
Sophos Certified Engineer

ET30 UTM

December 2014
Training version: 9.3.0
Product version: UTM 9.3

2014 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other
names, logos and marks mentioned in this document may be the trademarks or
registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos
makes no warranties, conditions or representations (whether express or implied) as
to its completeness or accuracy. This document is subject to change at any time
without notice.

Sophos Limited is a company registered in England number 2096520, whose
registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire,
OX14 3YP.

----

Hello, and welcome to this Sophos Certified Engineer course for UTM version 9.3. This
is Module 300: Course Introduction.

Prior to taking this training you should have:
Technical networking knowledge such as CompTIA N+, CCNA or equivalent
Knowledge of general Windows networking
Experience in installing and configuring network gateways and firewalls

To complete the UTM course you need to complete and pass the online assessment
that is available in the partner portal:
EA30a v9.3 Assessment Certified Engineer UTM

You must complete and pass this assessment if you wish to register for the Certified
Architect course.

Note that this assessment will include questions from both theory and labs portions
of this course.

Please remember that to become a Sophos Certified Engineer you need to complete
and pass 2 product courses.

This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules.

Once you complete this course you will be able to:
Describe the main technical capabilities of the UTM and their benefits
Demonstrate the use of the most commonly used features
Know how to size the solution appropriately
Deploy and manage the UTM in a simple non-production environment
Locate and use additional online resources

Please take a couple of minutes to answer these few questions to see what you
already know about the UTM. Don't worry if you get them wrong; they don't count
towards the assessment.

You can download the course materials from the training portal, under module
ET300:
The lab workbook (EL30), which you will need to complete the practical part of this
course
Combined hand-out of these theory modules (EH30)

Feedback on our courses is always welcome and helps us to improve our training. If
you have any comments or suggestions please email them to
globaltraining@sophos.com.

Now that you have completed this module, you should complete Module 301:
Overview and installation.

Thank you for your time, please close this window to return to the Partner Portal.

Sophos Certified Engineer
ET301 UTM

January 2015
Training version: 9.3.1
Product version: UTM 9.3

----

Hello, and welcome to this Sophos Certified Engineer course for UTM 9.3. This is
Module 301: Overview and installation.

This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on the first module out of 15.

This module provides an overview of the UTM and its features, as well as the steps
required to get it up and running.

Once you complete this module you will be able to:
Describe the modules available on the UTM
Identify the additional devices and software that can be used with the UTM
Install the UTM software
Set up the UTM using the wizard

The Sophos UTM provides a comprehensive suite of security tools from one easy-to-use
web interface, which includes real-time and historical logging and reporting.

At the core of the UTM is the Essential Network Firewall, which is available for every
Sophos UTM as a free license. It provides the basic core security features for
protecting company networks including routing, firewall, network address translation
and basic remote access options. This core functionality can be extended in a
modular fashion by enabling additional subscriptions in your license.

Network Protection extends the core firewall functionality with a dynamic intrusion
prevention system, advanced threat protection, advanced routing options, site-to-site
VPN, additional remote access VPN options and network security reporting. The
Network Protection subscription also enables management of Sophos Remote
Ethernet Devices (RED) for branch office security.

The Web Protection subscription provides a secure policy based web proxy, security
through dual anti-malware engines, and layer 7 application control.

The Email Protection subscription allows you to scan mail traffic going in and out of
the network via SMTP or POP3, encrypt sensitive email, and provides options for user
quarantine management.

The Endpoint subscription helps you easily deploy and manage our Sophos antivirus
software on your computers whether they are connected inside or outside the
corporate network.

The Wireless Protection subscription allows the UTM to act as a wireless controller
for the Sophos Access Points.

The Webserver Protection subscription provides reverse proxy and web application
firewall to protect webservers from common attacks and intrusions.

This modular architecture allows Sophos to easily add or modify components to
address new security concerns or changing business requirements. All components
are grouped in multiple subscriptions so that customers can tailor the solution to
their business needs and their budgets. If you need to enable other subscriptions
later, you only need to obtain a new license to turn those features on.

In addition to the Sophos UTM itself, there are additional devices and software that
can be used with it:
The Sophos RED (Remote Ethernet Device) provides plug and play layer 2 VPNs for
small branches, and acts like a virtual Ethernet cable back to the main office
Sophos wireless access points provide centrally managed, plug and play secure Wi-Fi
Sophos SSL and IPsec VPN clients for remote access
The Sophos UTM Manager (SUM), which provides central management of multiple
UTM appliances

We will now take a slightly more in-depth look at each of the UTM modules and what
they offer.

The Essential Firewall at the core of the UTM is a stateful firewall based on Linux's
iptables and netfilter. The firewall provides layer 3 and 4 packet filtering, routing,
network address translation (NAT), and secure remote access using PPTP/L2TP. These
are fundamental security functions which should be implemented by all businesses,
and which are available free of charge for all UTMs.
The stateful packet inspection firewall performs packet filtering on the packet
headers, and inspects the packets for irregularities in the sessions. All data packets
are checked twice, both when entering and leaving the gateway.
Firewall rules are interface based, and can be configured for hosts, networks or VPN
users, and can be enabled and disabled based on time to create a dynamic firewall
policy.
The Essential Firewall includes three types of network address translation; source
NAT (SNAT), destination NAT (DNAT) and masquerading.
The UTM supports both IPv4 and IPv6 in a dual stack with static routing, transparent
bridging, and dynamic DNS; and provides NTP, DHCP and DNS servers.

Firewalls alone are not enough to protect against advanced network attacks. With the
Network Protection subscription, the firewall is supplemented by an Intrusion
Prevention System (IPS) which is able to detect and block complex exploits, and
Advanced Threat Protection (ATP) that monitors activity across active processes on
the UTM to detect compromised computers on the internal network.

The integrated VPN gateway provides both site-to-site VPNs for secure
communication between two locations, and remote access VPNs for home workers
and mobile users.

The VPN gateway supports SSL and IPsec for site-to-site and remote access VPNs.
Remote access additionally supports L2TP and PPTP.

The remote access VPN works with the VPN clients which are integrated into all
operating systems (Windows, Linux, Mac OS X, iOS and Android), as well as the Cisco
IPsec client and the free Sophos SSL VPN client. The UTM also provides a clientless
HTML5 VPN solution.

As an alternative to using site-to-site VPNs, branch office security can also be
achieved using Sophos RED.

The Web Protection subscription includes web and FTP proxies, as well as powerful
application control functionality.

The UTM web filtering is configured using a flexible policy-based approach which
allows different levels of Internet access depending on who you are. Paired with the
ability to have multiple authentication sources configured, the UTM provides a highly
granular level of control over web access.

The web filter itself includes malware protection provided by either a single antivirus
engine or dual scanning with both Sophos and Avira, as well as URL and content
filtering.

Using application control you can easily allow or block Internet access for specific
applications, without having to block access to whole domains.

Email protection on the UTM protects both SMTP and POP3 traffic from both
malware and spam.

The SMTP proxy includes data protection to help you control potentially confidential
data leaving the company. This can be configured using the rules managed and
provided by SophosLabs, which include rules for:
Personally identifiable information
Financial information
Classified documents
Alternatively, you can create custom rules using regular expressions.

The UTM can handle email encryption using S/MIME, OpenPGP and SPX (Sophos
Secure PDF Exchange), which encrypts confidential emails as PDFs and provides a
secure web portal for the recipients to reply.

Users are able to manage their own quarantined email using either the User Portal or
quarantine digest emails. In addition to managing quarantined mails, users can
manage their own sender whitelists and blacklists.

Sophos has a mature Endpoint Protection product which can be managed from the
UTM. Using the Sophos LiveConnect service, endpoints can be managed wherever they
are, whether connected to the internal network or out on the road. It includes
comprehensive malware protection, device control and web control.

Sophos have a range of wireless access points which can be managed easily from the
UTM. Deployment is automatic from the UTM when the access point is connected to
the network.

Our wireless access points support multiple wireless networks allowing you to
separate corporate and guest access, and the UTM also allows you to configure
hotspot captive portals to control access and manage resource usage.

The UTM's Webserver Protection operates as a reverse proxy to protect Internet
facing web servers from attacks, including SQL injection and cross-site scripting, as
well as providing additional security through form hardening, URL hardening, cookie
signing and antivirus scanning.

Further security can be achieved using reverse authentication, where the UTM
authenticates users before they gain any access to the protected web servers.

The UTM is managed entirely through a browser-based user interface called the
WebAdmin, which uses technologies such as Ajax and JSON to provide a powerful
and intuitive console supported in all of the major browsers.

The WebAdmin is accessible on port 4444 using HTTPS. The default IP address of the
UTM for hardware appliances is 192.168.0.1; this can be set during the installation of
software appliances.

The WebAdmin helps to simplify management tasks by using drag and drop
configuration with global objects. The WebAdmin also supports keyboard shortcuts
which can be configured by each user.

All changes made in the WebAdmin are audited, making it easy to review the changes
made during any session.

There are four deployment options for the Sophos UTM:
Hardware appliance
Software
Virtual appliance
Cloud
The same UTM software is used for all deployment methods.

There are various different models of hardware appliances to suit any requirement;
all are supplied with the software installed ready to be deployed.

The software appliance is supplied as a bootable CD ISO file which can be written on
to a disc. The software can be installed on a dedicated Intel-compatible computer
within a few minutes. The hardware compatibility list can be found online in the
Sophos knowledgebase, article number 118185.
http://www.sophos.com/en-us/support/knowledgebase/118185.aspx

Virtual appliances are installed from the software ISO and can be run on a variety of
hypervisors including VMware, Citrix, Microsoft Hyper-V and Linux KVM.

The UTM can be deployed in the Cloud on Amazon Web Services (AWS) using an
Amazon Machine Image (AMI).
Note: you still need to purchase a software license from Sophos to be able to use the
UTM.

Installing the UTM as a software appliance, either on to hardware or a virtual machine
from the downloadable ISO, requires very little input. The only things you need to
configure are which network interface you will use to connect to the WebAdmin (this
interface will be considered your internal LAN and should be eth0), and the IP address
and netmask for that interface. As the UTM is designed to be a gateway it is unlikely
that you will need to configure a default gateway for this interface.

Note that 192.168.0.1 does not have to be used when installing the UTM; you should
match the IP address and netmask to your network.

The first time you access a UTM you need to complete the basic system setup. This
consists of:
The fully qualified hostname of the UTM. This should be resolvable in public DNS
The company or organization name, city and country
The password for the admin user
An email address for the admin user. This will be used for system alerts by default
but can be changed later

This is compulsory for all installations of the UTM.

Once this information has been entered and the basic system setup is complete you
will need to login using the admin user with the password defined during the basic
system setup.

Note: the license agreement should be accepted by the end user, not a third party
performing the installation.

There are then three options:
Restore a backup
Perform configuration using the wizard
Manual configuration. To configure the UTM manually, cancel the setup wizard

The Sophos setup wizard guides you through the configuration of all the subscriptions
necessary to establish a basic level of security for your network.

We recommend using the setup wizard for the initial configuration, as it provides the
quickest way to get up and running without overlooking any of the required settings
such as masquerading or firewall rules. Once the setup is complete all of the options
selected can be modified.

The setup wizard starts with the License Installation screen. Here you can upload a
license file if you already have one or continue without uploading a license to begin a
30-day trial.

On the Internal (LAN) Network Settings screen you can modify the IP configuration of
the UTM on your LAN. If you installed the UTM from the CD ISO you will have
configured this during the installation.

The Internet Uplink (WAN) Settings screen is for configuring the Internet facing
interface IP configuration. You can skip this step by selecting the option to Setup
Internet connection later.

On the Allowed Services Settings screen you can select what protocols computers
connected to the LAN can use out to the Internet. You can also configure how the
UTM responds to ping requests.

Here you can enable Advanced Threat Protection Settings.

On the Web Protection Settings screen you can configure the default base web
filtering policy options by selecting which categories will be blocked.

The Email Protection Settings allow you to enable scanning of POP3 email traffic and
configure routing for inbound SMTP traffic.

Once you have completed the Setup Wizard you will see a Summary screen where
you can review your settings.

Let's take a quick tour around the dashboard of the WebAdmin.

Along the top of the console there are five icons:
The currently logged on user
Quick access to live logs
Access to context sensitive help
Refresh. It is important to use this refresh button and not the browser's refresh or
back buttons, as that will result in you being logged out
An activity indicator, which is an animated icon to indicate when a process is
running in the background while the WebAdmin waits to be updated

In the top-right corner of the Dashboard is access to the Dashboard settings where
you can configure what appears on the dashboard and the layout.

Down the left-hand side is the menu for navigating the console. Currently shown are
the top-level sections; when one of these is selected a sub-menu will open beneath
it.

The UTM type, license details and uptime.

Version information.

System information showing resource usage.

Current threat status.

System configuration overview.

Advanced Threat Protection status.

UTM interface status and throughput.

The WebAdmin supports multiple concurrent logins with each user getting their own
instance.

On completion of this module, you can now:
Describe the modules available on the UTM
Identify the additional devices and software that can be used with the UTM
Install the UTM software
Set up the UTM using the wizard

Please take a few minutes to answer the following knowledge check questions.

Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Now that you have completed this module, you should complete Module 302: System
configuration.

Thank you for your time, please close this window to return to the Partner Portal.

Sophos Certified Engineer
ET302 UTM: System configuration

December 2014
Training version: 9.3.0
Product version: UTM 9.3

----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 302:
System configuration.

This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 2 out of 15.

This module will look at the core configuration for managing the UTM; subsequent
modules will look at configuring each of the subscriptions.

Once you complete this module you will be able to:
Perform basic system configuration
Create network, service and time definitions
Configure interfaces on the UTM
Configure how multiple Internet links are used by the UTM

The Management menu contains the base system configuration for the UTM; we will
take a brief look at some of the important settings and features found here, starting
with the System Settings.

The Organization information is populated from what is entered in the Basic System
Setup wizard and is used when generating certificates and for IPsec.

The hostname of the UTM should be set to the fully qualified domain name, and
should resolve in public DNS to the external interface.

For certificates, logging, time-based rules and remote authentication, it is important
that the UTM has the correct time and date configured. By default the UTM uses a
public NTP server, however you may want to use an internal NTP server.

Remote shell access to the UTM is disabled by default. Before enabling it you should
restrict which networks are able to connect to the UTM using SSH, and set passwords
for root and loginuser.
Optionally, you can also configure public key authentication for either loginuser, or
both root and loginuser.

The root user is not able to log in to the UTM directly unless configured with public
key authentication; when using only passwords you first need to connect as loginuser
and then switch to root.
Note that root and loginuser, the Linux users, cannot be used to log in to the
WebAdmin.

Note: when switching to the root user it is advisable to use su as this will set the
path and environment correctly.

The UTM provides two antivirus engines: Sophos and Avira. There is a global option
that allows you to configure which of these engines is used for features where you
can select single antivirus engine scanning instead of dual engine scanning.

Here you are able to reset the system passwords for the Linux users and admin user,
perform a full factory reset, and reset the Endpoint Protection UTM ID.

Under the general WebAdmin settings you can configure the users and networks that
can login to the WebAdmin, and set the language. Note that the language is a global
setting for all users.

Roles can be configured to define what permissions WebAdmin users have. The
default administrator role cannot be edited and so is not listed. By default two
additional roles are preconfigured:
Auditor who has limited read-only access to the WebAdmin and is restricted to
log files and reports
Readonly who has full read-only access to the WebAdmin
Individual rights grant either manager or auditor access to the selected feature
Managers have full read and write access to that feature
Auditors have read-only access to that feature
There is a separate global read-only permission which can be assigned to a role

You can download and import the WebAdmin CA certificate into your browser so that
you do not get a certificate error when you connect to the WebAdmin.
As you need to use the public hostname for the UTM, this is the hostname used by
default for the WebAdmin certificate. As you are likely to be accessing the WebAdmin
from an internal network using a private hostname, you can specify what hostname
you will be using to access the WebAdmin and re-generate the certificate. Note that
the WebAdmin and User Portal share the same certificate.
Optionally, you can upload a certificate signed by another CA to the UTM in the
Certificate Management section, which can be accessed from within the Webserver
Protection, Site-to-site VPN and Remote Access menus. Once you have uploaded a
certificate you can select it here.

The WebAdmin supports a number of keyboard short cuts; these and other display
options can be configured individually by each WebAdmin user.

In the Advanced tab you can change the idle timeout before users are automatically
logged out, and optionally exclude the dashboard from this action.
The WebAdmin port can be modified here.
The WebAdmin has the ability to display a Terms of Use when users login to the
WebAdmin.
On this page you can also change your anonymous data reporting options.

The license for the UTM is provided as a signed text file. You can view the base
license details and the license status and expiry date for each of the UTM modules.

One of the criteria in the license is a maximum number of users which is determined
by the active IP addresses. This tab displays the number of licensed and in use IP
addresses and provides lists of the IP addresses it is counting as being used by the
license and outside the scope of the license. Note that this is only used for the
software and virtual machine versions; the hardware appliances are unlimited.

Up2Date is the system which maintains the UTM software; this includes both the
firmware and pattern data, all of which is digitally signed. The pattern data includes:
Virus definitions
Anti-spam rules
IDS/IPS rules

By default the UTM will check for updates for both firmware and pattern data every
15 minutes; these intervals can be independently configured. If there is a new
firmware update this will be downloaded but not automatically installed. Pattern data
updates are automatically installed once they have been downloaded.

When a firmware update has been downloaded you can review information about
the update before you proceed to install it. Where there are multiple updates to be
installed, only a single reboot is performed at the end of the update if required,
rather than one for each update that needs a reboot.

During the process of checking for updates the UTM authenticates with Sophos over
HTTPS where its license is checked. The updates are then downloaded over HTTP.

On the Advanced tab you can optionally specify a proxy server to use or manually
upload an update package.

Information about UTM releases can be found on the Sophos blog tagged with
up2date.
http://blogs.sophos.com/tag/up2date/

The UTM allows you to easily create, restore and manage multiple backups.

When creating manual backups you can choose to remove host specific data such as
the license, passwords and certificates. This can be useful if you want to deploy the
same configuration to multiple UTMs.

Once you have created a backup you have the options to download, restore, delete or
send it via email. When either downloading or sending a backup, you are given the
option to encrypt it first - you should always do this.

Backups can be restored in three ways:
In the WebAdmin either from an existing backup or one that you import
By importing a backup in the setup wizard
From a USB flash drive with the backup file in the root directory

Note that you cannot use encrypted backup files to restore the backup from a USB.
When you restore a backup from a USB a lock file is also added so that it will not be
rewritten to the UTM if it is left plugged in.

In addition to the manual backup options the UTM also provides automatic backups
which are configured by the setup wizard. By default these backups are taken weekly
with a maximum of 10 being kept on the UTM at one time. The backups are emailed
to the admin email address by default, although the list of recipients can be changed.

One setting that is not configured by default is to encrypt email backups. You should
enable this as part of your post installation configuration.

The User Portal allows users to carry out various administrative tasks, reducing the
burden on the administrator's workload. These tasks include being able to manage
their own quarantined email, whitelists and blacklists, as well as downloading remote
access configuration and the web filtering HTTPS certificate.

Access to the User Portal can be restricted to specific networks and users.

On the Advanced tab you can:
Configure the default language to use if the User Portal is unable to match the
browser's language
Select which items should be accessible in the User Portal
Override hostname, listening interface and port
And configure the welcome message, which supports simple HTML tags

The Sophos UTM is self monitoring to ensure that subsystems are working correctly.
When an event is triggered, system status updates are sent via email, SNMP or both.
All of the messages that are sent contain a fixed ID in the subject that can be used for
filtering rules in an email client. In addition to this you can optionally configure device
specific text that will be added to all notifications.

The following groups of events can be monitored:
Base system
HA/cluster
Intrusion prevention
Logging and reporting
Self-monitor
Up2Date
Other

SNMP enables remote monitoring using the Simple Network Management Protocol
(SNMP) which is commonly used by Remote Management and Monitoring (RMM)
systems. The UTM supports SNMP v3 and v2c and the MIB can be downloaded from
the UTM itself.

The Sophos UTM uses global object-based definitions in rules, which saves time and
resources and helps to minimise errors. Once created, a definition can be used in
multiple rules, and because the rule references the definition you only need to keep
the configuration up-to-date in one place: the definition.

There are definitions for network objects, services and time periods, all of which can
be managed from a single location within the WebAdmin. With all of the definitions
in a single location it is easier to identify and correct errors.

Definitions can be either pre-created for use within rules using drag and drop (DnD),
or on-the-fly while you are creating or updating a rule.

Each object also has its own change log that shows when the object was last
modified.

We will look at each of the three types of definition in more detail, starting with
network definitions.

Let's take a look at the different types of network definition that can be created on
the UTM:
Host definitions are a single IPv4 address with a 32-bit network mask or an IPv6
address
DNS hosts are hostnames which resolve to a single IP address. This type of
definition provides dynamic resolution and is resolved by the UTM according to
the time-to-live (TTL) and is updated with any changes
DNS groups differ from DNS hosts by supporting hostnames which resolve to
multiple IP addresses
A Range definition is a range of IP addresses that cannot usually be covered by a
netmask. These definitions can only be used with NAT and Firewall rules. The
alternative is to combine host definitions in a network group
Network definitions are standard networks defined by an IPv4 or IPv6 address and
a netmask
A Multicast group is a host definition specifically from the multicast range
224.0.0.0 to 239.255.255.255 (224.0.0.0/4)
A Network group is used to consolidate networks, hosts and groups into a single
object to simplify configuration
An Availability group is a group of host or DNS host objects arranged into a prioritized
list. The Sophos UTM regularly checks availability using ICMP pings and the first
available host in the given sequence is used in the configuration

Note that once you have created a network definition you cannot change its type.

There are a number of static network definition entries that are created automatically
by the UTM that cannot be modified or deleted. These include the definitions for the
interfaces, and other universal definitions such as Internet IPv4 and Any IPv6.

When you create an interface three definitions are created:
(Address) for the current IP address
(Broadcast) for the IPv4 broadcast address
(Network) for the IPv4 network

The names of the network definitions depend on the name of the interface, with
either (Address), (Broadcast) or (Network) appended.

The definitions for Internet IPv4 and Internet IPv6 are automatically bound to the
interface with the default gateway.

14
Service definitions use a combination of protocol and protocol options, such as
source and destination ports, to define different types of network traffic. These
definitions can then be used in defining firewall rules.

You can create service definitions of the following protocol types:

[Click]
TCP, UDP and TCP/UDP with destination and source ports

[Click]
ICMP and ICMPv6 with the type and code

[Click]
IP with the protocol number
ESP (Encapsulating Security Payload) and AH (Authentication Header) with the
Security Parameter Index (SPI)
Group, a group of services

As with network definitions, once a service definition has been created you cannot
change its type.

15
Time period definitions can be used in firewall rules, web filtering policies and
wireless networks to control when they are active.

There are two types of time period definitions; recurring and one-off, with recurring
definitions being either daily or weekly.

You can only assign one time period definition in a firewall rule or web filtering policy.

If you delete a time period definition that is in use, the time period will be set to <<
Always >> where it was previously being used.

16
The Sophos UTM supports a versatile range of interface types including Ethernet, DSL,
modems and 3G dongles.

Each interface on the UTM requires an IP address, either static or DHCP, and
optionally can also have a default gateway. Each interface must be on a unique
address range.

Once an interface has been configured, additional static IP addresses can be assigned
to it.

If the bandwidth for the connection is not the same as the interface's maximum
speed, for example where a 1Gbit interface is connected to a 70Mbit Internet
connection, the actual bandwidth should be specified using the Displayed max
option. This ensures that the bandwidth monitor on the dashboard is able to
function correctly.

Ethernet interfaces support speeds between 10 Mbit/s and 10 Gbit/s and use
either DHCP, static IP addresses or VLANs with static IP addresses
Multiple VLANs can be created on a single interface, including on interfaces
that are already being used by a standard Ethernet interface
If you require a hostname for the Ethernet DHCP request (this may be if
you are connecting to an ISP using a cable modem), you can specify this as
an option

DSL connections support options to specify a username and password for
connecting to your ISP
The UTM provides options to perform a Daily reconnect which can be
useful where ISPs perform an automatic reset at a specific time
You can use the Reconnect delay option if your ISP does not permit
immediate reconnections
With PPPoA you can configure a static IP address

3G/UMTS. The UTM supports USB modem connections as additional WAN
interfaces. This can serve as an emergency wireless option
The USB stick must be connected to the UTM when it is booted; it will then
be automatically recognized and connected

17
The UTM supports both static routing and dynamic routing protocols including OSPF
(Open Shortest Path First) and BGP (Border Gateway Protocol). In this course we will
focus on static routing; configuration for dynamic routing protocols are covered in the
Architect course.

Static routes are only required to reach networks which are either:
Not directly connected to the UTM. The UTM automatically creates a direct route
to the LAN corresponding to each interface
Not accessible via the default route. The default route is defined by configuring a
default gateway for one of the interfaces

There are three types of static routes supported on the UTM:
Interface routes send packets straight to the interface's relevant LAN. This is used
with dynamic PPP connections since the Sophos UTM IP address is not known
Gateway routes send packets to a router which is the next hop
Blackhole routes drop packets without confirmation. These are useful in
combination with OSPF and other dynamic routing protocols to avoid routing loops

18
Policy-based routing offers a mechanism for forwarding and routing traffic based on
rules defined by an administrator. It is a more flexible mechanism for routing packets,
and rounds out the existing mechanisms delivered by routing protocols.

In addition to standard routing, which forwards packets based only on the destination
address, these routing decisions are taken based on other criteria, such as source IP
address, source port and destination port. When a rule is matched, policy-based
routing can forward traffic either to an interface or a specific host.

Policy-based routing makes decisions based on the following criteria:
Source interface
Source
Service
Destination

The main benefits of using policy-based routing are that it can be used for load
balancing, and it can save costs by sending data through the most cost effective links
based on the source of the traffic.

However, there are several restrictions on using policy routing:
You cannot select and route all possible traffic, as this would be the equivalent of a
default gateway
Policy routes are processed in order from the top down
Network groups cannot be used in policy routes

19
The Sophos UTM supports link aggregation, which enables multiple Ethernet ports to
be logically combined to improve performance and reliability.

For example; if you have two 100 Mbps connections between the UTM and switch,
you can use link aggregation to create a single logical 200 Mbps link.

Up to 4 Ethernet ports can be combined into a single logical connection, and the
device they are connected to must support link aggregation (802.3ad).

20
Multiple interfaces on the UTM can be configured as an Internet connection, this is
done by assigning a default gateway to the interface. When a second interface is
assigned a default gateway Uplink balancing is automatically enabled.

With uplink balancing enabled, you can configure Internet connected interfaces as
either active or standby.
[Click]
One or more interfaces can be active at the same time with all active connections
being used simultaneously with load balancing. The load balancing rules can be
configured to apply weightings to the connections. Traffic is distributed between
active interfaces using round robin, with connections from each source IP address
persistently using the same active interface; persistence is 1 hour by default but
can be changed, and when an interface goes down all persistence rules for that
interface are deleted. Multipath rules can be used to adjust the distribution of
traffic over the active interfaces.
[Click]
If an interface is in standby it will not be used unless all of the active interfaces fail.
Usually standby interfaces are slower or more expensive links such as 3G/4G or
satellite connections. Standby interfaces can be prioritized as only the first
available standby interface is used when all active interfaces fail.

Uplink balancing supports outbound IPsec site-to-site connections, and by default
tunnels will be re-established on backup links should the primary fail.

If you are using dynamic DNS you can bind your dynamic DNS hostname to your
dynamic interface object so that external traffic always has a path into the network.
The dynamic interface object is an interface group called Uplink Interfaces which is
automatically created when uplink balancing is enabled.

21
By default Automatic Monitoring for Uplink balancing uses ICMP to detect possible
interface failures. It pings the third hop that allows pings on the route to one of the
root DNS server, this is its monitoring host.

Optionally, monitoring hosts can be defined manually. This allows you to define
multiple monitoring hosts and select different protocols for the monitoring checks.

By defining multiple monitoring hosts an interface will not be considered failed if one
of the monitoring hosts is unavailable. The consequence of this, however, is that the
interface will only be failed if none of the monitoring hosts respond.

Settings configured for monitoring are applied to all interfaces and the protocol used
for checking is used for all monitoring hosts.

22
Multipath rules are used to streamline load balancing and persistence traffic when
uplink balancing is being used.
For example, you can create rules to restrict traffic to a specific interface.

Multipath rules can identify traffic based on its source, its destination and the service.

You can also configure how persistence is managed:
By connection
By source
By destination
By source and destination
By interface

The sequence of multipath rules is vital; the most restrictive rules should be at the
top so they are processed first.

23
By default when an interface fails the next matching multipath rule will be used for
the traffic. This behavior can be changed by deselecting the option to skip the rule on
interface error. This means that should an interface fail no other multipath rule will be
used for that traffic and it will be blocked.

One example of when this may be useful is where you need to route your outbound
email through a specific ISP and don't want it to fail over to another interface.
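To make the interaction between multipath rules, source persistence and standby failover concrete, here is an added simulation written for this page in Python; it is not UTM code. Interface names, weights and the SMTP rule are constructed, while the 1-hour persistence default, deletion of persistence entries on interface failure and the skip-on-interface-error behaviour follow the notes above.

```python
"""Constructed simulation of uplink balancing as described in the slides:
multipath rules are checked first (top down), then per-source persistence
(1 hour by default), then weighted round robin over active links, and
finally the first available standby link. Names and rules are invented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    name: str
    weight: int = 1        # multipath weighting for active links
    standby: bool = False  # standby links are used only when all active links fail
    up: bool = True


@dataclass
class MultipathRule:
    source: str            # CIDR the rule applies to (constructed value)
    service: str           # "smtp", "http", ... or "any"
    interface: str         # link the matching traffic is bound to
    skip_on_interface_error: bool = True  # default: fall through to the next rule


class UplinkBalancer:
    def __init__(self, interfaces: List[Interface], rules: List[MultipathRule],
                 persistence_seconds: int = 3600):
        self.ifaces: Dict[str, Interface] = {i.name: i for i in interfaces}
        self.order = [i.name for i in interfaces]   # list order = standby priority
        self.rules = rules                           # processed top down
        self.persistence_seconds = persistence_seconds
        self.persistence: Dict[str, Tuple[str, int]] = {}  # src ip -> (iface, expiry)
        self._rr = 0

    def interface_down(self, name: str) -> None:
        """Mark a link failed and, as the slides describe, delete every
        persistence entry that points at it."""
        self.ifaces[name].up = False
        self.persistence = {src: (ifc, exp) for src, (ifc, exp)
                            in self.persistence.items() if ifc != name}

    def _pick_round_robin(self) -> Optional[str]:
        active = [n for n in self.order
                  if self.ifaces[n].up and not self.ifaces[n].standby]
        if not active:
            # all active links failed: the first available standby link is used
            for n in self.order:
                if self.ifaces[n].up and self.ifaces[n].standby:
                    return n
            return None
        # weighted round robin: each link appears in the ring 'weight' times
        ring = [n for n in active for _ in range(self.ifaces[n].weight)]
        choice = ring[self._rr % len(ring)]
        self._rr += 1
        return choice

    def route(self, src_ip: str, service: str, now: int) -> Optional[str]:
        """Return the interface name for a new flow, or None if it is blocked."""
        # 1. multipath rules, top down
        for rule in self.rules:
            if (ip_address(src_ip) in ip_network(rule.source)
                    and rule.service in ("any", service)):
                if self.ifaces[rule.interface].up:
                    return rule.interface
                if not rule.skip_on_interface_error:
                    return None  # bound link is down and no fallback: blocked
                # otherwise skip this rule and try the next one
        # 2. persistence by source address (valid and still pointing at a live link)
        entry = self.persistence.get(src_ip)
        if entry and entry[1] > now and self.ifaces[entry[0]].up:
            return entry[0]
        # 3. load balance, then remember the decision for this source
        iface = self._pick_round_robin()
        if iface is not None:
            self.persistence[src_ip] = (iface, now + self.persistence_seconds)
        return iface
```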

24
With two UTMs configured in hot standby one is active and handles all of the normal
operations while the other is in standby mode. All tunnels, firewall connections and
quarantined objects are kept synchronized on the standby UTM.

[Click]
In the case that the active UTM fails, the standby UTM can take over in less than 2
seconds and with the tunnels synchronized you do not have to rebuild your IPsec
connections.

Synchronization of:
IPsec tunnels
Firewall connections
E-mails (spools and quarantine)
Log files
Configuration settings
Time and date settings
Software version
Reporting

To enable high availability on the UTM, the following requirements must be met:
For hardware appliances they must be identical models (e.g. 2x UTM220)
All Sophos UTM appliances must have the same software version
A license with active HA option must be available
The HA interface of all UTMs must be located in the same network (same switch or
same VLAN)

25
The Active-Active (Cluster) mode offers high availability as well as integrated load
balancing for up to 10 nodes.

The load balancing is controlled by the master and so an external load balancer is not
required.

As opposed to other cluster solutions, the master node inspects every data packet
before it is forwarded to the other nodes; this ensures that only the performance
intensive tasks such as virus scanning, IPsec or Intrusion Prevention are distributed to
the other nodes.

The existing network environment does not need to be updated - the complete
cluster is considered as one routing device inside of the network. New nodes can be
added during live operation and the whole configuration including all connections
and Firmware releases will be automatically synched.

The synchronization load between the nodes is minimal thanks to the innovative
Sophos algorithm; however, additional network performance can be achieved using
link aggregation.

The following services are distributed in cluster mode:
AV for HTTP, FTP, SMTP, POP3
AS for SMTP, POP3
E-mail encryption
IPsec
IPS
Load sharing is done using Round Robin, except for HTTP where each session is split
up.

26
Sophos UTMs can automatically configure themselves for high-availability or cluster
via the HA port. By default this is eth3 on the hardware appliances. To change the
high availability mode to Cluster (active-active) this only needs to be done on the
master and the slave will be automatically reconfigured.

27
On completion of this module, you can now:
Perform basic system configuration
Create network, service and time definitions
Configure interfaces on the UTM
Configure how multiple Internet links are used by the UTM

28
Please take a few minutes to answer the following knowledge check questions.

29
30
31
32
Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

33
Now that you have completed this module, you should complete Module 303:
Network Services

34
Thank you for your time, please close this window to return to the Partner Portal.

35
Sophos Certified Engineer
ET303 UTM: Network Services

December 2014
Training version: 9.3.0
Product version: UTM 9.3

2014 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.


----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 303:
Network Services.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 3 out of 15.

2
This module will cover using the UTM as a DNS, DHCP and NTP server.

3
Once you complete this module you will be able to:
Configure the UTM as a DNS, DHCP and NTP server
Configure the UTM to use a dynamic DNS service
Configure the UTM as a DHCP relay

4
The Sophos UTM runs a BIND caching DNS proxy server, which offers a secure and
efficient name server service to internal servers and clients.

The UTM responds to DNS queries from the configured allowed networks, and the
results are cached in the DNS resolver cache to enable faster searches; this cache can
be cleared from the WebAdmin.

The UTM supports DNSSEC, however this should only be enabled if the forwarders
also support DNSSEC.

[Click]
DNS forwarders can either be manually defined or provided by an ISP via DHCP. If
more than one DNS forwarder is configured, they are queried in the same order in
which they were added.

[Click]
In Request Routing you can configure the DNS server that should be used for
resolving requests for specific DNS domains; for example, your internal domain.
These DNS requests are not passed on to the DNS forwarders.

[Click]
Static DNS entries are created by adding a hostname to the DNS Settings of a host
network definition.

The UTM automatically creates firewall rules that allow TCP and UDP based DNS
traffic for all networks configured in the allowed networks. These rules will always
take priority over user-defined rules. This means that if you add Any to the allowed
networks, the DNS proxy will be open to the world; you cannot then block specific
DNS traffic by adding firewall rules.

Other functions on the UTM rely on the DNS being configured and working, so it is
important to ensure these settings are correct.

5
If your ISP supplies a dynamic IP address, you can use a dynamic DNS service to
assign a static public hostname to your current IP address, and maintain the
assignment when the IP address changes.

The UTM supports several dynamic DNS service providers, which each require slightly
different information. As an example, to create a new dynamic DNS assignment on
the UTM using DynDNS you need to configure:
The dynamic DNS provider. DynDNS in this example
The interface with the IP address you want to use. This will be the external
network interface
The fully qualified public hostname
Any additional aliases
The mail exchanger record for the domain
Your username and password for the provider
You can optionally create a wildcard entry for your domain

Note that not all of these options are available from all dynamic DNS providers.

6
The DHCP server can be used to assign IP addresses and basic network parameters
for client hosts. The DHCP service can be run on multiple interfaces, with a separate
configuration for each interface including for VLAN interfaces.

To configure a DHCP server, you need to specify the interface for it to broadcast on,
the range of the IP address pool, DNS servers and a default gateway. When you select
the interface for the DHCP server to run on, the other fields will be automatically
populated with default values based on the configuration of that interface.

It is possible to configure additional options to be provided to clients by the DHCP
server. The Sophos UTM uses the ISC DHCP Server which supports up to 254 different
option codes, some of which are defined in RFC 2132. You can even define DHCP
options with no predefined type by selecting one of the (code: unknown) options. If
you do this you need to explicitly configure the option parameters.

Options can be applied to different DHCP servers and clients using the scope options.
These can be:
Global: to use the option on all DHCP servers
Server: to select which of the DHCP servers should use the option
Host: to select which hosts should be provided the DHCP option. The box displays
all hosts configured on the Static Mappings tab
MAC prefix: all DHCP clients with a matching MAC address will be provided the
DHCP option
Vendor ID: all DHCP clients which match this string will be provided the
DHCP option

7
The DHCP server on the UTM supports assignment of static IP addresses to MAC
addresses for a specific DHCP server; this allows you to use client addresses in
firewall rules.

New static mappings can be created from the Lease Table tab using the New mapping
option.

Note that to avoid overlaps between static and dynamic assignments, static IP
addresses should not be taken from the dynamic IP address pool.

8
As an alternative to using UTM as a DHCP server, you can create a DHCP relay, so that
DHCP requests and responses are forwarded between different networks that are
linked through UTM. This is essential if the DHCP server is located in a different
network to the client issuing the request. To do this, you must create a host definition
for the DHCP server, and specify the interfaces involved in the DHCP relay.

9
The UTM can also act as a network time server for clients connecting from the
allowed networks.

You should define an NTP server in the system settings for the UTM to use to
maintain its clock. This could either be a public network time server on the Internet
or an internal server such as a domain controller.

10
On completion of this module, you can now:
Configure the UTM as a DNS, DHCP and NTP server
Configure the UTM to use a dynamic DNS service
Configure the UTM as a DHCP relay

11
Please take a few minutes to answer the following knowledge check questions.

12
13
14
15
Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

16
Now that you have completed this module, you should complete Module 304:
Network Protection.

17
Thank you for your time, please close this window to return to the Partner Portal.

18
Sophos Certified Engineer
ET304 UTM: Network Protection

January 2015
Training version: 9.3.1
Product version: UTM 9.3

2014 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.


----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 304:
Network Protection.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 4 out of 15.

2
In this module we will look at the configuration of the firewall and other network
protection features of the UTM.

3
Once you complete this module you will be able to:
Create firewall and NAT rules
Configure intrusion prevention and Advanced Threat Protection (ATP)

4
Over the next few slides we will look at the network protection capabilities of the
Sophos UTM including the firewall, network address translation, intrusion prevention
and advanced threat protection.

5
The Sophos UTM packet filter firewall uses the Linux kernel netfilter and iptables
framework to filter IP packets in the network (layer 3) and transport (layer 4) layers of
the ISO/OSI layer model. Each logical connection is logged in the connection tracking
table, creating a link between related packets.

The UTM packet filter rules are constructed using definitions for:
Sources
Services (protocols)
Destinations

For each firewall rule you can optionally:
Further restrict the sources to a list of MAC addresses
Enable logging
Make the rule time-based by selecting a time period when it will be active

Rules are processed in order and the first matching rule decides what happens with
the packet: allow, drop or reject. When creating firewall rules, the most restrictive
rules should be at the top. If the packet does not match a rule it is dropped and
logged.

The UTM starts with an empty rule table, but there are internal rules for all services
used by UTM itself, for example for DNS, email and web filters. Enabling services
(e.g., web filtering and email protection) creates these internal rules, which then take
precedence over manually created rules.

6
The UTM provides the ability to block incoming and outgoing traffic to selected
countries completely, with countries being determined by a GeoIP lookup. Exceptions
can then be created for this blanket blocking to allow specific traffic through.

For example:
You could block all traffic to and from North America then create an exception for
HTTP traffic.

7
Within the firewall you can configure how the UTM handles ICMP traffic globally, and
specifically for ping and traceroute.

The default settings do not allow ping to pass through the UTM. This has to be
enabled here, as creating a firewall rule will have no effect due to internal rules taking
precedence over manually created rules.

8
The UTM supports several types of network address translation (NAT), which we will
look at over the next few slides, starting with masquerading.

Masquerading is used to mask a network of computers using a private IP range, and
present it to the Internet as a single public IP address. This is a type of Source NAT
(SNAT), where the interface address is always set as the source IP. Depending on the
protocol and your requirements, the source port may change dynamically.

Masquerading is also used between internal networks; for example from the VPN
client network to the Internal network. This allows VPN clients to connect to
networks which are not directly connected to the UTM, without requiring additional
routes for the VPN network.

9
In addition to masquerading, the UTM supports Destination NAT (DNAT), Source NAT
(SNAT), 1:1 NAT for whole networks and NoNAT.

This diagram illustrates the configuration of DNAT, which changes the destination of
packets so that once they have reached the UTM they can then be sent on to their
new destination. This form of NAT is used to make an internal resource visible on the
Internet with a public IP address which is configured on the UTM.

It is important to note that the DNAT takes place before firewall rules are applied to
the traffic. This means that when you are creating firewall rules you must use the
translated destination; in this diagram that would mean using 10.0.0.1 and not
195.171.192.81 as the destination in firewall rules.

SNAT is similar to DNAT except in reverse, as the packets leave the internal network
the source IP address is changed to a public IP address assigned to the UTM. This is
similar to masquerading but allows for more detailed customization of the rules.

1:1 NAT is used for whole networks, and maps both the source and destination
addresses. We will take a more detailed look at this on the next slide.

Finally, NoNAT prevents an address translation, so you can think of it as an exception
for NAT rules.

10
1:1 NAT is used to NAT multiple IP addresses on one subnet to IP addresses on a
different subnet. This is done for an entire subnet of IP addresses allowing you to NAT
a whole network. For this to work, the original network and translated network must
have identical network masks.

In the UTM the 1:1 translation is done using network definitions.

Example
LAN 10.10.10.0/24 to 172.20.10.0/24

Original destination    New destination (translated)
10.10.10.1              172.20.10.1
10.10.10.2              172.20.10.2
etc.
10.10.10.254            172.20.10.254

So when would this be useful? 1:1 NAT could be used to link two locations which
have identical subnets, for example by VPN. It could also be used to map between
public IP addresses and servers in a DMZ.
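The two points on the previous slides that most often trip people up are that DNAT happens before the firewall sees the packet, and that 1:1 NAT needs identical masks. The following Python model, added here and not UTM code, walks a packet through DNAT, 1:1 NAT and first-match firewall evaluation; the addresses are the ones on the slides, the rule structures and the source address 203.0.113.7 are constructed.

```python
"""Constructed model of the NAT-then-firewall order described in the slides:
DNAT and 1:1 NAT rewrite the destination first, then firewall rules are
matched top down against the translated packet, and a packet matching no
rule is dropped. Addresses are from the slides; rule shapes are invented."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "tcp", "udp" or "icmp"
    dport: int


@dataclass(frozen=True)
class DnatRule:
    match_dst: str      # public address configured on the UTM
    match_proto: str
    match_dport: int
    new_dst: str        # internal resource the traffic is sent on to


@dataclass(frozen=True)
class OneToOneNat:
    original_net: str    # e.g. "10.10.10.0/24"
    translated_net: str  # e.g. "172.20.10.0/24"; the masks must be identical


@dataclass(frozen=True)
class FirewallRule:
    src: str                 # CIDR
    dst: str                 # CIDR
    proto: Optional[str]     # None = any protocol
    dport: Optional[int]     # None = any port
    action: str              # "allow", "drop" or "reject"


def one_to_one_translate(addr: str, nat: OneToOneNat) -> str:
    """Map addr to the same host offset in the translated network; addresses
    outside the original network are returned unchanged."""
    orig = ip_network(nat.original_net)
    trans = ip_network(nat.translated_net)
    if orig.prefixlen != trans.prefixlen:
        raise ValueError("1:1 NAT requires identical network masks")
    a = ip_address(addr)
    if a not in orig:
        return addr
    offset = int(a) - int(orig.network_address)
    return str(trans.network_address + offset)


def apply_nat(pkt: Packet, dnat: List[DnatRule],
              one_to_one: List[OneToOneNat]) -> Packet:
    """Rewrite the destination before any firewall rule sees the packet."""
    for rule in dnat:
        if (pkt.dst, pkt.proto, pkt.dport) == (rule.match_dst, rule.match_proto,
                                                rule.match_dport):
            return replace(pkt, dst=rule.new_dst)
    for nat in one_to_one:
        translated = one_to_one_translate(pkt.dst, nat)
        if translated != pkt.dst:
            return replace(pkt, dst=translated)
    return pkt


def firewall_decision(pkt: Packet, rules: List[FirewallRule]) -> str:
    """First matching rule wins; no match means the packet is dropped."""
    for r in rules:
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and r.proto in (None, pkt.proto)
                and r.dport in (None, pkt.dport)):
            return r.action
    return "drop"


def process(pkt: Packet, dnat: List[DnatRule], one_to_one: List[OneToOneNat],
            fw_rules: List[FirewallRule]) -> Tuple[str, str]:
    """Return (destination after NAT, firewall verdict) for one packet."""
    translated = apply_nat(pkt, dnat, one_to_one)
    return translated.dst, firewall_decision(translated, fw_rules)
```

A firewall rule written against the public address 195.171.192.81 never matches, because by the time the rule table is consulted the destination is already 10.0.0.1.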

11
A robust firewall policy can minimize network vulnerability in many cases. Depending
on the target security level, packet filters, proxies and virus scanners may not offer
enough protection against attacks at the application level.

Packet filter firewalls check data packets at the network level; application level
attacks are not detected and protocols that utilize several ports are difficult to
handle.

Proxies (application level gateways) process traffic at the application level and can
filter out unwanted or defective header types and protocol anomalies; however they
are unable to detect attacks at higher levels, for example cross-site scripting attacks.

Through participation in the Microsoft Active Protections Program (MAPP), Sophos is
one of the few vendors who are able to block Microsoft specific attacks long before
official recognition, and also before Microsoft patches are available.

The database of attack patterns contains rules for:
Probing, Port Scans, Interrogations, Host Sweeps
Attacks on application weak-spots
Protocol exploits
MAPP (Microsoft Active Protections Program) Signatures

12
Sophos uses SNORT (www.sourcefire.com) for pattern-based attack detection. By
using SNORT in inline mode all packets have to pass through it; no packet is skipped,
even if the network load is high. Inline mode also allows the UTM to perform
detection and prevention at the same time.

An example of a well-known attack that can be blocked using intrusion prevention is
SQL slammer. SQL slammer uses small UDP packets on port 1434 to exploit SQL
servers and remains in RAM; it is never written to disk. This makes it hard for virus
scanners to detect and block, however it can be blocked by the IPS.

13
The UTM's IPS has a database of over 20,000 rules to detect attacks, sorted into
categories and sub-categories to simplify management.

Some of the rules in the database are more than 8 years old, and so to improve the
performance of the IPS system the rules can be filtered based on age. By default new
installations will filter out rules older than 12 months. Upgraded existing installations
will not be filtered. These settings can be changed.

Settings can be enabled and configured either at the category or subcategory level.
The action can either be to alert or drop the traffic when an attack is detected.
The rule age can only be configured at the category level to be either 6, 12, 24
months or no age limit.
Extra warnings can be enabled for attack patterns which are more likely to return a
false positive because of their general nature.
The Notify option sends an email to the admin email address if a rule is matched.

Further details about these rules can be found at http://www.astaro.com/lists/.

14
In addition to the attack patterns the UTM also provides protection against Denial of
Service (DoS) attacks and portscans.

The Denial of Service protection can be configured for TCP SYN, UDP and ICMP floods.
For each of these the mode can be configured to be either:
Source addresses, which will drop all packets from the specific source
Destination addresses, which will drop all packets to the specific destination
Source and destination addresses, which will first drop packets from the source
then additionally drop packets to the destination

You can also configure the packet rates for each flood type.

Portscans can either be logged, dropped or rejected.

15
The UTM has a system called Advanced Threat Protection (ATP) which monitors the
information from other processes to detect compromised computers on the internal
network, which are communicating with command and control servers. ATP uses a
pattern engine which analyses information from the DNS, application control, web
filtering and the intrusion prevention system on the UTM.

The ATP policy can be configured either to alert or to drop traffic on detection of a
threat, and if required, you can optionally create exceptions for hosts, networks and
specific threats.

16
On completion of this module, you can now:
Create firewall and NAT rules
Configure intrusion prevention and Advanced Threat Protection (ATP)

17
Please take a few minutes to answer the following knowledge check questions.

18
19
20
21
22
23
Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

24
Now that you have completed this module, you should complete labs 1 to 4, then
Module 305: Authentication.

25
Thank you for your time, please close this window to return to the Partner Portal.

26
Sophos Certified Engineer
ET305 UTM: Authentication

January 2015
Training version: 9.3.1
Product version: UTM 9.3

2015 Sophos Limited. All rights reserved. No part of this document may be used or
reproduced in any form or by any means without the prior written consent of Sophos.


----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 305:
Authentication.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 5 out of 15.

2
In this module we will look at the different options for authenticating users for the
services the UTM is running, such as the web proxy and VPN gateway.

3
Once you complete this module you will be able to:
Describe the authentication methods available on the UTM
Configure local users and groups
Enable directory services authentication
Configure single sign-on for web filtering
Enable one-time passwords

4
The UTM supports several authentication sources for its services including local users,
Active Directory, eDirectory, LDAP and RADIUS. In addition to these authentication
sources, the UTM supports the addition of one-time passwords.

5
The UTM has an internal directory for managing local users and groups. During
installation the SuperAdmins group is created and the default admin user is added to
it. The SuperAdmins group is used to grant full administrative access to the
WebAdmin.

It is important to note that to be able to use the User Portal the user must have a
local user in the internal directory; this can be automatically created on successful
authentication.

Note that email addresses must be unique for each user.

The UTM supports three types of group:
Static members groups are a manually maintained group of user objects. These
can be locally or remotely authenticated users
IPsec X509 DN mask groups are for IPsec users. Users who log in successfully to the
firewall via an IPsec connection are automatically assigned to the relevant group if
the user's Distinguished Name matches the DN Mask defined in the group
Backend membership groups are for remotely authenticated users. Group
membership can either be defined by a group on the backend authentication
server or by the method of authentication (e.g., Active Directory or eDirectory).
Note that backend authentication groups can only support one method of backend
authentication, for example Active Directory or eDirectory, but not Active
Directory and eDirectory at the same time. The backend group objects remove the
need to have accounts for each user on the UTM.

Note that groups cannot contain other groups.

6
Remote authentication can be processed using several directory services:
Active Directory: Microsoft, partly LDAP-based*
eDirectory: Novell, partly LDAP-based*
RADIUS: Remote Access Dial-In User Service
TACACS+: Terminal Access Controller Access-Control System Plus, Cisco
LDAP: Lightweight Directory Access Protocol

You can configure as many authentication servers as required using any mix of
directory service types. This allows you to build in redundancy by configuring backup
authentication servers.

Authentication requests are attempted against the authentication servers in the
order listed until the first server where the request is successful.

For each of the directory service types that has an authentication server configured, a
dynamic group definition is created for all users that authenticate using that method;
for example, Active Directory Users and eDirectory Users.

Configuration of Active Directory, eDirectory and LDAP is very similar; you need to
provide the credentials for a user account that has read access (this is the bind DN), as
anonymous queries are not normally supported. Note that an administrator account
is not necessary.

We will look at the notation used for defining the bind DN in the next couple of
slides, but where the backend server is Active Directory 2008 or later, you can use the
shortname for the bind DN; for example, readonly@sophos.internal.

You also need to specify a base DN, which determines the starting point for the user
search in the directory structure. eDirectory allows you to configure multiple base
DNs for searching.

Note: the UTM supports both LDAP and secure LDAP (SLDAP).

You can test the settings of the authentication server with user credentials, which will
return the groups the user is a member of, including dynamic UTM user groups.

Note: for Active Directory the sAMAccountName attribute serves as the basis for
authentication of individual users.

* LDAP (Lightweight Directory Access Protocol) is an information model and protocol
for querying and manipulating tree format, hierarchical directories. LDAP's general
data and name space model is essentially based on X.500.

7
When configuring LDAP and Active Directory authentication services on the UTM, you
need to provide the bind DN (Distinguished Name) which is the user to authenticate
as, and the base DN, which is the location in the directory to search.

The distinguished name is the unique path to an object in Active Directory or LDAP. As
Active Directory uses LDAP but only supports a subset of the object types, we will use
it for the examples here.

Let's start by looking at the base DN. This defines where in the directory to search for
a user that is trying to authenticate. There are two types of object used to define this:
Organizational Units, which are denoted by OU, are used for the location within
the directory
Domain Components, which are denoted by DC, are used for the root of the
directory and appended to the location

To create a base DN for support managers we start with the OU they are located in,
which in this example is Managers.
Then we append each parent OU. In this example there is a single parent OU, which is
Support.
Finally, we append the root of the directory. This is the domain name with each part
defined as a separate Domain Component (DC).
Each part of the distinguished name is separated by a comma.

It is important to note that in Active Directory the built-in Users object is addressed
using CN for Common-Name rather than OU. We will look at an example which uses
CN now, as we move on to look at the bind DN, the user to authenticate with.

8
User objects in Active Directory are addressed using their Common-Name, which is
denoted by CN. So if we want to use a support manager John Smith we would use
CN=JohnSmith,OU=Managers,OU=Support,DC=Sophos,DC=Internal.

Note that in this example the domain we are using is Sophos.Internal and so there are
only two domain components rather than the three we had for UK.Sophos.Internal in
the previous example.

To check the distinguished name of any object in Active Directory you can use the
tool ADSI Edit. Using this tool you can connect to Active Directory and browse the
structure with all of the object names. By viewing the properties of an object you can
see the distinguished name.

For more information about Active Directory object naming see TechNet article
cc977992:
http://technet.microsoft.com/en-us/library/cc977992.aspx

9
The UTM supports single sign-on (SSO) with Microsoft Active Directory and
eDirectory for use with web filtering profiles.

For Active Directory, the Sophos UTM requires a computer account which is achieved
by joining the domain. This only needs to be done once.

Note that when joining an Active Directory domain, the UTM hostname should be
configured to match a DNS A record in the internal Active Directory DNS domain. You
should still use the publicly resolvable hostname during the basic system setup
however, as this ensures that all of the VPN certificates will include public hostnames.

The configured Active Directory server is needed for creating the computer account
as well as on-going authentication requests.

The requirements for Active Directory SSO are:
An A record in DNS for the UTM in the Active Directory domain
Ensure UTM and domain controller time settings are within 300 seconds of each
other. Both should be using the same time source
Ensure that in Network Services > DNS there is a DNS request route for the local
domain pointing to a DNS server for the Active Directory domain

10
The UTM supports one-time passwords to add two-factor authentication and improve
the security of remote access, servers and the UTM itself.

A one-time password (OTP) is a password that is valid for only one login session or
transaction. OTPs avoid a number of shortcomings that are associated with
traditional passwords. The most important shortcoming that is addressed by OTPs is
that, in contrast to static passwords, they are not vulnerable to replay attacks. This
means that a potential intruder who manages to record an OTP that was already used
to log into a service or to conduct a transaction will not be able to abuse it, since it
will be no longer valid.

The implementation of one-time passwords on the UTM is a time-based one-time
password (TOTP), which is compatible with both hardware and software tokens, for
example Google Authenticator, which has applications for Android, iOS and
BlackBerry devices.

Once enabled, the UTM can be configured with the secrets of existing tokens, or the
UTM can generate a new secret for a user the next time they log in.

When a user logs in to the User Portal for the first time after one-time passwords
have been enabled they will see a QR code, which they can scan to configure a
software token on their phone. Alternatively, the user can click the Details link to see
the secret. When the user clicks Proceed with login, they will need to log in again with
their username, password and one-time password.

11
Within the OTP settings you can select which facilities one-time passwords are
enabled for, and enforce the use of one-time passwords for all users for these
facilities.

You can optionally choose to have tokens automatically created for users to reduce
the administrative load. This can only be used for software tokens.

In the Timestep Settings you can configure the default timestep to use with tokens,
and the maximum number of steps that the entered password can be offset from the
current password while still being accepted.

12
Multiple tokens can be configured per user; for example, a user might have a
hardware token as well as a software token on their mobile device. Each token is
based on a secret that must be at least a 128-bit hex string, which is 32
characters. You can either have a token generated automatically with a secret or
enter a secret manually, which you would do for hardware tokens.

When adding existing token secrets, these can either be created individually or
uploaded in a comma separated file. The format of the file is:
secret,timestep,comment
The timestep and comment are optional
The secret must be a 128-bit hexadecimal (32 character) string or longer
Once added, the token can be assigned to a user.

In the token configuration the timestep used can override the default global setting
we saw on the previous slide.

If users are using company owned hardware tokens there is no need for them to be
able to see the token information in the User Portal, which includes the secret. In this
case there is an option to hide the token information.

Tokens can be enabled to work with shell access, however it is not possible to
configure tokens for either the loginuser or root.

In addition to the regularly generated token codes created by either a hardware token
or software generator, 10 additional codes can be generated for a token which can
each be used once. These codes do not expire until they are used, and they can be
used in any order.

When using one-time passwords with the UTM, a user must combine their normal
password with the token code by appending it without spaces.
For example:
User password: Sophos
Token code: 123456
One-time password: Sophos123456

13
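As an added example that is not part of the course or of Sophos code, the following Python implements the TOTP scheme described across the one-time password slides above: the secret length rule (at least 128 bits, 32 hex characters), the timestep and the maximum number of steps a code may be offset, the comma separated token upload format, and the password-plus-code login form from the example just shown. It assumes HMAC-SHA1, 6-digit codes and a 30-second timestep (the Google Authenticator defaults); the function names and the sample secrets are mine, with the RFC 6238 reference key used so the codes can be checked against the RFC test vectors.

```python
"""Time-based one-time passwords (TOTP, RFC 6238) as used by the UTM OTP feature.

Added example, not Sophos code. It covers the pieces the slides describe: the
token secret as a hex string of at least 128 bits (32 characters), the global
timestep and the maximum number of steps a code may be offset from the current
one, the comma separated token upload format, and the login form that takes the
user's password with the token code appended. HMAC-SHA1, 6 digits and a
30-second timestep are the Google Authenticator defaults and are assumed here;
the hex secrets below are constructed sample values.
"""
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional, Tuple

MIN_SECRET_HEX_CHARS = 32   # 128 bits, the minimum the UTM accepts
DEFAULT_TIMESTEP = 30       # seconds; the global default in Timestep Settings


def parse_secret(secret_hex: str) -> bytes:
    """Validate a token secret as it would be typed in WebAdmin or uploaded."""
    secret_hex = secret_hex.strip()
    if len(secret_hex) < MIN_SECRET_HEX_CHARS:
        raise ValueError("secret must be at least 128 bits (32 hex characters)")
    return bytes.fromhex(secret_hex)   # raises ValueError for non-hex input


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_hex: str, unix_time: int, timestep: int = DEFAULT_TIMESTEP,
         digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current timestep number."""
    return hotp(parse_secret(secret_hex), int(unix_time) // timestep, digits)


def verify_otp(secret_hex: str, code: str, now: Optional[int] = None,
               timestep: int = DEFAULT_TIMESTEP, max_offset: int = 1) -> bool:
    """Accept a code for the current step or any step within +/- max_offset
    (the 'maximum number of steps' setting); each comparison is constant-time."""
    if not code.isdigit():
        return False
    now = int(time.time()) if now is None else int(now)
    current = now // timestep
    secret = parse_secret(secret_hex)
    return any(
        hmac.compare_digest(hotp(secret, step, len(code)), code)
        for step in range(current - max_offset, current + max_offset + 1)
    )


def split_login(combined: str, digits: int = 6) -> Tuple[str, str]:
    """The login form takes password + token code with no separator, e.g.
    'Sophos123456'; the trailing digits are the one-time code."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        raise ValueError("expected <password><token code>")
    return combined[:-digits], combined[-digits:]


def parse_token_file(text: str) -> List[Dict[str, object]]:
    """Parse the upload format 'secret,timestep,comment' (last two optional)."""
    tokens = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",", 2)]
        parse_secret(fields[0])   # reject short or non-hex secrets before import
        timestep = int(fields[1]) if len(fields) > 1 and fields[1] else DEFAULT_TIMESTEP
        comment = fields[2] if len(fields) > 2 else ""
        tokens.append({"secret": fields[0], "timestep": timestep, "comment": comment})
    return tokens


# Constructed sample data: the RFC 6238 reference key "12345678901234567890" as
# hex (160 bits) so the values can be checked against the RFC, plus a 128-bit
# secret in the upload format with the optional timestep left empty.
RFC_SECRET_HEX = "3132333435363738393031323334353637383930"
SAMPLE_TOKEN_FILE = (
    RFC_SECRET_HEX + ",30,jsmith hardware token\n"
    "00112233445566778899aabbccddeeff,,jsmith software token\n"
)

if __name__ == "__main__":
    print(totp(RFC_SECRET_HEX, 59))                       # 287082 per RFC 6238
    print(verify_otp(RFC_SECRET_HEX, "287082", now=89))   # one step late: accepted
    print(split_login("Sophos123456"))                    # ('Sophos', '123456')
    for tok in parse_token_file(SAMPLE_TOKEN_FILE):
        print(tok["comment"], totp(tok["secret"], 1111111109, tok["timestep"]))
```

The max_offset window is the practical trade-off behind the "maximum number of steps" setting: each extra step widens the clock skew tolerated between the UTM and the token, but also lengthens the period in which a code that was observed in transit is still accepted, so keep it small and keep the UTM's clock synchronized instead.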
On completion of this module, you can now:
Describe the authentication methods available on the UTM
Configure local users and groups
Enable directory services authentication
Configure single sign-on for web filtering
Enable one-time passwords

14
Please take a few minutes to answer the following knowledge check questions.

Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

19
Now that you have completed this module, you should complete Module 306: Web
Protection.

20
Thank you for your time, please close this window to return to the Partner Portal.

21
Sophos Certified Engineer
ET306 UTM: Web Protection

December 2014
Training version: 9.3.0
Product version: UTM 9.3

----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 306:
Web Protection.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 6 out of 15.

2
In this module we will cover the features and configuration of the web filter and
application control.

3
Once you complete this module you will be able to:
Describe the main features in the Web Protection module
Configure web filtering with multiple policies
Enable Application Control and create rules to block applications

4
The unrestricted usage of the Internet, Instant Messaging, and Peer-to-Peer Programs
not only reduces employee productivity, but can also lead to serious legal liability.
Furthermore, malware hidden within downloads needs to be filtered out to protect
users and PCs from infection and data loss.

The UTM protects your organization and your users and gives you visibility into how
they spend their time online.

Spyware and viruses in FTP, HTTP and encrypted HTTPS traffic are reliably recognized
and stopped before they can reach the network and cause damage. The URL filter
controls when and where your employees spend their time online, and with
Application Control you can restrict the use of Facebook, Skype, instant messaging,
Peer-to-Peer and other applications and prioritize business critical applications
like salesforce.com.

All of this information is collected and displayed in detailed reports, which show how
effective your security policies are and which areas need to be worked on.

5
The UTM Web Protection provides malware protection for HTTP, HTTPS and FTP
traffic using both the Sophos and Avira antivirus engines. This includes protection
against not only viruses in web and FTP downloads but also legitimate websites
which have been infected with malicious code, web-based email and other sources of
infection.

In addition to scanning for malicious code, access to known spyware URLs is
blocked, preventing infected systems from reporting back and sending information
out to the Internet.

Downloads can be restricted by file type based on either the file extension or the file's
MIME type. Using the MIME type prevents a file being renamed to circumvent file
extension restrictions. The file type detection is performed by the Sophos Anti-Virus
engine, which allows the UTM to inspect the type of files inside archives; this works
for archives up to 16 levels deep.

6
The URL filter allows you to control access to 18 categories made up of more than
100 sub-categories which can be used to build your own filtering categories for use in
web filtering policies.

By providing this granular control of web usage you can enforce compliance with
company Internet usage policies and improve productivity. These controls can often
be relaxed at lunch time and after work and so you can configure time-based policies
which will only be active during the defined time periods.

You can also locally override the category and reclassify websites which fall into a
category you have blocked access to. For example, if a customer is a media company
their website might be classified as Entertainment/Culture. If you need to allow
access to this website you can reclassify it locally on the UTM so that it no longer gets
blocked. If you only want to allow access to the site within a single web filtering
policy you can add it to a whitelist.

Web filtering profiles can be configured to use different authentication modes,
including prompting for credentials using a pop-up or within the browser, agent
authentication or single sign-on.

7
Web filtering on the Sophos UTM is built around profiles; these define which
networks can access the Internet through the web filter, what mode the filter will be
operating in (standard, transparent or full transparent), what authentication mode
will be used and what level of HTTPS scanning to use. In this course we will only be
looking at the base profile.

[Click]
Profiles have a Base Policy which cannot be deactivated, and can have multiple
additional policies which are defined in a prioritized list. We will look at policy
configuration shortly.

8
The HTTPS configuration is defined in the profile in its own tab. There are three
options:
URL filtering only, which will just filter access based on the URL that is being
accessed
Decrypt and scan, which will scan all HTTPS traffic
Decrypt and scan the following, which will selectively scan HTTPS traffic depending
on which categories or tags are selected

The selective decrypt and scan option can be used to improve the performance
of the UTM, while still decrypting targeted traffic including:
Malicious websites/downloads
Search engines, so as to be able to enforce safe search

9
Web filtering policies define who the policy will apply to, when it will be active and
what Filter Action will be applied.

[Click]
The Filter Action contains:
What action to take on the URL filtering categories. The actions that can be taken
are: allow, block, warn or quota. The warn action will present a screen to the user
where they can choose to proceed to the website. We will look at configuring
quotas over the next couple of slides
Website whitelist and blacklist
Download restrictions for file types, file extensions and file size
Antivirus scanning options
And website protection features such as enforcing safe search features in search
engines

In addition to this you can restrict which domains Google Apps work for. For example,
you could allow Google Apps for only your company domain. This would prevent
users accessing their personal Google Apps.

To summarize, the profile defines how a user authenticates, the policies define what
filter action will be applied to a user and the filter action itself is the configuration to
be applied.

10
In a lot of business environments, administrators do not want to entirely block access
to personal websites but do want to put controls in place to limit their usage. In
addition to the Allow, Block and Warn actions, you can also select to enforce a
Quota, which can be selected in the filter action for either whole categories or for
tags.

11
You can configure a daily time quota for using the categories and tagged websites
that have been configured. This quota is shared between all of the websites
configured with the Quota option.

12
You can locally override the category and reclassify websites which fall into a category
you have blocked access to using URLs, domains (optionally include subdomains), IP
addresses or ranges of IP addresses.

13
In addition to being able to reclassify a website, you can also apply tags to a website.
These tags can be used to manage how the sites are handled in the profile and filter
action configuration as we will see in a moment.

Important: tags are checked before recategorization, and so take precedence.

So let's take a look at where these tags can be used.

14
There are three areas of configuration where the tags can be used:
1. You can define an action for each tag on the Websites tab of the filter action
2. As we saw earlier in this module, if you are using selective HTTPS scanning you
can include websites with specific tags
3. Finally, you can also configure exceptions based on tags

15
The UTM includes a Policy Helpdesk, which contains two tools:
Policy Test
Quota Status

The Policy Test allows administrators to easily check how web filtering policies will
affect requests from specific IP addresses and users at a given time.

Note that the Policy Test does not actually download and scan the content from the
tested URL.

16
When a user tries to access a website that has a quota action applied, they will be
prompted to select how much of their daily quota they want to use. They can then
access any website which has a quota action for the duration they selected, before
being prompted again to choose how much of their quota to use, if they have any
remaining. If a user exhausts their quota they will no longer be able to access any of
the websites which have the quota action applied.

In the WebAdmin, the quota can be reset for a user in the Policy Helpdesk using the
Quota Status tool.

17
We will now take a look at the example of using Active Directory SSO with the web
filter in transparent mode, and over the next couple of slides we are going to look at
some information to help you configure it successfully.

Let's start by looking at the requirements.
You need to configure an authentication service for Active Directory and test that it
is working
The UTM must be joined to the domain
All of the clients must be able to resolve the UTM's internal IP address using its
hostname and its fully qualified domain name
All of the clients which will be authenticating against the UTM using Active
Directory SSO need to be joined to the domain

18
There are a number of limitations when using Active Directory SSO in transparent
mode, as it only authenticates standard HTTP requests. This means that it will not
authenticate:
HTTPS
Any URL with a parameter
AJAX requests
Or any non-browser application that is not using Mozilla in the agent string

For each of these types of request the UTM will use the last cached successful
authentication for the same user. This will prevent further authentication challenges
from the proxy as long as there is an initial successful standard HTTP request which
has been authenticated.

19
To configure the web proxy profile, select Transparent for the Operation mode,
then select Active Directory SSO as the Default Authentication.

On Windows, the single sign-on may fail if the UTM URL is treated as a public URL. To
prevent this, add both the hostname and FQDN of the UTM to the local intranet zone
in the browser. Chrome will use the same settings as Internet Explorer, but Firefox will
need to be configured independently.

As we have mentioned in the requirements, for Active Directory SSO to work the
clients must be able to resolve the hostname and FQDN of the UTM to the internal IP
address.

Mac OS X does not support NTLM authentication, so Kerberos authentication must be
enabled on the AD server. The proxy hostname used must match the UTM's Kerberos
keytab entries, which are case sensitive.

Note: you cannot specify which authentication method to use, only set up and allow
both Kerberos and NTLM; the client will decide which to use.

For more information see Knowledgebase article 120791:
http://www.sophos.com/en-us/support/knowledgebase/120791.aspx

20
Application Control delivers another level of network protection and productivity
controls. Regardless of the reputation and categorization of websites in the web filter,
Application Control detects and controls applications by either allowing, blocking or
prioritizing them with traffic shaping rules.

Application Control is able to recognize around 1000 relevant applications by
performing deep packet inspection for true application identification. It provides
detailed real-time reporting and forensic history and allows you to see everything as
it happens using the Flow Monitor.

For example, if social networks are allowed by the URL filter but you do not want to
allow Facebook apps such as Farmville, you can block the Farmville application while
still allowing Facebook.

21
You can establish a detailed set of rules to specify which recognized applications can
be used in the network and which are blocked.

By default traffic is allowed but not logged. To enable logging for an application you
need to create a rule for it which is configured to allow and log the traffic.

Note that for data to be classified Network Visibility must be enabled.

Rules can be defined in two ways:
For one or more applications
Based on dynamic filters and defined categories

Similarly to firewall rules, application control rules have a sequence which is
processed in descending order. The first rule that is matched is used while all of the
other rules are ignored. With this in mind, order is important and the most restrictive
rules should be at the top of the list.

This example shows how to create a rule based on a dynamic filter and how to
manage application categories.

[Click]
1. Sophos categorizes applications by productivity and risk
[Click]
2. When you choose one or more categories, productivity and risk, WebAdmin
creates a list of suitable applications that are selected by the filter
[Click]
3. The blue info button opens an information field showing details about the
recognized application

22
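A small simulation of the first-match rule processing described above, as an added example that is not Sophos code. The App and Rule classes, the 1 to 5 productivity and risk scales, the application catalogue and the rule names are all constructed for this example; it shows how a broad allow rule placed above a specific block rule shadows it (the Farmville case from the previous slide), and how putting the most restrictive rules first fixes it:

```python
"""First-match evaluation of Application Control rules, as an added example.

Not Sophos code. It models the behaviour the slides describe: rules are
processed in order and the first match wins, a rule matches either a list of
named applications or a dynamic filter (category, productivity, risk), and
traffic matched by no rule is allowed without logging. find_shadowed() lists
rules that never fire for any application in the catalogue, which is what
happens when a broad allow rule sits above a more specific block rule. The
catalogue, the 1-5 productivity/risk scales and the rule names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class App:
    name: str
    category: str
    productivity: int   # 1 = unproductive .. 5 = productive (constructed scale)
    risk: int           # 1 = low .. 5 = high (constructed scale)


@dataclass
class Rule:
    name: str
    action: str                                        # "allow" or "block"
    log: bool = False
    apps: Set[str] = field(default_factory=set)        # explicit application rule
    categories: Set[str] = field(default_factory=set)  # dynamic filter: category
    max_productivity: Optional[int] = None             # dynamic filter: at most
    min_risk: Optional[int] = None                     # dynamic filter: at least

    def matches(self, app: App) -> bool:
        if self.apps:                                  # application rule
            return app.name in self.apps
        criteria = [
            (bool(self.categories), app.category in self.categories),
            (self.max_productivity is not None, app.productivity <= (self.max_productivity or 0)),
            (self.min_risk is not None, app.risk >= (self.min_risk or 0)),
        ]
        active = [ok for used, ok in criteria if used]
        return bool(active) and all(active)           # every set criterion must hold


Verdict = Tuple[str, bool, Optional[str]]   # (action, logged, rule name or None)
DEFAULT_VERDICT: Verdict = ("allow", False, None)


def evaluate(rules: List[Rule], app: App) -> Verdict:
    """Walk the list top-down; the first matching rule decides."""
    for rule in rules:
        if rule.matches(app):
            return rule.action, rule.log, rule.name
    return DEFAULT_VERDICT


def find_shadowed(rules: List[Rule], catalogue: List[App]) -> List[str]:
    """Names of rules that never decide the verdict for any known application."""
    fired = {evaluate(rules, app)[2] for app in catalogue}
    return [r.name for r in rules if r.name not in fired]


SAMPLE_APPS = [
    App("Facebook", "Social Networking", 2, 3),
    App("Farmville", "Social Networking", 1, 3),
    App("Skype", "Instant Messaging", 3, 3),
    App("BitTorrent", "Peer-to-Peer", 1, 5),
    App("Salesforce", "Business", 5, 1),
]
APP_BY_NAME = {a.name: a for a in SAMPLE_APPS}

# Broad allow above the specific block: the Farmville rule can never match.
WRONG_ORDER = [
    Rule("allow-social", "allow", log=True, categories={"Social Networking"}),
    Rule("block-farmville", "block", apps={"Farmville"}),
]
# Most restrictive rules first, as the slide recommends.
RIGHT_ORDER = [
    Rule("block-farmville", "block", apps={"Farmville"}),
    Rule("block-high-risk", "block", min_risk=5),
    Rule("allow-social", "allow", log=True, categories={"Social Networking"}),
]

if __name__ == "__main__":
    for order in (WRONG_ORDER, RIGHT_ORDER):
        print("shadowed:", find_shadowed(order, SAMPLE_APPS))
        print({a.name: evaluate(order, a) for a in SAMPLE_APPS})
```

find_shadowed() is the check worth running after every reorder of a long rule list: a block rule that appears in its output is one the UTM would never reach, and the allow rule above it is the reason.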
We will now take a look at the Flow Monitor.

The Flow Monitor can be launched either from the Application Control menu, or by
clicking on the In or Out bandwidth monitors on the dashboard. This opens in a new
window.

The Flow Monitor has two views; a table that shows the current network traffic and a
chart that shows data from the last 10 minutes. In the chart view you can hover your
mouse over the data to display the bandwidth used by an application at specific
times.

The table view shows the applications recognized in the last 5 seconds and you can
pause the display while you review the information and create a rule.

[Click]
1. Use the Actions column to create a blocking rule or to define bandwidth for
recognized applications directly from the table view
[Click]
2. Some protocols that are important to the running of Sophos UTM, such as access
to WebAdmin and the Endpoint broker service, cannot be blocked. Those entries are
greyed out in the Actions column
[Click]
3. To see more detailed information you can click on the field in the Application
column

23
On completion of this module, you can now:
Describe the main features in the Web Protection module
Configure web filtering with multiple policies
Enable Application Control and create rules to block applications

24
Please take a few minutes to answer the following knowledge check questions.

Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

29
Now that you have completed this module, you should complete Module 307: Email
Protection.

30
Thank you for your time, please close this window to return to the Partner Portal.

31
Sophos Certified Engineer
ET307 UTM: Email Protection

January 2015
Training version: 9.3.2
Product version: UTM 9.3

----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 307:
Email Protection.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 7 out of 15.

2
This module will cover the basic configuration of the SMTP proxy, encryption using
Sophos secure PDF exchange, and management of the quarantine and mail logs.

3
Once you complete this module you will be able to:
Describe the main capabilities of the Email Protection module
Configure SMTP email filtering
Enable Data Protection rules
Enable SPX encryption
Manage the quarantine and mail logs

4
The UTM ensures that email threats, including spam, viruses and the loss of sensitive
data, do not affect your daily business.

Two independent anti-virus engines operate in parallel to scan and block threats in
content before it has a chance to enter the network. The UTM stops spam, phishing
and other unwanted email before it gets delivered and clutters up mailboxes, using a
combination of different recognition mechanisms to offer high detection rates and
low false positives.

Using email encryption, sensitive information can be automatically encrypted and
protected, and with Sophos SPX secure PDF exchange email encryption is easier to
configure and use.

The UTM provides the ability to scan content for sensitive data using rules created
and managed by SophosLabs, or custom rules created yourself. This can be paired
with SPX encryption to secure sensitive data as it leaves the company.

The UTM also provides tools to assist the administrator in managing the quarantine
and reviewing mail logs. To help reduce the administrative workload, the UTM
includes quarantine management for end users through the User Portal and
Quarantine Report emails.

5
Using Email Protection you can scan both SMTP and POP3 email traffic with either
Sophos, Avira or both anti-virus engines, to protect your users from malware.

The UTM also provides controls for attachments, allowing you to restrict which file
types are sent and received by file extension and MIME type.

Live anti-virus lookups further improve the malware detection rates by consulting the
latest information from SophosLabs for possible threat matches using Sophos cloud
infrastructure.

Just like we saw for Web Protection earlier, Email Protection also uses the Sophos
Anti-Virus engine to identify, by MIME type, files that you want to warn about or block,
allowing it to check the types of files within archives and perform blocking actions
based on the results.

6
The UTM utilizes multiple checks to identify spam as outlined in this table. Note that
POP3 is not capable of supporting the same range of spam checks because the email
has already been received on a POP3 server, usually at an ISP.

The range of spam checks include the use of:
Heuristic spam filtering
Real-time blacklists to check whether the email is coming from a known spam
server
Greylisting to temporarily reject new senders, as most mass mailing tools do not
re-queue the email to be resent
BATV (Bounce Address Tag Verification) to validate that bounced messages were
sent from your network
SPF (Sender Policy Framework) records are checked where available to ensure
emails for a domain are sent from an authorized server

In addition to these anti-spam checks, the subject and body of emails can be checked
for custom expressions.

The UTM can handle the encryption and decryption of emails, which then allows it to
still perform the virus and content checks.

The UTM supports three methods of encryption:
OpenPGP
S/MIME
Sophos SPX secure PDF exchange

Encryption configuration is simple, and because it is managed centrally there is no
key or certificate distribution required.

The SMTP proxy can forward both inbound and outbound mails, and can be
configured in two modes:
Simple mode where all email domains use the same settings
Profile mode where you can configure separate profiles for each domain or group
of domains

This course will cover the simple mode of configuration.

The SMTP routing configuration defines which domains the UTM will accept and
process email for and where to send them once they have been checked. All domains
are treated the same, so if you select to use a static host list or DNS hostname email
for all of the domains will be sent to the same internal mail server.

There is a third option for routing emails and that is to use mail exchanger (MX)
records. These can resolve to different mail servers but must be used with care, as
there will already be Internet facing MX records for these domains which routed the
email to the UTM in the first place.

The email recipients can be validated either using callout to the email server or Active
Directory. When callout is selected, the UTM will contact the downstream SMTP
server to find out if it will accept an email for the recipient.

Relaying is required for the UTM to be able to process outbound emails. You need to
specify which servers on your internal network are allowed to use the UTM to send
email out to the Internet. Be careful not to open the UTM up as a relay to the whole
Internet, as this will likely result in your server being used for sending spam, and your
public IP addresses being added to a real-time blacklist.

In addition to specific hosts, you can also allow selected users to authenticate with
the UTM to be able to relay email out to the Internet. This will only work if the
network being connected from is also configured in the host-based relay.

If your UTM receives email from an upstream email server, maybe an ISP, you must
declare it in the relaying configuration. This is so that it can be ignored when tracing
the source of emails being received and improve the effectiveness of spam detection.

By default the UTM will scan outbound email, however this option can be disabled.
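To make the relay and upstream rules concrete, here is an added Python model (not Sophos UTM code) of the two decisions a gateway makes: whether a connecting host may relay, and which IP address to treat as the message source for spam checks when mail arrives through a declared upstream relay. The address ranges, the `Received:` line, and the split between host-based relay networks and networks where authenticated relay is permitted are constructed assumptions.

```python
import ipaddress
import re

# Received: headers name the connecting host in square brackets; pull the IPv4 literal out.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


class RelayPolicy:
    """Relay and upstream-host configuration of an SMTP gateway (constructed model)."""

    def __init__(self, local_domains, relay_hosts, auth_networks, upstream_hosts):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_hosts = [ipaddress.ip_network(n) for n in relay_hosts]
        self.auth_networks = [ipaddress.ip_network(n) for n in auth_networks]
        self.upstream_hosts = [ipaddress.ip_network(n) for n in upstream_hosts]

    @staticmethod
    def _in(networks, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def rcpt_decision(self, client_ip, rcpt_domain, authenticated=False):
        """Reply to RCPT TO. Inbound mail for our own domains is always accepted;
        outbound relay only for listed internal hosts, or for authenticated users
        connecting from a network where authenticated relay is permitted. Everything
        else is refused, which is what keeps the gateway from being an open relay."""
        if rcpt_domain.lower() in self.local_domains:
            return "250 OK"
        if self._in(self.relay_hosts, client_ip):
            return "250 OK"
        if authenticated and self._in(self.auth_networks, client_ip):
            return "250 OK"
        return "554 5.7.1 Relay access denied"

    def source_for_spam_checks(self, client_ip, received_headers):
        """IP address to use for RBL and reverse DNS checks. A declared upstream relay
        (e.g. the ISP) is skipped and its Received: headers are walked newest-first
        until a host that is not a declared upstream relay is found."""
        if not self._in(self.upstream_hosts, client_ip):
            return client_ip
        for header in received_headers:
            match = RECEIVED_IP.search(header)
            if match and not self._in(self.upstream_hosts, match.group(1)):
                return match.group(1)
        return None  # chain ends inside trusted relays: nothing reliable to look up


# Constructed configuration and message, using documentation address ranges.
POLICY = RelayPolicy(
    local_domains=["example.com"],
    relay_hosts=["192.0.2.0/24"],          # internal mail server network
    auth_networks=["198.51.100.0/24"],     # where authenticated relay is allowed
    upstream_hosts=["203.0.113.10"],       # the ISP relay in front of the UTM
)

SAMPLE_RECEIVED = [
    "from mail.sender.example ([203.0.113.77]) by mx.isp.example with ESMTP; ...",
]


def demo():
    """Run the policy over the constructed cases and return the decisions."""
    return {
        "inbound": POLICY.rcpt_decision("203.0.113.10", "example.com"),
        "internal_relay": POLICY.rcpt_decision("192.0.2.25", "other.example"),
        "internet_relay": POLICY.rcpt_decision("203.0.113.77", "other.example"),
        "source": POLICY.source_for_spam_checks("203.0.113.10", SAMPLE_RECEIVED),
    }
```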

In the antivirus configuration you can select whether to enable single engine scanning
for performance, or dual engine scanning for increased protection, and what action
to take for email containing viruses, either quarantine them or blackhole them.

The UTM can optionally reject emails which contain malware while it is receiving the
email, however this can only be done by the first anti-virus engine. If you are using
dual engine scanning, the email is received onto the UTM before the second anti-
virus engine scans it. In this case the email will be quarantined.

If the anti-virus engines are unable to scan content because it is either malformed or
encrypted, you can select to quarantine it as it cannot be guaranteed to be clean.

By default, the UTM will block attachments with common executable file extensions.
The list of blocked file extensions can easily be managed by adding and removing
extensions.

In addition to the file extensions, the UTM can filter attachments based on their
MIME type. This is a more reliable way of checking what file format an attachment is
than using the file extension. Attachment MIME types can either be quarantined or
whitelisted. The UTM provides tick boxes to configure commonly quarantined MIME
types for audio, video and executable files.

The UTM can add a footnote to emails that have been checked; this can be edited
and be used to append a company email footer.

The UTM can optionally reject spam emails during the receipt of the message once it
has enough information to classify it. This can be done with either spam or confirmed
spam. The definitions are:
Spam: emails which are most likely to be spam
Confirmed spam: emails which are almost certainly spam

In the spam filter section you can configure what action to take on emails which are
categorized as spam or confirmed spam. The options are:
Off: deliver the email
Warn: add a spam marker to the subject line; this marker can be customized
Quarantine
Blackhole: delete

When real-time blackhole lists are enabled, external IP reputation databases are used
to determine if the sending server is a known spammer. The default RBLs used are:
Commtouch IP Reputation (ctipd.org)
cbl.abuseat.org
You can also configure additional RBLs to use.

The anti-spam configuration contains a global sender blacklist which supports
wildcards.

The expression filter can be used to scan the subject and body of emails for specific
content using regular expressions (Perl Compatible Regular Expressions, PCRE) or
simple case-insensitive strings. Emails that match the expression filter are
quarantined.

Advanced anti-spam options can also be enabled, including reverse DNS checks,
greylisting, BATV and SPF.

Heuristic spam filter
Patented process RPD (Recurrent Pattern Detection™)
Generates a hash for each message
This hash is sent via HTTP to the provider's external server
Ranked based on the provider's response
Feedback from Commtouch server:
No spam
Spam
Confirmed spam

Greylisting
Greylisting is carried out early on in SMTP communication
A message is temporarily rejected for a period of at least 5 minutes before being
accepted at the next delivery attempt
For each rejected email, an entry is created in the Sophos UTM database
Many tools used by spam senders to dispatch emails en masse do not support
repeat sending of emails
NOTE: Activating greylisting will increase the load on your email servers
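The greylisting behaviour described above, as an added Python example (not UTM code): a triplet of client IP, envelope sender and recipient is temporarily rejected until the sender retries after the 5 minute delay, while a mass mailer that never re-queues simply never gets through. Keying on that triplet, the 451 reply text and the sample senders are assumptions.

```python
from dataclasses import dataclass, field

GREYLIST_DELAY = 5 * 60        # at least 5 minutes of temporary rejection, as in the notes
TEMP_REJECT = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    """Minimal greylist database keyed on (client IP, envelope sender, recipient)."""
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    known: dict = field(default_factory=dict)     # triplet -> time last accepted

    def check(self, client_ip, sender, rcpt, now):
        """Decision at RCPT TO time, before any message content is transferred."""
        key = (client_ip, sender.lower(), rcpt.lower())
        if key in self.known:
            self.known[key] = now
            return ACCEPT
        first_seen = self.pending.get(key)
        if first_seen is None:
            # Never seen: record the triplet and ask the sender to come back later.
            self.pending[key] = now
            return TEMP_REJECT
        if now - first_seen < GREYLIST_DELAY:
            # Retried too soon; a standards-compliant MTA waits and tries again.
            return TEMP_REJECT
        # Retried after the delay: the sender behaves like a real MTA, so accept it.
        del self.pending[key]
        self.known[key] = now
        return ACCEPT


def simulate():
    """Two constructed senders: a real MTA that retries after a few minutes, and a
    bulk mailer that fires once and never re-queues. Returns each decision."""
    g = Greylist()
    real = ("192.0.2.10", "alice@partner.example", "bob@example.com")
    bulk = ("203.0.113.99", "promo@bulk.example", "bob@example.com")
    return {
        "real_first": g.check(*real, now=0),
        "bulk_first": g.check(*bulk, now=0),          # the bulk mailer never returns
        "real_retry_too_soon": g.check(*real, now=60),
        "real_retry": g.check(*real, now=6 * 60),
        "real_next_mail": g.check(*real, now=60 * 60),  # known triplet, no delay
    }
```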

BATV
BATV cryptographically signs the envelope for an email, which serves as proof that
the email really came from the original sender
BATV reliably stops the receipt of virus warning messages and rejects any spam
with a blank sender address
BATV eliminates fake "bounce/NDR" messages sent by external (third-party)
servers
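An added Python example of how a BATV envelope signature lets a gateway tell real bounces from fake ones (illustrative, not the UTM's implementation): the outbound MAIL FROM is rewritten with a signed tag, and an inbound message with a blank sender is accepted only when it is addressed to a tag we issued. The tag follows the shape of the `prvs` scheme from the BATV draft; HMAC-SHA1, the 7 day validity window and the reply texts are assumptions.

```python
import hashlib
import hmac
import re

# Tagged local part: prvs=<key id><expiry day mod 1000><6 hex MAC>=<original local part>
PRVS = re.compile(r"^prvs=(\d)(\d{3})([0-9a-fA-F]{6})=(.+)$")
VALID_DAYS = 7


def _mac(key, key_id, ddd, original):
    data = f"{key_id}{ddd}{original}".encode()
    return hmac.new(key, data, hashlib.sha1).hexdigest()[:6]


def batv_sign(original, key, today, key_id=0):
    """Rewrite the envelope sender (MAIL FROM) of an outbound message with a signed tag.
    `today` is a day number (e.g. days since the epoch); expiry is stored modulo 1000."""
    local, domain = original.rsplit("@", 1)
    ddd = f"{(today + VALID_DAYS) % 1000:03d}"
    return f"prvs={key_id}{ddd}{_mac(key, key_id, ddd, original)}={local}@{domain}"


def batv_verify(tagged, keys, today):
    """Return the original address if the tag is valid and unexpired, else None."""
    local, domain = tagged.rsplit("@", 1)
    m = PRVS.match(local)
    if not m:
        return None
    key_id, ddd, mac, core = m.groups()
    key = keys.get(int(key_id))
    if key is None:
        return None
    original = f"{core}@{domain}"
    if not hmac.compare_digest(mac.lower(), _mac(key, int(key_id), ddd, original)):
        return None
    remaining = (int(ddd) - today) % 1000     # days until expiry, wrapping at 1000
    if remaining > VALID_DAYS:
        return None  # expired tag (or one replayed from long ago)
    return original


def bounce_decision(mail_from, rcpt_to, keys, today):
    """Inbound policy: a blank sender marks a bounce/NDR. It is accepted only if it is
    addressed to a tag we issued; fake bounces to plain addresses are refused."""
    if mail_from != "":
        return "250 OK", rcpt_to               # not a bounce, BATV does not apply
    original = batv_verify(rcpt_to, keys, today)
    if original is None:
        return "550 5.7.1 Bounce to an address we never sent from", None
    return "250 OK", original                  # deliver to the original mailbox
```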

SPF: Sender Policy Framework (http://www.openspf.org)
SPF tackles faked sender addresses by checking the IP addresses defined for delivery
for an email domain. Domain owners use DNS entries to flag their sender email
server and receiving SMTP gateways check the sender address in SMTP
communication based on the SPF entry in the DNS record, and can differentiate
between authentic and fake messages before any actual message content is
transmitted.

Exceptions can be created to exclude emails from any of the checks based on the
source host, sender or recipient. If the email is to multiple recipients the exception
will be matched if any one of the recipients matches, resulting in the configured
checks being skipped for all recipients.

The UTM can scan emails and attachments for confidential, personally identifiable,
financial and health information and take action to protect that data. To do this,
Sophos provides over 200 Content Control Lists (CCLs), created and managed by
SophosLabs, for detecting a wide range of different sensitive data including bank
details, phone numbers, addresses, social security numbers and more.

The CCLs are categorized by type and region so that you can easily select the ones
that are relevant to your business.

In addition to the CCLs provided by Sophos you can also create your own rules using
regular expressions.
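An added Python example, not UTM code, of the two content checks described here: an expression filter that applies regular expression rules and simple case-insensitive strings over the subject and body, plus a custom data protection rule for payment card numbers that adds a Luhn check so that order and phone numbers do not trigger it. Python's `re` stands in for PCRE; the rules and sample text are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class ExpressionRule:
    name: str
    pattern: str
    regex: bool = True     # True: regular expression; False: simple case-insensitive string


def luhn_valid(digits):
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_SHAPE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def card_numbers(text):
    """Custom data protection rule: card-shaped digit runs that also pass Luhn."""
    found = []
    for m in CARD_SHAPE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_message(subject, body, rules):
    """Apply the expression rules and the custom card rule to subject and body.
    Returns the names of the rules that matched; any match means quarantine."""
    text = f"{subject}\n{body}"
    hits = []
    for rule in rules:
        if rule.regex:
            matched = re.search(rule.pattern, text, re.MULTILINE) is not None
        else:
            matched = rule.pattern.lower() in text.lower()
        if matched:
            hits.append(rule.name)
    if card_numbers(text):
        hits.append("data protection: payment card number")
    return hits


# Constructed rule set.
RULES = [
    ExpressionRule("confidential marking", r"(?i)\b(company|strictly)\s+confidential\b"),
    ExpressionRule("lottery scam", "you have won", regex=False),
]
```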

Secure PDF Exchange (SPX) encryption provides an easy way to send encrypted emails
without the need to exchange keys or certificates with the recipient. The original
email is converted to a PDF with any attachments and then encrypted using either
128-bit or 256-bit AES.

Inside the encrypted PDF a button is provided so the recipient can reply securely. The
button opens the Secure Reply Portal on the sender's UTM where they can reply to
the original message, including with attachments.

There are three ways for the encryption password to be created:
1. The sender can define the encryption password in the subject line using an
encryption tag
2. The UTM can generate the password and email it to the sender. This password
can be generated for each email, or stored and reused for a recipient
3. The recipient can create their own password using a self-registration portal

Let's take a look at how this would work.

1. User A sends an email with sensitive data that will trigger SPX encryption. This
could be detected using data protection on the UTM or User A may have selected to
encrypt the email using the Outlook plugin

2. The UTM receives the email and converts it to a PDF, encrypts it and attaches it to
a template email which explains to User B how SPX works

3. The UTM sends the email to User B. User B cannot read the email yet as they do
not have the password for the encrypted PDF

4. User A needs to give this password to the recipient via a separate channel. This
could be over the phone, via SMS, IM or a separate email

Now let's look at how this would work with the self-registration portal.

1. User A sends an email with sensitive data that will trigger SPX encryption. This
could be detected using data protection on the UTM or User A may have selected to
encrypt the email using the Outlook plugin

2. The UTM receives the email and checks to see if the recipient, User B, has a
password for encrypting the email. If there is no password for the recipient the UTM
sends them an email with a link to the self-registration portal and asks them to set a
password

3. User B receives the email and follows the link to the self-registration portal

4. User B creates an encryption password

5. The UTM encrypts the original email using the password set by User B and sends it
to them

6. User B receives the email and can decrypt it using the password they set

With the self-registration portal, recipients of an SPX encrypted email are now
offered the option to register themselves through an online portal where they will be
able to create, reset and recover passwords to access their encrypted emails. This
eliminates the need to manually communicate passwords to recipients of encrypted
email.

The UTM will encrypt email using SPX in three circumstances:
1. When a user selects encryption using the Sophos Outlook plugin. This plugin adds
an additional x-header to the email being sent, which the UTM looks for. The plugin
can be downloaded as an MSI from the WebAdmin
2. When a user specifies an encryption password using the subject line tag
3. When Data Protection detects confidential data, and the Data Protection policy is
configured to enforce SPX encryption

Within the encrypted PDF the recipient can access any files that were attached to the
original email before it was encrypted and use the Reply button to send a reply using
the secure reply portal.

This opens a browser to the portal on the UTM.

SPX is easy to configure and once set up requires little or no action from an
administrator. In the configuration the administrator can set the password length and
optionally require special characters.

If the secure reply portal is going to be used, access settings such as the port, listen
address and allowed networks can be configured. Because the original email needs to
be stored on the UTM for the secure reply portal you can configure how long it
remains available. The longer this is set for the more disk space SPX will require.

The SPX template configuration allows you to customize the encrypted PDF that is
created, the notification of the password that is sent to the sender, and the SPX
instructions which are sent to the recipient. The template is also where you configure
how you want the password to be set (via the subject line of the email, by the UTM,
or by the recipient) and enable the secure reply portal.

Note that the active SPX template is selected in the global SMTP settings.

If OpenPGP or S/MIME have been configured on the UTM, there may be times when
an email triggers both the OpenPGP or S/MIME and SPX encryption. Rather than
encrypt the email twice, you can choose to prefer to use SPX encryption. In this case,
whenever SPX encryption is triggered by data protection or the Outlook plugin, the
email will only be encrypted with SPX and not OpenPGP or S/MIME. If SPX encryption
is not triggered, the email will be encrypted by OpenPGP or S/MIME as normal.
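The three SPX triggers listed earlier and the prefer-SPX rule just described, as an added Python example rather than UTM code, together with a password generator that honours the length and special-character settings. The x-header name `X-Example-SPX-Encrypt`, the `[spx:<password>]` subject tag syntax and the special-character set are placeholders, since the notes do not give the real ones.

```python
import re
import secrets
import string
from email import message_from_string, policy

# The Outlook plugin marks messages with an x-header; the notes do not name it,
# so this is a placeholder header name (assumption), not the real one.
PLUGIN_HEADER = "X-Example-SPX-Encrypt"
# Subject-line encryption tag. The real syntax is not given in the notes; the
# assumed form here is "[spx:<password>]" anywhere in the subject.
SUBJECT_TAG = re.compile(r"\s*\[spx:([^\]]+)\]\s*", re.IGNORECASE)
SPECIALS = "!#$%&*+-=?@_"   # assumed special-character set


def parse_message(raw):
    """Parse an RFC 5322 message from text (helper for the sample and tests)."""
    return message_from_string(raw, policy=policy.default)


def spx_trigger(msg, data_protection_hit):
    """The three SPX triggers from the notes, in the order a gateway would check them.
    Returns (triggered, password_or_None, subject_to_deliver)."""
    subject = str(msg.get("Subject", ""))
    m = SUBJECT_TAG.search(subject)
    if m:
        # Sender chose the password in the subject; the tag must not reach the recipient.
        return True, m.group(1), SUBJECT_TAG.sub(" ", subject).strip()
    if str(msg.get(PLUGIN_HEADER, "")).strip().lower() == "yes":
        return True, None, subject          # Outlook plugin asked for encryption
    if data_protection_hit:
        return True, None, subject          # Data Protection policy enforces SPX
    return False, None, subject


def choose_encryption(spx_triggered, pgp_or_smime_applies, prefer_spx):
    """Which encryption is applied when OpenPGP/S/MIME and SPX could both apply."""
    if not spx_triggered:
        return ["OpenPGP/S/MIME"] if pgp_or_smime_applies else []
    if prefer_spx or not pgp_or_smime_applies:
        return ["SPX"]
    return ["OpenPGP/S/MIME", "SPX"]        # no preference set: encrypted twice


def generate_password(length=12, require_special=True):
    """UTM-generated password for a recipient, honouring the length and
    special-character options from the SPX settings."""
    pool = string.ascii_letters + string.digits + (SPECIALS if require_special else "")
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if not require_special or any(c in SPECIALS for c in pw):
            return pw


# Constructed sample message carrying a subject-line tag.
SAMPLE = parse_message(
    "From: alice@example.com\r\nTo: bob@partner.example\r\n"
    "Subject: [spx:Tr0ub4dor&3] Quarterly figures\r\n\r\nBody text.\r\n"
)
```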

Mail Manager is an administrative tool for managing all emails stored on the Sophos
UTM. The Mail Manager menu displays an overview of mail statistics of emails stored
on the UTM and processed in the last 24 hours. From here the Mail Manager can be
launched in a new window.

SMTP and POP3 have separate quarantines which can be viewed, filtered and
searched.

Filters:
Quarantine type: malware, spam, term/expression, file extension, MIME type,
unscannable, other error
Filter options: profile/domain, sender/recipient, date received
Sort by: date received, sender address, email size

Note: please be aware that only the administrator can release any emails located in
quarantine. Users can only release filtered emails in the user portal or through the
quarantine report.

Mail Manager can also be used to search and filter the SMTP log which can help with
troubleshooting.

Quarantine Reports can be configured to be sent to users who have had new items
quarantined, allowing them to release items and add senders to their personal
whitelist. These can be sent once or twice a day at set times you can configure.

Spam sent to email aliases of a user will be listed in an individual Quarantine Report
for each email alias, which will be sent to the user's primary email address.

To prevent a single recipient of a mailing list email releasing it from the quarantine to
all recipients you can define mailing list patterns. When these are matched the user
who is releasing the email must enter their email address so that it can be released
only to them. If a mailing list pattern is not matched then it will be released to all
recipients.

Within the advanced settings you can override the hostname and change the default
port used for the release links in the Quarantine Report emails. You can also
configure which networks users are able to release emails from. While it is possible to
make this accessible from the Internet, it is not recommended.

By default users are not able to release all quarantined items, for example emails
containing malware. You can configure which quarantine reasons users will be able to
release emails for. These options are:
Malware
Spam
Expression
File extension
Unscannable
MIME-Type
Other

Note: the Quarantine Report will be created in the language which is used within the
WebAdmin.

The User Portal provides users with another option for managing their quarantined
items and personal sender whitelist and blacklist. Filtered emails are displayed for all
configured email addresses including aliases.

The User Portal provides the same interface as Mail Manager for filtering, searching,
previewing and releasing emails. Users also have access to see the mail log
information for their emails enabling them to see which emails have been sent,
received and blocked.

Using their personal sender whitelist and blacklist users can filter messages using:
A full email address. E.g., johnsmith@sophos.com
A whole domain using a wildcard. E.g., *@sophos.com

On completion of this module, you can now:
Describe the main capabilities of the Email Protection module
Configure SMTP email filtering
Enable Data Protection rules
Enable SPX encryption
Manage the quarantine and mail logs

Please take a few minutes to answer the following knowledge check questions.

Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Now that you have completed this module, you should complete Module 308:
Endpoint Protection.

Thank you for your time, please close this window to return to the Partner Portal.

Sophos Certified Engineer
ET308 UTM: Endpoint Protection

December 2014
Training version: 9.3.0
Product version: UTM 9.3


----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 308:
Endpoint Protection.

This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 8 out of 15.

This module will cover how endpoint protection can be managed from the UTM,
including installing the client and configuring policies.

Once you complete this module you will be able to:
Install and launch the endpoint client
Manage protected endpoints
Create and manage policies
Create and manage groups

Gone are the days when only computers physically connected to the company
network needed to access resources. Added to this, the variety of new devices that
need access and the additional complications that arise from Bring-Your-Own-Device
(BYOD) mean it is no longer possible to simply ring-fence the company network.

Users expect to be able to access resources from anywhere at anytime using any
device.

The challenge is how to protect and manage the devices that need to access the
corporate network.

This is where Sophos Endpoint Security and Control comes in.

Sophos Endpoint Protection on the UTM provides central management of malware
protection, device control, web control and tamper protection for Windows
computers.

The UTM uses the Sophos cloud-based LiveConnect service to send policy updates and
receive alerts from protected endpoints wherever they are, both on and off the
company network. Sophos Endpoint Protection makes no distinction between
stationary devices such as servers and desktops and mobile devices like laptops.

When Endpoint Protection is enabled on the UTM it registers with the Sophos
LiveConnect service and is assigned a unique ID and a token which endpoints can use
when communicating with the UTM via LiveConnect.

Both the UTM and client communicate with LiveConnect over HTTPS. Endpoints also
download their updates directly from Sophos over HTTP.

The installer for the Sophos Endpoint Protection client is downloaded from the
central broker in Sophos LiveConnect. The link for downloading the installer
includes both the unique ID of the UTM and the token the client needs to use for
communicating via LiveConnect.

The download of the installer is less than 15MB.

The file downloaded from LiveConnect using the unique link is called
SophosMCS_<TOKEN>.exe. You must not rename this file as the installer retrieves the
token from the filename.

During the installation you have the option to remove third party products; this is
recommended as having more than one antivirus product installed on a computer can
have unpredictable results and cause instability.

Once the installation is complete the Sophos Endpoint client will register with
LiveConnect using the token; it will then appear in the UTM.

Once the endpoint client is installed it can be launched from the system tray icon or
through the Start menu.

If Tamper Protection is enabled users have restricted access and cannot modify the
configuration, even if they are local administrators. To gain full access to the client
software you need to authenticate with the Tamper Protection password, which is
configured globally on the UTM in the Advanced tab of Computer Management.

Let's take a look at the Endpoint Protection Status screen on the UTM.

The Online status shows whether the endpoint is currently connected to the
LiveConnect server. If an endpoint is powered on and has an Internet connection it
should be able to contact LiveConnect and be online.

The computer Status indicates whether there are any problems with an endpoint; this
can include the software being out of date or threats having been detected.

The Group column provides a link to the group which the computer is a member of.
By clicking this link you can view the configuration assigned to that group of
computers.

The computer name is a link to that computer's configuration. Here you can change
the computer's group and enable or disable Tamper Protection on an individual
device.

The filter allows you to sort the devices by their online status or alert status.

The Endpoint Protection Live Log shows the communication between the UTM and
LiveConnect.

Endpoint groups define which Antivirus and Device Control policies are applied to
their members, allow you to enable and disable Tamper Protection and Web Control,
and configure proxy settings for AutoUpdate.

Note that the password for Tamper Protection can be viewed and set on the
Computer Management > Advanced tab.

The Antivirus policy configures on-access and scheduled scanning settings.

On-access settings allow you to enable scanning for PUAs (Potentially Unwanted
Applications), HIPS (Host Intrusion Prevention System), malicious websites and
infected downloads, and make use of Sophos cloud-based live protection.

In the scheduled scan settings you can configure when the scan will take place and
enable options to scan for rootkits and make the scan run with a low priority so that
it does not interfere with users' work.

The device control policy covers three groups of devices: storage, network and short
range devices.
Access to storage devices can be allowed, blocked or set to read-only
Network devices can be allowed, blocked or block bridged. By using the option to
block bridged network connections the network devices will be blocked when
another network connection is detected, preventing users' computers from
bridging between the networks
Short range devices can either be allowed or blocked

Enabling Web Control in Endpoint Protection allows you to enforce the same web
filtering policy on endpoints which are not connected to the network as those that
are being filtered by the UTM providing consistent protection against web threats.

So how does this work? Let's see this in action step by step.

First the administrator sets their policy in the Sophos UTM - in this instance blocking
games websites.

This policy is then available on the UTM and is replicated in the Sophos LiveConnect
cloud service.

If required it is possible to set an alternative Web Policy just for Endpoint
Protection's Web Control feature, but we expect most customers will simply choose
to apply the same policy in both places.

A request is made by the end user to visit a website; in this example the gaming site
Zynga.com, but it could be any inappropriate website.

If the Endpoint is accessing the Internet through the UTM, this request is processed
by the web filter on the UTM.

If the user is browsing from outside the corporate network the Endpoint Client then
instantly checks this request against the UTM Web Policy in the cloud and the filter is
enforced by the endpoint client.

Whichever route is taken the URL is checked against the SophosLabs database of
URLs and the result is the same: the policy is enforced.

On completion of this module, you can now:
Install and launch the endpoint client
Manage protected endpoints
Create and manage policies
Create and manage groups

Please take a few minutes to answer the following knowledge check questions.

Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

Now that you have completed this module, you should complete Labs 5 to 8, then
Module 309: Wireless Protection.

Thank you for your time, please close this window to return to the Partner Portal.

Sophos Certified Engineer
ET309 UTM: Wireless Protection

December 2014
Training version: 9.3.0
Product version: UTM 9.3


----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 309:
Wireless Protection.

This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 9 out of 15.

This module covers the deployment of Sophos access points, and the configuration
and management of wireless networks.

Once you complete this module you will be able to:
Describe the main capabilities of Wireless Protection
Configure wireless access points
Create hotspots
Describe the advantages of Sophos wireless security

Wireless network solutions for use in businesses need to be able to provide a fast,
reliable and uninterrupted signal for the entire office. In an office environment it is
important that wireless networks provide strong security options and are able to be
easily deployed and centrally managed.

So what are the options?

Consumer access points for home users are affordable but offer only a limited
amount of features. These usually lack in areas of functionality such as
authentication, multiple wireless networks and guest zones, and security features
such as content filtering. They are also hard to individually manage, especially when
there is more than one in use.

Low-end UTM appliances with integrated WLAN often require a substantial initial
investment and offer integrated UTM security; however, they have only a limited area
of coverage since these appliances are usually located in the server room and so are
unable to provide coverage for the whole office.

Enterprise wireless solutions offer comprehensive wireless LAN functionality but are
expensive and are often complex and hard to manage. As they are dedicated point
solutions they do not provide the layered security that can be found in the Sophos
UTM.

Sophos Wireless Protection doesn't suffer from the limitations of other solutions.

Wireless networks are created on the UTM by an administrator, then when a Sophos
access point is connected anywhere on the network it reports in to the UTM and is
shown as pending.

The administrator accepts the access point and selects which wireless networks it will
broadcast. This configuration is retrieved from the UTM automatically by the access
point using a secure connection.

For this plug and play deployment to work, the network that the Sophos access point
is connected to must provide DHCP, and the UTM which will manage the access
points must be on the default route to the Internet. This is how the access point is
able to route discovery packets to the UTM.

Sophos access points can broadcast up to 8 wireless network SSIDs.

Wireless networks managed by the Sophos UTM can provide either limited or full
access to both the Internet and resources on the internal company network, with all
of the same security as computers that are connecting from a physical network
connection.

As well as being able to deploy wireless access points in the main office you can also
deploy and manage wireless access points in branch offices through a RED
connection.

Guests can connect to a separate wireless network which can be broadcast by the
same access points as the internal company wireless networks. Guest networks can
provide Internet access using either the same or different web filtering policies as
internal clients.

The UTM can protect the internal networks from being accessed by computers
connecting to guest wireless networks.

To activate Wireless Protection on the UTM you need to define which networks the
Sophos access points will be connecting to the UTM on.

When you first activate Wireless Protection there is a one-time automatic
configuration wizard which can set up common options to create a guest wireless
network with a DHCP server, firewall and masquerading rules.

The automatic configuration wizard can be skipped but it will not be presented again
even if you disable and re-enable Wireless Protection.

To create a wireless network on the UTM you need to provide:
An SSID which is the name of the network which is broadcast
The type of encryption to use. The UTM supports WPA/WPA2, WEP and no
encryption. You should not rely on WEP as it is insecure. WPA and WPA2 are
supported using preshared keys (personal) or RADIUS authentication (enterprise).
The RADIUS server is configured in Global Settings > Advanced
Client traffic can be handled in three ways:
Routed to the UTM using a separate zone to isolate it from the internal network
Routed to the same network the access point is connected to (bridge to AP LAN)
Routed to a specific VLAN

You can apply additional restrictions to the wireless network by:
Configuring the wireless network to only be available during certain time periods
Isolating wireless clients so they cannot communicate with each other
Restricting access to an allowed list of MAC addresses
Blocking access to a specific list of MAC addresses

If you configure a wireless network which routes client traffic to the UTM using a
separate zone then you need to create a new interface on the UTM to manage that
traffic.

To do this you need to create a normal Ethernet interface using the logical wireless
network interface that was created for your wireless network. This will be called
wlan<NUMBER>.

You should then create a DHCP server for this interface. Once this is done the
interface can then be used to allow and configure services on the UTM like another
interface.

Remember to:
Add the interface to the allowed networks for DNS
Create firewall and NAT rules
Add the interface to the allowed networks for web filtering

Each new access point that is connected to the internal network will appear in the
UTM in the Pending Access Points list.

The administrator needs to accept the access point to start managing it.

When an access point is accepted the administrator can configure which group the
access point will belong to. This can be an existing group or a new group, and it is the
group that determines which wireless networks the access point will broadcast.

Groups can be configured in the Access Points > Grouping tab.

The UTM can manage any mix of Sophos access points:
The AP15 is a desktop access point designed for small offices and home offices
(SOHO), and it will replace the current AP10
The AP30 and AP50 are suitable for larger offices, with the AP50 having some
benefits over the AP30 such as a Gbit interface and dual radios so it can support
both 2.4 GHz and 5 GHz bands
The AP100 tops our range of access points, and can provide up to 1.3 Gbps using
802.11ac on the 5 GHz frequency and up to 450 Mbps on the 2.4 GHz frequency

13
Sophos have a range of four appliances that include built-in wireless, which provide
all of the same functionality as using a Sophos access point without the need for
extra hardware. Unlike other UTMs with built-in wireless however, coverage can be
extended by connecting other Sophos access points.

All of the appliances with built-in wireless:
Have three external antennas which support 3x3 MIMO (Multiple Input, Multiple Output)
Support both 2.4 GHz and 5 GHz frequencies, however as they only have one radio
they can only use one of these frequencies at a time
Support 802.11a/b/g/n up to 450 Mbps

The SG125W and SG135W will also support 802.11ac on the 5 GHz frequency up to
1.3 Gbps. This will be able to fall back to using 802.11n for clients which do not
support the ac standard.

If the built-in wireless is unable to cover the whole office it can be extended by
connecting additional Sophos access points and using them just as you would for
appliances which do not have built-in wireless.

There are no significant differences between using the built-in wireless and a Sophos
access point. The main things are:
Because the built-in wireless is part of the hardware and not connected through
the network, you do not need to add any networks to the Allowed interfaces
The built-in wireless will appear as a Local Wifi device in the access points list. It
cannot be deleted from this list and it will always be active

14
All access points support automatic channel selection, which will scan all channels
and select the best channel at start-up; this is the channel that is furthest from other
wireless devices. As the best channel to use may change over time, access points will
scan all of the channels in the background hourly, and change which channel they are
using as required to remain on the best channel. All access points will do this for the
2.4 GHz frequency; the AP50 will also do this on the 5 GHz frequency.

While the background scan is taking place there may be a small drop in performance.
To avoid this happening during peak usage times, you can select a time definition to
schedule when the scans will take place.
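The selection rule described above (pick the channel furthest from other wireless devices, then re-check hourly) can be modelled as follows. This is an added illustration, not Sophos's own algorithm; the 2.4 GHz channel model, the overlap threshold, the tie-break scoring, the hysteresis margin and the scan data are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# 2.4 GHz channels 1-13 are 5 MHz apart; a 20 MHz channel overlaps any neighbour
# fewer than 5 channel numbers away. Both values are this example's assumptions.
CHANNELS_2G = list(range(1, 14))
OVERLAP = 4


@dataclass(frozen=True)
class Neighbour:
    """One access point seen during a scan (constructed sample data, not real BSSIDs)."""
    bssid: str
    channel: int
    rssi: int  # dBm; closer to 0 is stronger


def channel_score(channel: int, neighbours: Iterable[Neighbour]) -> Tuple[int, int]:
    """Higher tuple is better.

    First element: distance (in channel numbers) to the nearest neighbour.
    Second element: how weak the strongest *overlapping* neighbour is (negated dBm),
    used only to break ties between equally distant channels.
    """
    neighbours = list(neighbours)
    if not neighbours:
        return (len(CHANNELS_2G), 100)
    nearest = min(abs(channel - n.channel) for n in neighbours)
    overlapping = [n.rssi for n in neighbours if abs(channel - n.channel) <= OVERLAP]
    strongest = max(overlapping) if overlapping else -100
    return (nearest, -strongest)


def best_channel(neighbours: Iterable[Neighbour],
                 candidates: List[int] = CHANNELS_2G) -> int:
    """Start-up selection: the channel furthest from other devices (lowest number on ties)."""
    neighbours = list(neighbours)
    return max(candidates, key=lambda c: (channel_score(c, neighbours), -c))


def background_rescan(current: int, neighbours: Iterable[Neighbour], margin: int = 1) -> int:
    """Hourly re-evaluation.

    Only move when the best candidate is at least `margin` channels further from
    its nearest neighbour than the current channel is; this hysteresis avoids
    flapping between channels (and the performance dip each move causes).
    """
    neighbours = list(neighbours)
    best = best_channel(neighbours)
    gain = channel_score(best, neighbours)[0] - channel_score(current, neighbours)[0]
    return best if gain >= margin else current


# Constructed scan result: three neighbouring APs on the classic 1/6/11 layout.
SCAN = [
    Neighbour("00:11:22:33:44:01", 1, -40),
    Neighbour("00:11:22:33:44:06", 6, -55),
    Neighbour("00:11:22:33:44:0b", 11, -70),
]

if __name__ == "__main__":
    print("start-up choice:", best_channel(SCAN))          # 13: two away from the weakest AP
    print("after rescan from 6:", background_rescan(6, SCAN))  # 13: channel 6 is occupied
```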

15
The hotspot function in the UTM permits the definition of a captive portal. Users in a
defined network can only use the UTM functions after completing the release (login)
procedure. The captive portal is usually used in WLAN environments, however it can also be
used with wired networks as it is applied to an interface on the UTM. Hotspots let
cafés, hotels, companies and the like provide controlled access for guests.

Use of the hotspot can be regulated in a variety of ways:
Acceptance of a usage policy, or terms of service
Entering a password which is changed daily. The Password of the Day
authentication type can now be configured to update the pre-shared key (PSK) of
wireless networks to the newly generated password. This change is only
synchronized to separate zone networks that are in the hotspot interface list
Note: users will need to use the password of the day to connect to the wireless
network; they will then need to enter it again to authenticate with the hotspot
Entering a voucher code. Vouchers are generated in the User Portal by the
administrators that are defined for the hotspot
Backend authentication allows you to select users and groups which can use the
hotspot, and these are authenticated using the authentication servers already
configured in the UTM
Using a MICROS Fidelio server for authentication. Hotspot authentication can be
handled using Micros Fidelio hotel management software via the FIAS protocol,
and allows users to log in to the hotspot using their name and room number as
credentials

Both vouchers and the hotspot page can be customized by downloading and editing a
template and including it in the hotspot definition. This means that if you have
multiple hotspots they can have different login pages and voucher templates.

16
Hotspots can be configured to redirect to HTTPS; this is particularly important if you
are using backend authentication with network credentials. The hostname for the
hotspot can either be None (IP address) or Custom hostname. If Custom
hostname is selected you need to provide a DNS name for the hotspot.

On the Hotspots > Advanced tab you can select which certificate will be used for
HTTPS hotspots. This is a global setting which will apply to all hotspots.

Note: it is important to ensure that the hostname specified for the hotspot matches
the common name in the certificate to prevent users seeing certificate errors in their
browser.

17
You can configure the AP50 as a network bridge and a repeater.

As a repeater you can use the AP50 to extend the coverage of your wireless network
to areas where an Ethernet port is not available, only a power outlet.

As a bridge, you can connect wired devices to an AP50 and use the wireless link as a
backhaul to another AP50.

It is also possible to combine both of these features by creating repeater bridges, which
both provide a backhaul for a wired network and repeat wireless networks.

18
There are three main advantages to using the Sophos UTM for wireless security:
1. It is easy to install and manage with centralized configuration
2. It is secure and reliable, allowing you to use all of the security features of the
UTM for your wireless connections
3. It provides flexible access, with a continuous signal throughout the entire office,
and supporting multiple SSIDs for separate corporate and guest networks

19
On completion of this module, you can now:
Describe the main capabilities of Wireless Protection
Configure wireless access points
Create hotspots
Describe the advantages of Sophos wireless security

20
Please take a few minutes to answer the following knowledge check questions.

21
22
23
24
Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

25
Now that you have completed this module, you should complete Module 310: RED
Management.

26
Thank you for your time, please close this window to return to the Partner Portal.

27
Sophos Certified Engineer
ET310 UTM: RED Management

December 2014
Training version: 9.3.0
Product version: UTM 9.3


----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 310:
RED Management.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 10 out of 15.

2
This module will look at the capabilities of RED for branch office security, and how to
deploy it.

3
Once you complete this module you will be able to:
Explain how Sophos RED is deployed and its different modes of operation
Describe the main advantages of Sophos RED

4
Businesses such as travel agents and retail stores that have many small branch
offices need an easy, affordable and secure way to connect back to the main office to:
Give branch offices access to central resources
Manage computers from the main office
Secure branch office Internet access

What are the options?

5
Routers for private users are cheap. However, to install these individually and manage
them requires a lot of time, and very often important security features which
business customers require are not present.

Low-end UTM appliances usually have the obligatory security features. However, if
you sum up the effort and the hidden costs for roll out, maintenance, subscriptions
and management software, these products are anything but simple and affordable.

MPLS and Managed VPN Services provide all of the functionality but require large
budgets. Furthermore, they are not available everywhere.

6
Sophos Remote Ethernet Devices (RED) are designed to address these challenges by
providing a solution that is centrally configured and managed, and requires no
configuration or expertise to install: just plug it in.

All the RED requires is a router running DHCP which will provide the RED with an IP
address, DNS server and default gateway to the Internet.

Once connected, the RED behaves like a long virtual Ethernet cable and sends all
traffic securely to the central UTM where all of the UTM security features can be
applied before it reaches the Internet. As far as the UTM is concerned the RED simply
appears to be another network interface like any other.

7
Let's look in detail at how a RED is deployed.

The administrator configures the RED on the UTM, setting the publicly resolvable
hostname of the UTM, the IP address and netmask of the RED interface on the
remote network, and the RED ID, which is a 15-character string printed on a sticker
on the back of the RED.

The UTM sends the configuration to the cloud-based provisioning server.

The RED is plugged in at the remote office and gets an IP address, DNS server and
gateway from the local DHCP server.

The RED connects to the provisioning server with its ID and the provisioning server
sends back the configuration the RED needs to connect to the UTM at the central
office. The provisioning server is not used from this point.

The RED establishes a layer 2 tunnel to the Sophos UTM using TCP and UDP port
3400.

Note: The RED50 uses TCP port 3400 and UDP port 3410.

8
The Sophos RED can be deployed in three different modes.

In Standard/Unified mode the remote network is managed by the UTM which serves
as the DHCP server and default gateway for all clients connecting through the RED. All
traffic generated on the remote network is sent through the RED to the UTM.

In Standard/Split mode the UTM still manages the remote network acting as the
DHCP server and default gateway; but in this configuration only traffic to defined
networks is sent through the RED to the UTM, all other traffic is sent directly to the
Internet.

In Transparent/Split mode the UTM does not manage the remote network but is a
member of it. The UTM gets its IP address from a DHCP server running on the remote
network. Only traffic to defined networks is sent through the RED to the UTM. All
other traffic is sent directly to the Internet.

In the case of Standard/Split and Transparent/Split deployment modes, the UTM does
not provide any web filtering or other security to clients on the remote network.

Note that you still need to create firewall and masquerading rules for the computers
connected to the remote network to be able to interact with computers on the
central office network.

9
Sophos offers two versions of RED, the RED10 and RED50.

There are two main differences between these two models. The first is throughput: the
RED10 has a maximum VPN throughput of 30 Mbit/s, whereas the RED50, which uses
hardware-accelerated encryption, has a maximum VPN throughput of 360 Mbit/s.

The other main difference is connectivity. The RED10 has a single WAN port,
with all WAN and LAN ports being 100 Mbit; whereas the RED50 has two WAN ports,
with all WAN and LAN ports being Gbit.

The dual WAN ports on the RED50 can be used for either uplink balancing or failover.

The RED10 can also provide a failover uplink using a 3G/UMTS dongle connected to
the USB port; the RED50 also supports this functionality. Note that the 3G/UMTS
dongle must be connected when the RED is booted for it to be detected.

Neither the RED10 nor the RED50 restricts the number of users that can connect through
it, so which model is selected depends on your requirements.

The RED50 also has an LCD display which can be used to check status messages.

10
There are three main advantages for using Sophos RED for branch office security:
It is easy to implement and manage
It is cost efficient
It can provide complete UTM security for branch offices

11
On completion of this module, you can now:
Explain how Sophos RED is deployed and its different modes of operation
Describe the main advantages of Sophos RED

12
Please take a few minutes to answer the following knowledge check questions.

13
14
15
16
Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

17
Now that you have completed this module, you should complete Module 311: Site-
to-site and Remote Access VPNs.

18
Thank you for your time, please close this window to return to the Partner Portal.

19
Sophos Certified Engineer
ET311 UTM: Site-to-site and Remote Access VPNs

December 2014
Training version: 9.3.0
Product version: UTM 9.3


----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 311:
Site-to-site and Remote Access VPNs.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 11 out of 15.

2
This module covers the most commonly used types of VPN on the UTM, for both site-
to-site connections and remote access.

3
Once you complete this module you will be able to:
Configure SSL and IPsec site-to-site VPNs
Configure SSL remote access
Enable the HTML5 VPN portal
Describe the capabilities of the IPsec VPN client
Describe support for native Cisco VPN clients

4
The Sophos RED provides a plug-and-play way to connect branch offices to a central
UTM; however some scenarios may benefit from using a site-to-site VPN.

In its Standard/Unified mode the RED will send all traffic back to the central UTM.
This provides strong security for the branch office but may result in unwanted traffic
being sent back to the central office.

In the other two modes, Standard/Split and Transparent/Split only traffic destined for
the configured networks is sent back to the UTM; however this leaves the Internet
traffic from the remote office unprotected. In this scenario the remote office may
benefit from having a UTM to protect its network and a site-to-site VPN to provide
access to the central network.

The UTM supports three types of site-to-site VPN connection: IPsec, which is the most
commonly used; SSL; and Amazon VPC.

When creating an Amazon VPC site-to-site VPN a UTM is not needed on the remote
end of the tunnel as it is established directly to your Amazon VPC.

5
SSL site-to-site VPNs provide a robust and secure connection between two UTMs
over an insecure network. The implementation in the Sophos UTM is based on
OpenVPN and uses the most recent SSL version (TLS).

6
The SSL VPN uses a simple client/server configuration.
First the server connection needs to be configured on one of the UTMs. Here the
local and remote networks are defined then the configuration is downloaded to a
file
[Click]
On the other UTM a client connection needs to be created by uploading the
configuration file from the server UTM

[Click]
Once configured the connection is automatically established from the client to the
server.

The other configuration options on the server are global for all SSL VPNs. This
includes the listening interface, port and hostname.

7
These are the configuration steps to create a secure connection between two sites
using IPsec with preshared keys. These steps need to be completed on both UTMs.

1. The first step is to configure an IPsec policy; this defines which encryption and
hashing functions will be used for the Internet Key Exchange (IKE) and IPsec
tunnel
2. The next step is to create a Remote Gateway definition
3. Once the gateway is configured you can create a connection
4. Once these first three steps have been completed on both UTMs, the IPsec tunnel
should be established. Firewall rules should be configured to control access to the
networks on either side of the VPN
5. The last step is to test the VPN connection

We will now look at each of these steps in more detail.

8
Step 1: Create an IPsec policy

The UTM comes with preconfigured policies that you can use or edit. Alternatively
you can create a new policy.

The IPsec policy describes the parameters for encryption, authentication and key
management.

Where possible a policy which uses AES encryption should be used.

9
Step 2: Create a Remote Gateway object

This is where you define which server will be the other end of the IPsec tunnel, the
preshared key to use, and which remote networks will be reachable through the VPN.

Start by creating a network definition for the remote gateway.

And a network definition for remote networks that will be on the other end of the
VPN.

10
Step 2: Create a Remote Gateway object continued

Create the remote gateway for IPsec.

11
Step 3: Set up connection

The connection brings together the Remote Gateway and IPsec policy with the local
interface that the VPN will be established on and the local networks involved in the
VPN.

Note that the local interface can also be dynamic.

The Automatic Firewall Rules option automatically adds firewall rules that allow data
traffic through the VPN connection.

The Strict Routing option checks the source and destination IP address for VPN
routing.

12
Step 4: Configure firewall rules

If you configured automatic firewall rules in the IPsec connection this step is not
required.

For a stricter policy, automatic creation of firewall rules should be deactivated and
instead you can manually create your own firewall rules for dedicated connections.

13
Step 5: Test the connection
Once the IPsec tunnel has been successfully established, the VPN connection
indicator turns green and you can view the connection definitions.

The live log displays details about the connection, and as soon as the tunnel is
established an IPsec route appears in the Route Table (Support > Advanced).

14
Remote access to corporate network data from any location at any time is a necessity
for mobile or home workers in many businesses. However, setting up these clients on
individual PCs often becomes a huge administrative burden. Sophos VPN clients offer
secure and flexible remote access for any type of network environment and operating
system with minimal administrative effort.

Sophos offers two different clients; one for IPsec connections and one for SSL
connections.

Depending on your individual requirements and client operating systems in use, you
can easily deploy both clients to securely connect to any Sophos UTM.

15
Sophos SSL Client is an easy-to-use client for transparent SSL access to all company
applications. The client can be installed on Windows, Linux, Mac OS X and UNIX
operating systems; and is available free of charge with any Sophos UTM.

The client is based on the OpenVPN SSL client, is easy to install and configure, and
offers secure stable authentication and encryption.

The SSL VPN can work over the standard HTTPS port which means that there is rarely
a problem with firewalls.

Supported platforms:
Windows
Linux
Mac OS X
Solaris
OpenBSD, FreeBSD, NetBSD, etc.
Android
iOS

16
The Sophos UTM provides simple configuration for the SSL remote access VPN; you
only need to select which users and groups are able to connect to the VPN and which
internal networks they can access.

You can choose to either create firewall rules to allow access to the internal networks
from the VPN automatically, or if you want to restrict access to certain resources you
can configure the firewall rules manually. Note that connections via automatically
created firewall rules are not logged.

If you want users to be able to download and install the VPN client themselves, the
users you allow access to the VPN will also need access to the User Portal.

By creating different remote access profiles on the server for different users and
groups you can provide different levels of network access to different users.

If you want to avoid split tunnelling you can select Any in the Local networks, and
route all traffic back to the UTM.

If you want VPN users to be able to access the Internet over the VPN, then you can
either allow the VPN pool access to the web filter or set up the required firewall and
masquerading rules.

17
Within the SSL VPN settings you can override a number of default settings including:
The port and protocol of 443/TCP
Hostname to connect to
And the IP address pool. Note that network masks smaller than /29 are not
supported
Allow multiple concurrent connections per user

[Click]
The Advanced tab allows you to adjust the SSL settings used for the VPN connection.
You can also select a different server certificate to use to authenticate to VPN clients
and enable or disable data compression.

[Click]
In the Remote Access > Advanced menu you can configure the global remote access
settings, these will be assigned to VPN users connecting using any remote access
connection method. The settings can be used to provide configuration of DNS
servers, WINS servers and the connection domain name.

18
The SSL VPN client can be downloaded from the User Portal. There are three options
available:
A complete package consisting of an executable program, configuration and the
certificates required to authenticate (Windows)
An executable program for a previously installed SSL VPN client with new
configuration data (Windows)
A ZIP archive for configuring SSL VPN on Linux, Mac OS X, BSD and Solaris

Note: as the driver that is installed on Windows is not Microsoft certified you may
receive a warning message during the installation; this can safely be ignored.

19
The VPN client can be controlled using the system tray icon. To establish the VPN
connection, right-click on the system tray icon and select Connect; this will bring up
the username and password dialog.

When the system tray icon goes green the connection is successful.

You can also access information about the connection using the Show Status option
which includes information regarding the authentication, encryption and routing.

For more detailed information you can view the log.

20
The Sophos UTM provides a clientless HTML5 VPN portal, based on HTML5 and
WebSocket. If WebSocket is not available in your browser the VPN portal will try to
fall back to using Flash.

The portal provides access to predefined internal applications using common
protocols without the need to install additional software. To access the VPN portal,
users just need to log in to the User Portal.

Supported browsers (those with HTML5 and WebSocket support):
Internet Explorer 10
Firefox from Version 6
Chrome
Safari 5 onwards (on Mac only)

Supported connection types:
Remote Desktop Protocol (RDP) - supports RDP, TLS and NLA protocol security. TLS
is the default.
Virtual Network Computing (VNC)
Web applications with HTTP and HTTP/S
SSH
Telnet

21
To configure an application for the VPN portal you need to select the connection type
and destination. You can optionally save login data for the application although you
should use this with care.

Note that when configuring the allowed users they must have access to the User
Portal.

The HTML5 portal is not designed to be a full replacement for most VPN client
deployments as it may not be suitable for all business users. Instead the HTML5
portal can be used in addition to the other VPN methods offered to support a wider
variety of secure remote access. Suggested use cases include supporting temporary
connections for guest workers, contractors, and remote support personnel.

Note that only one user is permitted to use each application defined. To enable more
than one user the Share session option must be selected: there is still only a single
session but it can now be shared.

22
The Sophos IPsec Client supports multiple different authentication and encryption
options as well as split tunnelling and NAT traversal.

The client is available for both 32 and 64 bit versions of Windows.

23
The Sophos UTM supports remote access using Cisco VPN clients including the iOS
native client. The Cisco clients use IPsec with special parameters.

Configuration for Cisco VPN clients is straightforward:
You need to define the interface which will be used to establish the VPN
connection
Select a server certificate
Specify the network pool from which IP addresses are assigned to VPN clients
Specify the local networks that should be accessible via the VPN connection
Configure which users/groups are allowed to connect via Cisco VPN

Configuration information for iOS devices is saved in the User Portal for automatic
configuration. It contains all of the settings that are required for the VPN connection
and can easily be imported in to an iOS device.

Note: when an iOS device establishes a connection it checks whether the VPN ID in
the server certificate matches the Sophos UTM hostname. If it does not, then the
connection is blocked.

24
On completion of this module, you can now:
Configure SSL and IPsec site-to-site VPNs
Configure SSL remote access
Enable the HTML5 VPN portal
Describe the capabilities of the IPsec VPN client
Describe support for native Cisco VPN clients

25
Please take a few minutes to answer the following knowledge check questions.

26
27
28
29
30
31
Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

32
Now that you have completed this module, you should complete labs 9 and 10, then
Module 312: Webserver Protection.

33
Thank you for your time, please close this window to return to the Partner Portal.

34
Sophos Certified Engineer
ET312 UTM: Webserver Protection

December 2014
Training version: 9.3.0
Product version: UTM 9.3


----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 312:
Webserver Protection.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 12 out of 15.

2
This module will outline how the web application firewall works and its security
features.

3
Once you complete this module you will be able to:
Describe the main capabilities of Webserver Protection

4
Sophos Webserver Protection hardens your web servers using Reverse Proxy
technology to protect them from modern attacks and data loss. With it, you can
securely offer applications like Outlook Web Access (OWA) and guard against
techniques like SQL Injection and Cross Site Scripting (XSS), and prevent hackers from
using these types of attacks to gain access to sensitive information like credit card
data, personal information, and social security numbers. Sophos Webserver
Protection aids you in compliance efforts where a web application firewall is required,
such as PCI-DSS.

The Reverse Proxy will monitor and manage the connections to and from your web or
Outlook Web Access servers. Using this technology, Sophos can scan all of the
transactions occurring in real-time while giving you layered security options for how
the Internet interacts with your servers, both over normal HTTP and encrypted
HTTPS.

The integrated Web Application Firewall helps to protect your web server and
applications using antivirus, URL hardening, form hardening and cookie signing.

5
The Sophos UTM Webserver Protection works by running an Apache webserver on
the UTM between the Internet and the real webserver that you are protecting. This
provides much greater protection than configuring a DNAT rule to allow Internet
traffic to pass straight through the UTM to the real webserver.

For each real webserver or service you want to protect, you need to configure a
virtual webserver and select a firewall profile. The firewall profile determines what
URL filtering rules and client reputation checks the virtual webserver will perform, as
well as which modules will be loaded to perform additional security checks.

A single virtual webserver can be used to protect multiple real webservers, in which
case the UTM will do basic load balancing between the selected real webservers.

6
Sophos Webserver Protection uses its antivirus scanning engines to scan both uploads
and downloads. This means that your servers are protected from malicious
code being uploaded, and on the other side users are protected if your servers have
been compromised and infected.

7
The Web Application Firewall adds a scanning engine and attack pattern recognition
to the Webserver Protection suite of tools. The patterns are kept current using
Up2Date, and are downloaded and applied regularly to keep your protection current.
Unlike many products which may require extensive knowledge and understanding,
Sophos protection is kept simple, allowing the administrator to select which
protection methods they want to enable without having to deal with pages of
complex patterns and configuration screens.

The available protection methods cover:
SQL Injection
Cross Site Scripting
URL Hardening
Form Hardening
Client Reputation
Authentication & Session Management

8
The Web Application Firewall signs each outgoing cookie with a digital, tamper-proof
signature. Returning cookies are inspected by the Web Application Firewall, and if the
signature is invalid or missing the cookie will be discarded.

9
URL hardening checks every website request that a visitor makes, restricting them to
valid ones only.

The list of allowed URLs can either be manually configured by the administrator, or
alternatively, the administrator can generate and upload a Google site map to define
the allowed URLs.

If someone tries to access a page which is not allowed, for example
www.sophos.com/admin, the Web Application Firewall will reject the request.

In addition to this, URLs and objects which are sent to the browser from the server
will be signed to prevent tampering.
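As an added illustration of slides 8 and 9 (this is example code, not code from the UTM or from Sophos), the following Python sketch shows the mechanics behind cookie signing and URL hardening: an HMAC over each outgoing cookie and link that the reverse proxy checks on the way back in, plus an allow list of entry points built from a sitemap. The signing key, the example.com sitemap, and the way the signature is carried (appended to the cookie value, or as a `sig` query parameter) are all assumptions made for this example; the real product's wire format is not described on this page.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical signing key for one virtual webserver (assumed; a real reverse proxy
# would generate a random per-site key and never expose it to the browser).
SIGNING_KEY = b"example-key-not-for-production"

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"

# Constructed sitemap for an imaginary site, standing in for the uploaded Google sitemap.
SITEMAP_XML = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://www.example.com/</loc></url>
  <url><loc>https://www.example.com/products</loc></url>
  <url><loc>https://www.example.com/contact</loc></url>
</urlset>"""


def sign(data: str) -> str:
    """HMAC-SHA256 over data, hex encoded: the 'digital, tamper-proof signature'."""
    return hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()


def sign_cookie(name: str, value: str) -> str:
    """Outgoing cookie value with its signature appended (the cookie name is bound in too)."""
    return f"{value}|{sign(name + '=' + value)}"


def verify_cookie(name: str, signed_value: str):
    """Return the original value, or None when the signature is missing or invalid."""
    if "|" not in signed_value:
        return None                      # no signature at all: discard the cookie
    value, sig = signed_value.rsplit("|", 1)
    if not hmac.compare_digest(sig, sign(name + "=" + value)):
        return None                      # changed value or forged signature: discard
    return value


def allowed_paths_from_sitemap(xml_text: str) -> set:
    """Build the URL-hardening allow list from the <loc> entries of a sitemap."""
    root = ET.fromstring(xml_text)
    return {urlsplit(loc.text.strip()).path or "/" for loc in root.iter(SITEMAP_NS + "loc")}


def sign_url(path: str) -> str:
    """Link handed to the browser: the path plus a signature the proxy can check later."""
    return f"{path}?sig={sign(path)}"


def request_allowed(url: str, allowed: set) -> bool:
    """Accept an entry-point URL from the allow list, or any URL carrying a valid signature."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if path in allowed:
        return True
    m = re.search(r"(?:^|&)sig=([0-9a-f]{64})(?:&|$)", parts.query)
    return bool(m) and hmac.compare_digest(m.group(1), sign(path))
```

A request for a path that is not in the sitemap is accepted only when it carries a signature computed over that same path, so a visitor cannot reach an unlisted page by guessing its URL or by rewriting a signed link; a returning cookie whose value was changed, or whose signature is absent, is dropped, which is the discard behaviour slide 8 describes.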

10
Form Hardening inspects and validates the information submitted by visitors via
forms on your web sites. This stops malicious users from passing invalid data which
can damage or exploit your server as it is processed.

11
Reverse authentication allows you to either add authentication to a website which
currently does not have any, or pass-through authentication to a site which is using
basic authentication.

The UTM can present either a login form, which can be customized, or a basic
authentication prompt; both of which support the UTM's one-time password
functionality.

12
Webserver Protection can be used to protect any webserver, but is commonly used
for protecting Microsoft products which are Internet facing, including:
Exchange
Lync
Remote Desktop gateway
SharePoint

To make this possible the web application firewall includes the ability to pass RPC
over HTTPS traffic, which is required for services such as Outlook Anywhere and
Remote Desktop Gateway.

Knowledgebase article 120454 has guides on how to configure the web application
firewall for common Microsoft products.
http://www.sophos.com/en-us/support/knowledgebase/120454.aspx

13
On completion of this module, you can now:
Describe the main capabilities of Webserver Protection

14
Please take a few minutes to answer the following knowledge check questions.

15
16
17
18
Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

19
Now that you have completed this module, you should complete Module 313: Central
management and reporting.

20
Thank you for your time, please close this window to return to the Partner Portal.

21
Sophos Certified Engineer
ET313 UTM: Central management and reporting

December 2014
Training version: 9.3.0
Product version: UTM 9.3

----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 313:
Central management and reporting.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 13 out of 15.

2
This module covers central management of UTMs using the Sophos UTM Manager,
then moves on to look at the reporting and logging options available on the UTM.

3
Once you complete this module you will be able to:
Describe the capabilities and advantages of Sophos UTM Manager
Describe the reports available on the UTM

4
Whether you have two or more than two hundred UTMs deployed, the Sophos UTM
Manager (SUM) can save you time and make your life much easier.

A browser-based user interface provides a centralized point where administrators can
get a global view of their infrastructure and be kept aware of events in real-time,
simplifying the process of working with multiple sites.

SUM provides real-time monitoring of threats, updates and resource utilization
The aggregated reporting creates a consolidated company-wide report on all of
your gateways
The inventory management provides a quick overview of your devices' hardware
configuration including CPU, memory, hard disk, network interfaces and more
SUM can act as a central updating cache for all of your gateways
With SUM you are able to centrally configure IPsec, firewall rules and web filtering
policies
Like the UTM WebAdmin, SUM provides role-based administration with full
session auditing

5
The Sophos UTM Manager (SUM) can be deployed as either software or a virtual
machine. As software it can be installed on to a dedicated Intel-compatible PC. SUM
can also be installed as a virtual machine that can be run within a VMware
environment such as VMware Player or VMware ESX.

Deployment as software or as a virtual appliance is done from an ISO which is
available to download free of charge.

6
A summary of the benefits of the Sophos UTM Manager is that it can:
1. Save and distribute administration tasks
2. Simplify configuration for company-wide security policies
3. Provide an overview for important resources used
4. Monitor critical system parameters in real-time
5. Simplify maintenance for worldwide distributed devices

7
The Sophos UTM can be configured to work with common remote monitoring and
management (RMM) tools through SNMP (traps and queries), Syslog and email.

Email is less commonly used with RMM tools and is more useful as a way of alerting
administrators to potential issues. All alerts that can be sent via email can also be
sent via SNMP.

8
Simple Network Management Protocol (SNMP) can be used with either traps or
queries. SNMP traps are notifications which are proactively sent from the UTM to a
monitoring application. Queries allow some system values, such as CPU usage or
network throughput, to be polled periodically by an agent.

Every system value that can be queried or alerted on has a unique Object ID which is
stored in the Management Information Base (MIB). The MIB stores the entire hierarchy of
Object IDs and provides translations so these can easily be identified.

The MIB can be downloaded directly from the UTM in Management > SNMP.

The UTM allows you to designate machines that SNMP traps will be sent to. This will
need to be a machine with a remote monitoring and management agent installed and
you can specify multiple hosts to receive the traps. You can also configure the SNMP
version and the community name. By default, SNMP traps will be sent to port 162.

Note that SNMP queries are read-only and that SNMP utilities are not permitted to
write configuration back to the UTM. The UTM supports both SNMPv2c and SNMPv3
protocols. If authenticated access is necessary the SNMPv3 protocol should be
selected.

For more information see KBA 119092:
http://www.sophos.com/en-us/support/knowledgebase/119092.aspx

9
The UTM can be configured to write events using the Syslog protocol to one or more
remote Syslog servers, and each server can be configured with the Syslog port it is
using (the default Syslog port is 514).

Syslog messages are the most verbose source of information offered by UTM, with
each message being logged with a priority to allow easy filtering. In most cases Syslog
messages with a priority of warning and above will also be duplicated via SNMP.

If Syslog messages cannot be delivered they will be buffered and re-sent when
possible. By default up to 10,000 logs may be buffered. This feature is most reliable
when using TCP as it will most accurately detect when sending fails. When using UDP,
failure will only be detected if the target IP is online and able to respond with an
ICMP service unavailable message.

Once Syslog target servers have been configured, the logs to send via Syslog must
also be selected on the same screen.

10
Log files are available for all subsystems of the Sophos UTM. You can configure the
maximum age of logs and the maximum amount of the hard disk they can use.

Logs can be automatically archived via FTP, CIFS, SSH or email.

11
Sophos iView is a logging and reporting solution which gives you a single view of all of
the activity on your network. iView can be used to enhance the reporting you already
get from your Sophos UTM devices, whether you have a single UTM or multiple UTMs
deployed throughout your network.

Individual reports from all of the configured UTMs are consolidated into one place,
where over 1000 different reports are available to help you see what's happening on
your network. In each report you can drill down level by level to home in on the
device or area that you're interested in. This gives you increased visibility and better
control over who and what uses your network, meaning that you can respond to any
potential threats as they occur.

Compliance reports to support the HIPAA, PCI DSS, GLBA, SOX and FISMA standards
are built in, making finding the reports to comply with these even easier, and they're
always ready when you need them.

On top of the pre-configured reports, you can create custom reports and views to suit
your own requirements, and bookmark reports that you need to get to quickly or
often.

The other advantage of using Sophos iView is that it provides a backup facility for
your logs, again keeping all of these in one place. This means that should you need to
access old logs for any reason, you'll be able to search and retrieve them, even if the
device that generated them doesn't exist on your network any longer.

Configuring your existing UTMs to log to iView is simple, as it is done using Syslog.

To find out more about iView, take the short online course ET350 Sophos iView.

12
The UTM provides reporting on all of the subsystems, including:
Hardware
Network Protection
Web Protection
Email Protection
Remote Access
and others ...
Graphs can be plotted with different time spans for all reporting elements (daily,
weekly, monthly or yearly), and the reports are linked directly to the respective
statistics overviews in the main menu.
Individual reporting areas can be deactivated if required, to save system resources.
However, if you want to create executive reports and other statistics, the
corresponding report areas must be activated.

In order to reduce hard disk capacity requirements, it is possible to configure how
long information should be stored in the UTM database for each individual reporting
area.

Note: you should try to keep time frames as short as possible since high amounts of
stored data result in a higher base load and decreased responsiveness on the
dynamic reporting pages. We recommend one month.

13
Anonymization for user data for web and email security can be activated under
Logging & Reporting > Report Settings > Anonymizing.

De-anonymizing data requires two passwords. In the case of web filtering this will
then reveal the username or associated IP address.

14
The Executive Report contains an easily understandable summary of the key reports
that can be sent to recipients in a configurable email on a daily, weekly or monthly
basis.

Alternatively, a current version for that particular day can be displayed in a browser
window.

15
The executive report can be sent via email either as an HTML email or a plain text
email with a PDF attached. The settings for the daily, weekly and monthly reports can
be configured independently, including the list of recipients and the format to send
the report in.

The reports can be archived in a PDF format, and the number of executive reports
stored on the UTM can be configured in the settings.

It is also possible to omit data from the report for the following areas:
Web protection (by domain)
Email protection (by domain or email address)
Network protection (by IP address)
This allows unnecessary information to be removed from the reports.

16
You can search the log files for any desired time period to create detailed reports.
Depending on which log file you are searching relevant filters and search fields are
made available to help create a targeted search.

In the screenshots above a search is being done on the web filtering logs for blocked
content requests from the IP address 172.16.1.1.

The output can either be displayed as the raw log entries or presented in a report
format as shown here.
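Added example (Python; not a UTM tool and not part of this course) tying together the Syslog priority filtering described on slide 9 and the log search on this slide. The lines in SAMPLE_LOG are constructed to resemble UTM remote Syslog output with its key="value" message body; the field names and values are illustrative and the exact format of a real UTM log may differ. The parser decodes the Syslog <PRI> into facility and severity, then filters on a minimum severity ("warning and above") and on any combination of fields, here the blocked requests from 172.16.1.1 that the slide's search targets.

```python
import re

# Constructed sample lines, loosely modelled on UTM remote syslog output (not captured
# from a real device). <PRI> = facility * 8 + severity, as in RFC 3164.
SAMPLE_LOG = """\
<134>Dec  1 10:00:01 utm-1 httpproxy[4321]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" srcip="172.16.1.1" url="http://www.example.com/blocked1"
<134>Dec  1 10:00:02 utm-1 httpproxy[4321]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" srcip="172.16.1.1" url="http://www.example.com/ok"
<134>Dec  1 10:00:03 utm-1 httpproxy[4321]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" srcip="172.16.1.2" url="http://www.example.com/blocked2"
<132>Dec  1 10:00:04 utm-1 httpproxy[4321]: id="0062" severity="warn" sys="SecureWeb" sub="http" name="web request blocked, virus detected" action="block" srcip="172.16.1.1" url="http://www.example.com/eicar.com"
<30>Dec  1 10:00:05 utm-1 sshd[2222]: Accepted publickey for loginuser from 172.16.1.1 port 51234 ssh2
"""

# Syslog severities, most severe first (list index == numeric severity value).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str):
    """Split one syslog line into its header fields plus the UTM key="value" pairs."""
    m = LINE_RE.match(line)
    if not m:
        return None                      # not a syslog line we understand
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "syslog_severity": SEVERITIES[pri % 8],   # distinct from the UTM severity="..." field
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "process": m.group("proc"),
        "message": m.group("msg"),
        "fields": dict(KV_RE.findall(m.group("msg"))),
    }


def search(log_text: str, min_severity: str = "debug", **criteria):
    """Records at or above min_severity whose key="value" fields equal every criterion."""
    threshold = SEVERITIES.index(min_severity)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or SEVERITIES.index(rec["syslog_severity"]) > threshold:
            continue                     # lower numeric value means more severe
        if all(rec["fields"].get(k) == v for k, v in criteria.items()):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    # The search from this slide: blocked web requests from 172.16.1.1.
    for rec in search(SAMPLE_LOG, srcip="172.16.1.1", action="block"):
        print(rec["timestamp"], rec["fields"]["name"], rec["fields"]["url"])
```

Because the Syslog severity sits in the header while the UTM's own severity="..." is a field of the message, the two are kept apart in the parsed record; filtering on the header value is what a remote Syslog receiver would do to keep only the warning-and-above messages the slide says are also duplicated to SNMP.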

17
On completion of this module, you can now:
Describe the capabilities and advantages of Sophos UTM Manager
Describe the reports available on the UTM

18
Please take a few minutes to answer the following knowledge check questions.

19
20
21
22
Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

23
Now that you have completed this module, you should complete Module 314:
Sophos Mobile Control.

24
Thank you for your time, please close this window to return to the Partner Portal.

25
Sophos Certified Engineer
ET314 UTM: Sophos Mobile Control

January 2015
Training version: 9.3.1
Product version: UTM 9.3

----

Hello, and welcome to this Sophos Certified Engineer course for UTM 9.3. This is
Module 314: Sophos Mobile Control.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on module 14 out of 15.

2
This module will introduce the integration between Sophos Mobile Control and the
UTM.

3
Once you complete this module you will be able to:
Describe the integration between Sophos Mobile Control and the UTM
List the types of configuration that can be pushed to Sophos Mobile Control
Explain how network access can be managed using device compliance data
from Sophos Mobile Control
Locate relevant troubleshooting information in the log files

4
As part of the Sophos Mobile Control (SMC) 4.0 release, new features were added to
the UTM to provide information sharing between UTM and SMC servers.

The UTM can push Wi-Fi and VPN configuration to the SMC server, which can in turn
be pushed to managed mobile devices.

The UTM can also retrieve compliance data for the mobile devices managed by the
SMC server, and use this to control access to its VPN and wireless networks.

5
To configure the connection between the UTM and SMC server, you need to specify
the URL for the server, and the login details for an administrator. Because SMC
supports multi-tenancy, the login details will include a customer name as well as the
username and password.

Note that each SMC customer (tenant) requires their own UTM.

When defining the SMC server to connect to, you must use the DNS hostname that is
identified in the server certificate of the SMC server.

If the SMC server certificate is self-signed or signed by an untrusted certificate
authority, the CA certificate also needs to be uploaded on the UTM as a verification
CA.

The certificate then needs to be selected in the general settings, so that the UTM is
able to verify SMC's server certificate when it tries to connect.

6
The UTM can push configuration for any of its wireless networks to the SMC server,
however it can only push L2TP over IPsec and Cisco VPN configurations.

The configuration profiles created on the SMC server are only for Android and iOS
devices.
iOS natively supports both the L2TP over IPsec and Cisco VPN configurations
Android natively supports L2TP over IPsec VPN configuration

The profiles created on the SMC server by the UTM can easily be identified using the
description column.

The profiles that the UTM creates cannot be edited using the built-in editor on the
SMC server. Changes made to the VPN and wireless configuration on the UTM will not
automatically be reflected on the SMC server; the administrator needs to manually
push the configuration from the WebAdmin.

7
Even though the UTM can only push VPN configuration for L2TP over IPsec and Cisco
VPNs, it is able to enforce connections to any of its other VPN protocols; this is done
based on the username of the person trying to logon to the VPN.

The UTM can also restrict access to wireless networks being broadcast by access
points it is managing, and this is done based on the MAC address of the device
connecting.

In this screenshot we can see that a non-compliant device would not be able to
connect to the company VPNs or the corporate wireless LAN, but would still be able
to connect to the guest wireless network. This ensures that the device still has
Internet access which may be needed to become compliant again (for example, by
connecting to the app store to install a mandatory app such as Sophos Mobile
Security).

In the network access configuration the administrator can also define the poll
frequency: this is how often the UTM requests compliance data from the SMC server.
As this will cause load on the SMC server this value should not be set too low. If the
UTM requests data too frequently the SMC server will respond with a "please try
later" message.

The amount of data actually transferred between the SMC server and the UTM is
fairly small. For 100 devices it would be around 250KB.

8
You can review which MAC addresses are being reported as compliant and non-
compliant, and which users are non-compliant. This can be useful in troubleshooting
VPN and wireless network access issues.

9
The Sophos Mobile Control log file can be opened by using the log menu at the top of
the WebAdmin. It can also be opened from the Logging & Reporting section of the
UTM, and using the Open live log button in the Sophos Mobile Control General
settings.

By default the log file does not provide much detail so you will need to enable debug
mode if you need to troubleshoot any issues.

10
This is an extract of the smc.log with debug logging enabled. As you can see the UTM
is querying the SMC server for device compliance and retrieves three lists:
Non-compliant users
Compliant MAC addresses
Non-compliant MAC addresses

11
On the SMC server the requests from the UTM to SMC are logged in the
webservice.log.

There is one line in the log for each request, and you can clearly see the action the
UTM is performing.

12
On completion of this module, you can now:
Describe the integration between Sophos Mobile Control and the UTM
List the types of configuration that can be pushed to Sophos Mobile Control
Explain how network access can be managed using device compliance data
from Sophos Mobile Control
Locate relevant troubleshooting information in the log files

13
Please take a few minutes to answer the following knowledge check questions.

14
15
16
17
Thank you for taking this Sophos Certified Engineer module for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

18
Now that you have completed this module, you should complete Module 315: Sizing
and support.

19
Thank you for your time, please close this window to return to the Partner Portal.

20
Sophos Certified Engineer
ET315 UTM: Sizing and support

December 2014
Training version: 9.3.0
Product version: UTM 9.3

----

Welcome to this Sophos Certified Engineer course for UTM 9.3. This is Module 315:
Sizing and support.

1
This course is made up of 15 theory modules, with 10 practical labs interspersed
throughout the course to allow for application of the content discussed in the
previous modules. You are now on the last module.

2
This module will walk through the process of sizing an appliance, then look at the
support tools available on the UTM, and further resources that can be found online.

3
Once you complete this module you will be able to:
Describe how to size UTM appliances
Locate tools and information on the UTM for checking the configuration
Find additional resources online

4
There are five steps to effectively sizing hardware appliances:

1. Understand the customer environment including user behaviour, application
usage and the network and server infrastructure
2. Starting with the number of users to be protected by the UTM, the subscriptions
licensed and the information gathered about the customer's environment, derive
an initial estimate
3. Check for any specific throughput requirements and compare these to the
hardware specifications and adjust the initial estimate accordingly
4. Offer an on-site evaluation of the hardware to confirm that it meets the
customer's needs

Some useful information to gather when sizing includes:
The number of site-to-site VPNs required
The number of REDs they are going to manage
The number of APs they are going to manage
The number of endpoints they are going to manage
The average and peak volume of email traffic
The average and peak volume of web traffic
The number of webservers they are going to protect and the average/peak volume
of traffic for those servers

5
The figures used in this section come from the UTM 9.2 SG Series Appliances sizing
guide; you should always use the latest sizing guide available in the partner portal.

First we will use the user behaviour to apply a weighting to the number of users to be
protected by the UTM. To do this, identify which category of user best describes the
typical user behaviour (average/advanced/power). Then multiply the number of users
by the category's weight to get the weighted number of users.

For example, if the customer has 80 users and the majority of them fall into the
advanced user category, you would multiply by 1.5 giving a weighted number of users
of 120.

If large groups of users fit into different categories you can take two approaches.
1. Adjust the weight based on the percentage of users that fall into a different
category
E.g., if you have 80 users, the majority are average users but 25% are power users,
you might use a weighting of 1.25 (2 x 25% + 1 x 75%).
2. Calculate the weighted number of users for each category type then add the
results together
E.g., if you have 30 average users, 20 advanced users and 15 power users your
weighted number of users would be 90:
30 + (20 x 1.5) + (15 x 2) = 90

6
We then want to apply a weight based on any requirements which may increase the
overall system load, thereby affecting the performance requirements.

To do this, identify the category that most closely fits your customer's environment,
then multiply the weighted number of users calculated in the previous step by the
category multiplier. This will give you the total weighted number of users.

Example:
If you have 80 advanced users you have 120 weighted users
If you identify the category as high system usage then the total weighted number
of users will be 180

7
Use the total weighted number of users to make a first estimate for the required
hardware appliance.

For example if you had 500 weighted users and you are using all UTM features, then
an SG 430 would be the right appliance. If you had 500 users for Web protection only,
the SG 330 would be the right appliance.

Rule of thumb: estimate that adding Wireless Protection, Webserver Protection or
Endpoint Protection will decrease the range by 5-10% each.

8
Next, check for specific throughput requirements.

The capacity of the customer's Internet connection (up- and downlink) should match
the average throughput rate that the selected unit is able to forward (depending on
the subscriptions in use). However, data might not only be filtered on its way to the
Internet but also between internal network segments. Hence, you also need to consider
internal traffic that traverses the firewall in this assessment.

If the customer knows their overall throughput requirements among all connected
internal and external interfaces (e.g., based on their past experience), then check
whether the selected unit is able to meet these numbers.

For instance, the customer might have several servers located within a DMZ and
wants to get all traffic to those servers from all segments to be inspected by the IPS.
Or the customer may have many different network segments that should be
protected against each other (by using the FW packet filter and/or the Application
Control feature). In this case the unit is required to scan the complete internal traffic
between all segments.

1) Numbers are for single AV engine scanning throughput. Dual AV engine scanning
will decrease the numbers by approximately 20% - 25%.
2) When activating additional features overall throughput will decrease roughly by
the following percentages:
Wireless Protection: 5% - 10%
Webserver Protection: 10%
Endpoint Protection: 5% - 10%
URL filter: 10% - 15%
IPS: 60% - 70%
1) Appliances can be clustered to support additional users; however remember that
not all functions are clustered.
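To carry the arithmetic of slides 5 to 9 through in one place, here is an added Python model of the weighted-user and throughput calculations (example code, not a Sophos sizing tool). The per-user weights, the x1.5 high-usage multiplier (120 weighted users becoming 180) and the per-feature reduction percentages are the ones quoted in these notes; the "normal" usage multiplier of 1.0, the worst-case reading of each range and the assumption that the reductions compound multiplicatively are my assumptions, and the datasheet throughput figure passed in must come from the current sizing guide.

```python
# Per-user weights from the notes: average 1, advanced 1.5, power 2.
USER_WEIGHTS = {"average": 1.0, "advanced": 1.5, "power": 2.0}

# System-usage multipliers. The notes only show the "high" category (120 -> 180
# weighted users, i.e. x1.5); "normal" = 1.0 is an assumption, check the sizing guide.
SYSTEM_USAGE_MULTIPLIERS = {"normal": 1.0, "high": 1.5}

# Worst case of each throughput-reduction range quoted in the notes.
FEATURE_THROUGHPUT_LOSS = {
    "wireless": 0.10,
    "webserver": 0.10,
    "endpoint": 0.10,
    "url_filter": 0.15,
    "ips": 0.70,
}
DUAL_AV_LOSS = 0.25   # dual AV engine scanning: 20% - 25%, worst case taken


def weighted_users(users_by_category: dict) -> float:
    """Approach 2: weight each category separately and add the results."""
    return sum(n * USER_WEIGHTS[cat] for cat, n in users_by_category.items())


def weighted_users_by_mix(total_users: int, mix: dict) -> float:
    """Approach 1: blend the weights by the share of users in each category (shares sum to 1)."""
    if abs(sum(mix.values()) - 1.0) > 1e-9:
        raise ValueError("category shares must add up to 1")
    return total_users * sum(share * USER_WEIGHTS[cat] for cat, share in mix.items())


def total_weighted_users(users_by_category: dict, system_usage: str) -> float:
    """Weighted users scaled by the system-usage category multiplier."""
    return weighted_users(users_by_category) * SYSTEM_USAGE_MULTIPLIERS[system_usage]


def expected_throughput(datasheet_mbps: float, features, dual_av: bool = False) -> float:
    """Derate a datasheet throughput for each enabled feature and for dual AV scanning.

    Assumption: the reductions compound multiplicatively; the notes do not state
    how several reductions combine, so treat the result as a conservative estimate.
    """
    rate = float(datasheet_mbps)
    for feature in features:
        rate *= 1.0 - FEATURE_THROUGHPUT_LOSS[feature]
    if dual_av:
        rate *= 1.0 - DUAL_AV_LOSS
    return rate


def meets_throughput(required_mbps: float, datasheet_mbps: float,
                     features, dual_av: bool = False) -> bool:
    """Step 3 of the sizing procedure: does the derated figure still cover the requirement?"""
    return expected_throughput(datasheet_mbps, features, dual_av) >= required_mbps


if __name__ == "__main__":
    # The worked example from the notes: 80 advanced users in a high-usage environment.
    print(total_weighted_users({"advanced": 80}, "high"))        # 180.0
    # A placeholder 1000 Mbit/s datasheet figure with IPS and URL filtering enabled.
    print(expected_throughput(1000, ["url_filter", "ips"], dual_av=True))
```

The point the code makes explicit is that IPS dominates the derating: with the notes' figures, enabling IPS alone leaves roughly a third of the datasheet throughput, and stacking URL filtering and dual AV scanning on top leaves under a fifth, which is why the throughput check in step 3 can override an estimate that looked fine on user count alone.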

9
The average number of access points shown in the table is based on broadcasting 8
SSIDs per access point. If you were only broadcasting 1 SSID you could potentially
manage more access points. The maximum number of access points that can be
managed is 222.

The maximum number of REDs supported is 799.

An additional consideration when sizing is what the customer is licensed for. When
purchasing three or more modules a Full Guard license for all modules will be sold.
This means that although a customer may only intend on using the three modules
they were originally purchasing they will have the ability to turn on more additional
features. It is important that the customer understands which features the UTM has
been sized for, and that if they expect to make use of additional modules in the future
a larger UTM should be bought now.

If you are in doubt about any throughput or sizing requirements we recommend
performing an on-site evaluation of the selected hardware.

10
Where either the software or virtual appliance is being used, the hardware
requirements are shown here. Note that these are minimum specifications for a
production system. Most workloads will require more advanced hardware.

CPU
Minimum dual core 1.5 GHz+ CPU
Recommended dual core 2 GHz or better
RAM
Minimum 2 GB RAM
The more the better
Hard disk
Minimum 40 GB hard disk
IDE, SCSI or S-ATA HDD
Network
Minimum 2 Ethernet network cards

The Sophos UTM will automatically recognize hardware including support for
SMP/multicore CPUs.

During the installation, the available hard disk space will be partitioned using
automatic allocation. There is no option for manual allocation.

11
When installing the software UTM on Intel-compatible servers, Sophos recommends
selecting a hardware appliance that fits the needs first based on the guidance
covered in the previous slides, and then use the hardware model to choose a suitable
hardware configuration from this table.

Note that using a Sophos UTM in a virtual environment has an estimated ~10%
performance decrease caused by the Hypervisor framework.

12
With software and virtual UTMs the license defines the maximum number of IP
devices which are allowed to connect to the UTM, and the maximum number of
concurrent connections. Note that hardware appliances have no limit on the number
of IP devices or concurrent connections.

13
Sizing a computer to run Sophos UTM Manager is done based on the number of
UTMs that you want to manage, as outlined in this table.

14
We will now move on to look at the support tools on the UTM.

The Support section on the UTM contains additional tools and information for
identifying and solving problems. The homepage of the support section contains links
to important sources of information provided by Sophos.

The support section also includes tools for checking connectivity:
Ping Check: for checking whether an IP address can be reached from the UTM
Traceroute: for identifying the path from the UTM to another system
DNS Lookup: for testing DNS configuration

In Support > Advanced you can review the current state of internal data. This
includes:
Process List
Local Network Connection
Routes Table
Interfaces Table
Config Dump
Resolve REF_ (Resolves internal references to objects located in logs)

15
With increasing numbers of global support sites with different IP ranges, it has
become increasingly complex for customers to allow Sophos support teams access to
their UTM via WebAdmin and SSH. To simplify this we have implemented a function
inside WebAdmin that allows simple and secure access by Sophos support on request
and under control of the customer.

When activated the UTM will establish a secure tunnel back to Sophos which will
provide support staff access to the WebAdmin. The tunnel is time limited and the
expiry date is clearly shown; the customer can also deactivate the tunnel at any time.

To provide access to the UTM you only need to provide the Access ID to Sophos
support.

16
On the Support section of the Sophos website you will find links to:
The UTM Downloads for the latest product ISO
The support knowledgebase
The Sophos UTM manuals (Documentation)
Customer Resource center, with the system requirements, product release notes,
feature requests, technical videos and whitepapers
UTM User Bulletin board
UTM feature requests
MyUTM

On the partner portal you will find restricted documents such as the sizing guide and
competitive battlecards.

17
Customers can create a MyUTM account on the myutm.sophos.com website.

As a partner you can create a partner account on MyUTM, which allows you to
manage your customers' licenses and create evaluation licenses.

From MyUTM license management you can see the status of your subscriptions and
you can take the following actions:
Download the license file for the Sophos UTM
Delete the license
Apply the license key from your invoice
Upgrade the number of nodes in your cluster
Upgrade the number of protected devices (IP addresses) in your network (for
software installations only)
Manage the subscriptions, for example from Basic Guard to Full Guard, or align
different expiration dates

Please note that the last three actions allow you to modify your subscription licenses
without an upgrade key by trading in your remaining license term.

For more information, read the MyUTM user guide: https://myutm.sophos.com/docs/sophos-myutm-user-guide-na.pdf

18
You can download a 30-day trial of the Sophos UTM from the Free Trials section of
the Sophos website.
http://www.sophos.com/en-us/products/free-trials.aspx

If you want to continue using the UTM beyond 30 days you just need to install a full
product license file.

19
The Sophos UTM Home Edition is a free, fully equipped software version of Sophos
UTM for up to 50 IP addresses and 10 endpoints, for non-commercial use.

The Sophos Essential Firewall Edition is a free software version of Sophos UTM that
provides the essential network firewall features only.

Both of these free editions can be downloaded from the Free Tools section of the
Sophos website.
http://www.sophos.com/en-us/products/free-tools.aspx

20
On completion of this module, you can now:
Describe how to size UTM appliances
Locate tools and information on the UTM for checking the configuration
Find additional resources online

21
Please take a few minutes to answer the following knowledge check questions.

22
23
24
25
On completion of this course, you can now:
Describe the main technical capabilities of the UTM and their benefits
Give a technical overview of the UTM to a technical audience
Demonstrate the use of the most commonly used features
Know how to size the solution appropriately
Deploy and manage the UTM in a simple non-production environment
Locate and use additional online resources

26
Thank you for taking this Sophos Certified Engineer course for UTM.

Feedback is always welcome as it helps us to improve our courses for you. Please
email globaltraining@sophos.com with your comments.

27
Now that you have completed this module, you should complete EA30a v9.3
Assessment Certified Engineer UTM.

Please remember that to become a Sophos Certified Engineer you need to complete
and pass 2 product courses.

28
Thank you for your time, please close this window to return to the Partner Portal.

29