAdmin of AcmeCorpGateway as admin.
2. Navigate to Site-to-site VPN | Certificate Management and generate a certificate with the following
configuration:
Name: acme-gw VPN
Method: Generate
VPN ID Type: Hostname
VPN ID: acme-gw.acme.external
Common Name: acme-gw.acme.external
Email: utm@acme.external
3. Download the certificate in PKCS#12 format with the password Sophos1985 to the desktop of
LabServer.
4. Login to the WebAdmin of LabGateway1 as admin.
5. Navigate to Site-to-site VPN | Certificate Management and generate a certificate with the following
configuration:
Name: lab-gw1 VPN
Method: Generate
VPN ID Type: Hostname
VPN ID: lab-gw1.lab.external
Common Name: lab-gw1.lab.external
Email: utm@lab.external
6. Download the certificate in PKCS#12 format with the password Sophos1985 to the desktop of
LabServer.
7. In the LabGateway1 WebAdmin, create a new certificate with the following configuration:
Name: Acme VPN
Method: Upload
File type: PKCS#12 (Cert+CA)
File: the acme-gw VPN certificate downloaded from AcmeCorpGateway in step 3.
Password: Sophos1985
8. Navigate to Site-to-site VPN | IPsec | Remote Gateways and reconfigure the gateway for
AcmeCorpGateway to use the X509 certificate you uploaded (Acme VPN).
9. In the AcmeCorpServer WebAdmin, create a new certificate with the following configuration:
Name: Lab VPN
Method: Upload
File type: PKCS#12 (Cert+CA)
File: the lab-gw1 VPN certificate downloaded from LabGateway1 in step 6.
Password: Sophos1985
10. Navigate to Site-to-site VPN | IPsec | Remote Gateways and reconfigure the gateway for LabGateway1
to use the X509 certificate you uploaded (Lab VPN).
11. Open and monitor the IPsec live logs on both LabGateway1 and the AcmeCorpGateway.
12. Enable the IPsec VPN on both LabGateway1 and AcmeCorpGateway.
13. Write down the following details from the IPsec log for the last connection made:
NAT-Traversal result:________________________________________________________
Dead peer detection status:__________________________________________________
Variant:__________________________________________________________________
14. Confirm you can connect to http://192.168.2.1
On AcmeCorpServer:
15. Confirm you can connect to http://172.16.1.1
16. Disconnect from the VPN on both UTMs.

Task 3
Modify the existing IPsec site-to-site VPN to use RSA keys
Steps
On LabServer:
1. Login to the WebAdmin of AcmeCorpGateway as admin.
2. Navigate to Site-to-site VPN | IPsec | Local RSA Key and configure the VPN ID type to be IP Address.
3. In the Re-generate local RSA key section click Apply.
4. Copy the Current local public RSA key.
5. Login to the WebAdmin of LabGateway1 as admin.
6. Navigate to Site-to-site VPN | IPsec | Remote Gateways and edit the gateway for
AcmeCorpGateway by updating the following configuration:
Authentication type: RSA key
Public key: paste the public RSA key you copied from AcmeCorpGateway
VPN ID type: IP Address
VPN ID (optional): Leave blank
7. Select the Local RSA Key tab and configure the VPN ID type to be IP Address.
8. In the Re-generate local RSA key section click Apply.
9. Copy the Current local public RSA key.
10. In the WebAdmin of AcmeCorpGateway, navigate to Site-to-site VPN | IPsec | Remote Gateways
and edit the gateway for LabGateway1 by updating the following configuration:
Authentication type: RSA key
Public key: paste the public RSA key you copied from LabGateway1
VPN ID type: IP Address
VPN ID (optional): Leave blank
11. Open the IPsec live log and confirm that the IPsec connection is established successfully.
12. Confirm you can connect to http://192.168.2.1
On AcmeCorpServer:
13. Confirm you can connect to http://172.16.1.1
14. Disconnect from the VPN on both UTMs.
15. Create a backup called Architect Lab 12 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully configured:
A simple SSL site-to-site VPN.
An IPsec site-to-site VPN using cross signed certificates.
An IPsec site-to-site VPN using RSA authentication.

Lab 13: Remote access


Objective
Upon completion of this section you will be able to configure and test IPsec remote access with the
Sophos IPsec client.

Requirements
No prerequisites.

Task
Configure an IPsec VPN on AcmeCorpGateway and test it with the Sophos IPsec client on LabServer.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Network Protection | Firewall and create a new firewall rule with the following
configuration:
Sources: Internal (Network)
Services: IPsec
Destinations: Any
3. Login to the WebAdmin of AcmeCorpGateway as admin.
4. Navigate to Remote Access | IPsec and create a new IPsec remote access rule with the following
configuration:
Name: AD users to local network
Interface: External
Local Networks: Internal (Network)
Policy: AES-256
Authentication type: X509 certificate
Allowed users: Active Directory Users
5. Navigate to Network Protection | Firewall and create a new firewall rule with the following
configuration:
Sources: VPN Pool (IPsec)
Services: HTTP
Destinations: Any
6. Login to the User Portal of AcmeCorpGateway as TomJones.
7. Select the Remote Access tab and download the configuration file.
8. Download the PKCS#12 of the user certificate specifying the password Sophos1985.

9. Download and install the Sophos IPsec Client.
Note: the IPsec client will be installed in demo mode with a trial license.
10. Launch the IPsec client and add a new certificate with the following configuration:
Name: TomJones Certificate
Certificate: from PKCS#12 file
PKCS#12 Filename: select the certificate you downloaded from the User Portal
PIN Request at each Connection: Selected
11. Add a new profile by importing the configuration file downloaded from the User Portal.
12. Edit the profile and select Identities on the left. In the Pre-shared Key section, select the certificate
TomJones Certificate.
13. Reboot LabServer.
14. Initiate the VPN connection.
15. Confirm you can connect to http://192.168.2.1.
16. Disconnect from the VPN.
17. Create a backup called Architect Lab 13 on LabGateway1 and download it to the desktop of
LabServer.

Review
You have now successfully configured and tested IPsec remote access with the Sophos IPsec client.

Lab 14: Central management


Objective
Upon completion of this section you will be able to:
Configure Sophos UTM Manager.
Connect a UTM to a Sophos UTM Manager.
Import configuration from a UTM into SUM.
Create a new configuration in SUM.
Deploy configuration from SUM to a UTM.

Requirements
No prerequisites.

Task 1
Complete the Basic system setup of the Sophos UTM Manager and perform basic system configuration.
Steps
1. Create a license for Sophos UTM Manager here:
https://secure2.sophos.com/en-us/products/free-tools/sophos-utm-manager/download.aspx
On LabServer:
2. Connect to Sophos UTM Manager at https://172.16.1.2:4444 and complete the Basic system setup
with the following configuration:
Hostname: sum.lab.internal
Admin account password: Sophos1985
Admin account email address: utm@lab.internal
3. Once the basic system setup is complete, login and upload the license you created in Step 1.
4. Once the license has been installed, login.
5. Navigate to Management | System Settings | Time and Date and configure the correct time, date
and time zone.
6. Remove all of the servers from the NTP Servers list and create a new NTP server with the following
configuration:
Name: Lab Active Directory
Type: Host
IPv4 Address: 172.16.1.1
7. Navigate to Management | Shutdown/Restart and select to Restart (Reboot) the system now.
8. Once SUM has rebooted, login to the WebAdmin as admin.
9. Navigate to Management | System Settings | Shell Access and Enable shell access.

10. Remove Any from the Allowed networks and add Internal (Network).
11. Set the passwords for the loginuser and root user to Sophos1985.
12. Navigate to Management | Up2Date | Cache and enable the Up2Date Cache with the following
configuration:
Allowed Networks: Internal (Network)
13. Navigate to Network Services | DNS | Forwarders and create a new DNS Forwarder with the
following configuration:
Name: Lab DNS
Type: Host
IPv4 Address: 172.16.1.1
14. Deselect the option Use forwarders assigned by ISP.
15. Navigate to Definitions & Users | Authentication Servers | Servers and add a new authentication
server with the following configuration:
Backend: Active Directory
Server: Lab Active Directory
Bind DN: cn=readonly,cn=users,dc=lab,dc=internal
Password: Sophos1985
Base DN: dc=lab,dc=internal
16. Select the Global Settings tab and enable Automatic user creation for Sophos UTM Manager and
WebAdmin.
17. Navigate to Definitions & Users | Users & Groups | Groups and create a new group with the
following configuration:
Group name: Domain Admins
Group type: Backend membership
Backend: Active Directory
Limit to backend group(s) membership: Selected
Active Directory Groups: cn=Domain Admins,cn=Users,dc=lab,dc=internal
18. Create a new group with the following configuration:
Group name: Domain Users
Group type: Backend membership
Backend: Active Directory
Limit to backend group(s) membership: Selected
Active Directory Groups: cn=Domain Users,cn=Users,dc=lab,dc=internal
19. Navigate to Management | Sophos UTM Manager | Access Control and add the Domain Admins
group to the Allowed Admins and add the Domain Users group to the Allowed Users.
20. Select the Device Security tab and configure Device authentication with the following configuration:
Require authentication: Selected
Automatic Update: Selected
Shared Secret: Sophos1985

Task 2
Connect LabGateway1 and LabGateway2 to SUM.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Management | Central Management and enable SUM management with the following
configuration:
SUM host: add a new network definition
o Name: SUM
o Type: Host
o IPv4 Address: 172.16.1.2
Authentication: Selected
Shared Secret: Sophos1985
Use SUM server as Up2Date Cache: Selected
Administration: Selected
Reporting: Selected
Monitoring: Selected
Configuration: Selected
3. Repeat steps 1 - 2 on LabGateway2.

Task 3
Import an Endpoint policy from LabGateway1 on to SUM; clone and then deploy the policy to
LabGateway2.
Steps
On LabServer:
1. Login to the Sophos UTM Manager as admin at https://sum.lab.internal:4422.
2. Navigate to Configuration | Import and configure the Type Select with the following settings:
Gateways: gw1
Endpoint Protection: Antivirus Policies
3. Select the Import tab, select all of the objects and click Import.
4. Navigate to Configuration | Endpoint Protection, clone the Basic protection policy, rename it Lab
14 and enable Scan for PUA.
5. Click Deploy next to the Lab 14 policy and use the following configuration:
Global EPP Definitions: Lab 14
Gateways: lab-gw2
6. Login to the WebAdmin of LabGateway2 as admin and navigate to Endpoint Protection | Computer
Management and activate Endpoint Protection.
7. Navigate to Endpoint Protection | Antivirus and confirm that the Lab 14 policy is now available on
LabGateway2. Notice that you cannot edit, delete or clone it.
8. In the Sophos Gateway Manager, edit the Lab 14 policy and disable the option Scan for PUA.
9. In WebAdmin on LabGateway2, confirm that the policy has been updated.
10. Create a backup called Architect Lab 14 on both LabGateway1 and LabGateway2 and download
them to the desktop of LabServer.

Review
You have now successfully:
Configured Sophos UTM Manager.
Connected a UTM to a Sophos UTM Manager.
Imported configuration from a UTM into SUM.
Created a new configuration in SUM.
Deployed configuration from SUM to a UTM.

Lab 15: High availability


Objective
Upon completion of this section you will be able to configure two UTMs in both Active/Hot Standby
mode and Cluster mode.

Requirements
All instructions in Lab 1 must be completed successfully.

Task
Configure high-availability between the two Lab gateway UTMs and then change them to cluster mode.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Management | Up2Date and update the UTM to the latest version.
3. Login to the WebAdmin of LabGateway2 as admin.
4. Navigate to Management | Up2Date and update the UTM to the latest version.
5. In the WebAdmin on LabGateway1, navigate to Management | High Availability | Configuration
and set the Operation mode to Hot Standby with the following configuration:
Sync NIC: eth3
Device Name: LabGateway1
Device Node ID: 1
Encryption key: Sophos1985
6. In the WebAdmin on LabGateway2, navigate to Management | High Availability | Configuration
and set the Operation mode to Automatic configuration with the following configuration:
Sync NIC: eth3
7. Review the HA Live Log on LabGateway1.
8. Once synchronization has completed (this can take up to 15 minutes), rename Node2 to
LabGateway2.
9. Reboot LabGateway1.
10. Login to the high-availability master at https://gw1.lab.internal:4444.
11. Navigate to Management | High Availability and confirm that LabGateway2 is now the master and
that you can still access the Internet.
12. Once LabGateway1 has finished synchronizing following its reboot, navigate to Management | High
Availability | Configuration and set the Operation mode to Cluster.
13. Review the HA Live Log.

Review
You have now successfully configured two UTMs in both Active/Hot Standby mode and Cluster mode.
