Install and Configure Sophos UTM

Required to proceed:

Instructions:

  1. In the Primary Data Center you deployed for the Sophos UTM, click the arrow in the top right corner of the Sophos UTM server box, then click the “Remote Console” button.

    You have to use the Remote Console for the install. You will not be able to SSH into the server until an operating system has been installed.

  2. A new window will pop up with the Remote Console session, showing the Sophos Introduction box. Hit “Enter” on your keyboard to select <Start>.

    NOTE - You can only use the keyboard in the console session during the install.

  3. The Detected Hardware window will appear. Hit “Enter” on your keyboard to select <OK>.

  4. Use the up and down arrows on your keyboard to select the keyboard layout. Then hit “Tab” to highlight the <OK> button and hit “Enter” to select it.

  5. Use the up and down arrows on your keyboard to select your area. Then hit “Tab” twice to highlight the “<next>” button and hit “Enter” to select it.

  6. Use the up and down arrows on your keyboard to select your timezone. Then hit “Tab” twice to highlight the “<next>” button and hit “Enter” to select it.

  7. Check that the date and time are correct. If they are, hit the “Enter” key on your keyboard.

  8. Highlight “eth0” and hit the “Tab” key twice to highlight “<next>”, then hit the “Enter” key on your keyboard.

  9. For the network configuration options, look at the Data Center Designer and click the Networking tab of the Sophos UTM server. We are going to use the static IP you assigned to eth0 for the network configuration of the Sophos install.

    Back in the Remote Console window, change the “Address:” to your static IP address. Leave the “Netmask:” as “255.255.255.0” and set the “Gateway:” to your static IP with the last octet changed to “.1”.

    Hit “Tab” twice to highlight <Next> and hit “Enter” to select it.

  10. It will ask whether you want to install the 64-Bit Kernel of Sophos. Hit “Enter” to select <No>.

    DO NOT INSTALL THE 64-Bit Version. There are issues with KVM.

  11. Hit “Enter” to select <Yes> when asked whether you want to install all capabilities.

  12. Hit “Enter” to select <Yes> to erase all existing data on ‘/dev/vda’ (Disk).

  13. You will see the installation configure the disks and run the install. Once it completes, the Installation Finished message will appear. Write down the URL to access the Sophos UTM and hit “Enter” to select <Reboot>. The server will start the reboot process.

  14. Go back to the Data Center Designer and click on the Sophos UTM server, then the Storages tab in the Inspect Element box to the right. Go to the virtual CD-ROM drive, click the image menu and select “Remove Image”. Then set the Storage as the “Boot Device”. Finally, click the “Unapplied Changes” button.

  15. Hit the “Provision” button in the window that pops up and wait for the changes to provision and the server to restart one more time.

    When the “Saved Successfully” window appears, click the “OK” button.

  16. Open a new tab in Firefox and go to the UTM address you wrote down in Step 13. It will be https://<your_static_ip>:4444. A security exception message will appear. Click “I understand the risks” and then “Add Exception”.

    Then click the “Confirm Security Exception” button.

  17. Fill out the Hostname, Company Name, City, and Country fields. Create an admin password and enter the admin’s email address (this is where you will get status notifications). Check the “I accept the license agreement” box and click the “Perform Basic System Setup” button.

    Be patient once you click the “Perform Basic System Setup” button; it can take up to a minute to respond. You will notice a little green message at the bottom of the window.

  18. The page will refresh and you will have to click “I understand the risks”, then “Add Exception”, and then the “Confirm Security Exception” button again.

  19. Log in with the Username: admin (all lowercase) and the password you created in Step 17.

  20. Select “Continue” and then “Next”.

  21. Click the file icon next to the License File field.

    Click the Browse button.

    Select the Sophos License File you downloaded in Part One and select “Open”.

    Click the “Start Upload” button.

    Then click the “Next” button.

  22. Make sure the Internal (LAN) IP is your public static IP and the Netmask: is “/24 (255.255.255.0)”. We are going to change this connection to be the External (WAN) later. Leave “Enable DHCP server on internal interface” unchecked.

  23. Check “Setup Internet connect later”, then click “Next”.

  24. Check the services you would like to allow for devices on the internal LAN, then click “Next”.

  25. Check “Intrusion Prevention Engine” and “Command & Control/Botnet Detection Engine” and click “Next”.

  26. Check “Scan sites for viruses” and click “Next”.

  27. You can select “Scan email fetched over POP3” or “Configure internal mail server”. For this tutorial, we are going to leave both unchecked and click “Next”.

  28. The summary page will appear. Click the “Finish” button.

  29. The Sophos Dashboard will come up. Click the “Interfaces & Routing” menu, then the “Interfaces” option.

  30. Click the Edit button next to the “Internal” network adapter.

    Change the Name: from “Internal” to “External (WAN)” and click “Save”.

  31. Click the “New Interface...” button.

    Go to the Data Center Manager and look at which IP has been assigned to NIC2.

    Back in the Sophos UTM configuration tab, name the new interface “Internal (LAN)”.

    • Set the Type: to “Ethernet Static” and for Hardware: select “eth1 Virtio network device”
    • For IPv4 address: type in the IP that was assigned to NIC2 in the Data Center Manager
    • Make sure the Netmask: is “/24 (255.255.255.0)”
    • Leave “IPv4 Default Gateway” unchecked
    • Click “Save”

    Click the status switch next to “Internal (LAN)” to enable it.

  32. Click the “Management” menu, then the “System Settings” menu and the “Shell Access” tab.

    Turn on SSH shell access by clicking the switch in the top right corner so it turns green.

    Create a password for the root and loginuser SSH accounts and click the “Set specified passwords” button.

  33. Now we are going to create firewall rules to allow servers behind Sophos to talk to each other and to access the Internet so that they can run updates and other servers. Click the “Network Protection” menu, then “Firewall”, and then the “New rule...” button.

    NOTE - The firewall rules and settings we configure in the following steps are very basic. We HIGHLY recommend that you create custom firewall rules that best fit your network environment, following security best practices.

  34. Configure a rule to allow servers behind the Sophos UTM to talk to each other.

    • Leave Group as “No Group”
    • Set Position as “Top”

    Click the folder icon in the “Sources:” box and drag “Internal (LAN) (Network)” into the Sources: box.

    Click the folder icon in the “Services:” box and drag the “Any” icon into the “Services:” box.

    Click the folder icon in the “Destinations:” box and drag “Internal (LAN) (Network)” into the Destinations: box.

    • Action: is “Allow”
    • Click “Save”
    • Click the switch next to the new rule so it turns green to enable it

  35. Configure a general rule to allow servers behind the Sophos UTM to access the Internet.

    • Leave Group as “No Group”
    • Set Position as “Top”

    Click the folder icon in the “Sources:” box and drag “Internal (LAN) (Network)” into the Sources: box.

    Click the folder icon in the “Services:” box and drag the “Any” icon into the “Services:” box.

    Click the folder icon in the “Destinations:” box and drag “Any” into the Destinations: box.

    • Action: is “Allow”
    • Click “Save”
    • Click the switch next to the new rule so it turns green to enable it

  36. Now we are going to configure masquerading to allow the servers behind the Sophos UTM to access the Internet.

    Click “NAT” under the “Network Protection” menu and then click the “New masquerading rule...” button.

    Click the folder icon next to Network: and drag “Internal (LAN) (Network)” into the Network: box.

    • Set Position: as “Top”
    • Interface: “External (WAN)”
    • Use Address: <<Primary address>>
    • Click “Save”

    Click the switch next to the new masquerading rule to enable it.

  37. Your base Sophos UTM configuration is complete and you now have a Sophos firewall protecting the servers in your Data Center. In the next parts of this tutorial we will configure site-to-site VPNs and configure the Sophos UTM to direct traffic requests to the proper servers behind the Sophos UTM.
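
The two firewall rules from steps 34 and 35 can be checked offline before you replace them with custom rules, as the note in step 33 recommends. The Python sketch below is an added example, not part of the original tutorial or of Sophos UTM: it models the rules as a first-match list and reports rules that are overly broad or shadowed by an earlier rule. The 10.0.1.0/24 LAN range, the rule names, the default-drop behaviour and the tightened rule set are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "Any"
LAN = ipaddress.ip_network("10.0.1.0/24")  # constructed stand-in for "Internal (LAN) (Network)"

@dataclass
class Rule:
    name: str            # hypothetical label, not a Sophos identifier
    source: object       # ip_network or ANY
    service: object      # ANY or a frozenset of (protocol, port)
    destination: object  # ip_network or ANY
    action: str = "Allow"

def covers(outer, inner):
    """True if everything matched by `inner` is also matched by `outer`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    if isinstance(outer, frozenset):
        return inner <= outer
    return inner.subnet_of(outer)

def evaluate(rules, src, dst, proto, port):
    """First match wins; traffic matching no rule is dropped (assumed default)."""
    for r in rules:
        if (covers(r.source, ipaddress.ip_network(src))
                and covers(r.service, frozenset({(proto, port)}))
                and covers(r.destination, ipaddress.ip_network(dst))):
            return r.action
    return "Drop"

def shadowed(rules):
    """Rules that can never match because an earlier rule covers all three fields."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(e.source, later.source) and covers(e.service, later.service)
                   and covers(e.destination, later.destination) for e in rules[:i])]

def broad(rules):
    """Allow rules that permit any service to any destination."""
    return [r.name for r in rules
            if r.action == "Allow" and r.service == ANY and r.destination == ANY]

# Step 35's rule was added at position "Top" after step 34's, so it is evaluated first.
TUTORIAL = [Rule("step35-lan-to-any", LAN, ANY, ANY),
            Rule("step34-lan-to-lan", LAN, ANY, LAN)]

# Illustrative tightening: LAN-to-LAN first, then only DNS and web traffic outbound.
WEB_DNS = frozenset({("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)})
TIGHTENED = [Rule("lan-to-lan", LAN, ANY, LAN),
             Rule("lan-web-dns-out", LAN, WEB_DNS, ANY)]
```

With the tutorial's ordering, the step 35 rule already matches everything the step 34 rule would, so `shadowed(TUTORIAL)` reports the step 34 rule and `broad(TUTORIAL)` reports the step 35 rule.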