Sophos Certified Architect AL30: UTM Lab Workbook April 2014 Version 9.2.65
AL30: UTM
Page 1 of 57
Sophos Certified Architect
© 2014 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Contents

- Introduction (7): Prerequisites (7), Workbook conventions (7), Lab environment (7)
- Lab 1: System configuration (11): Objective (11), Requirements (11), Task 1 (11), Task 2 (13), Review (13)
- Lab 2: Uplink Balancing (15): Objective (15), Requirements (15), Task (15), Review (16)
- Lab 3: Multipath Rules (17): Objective (17), Requirements (17), Task (17), Review (18)
- Lab 4: Quality of Service (19): Objective (19), Requirements (19), Task 1 (19), Task 2 (19), Task 3 (20), Review (20)
- Lab 5: Authentication (21): Objective (21), Requirements (21), Task 1 (21), Task 2 (22), Review (22)
- Lab 6: Web protection (23): Objective (23), Requirements (23), Note (23), Task 1 (23), Task 2 (24), Task 3 (24), Task 4 (25), Review (27)
- Lab 7: Email protection (28): Objective (28), Requirements (28), Task 1 (28), Task 2 (29), Task 3 (29), Task 4 (31), Review (32)
- Lab 8: Endpoint protection (33): Objective (33), Requirements (33), Task 1 (33), Task 2 (34), Review (34)
- Lab 9: Wireless protection (35): Objective (35), Requirements (35), Task 1 (35), Task 2 (36), Task 3 (37), Review (38)
- Lab 10: Webserver protection (39): Objective (39), Requirements (39), Task 1 (39), Task 2 (41), Review (42)
- Lab 11: RED (43): Objective (43), Requirements (43), Task (43), Review (45)
- Lab 12: Site-to-site VPN (46): Objective (46), Requirements (46), Task 1 (46), Task 2 (47), Task 3 (48), Review (49)
- Lab 13: Remote access (50): Objective (50), Requirements (50), Task (50), Review (51)
- Lab 14: Central management (52): Objective (52), Requirements (52), Task 1 (52), Task 2 (54), Task 3 (54), Review (55)
- Lab 15: High availability (56): Objective (56), Requirements (56), Task (56), Review (57)
Introduction

These labs accompany the Sophos Certified Architect UTM course and form the practical part of the certification. You should complete each section of labs when directed to do so in the training. Throughout the labs there is information to be written down; you will require this information to pass the online assessment. We would recommend that you complete the course assessment while your lab environment is still active so that it is available for reference.

Prerequisites

To be able to complete these labs in the time suggested you should have the following prerequisites:
- Comprehensive knowledge of networking.
- Experience in installing and replacing network gateways and firewalls in production environments.
- Sophos Certified Engineer level knowledge of Sophos UTM.

The following optional prerequisite knowledge would be beneficial but is not required:
- Experience using Linux command line tools.
Workbook conventions

This workbook uses the following conventions throughout. At the start of each lab are the objectives of what you should learn and any requirements that must have been completed prior to starting the lab. Labs which cover larger topics are divided into several tasks. Each task has a short description followed by the steps that are required to complete the task. Short labs are presented as a single task.

Throughout the guide the following styles are used:
- Bold text: computer names, applications, …
- Courier New font: commands to be executed.
- Underlined: hyperlinks.

Lab environment

These labs are designed to be completed on the hosted CloudShare environment; if you are not using CloudShare, for example if this course is being taught on a local environment, some details such as hostnames and IP addresses may vary. Your instructor will provide you with details of how to access the lab environment, and any localised changes.
Environment overview

The environment used to complete these labs is comprised of multiple computers and networks. This lab environment is based on the labs from the Certified Engineer course. Configuration created during the labs for that course is maintained in this environment with the addition of two new virtual machines: a second UTM gateway for the Lab Network and a Sophos UTM Manager.

Lab Server
This is the computer you connect to for the majority of the labs. It represents a computer on an internal company network. In this lab environment it is also the Active Directory server, mail server, web server and DNS server. Throughout this workbook this will be referred to as LabServer.
Lab Network
This is the internal company network for your lab.
Secondary Link
This network provides a second Internet link.
Sophos UTM Manager
This is an unconfigured virtual Sophos UTM Manager on the Lab Network. Throughout this workbook this will be referred to as SUM.
Lab Gateway 1
This is the default gateway for the Lab Network. It has the configuration created during the Certified Engineer labs. Throughout this workbook this will be referred to as LabGateway1.
Lab Gateway 2
This is an unconfigured virtual UTM which is the gateway and firewall for the Lab Network. Throughout this workbook this will be referred to as LabGateway2.
External Network
This network represents the Internet and provides access out to the real Internet. The gateway on this network is 192.168.1.254.
Services
This server is the DNS server for the ‘external’ domains used by the Lab Network and Acme Corp Network. It is connected to both the External Network and Secondary Link networks. Throughout this workbook this will be referred to as Services.
Acme Corp Gateway
This is a virtual UTM which has the configuration created during the Certified Engineer labs. Throughout this workbook this will be referred to as AcmeCorpGateway.
Acme Corp Network
This is the internal company network of another company, Acme Corp.
Acme Corp Server
This computer is the server for Acme Corp. It runs Active Directory, mail server, web server and DNS. Throughout this workbook this will be referred to as AcmeCorpServer.
Network diagram
User accounts

The table below details the user accounts in the CloudShare lab environment.

Username      | Email               | Scope             | Privileges
------------- | ------------------- | ----------------- | ----------------------
admin         | [email protected] | Lab Gateway 1     | Built-in admin account
administrator | [email protected] | Lab Domain        | Domain administrator
JohnSmith     | [email protected] | Lab Domain        | Domain user
JaneDoe       | [email protected] | Lab Domain        | Domain user
readonly      | n/a                 | Lab Domain        | Domain user
admin         | [email protected] | Acme Corp Gateway | Built-in admin account
administrator | [email protected] | Acme Corp Domain  | Domain administrator
TomJones      | [email protected] | Acme Corp Domain  | Domain user
All passwords are Sophos1985.
Lab 1: System configuration

Objective
Upon completion of this section you will be able to:
- Complete the initial configuration of the UTM without using the setup wizard.
- Create a DHCP server on the UTM.

Requirements
No prerequisites.
Task 1
Complete the initial configuration of LabGateway2 without using the setup wizard.

Steps
On LabServer:
1. Launch your browser and connect to the WebAdmin of LabGateway2 at https://172.16.1.151:4444.
2. Complete the Basic System Setup:
   - Hostname: lab-gw2.lab.external
   - Company or Organization Name: Sophos
   - City: Abingdon
   - Country: Great Britain
   - admin account password: Sophos1985
   - admin account email address: [email protected]
3. Log in to the WebAdmin of LabGateway2 as admin.
4. On the Welcome to Sophos UTM page, click Cancel.
5. Navigate to Interfaces & Routing | Interfaces and create and enable a New interface with the following configuration:
   - Name: External (WAN)
   - Type: Ethernet static
   - Hardware: eth1
   - IPv4 Address: 192.168.1.151
   - Netmask: /24 (255.255.255.0)
   - Default GW IP: 192.168.1.254
6. Navigate to Network Services | DNS | Forwarders and create a new DNS Forwarder with the following configuration:
   - Name: Lab DNS
   - Type: Host
   - IPv4 Address: 172.16.1.1
7. Deselect the option Use forwarders assigned by ISP.
8. Navigate to the Request Routing tab and create a New DNS Request Route with the following configuration:
   - Domain: lab.internal
   - Target Services: Lab DNS
9. Navigate to Management | System Settings | Time and Date and configure the correct time, date and time zone.
10. Remove all of the servers from the NTP Servers list and create a new NTP server with the following configuration:
   - Name: Lab Active Directory
   - Type: Host
   - IPv4 Address: 172.16.1.1
11. Navigate to Management | Shutdown/Restart and select to Restart (Reboot) the system now.
12. Once LabGateway2 has rebooted, log in to the WebAdmin as admin.
13. Navigate to Management | System Settings | Shell Access and Enable shell access.
14. Remove Any from the Allowed networks and add Internal (Network).
15. Set the passwords for the loginuser and root user to Sophos1985.
16. Navigate to Management | WebAdmin Settings | Advanced and set the WebAdmin idle timeout to 3600 seconds.
17. Select the HTTPS Certificate tab and import the WebAdmin CA Certificate.
18. Change the hostname of the WebAdmin in the Regenerate WebAdmin certificate section to the internal hostname of LabGateway2 (gw2.lab.internal).
19. Close and re-launch your browser, connect to the WebAdmin of LabGateway2 using the internal hostname gw2.lab.internal and log in as admin.
20. Confirm that you no longer receive a certificate error in your browser.
21. Navigate to Support | Tools and test that LabGateway2 is able to ping 8.8.8.8.
22. Select the DNS Lookup tab and confirm that LabGateway2 can resolve the following hosts:
   - www.sophos.com
   - acme-gw.acme.external
23. Navigate to Network Protection | Firewall and create and enable a new rule to allow web browsing with the configuration below:
   - Sources: Internal (Network)
   - Services: Web Surfing
   - Destinations: Any
24. Create and enable a new rule to allow DNS with the configuration below:
   - Sources: Internal (Network)
   - Services: DNS
   - Destinations: Any
25. Navigate to Network Protection | NAT and create and enable a new masquerading rule with the configuration below:
   - Network: Internal (Network)
   - Interface: External (WAN)
   - Use address: << Primary address >>
26. Create a backup called Architect Lab 1 on LabGateway2 and download it to the desktop of LabServer.
Task 2
Configure a DHCP server for the local Lab Network.

Steps
On LabServer:
1. Log in to the WebAdmin of LabGateway1 as admin.
2. Navigate to Network Services | DHCP and create and enable a new DHCP server for the Internal network:
   - Interface: Internal
   - Range start: 172.16.1.1
   - Range end: 172.16.1.100
   - DNS Server 1: 172.16.1.101
   - DNS Server 2: 172.16.1.151
   - Default gateway: 172.16.1.101
   - Domain: lab.internal
   - Comment: Lab 1
3. Open a Command Prompt and run: ipconfig /all
4. Write down the Physical Address for the interface with the IP address on the Lab Network:
   __________________________________________________________________________________
5. In the LabGateway1 WebAdmin, navigate to Definitions & Users | Network Definitions and edit the LabServer host definition by adding the MAC address to the DHCP Settings and selecting the Internal[172.16.1.1 – 172.16.1.100] IPv4 DHCP server.
6. Reconfigure the interface that is connected to the Lab Network to get its network settings via DHCP.
7. In the LabGateway1 WebAdmin, navigate to Network Services | DHCP and launch and review the DHCP Live Log.
8. Create a backup called Architect Lab 1 on LabGateway1 and download it to the desktop of LabServer.
Review
You have now successfully:
- Completed the initial configuration of a UTM without using the setup wizard.
- Created a DHCP server on a UTM.
Lab 2: Uplink Balancing

Objective
Upon completion of this section you will be able to configure uplink balancing with multiple active interfaces and with standby interfaces.

Requirements
No prerequisites.
Task
Create a second external interface on LabGateway1 with a default gateway, then configure uplink balancing.

Steps
On LabServer:
1. Log in to the WebAdmin of LabGateway1 as admin.
2. Navigate to Interfaces & Routing | Interfaces and create and enable a second external interface with the following configuration:
   - Name: Uplink 2
   - Type: Ethernet static
   - Hardware: eth2
   - IPv4 Address: 192.168.3.101
   - Netmask: /24 (255.255.255.0)
   - Default GW IP: 192.168.3.254
3. Enable Uplink Balancing when prompted.
4. Select the Uplink balancing tab and configure the Uplink 2 interface to be a standby interface.
5. Select the Interfaces tab and confirm that Uplink 2 is now enabled but Down.
6. Navigate to the Uplink balancing tab and disable Automatic Monitoring.
7. Add a new monitoring host with the following configuration:
   - Name: Services – WAN network
   - Type: Host
   - IPv4 Address: 192.168.1.1
8. Add a new monitoring host with the following configuration:
   - Name: Services – Secondary Link network
   - Type: Host
   - IPv4 Address: 192.168.3.1
9. Edit the monitoring settings to use the configuration below:
   - Monitoring type: HTTP Host
   - URL: /
   - Interval: 15
   - Timeout: 5
10. Navigate to the Dashboard and confirm that External (WAN) is Up and Uplink 2 is Down and in Standby.
11. Launch Remote Desktop, connect to Services at 192.168.1.1 and log in as the administrator.
12. Browse to Control Panel | Network and Internet | Network and Sharing Center | Change adapter settings.
13. Right-click on Ethernet and click Disable, then close the Remote Desktop window.
14. In the WebAdmin on LabGateway1, confirm that both External (WAN) and Uplink 2 are Up but that External (WAN) has a link error.
15. Launch Remote Desktop, connect to Services at 192.168.3.1 and log in as the administrator.
16. Right-click on Ethernet and click Enable, then close the Remote Desktop window.
17. In the WebAdmin on LabGateway1, navigate to Interfaces & Routing | Interfaces and select the Uplink balancing tab.
18. Enable Automatic monitoring and configure Uplink 2 to be an Active Interface.
19. On the Dashboard confirm that all interfaces are Up and there are no errors.
20. Create a backup called Architect Lab 2 on LabGateway1 and download it to the desktop of LabServer.
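The following is an added example, not code from the workbook or from Sophos UTM: a simplified Python model of the monitoring decision configured in steps 7 to 9 and changed in step 18. The interface names, monitoring hosts, URL, interval and timeout are the lab's values; the probe function and the active/standby selection logic are my own reconstruction of the behaviour the steps ask you to observe.

```python
"""Simplified model of UTM uplink monitoring as configured in Lab 2.

Added example (not from the Sophos workbook). Each uplink has its own monitoring
host on the Services server, probed with an HTTP GET of "/" every 15 s with a 5 s
timeout. Traffic uses the active interface(s) that are Up; a standby interface
only carries traffic when every active interface is Down.
"""
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional

INTERVAL_S = 15   # Monitoring "Interval" from step 9
TIMEOUT_S = 5     # Monitoring "Timeout" from step 9
URL_PATH = "/"    # Monitoring "URL" from step 9


@dataclass
class Uplink:
    name: str
    monitor_host: str   # monitoring host definition for this link (steps 7 and 8)
    role: str           # "active" or "standby"
    up: bool = True     # result of the last monitoring cycle


def lab_uplinks(uplink2_active: bool = False) -> List[Uplink]:
    """The two uplinks of LabGateway1. Uplink 2 starts as standby (step 4) and is
    switched to an active interface in step 18."""
    return [
        Uplink("External (WAN)", "192.168.1.1", "active"),
        Uplink("Uplink 2", "192.168.3.1", "active" if uplink2_active else "standby"),
    ]


def http_probe(host: str, timeout: float = TIMEOUT_S) -> bool:
    """Monitoring type "HTTP Host": GET URL_PATH on the monitoring host.

    Any HTTP reply, even an error status, proves the path through that uplink
    works; a timeout or connection failure marks the link Down."""
    try:
        with urllib.request.urlopen(f"http://{host}{URL_PATH}", timeout=timeout):
            return True
    except urllib.error.HTTPError:
        return True          # the server answered, so the uplink is usable
    except (urllib.error.URLError, OSError):
        return False


def select_uplinks(uplinks: List[Uplink],
                   probe: Callable[[str], bool] = http_probe) -> List[str]:
    """Run one monitoring cycle and return the interface names that should carry
    outbound traffic afterwards.

    Active interfaces that are Up share the load; standby interfaces are used
    only when no active interface is Up. An empty list means no uplink is
    available."""
    for link in uplinks:
        link.up = probe(link.monitor_host)
    active_up = [link.name for link in uplinks if link.role == "active" and link.up]
    if active_up:
        return active_up
    return [link.name for link in uplinks if link.role == "standby" and link.up]


def monitor_loop(uplinks: List[Uplink], probe: Callable[[str], bool] = http_probe,
                 cycles: Optional[int] = None) -> List[List[str]]:
    """Repeat the monitoring cycle every INTERVAL_S seconds and collect the
    selection made in each cycle (cycles=None runs until interrupted)."""
    history: List[List[str]] = []
    while cycles is None or len(history) < cycles:
        history.append(select_uplinks(uplinks, probe))
        if cycles is None or len(history) < cycles:
            time.sleep(INTERVAL_S)
    return history


if __name__ == "__main__":
    # Simulated probes stand in for the Services server (constructed data).
    # Step 13 disables the Services adapter on the External Network, so the
    # monitoring host 192.168.1.1 stops answering and the standby link takes over.
    wan_disabled = lambda host: host != "192.168.1.1"       # noqa: E731
    print(select_uplinks(lab_uplinks(), wan_disabled))        # ['Uplink 2']
    print(select_uplinks(lab_uplinks(), lambda host: True))   # ['External (WAN)']
```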
Review
You have now successfully configured uplink balancing with multiple active interfaces and with standby interfaces.
Lab 3: Multipath Rules

Objective
Upon completion of this section you will be able to:
- Create interface groups for routing.
- Create multipath rules to route different services using interface groups.
- Use tcpdump to confirm your multipath rules are working correctly.

Requirements
All instructions in Lab 2 must be completed successfully.
Task
Configure multipath rules on LabGateway1 which will route HTTP and FTP traffic out via different interfaces.

Steps
On LabServer:
1. Log in to the WebAdmin of LabGateway1 as admin.
2. Navigate to Network Protection | Firewall and add FTP to the Services in the Web Surfing firewall rule.
3. Navigate to Interfaces & Routing | Interfaces | Multipath Rules and create and enable a new multipath rule with the following configuration:
   - Name: Use Uplink 2 for HTTP
   - Source: Internal (Network)
   - Service: HTTP
   - Destination: Any
   - Itf. Persistence: by Connection
   - Balanced to: create a new interface group with the following configuration:
     - Name: Uplink group 2
     - Interfaces: Uplink 2
4. Launch PuTTY and connect to LabGateway1 using SSH.
5. Log in as loginuser, then change to the root user using the command:
   su -
6. Use tcpdump to monitor HTTP traffic on Uplink 2 using the command:
   tcpdump -i eth2 -n port 80
7. Access the following URLs in your browser on LabServer and confirm that you can see that traffic in tcpdump:
   - 192.168.3.1
   - www.sophos.com
8. In the WebAdmin on LabGateway1, add and enable a new multipath rule with the following configuration:
   - Name: Use Uplink 1 for FTP
   - Source: Internal (Network)
   - Service: FTP
   - Destination: Any
   - Itf. Persistence: by Connection
   - Balanced to: create a new interface group with the following configuration:
     - Name: Uplink group 1
     - Interfaces: External (WAN)
9. In your SSH session to LabGateway1, use tcpdump to monitor the FTP traffic on External (WAN) using the command:
   tcpdump -i eth1 -n port 21
10. Launch FileZilla and connect to the following URL: ftp.astaro.com
11. Confirm that you can see that traffic in tcpdump.
12. In the WebAdmin on LabGateway1, reverse the rules so that HTTP is now balanced to Uplink group 1 and FTP is balanced to Uplink group 2. Test your configuration using tcpdump.
13. Disable your multipath rules.
14. In the Uplink balancing tab, remove Uplink 2 from the Active interfaces and add it to the Standby interfaces.
15. Create a backup called Architect Lab 3 on LabGateway1 and download it to the desktop of LabServer.
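The lab confirms the rules by watching tcpdump by eye. The following is an added example, not code from the workbook, that performs the same check over saved tcpdump output: every new connection (client SYN) for a ruled service must appear on the uplink its multipath rule selects. The expected mapping (HTTP on eth2, FTP on eth1) and the interface names come from the steps above; the capture lines are constructed sample data, and the reversed mapping of step 12 is checked as well.

```python
"""Check tcpdump captures against the multipath rules of Lab 3.

Added example (not from the Sophos workbook). Reads "tcpdump -n" style lines
captured on each uplink and reports connections that left via the wrong
interface. Only the client's SYN of each connection is counted, so replies and
data segments of the same connection do not inflate the figures.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# tcpdump -n prints IPv4 TCP lines as "IP src.sport > dst.dport: Flags [...]";
# "Flags [S]," is the client's SYN, "[S.]" the server's SYN-ACK.
SYN_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\],"
)

# Multipath rules from steps 3 and 8: service port -> interface that must carry it.
EXPECTED: Dict[int, str] = {80: "eth2", 21: "eth1"}   # HTTP via Uplink 2, FTP via External (WAN)
REVERSED: Dict[int, str] = {80: "eth1", 21: "eth2"}   # the swapped rules of step 12

# Constructed sample captures, one list per interface. Sources are the uplink
# addresses because the masquerading rule rewrites LabServer's address on egress.
CAPTURES: Dict[str, List[str]] = {
    "eth2": [
        "10:01:02.103311 IP 192.168.3.101.49152 > 192.168.3.1.80: Flags [S], seq 100, win 8192, length 0",
        "10:01:02.103902 IP 192.168.3.1.80 > 192.168.3.101.49152: Flags [S.], seq 200, ack 101, win 8192, length 0",
        "10:01:02.104100 IP 192.168.3.101.49152 > 192.168.3.1.80: Flags [.], ack 201, win 8192, length 0",
        "10:01:09.550000 IP 192.168.3.101.49153 > 192.168.3.1.21: Flags [S], seq 300, win 8192, length 0",
    ],
    "eth1": [
        "10:01:15.000100 IP 192.168.1.101.49154 > 192.168.1.1.21: Flags [S], seq 400, win 8192, length 0",
        "10:01:20.000100 IP 192.168.1.101.49155 > 192.168.1.1.80: Flags [S], seq 500, win 8192, length 0",
    ],
}

Flow = Tuple[str, str, int]   # (client address, server address, service port)


def new_connections(lines: List[str]) -> List[Flow]:
    """Return one flow per connection attempt seen in the capture lines."""
    flows: List[Flow] = []
    for line in lines:
        m = SYN_RE.search(line)
        if m:
            flows.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return flows


def connections_per_service(captures: Dict[str, List[str]]) -> Dict[Tuple[str, int], int]:
    """Count new connections per (interface, service port), the figures you
    would otherwise tally by watching the two tcpdump sessions."""
    counts: Counter = Counter()
    for iface, lines in captures.items():
        for _, _, dport in new_connections(lines):
            counts[(iface, dport)] += 1
    return dict(counts)


def multipath_violations(captures: Dict[str, List[str]],
                         expected: Dict[int, str] = EXPECTED) -> List[Tuple[str, Flow, str]]:
    """Return (interface seen, flow, interface expected) for every connection of a
    ruled service that left via the wrong uplink. Services without a rule are not
    checked, because uplink balancing may place them on any active link."""
    bad: List[Tuple[str, Flow, str]] = []
    for iface, lines in captures.items():
        for flow in new_connections(lines):
            want = expected.get(flow[2])
            if want is not None and want != iface:
                bad.append((iface, flow, want))
    return bad


if __name__ == "__main__":
    for (iface, port), n in sorted(connections_per_service(CAPTURES).items()):
        print(f"{iface} port {port}: {n} new connection(s)")
    for seen, (client, server, port), want in multipath_violations(CAPTURES):
        print(f"VIOLATION: {client} -> {server}:{port} left via {seen}, rule says {want}")
```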
Review
You have now successfully:
- Created interface groups for routing.
- Created multipath rules to route different services using interface groups.
- Used tcpdump to confirm your multipath rules are working correctly.
Lab 4: Quality of Service

Objective
Upon completion of this section you will be able to:
- Limit bandwidth for an interface.
- Shape traffic based on an application.
- Throttle traffic based on a protocol.

Requirements
No prerequisites.

Task 1
Enable quality of service on LabGateway1 and define a bandwidth limit on an interface.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Interfaces & Routing | Quality of Service (QoS) and enable quality of service for all interfaces.
3. Edit the Internal interface and limit the download bandwidth to 100 kbit/s.
4. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and edit the Default content filter action.
5. Remove .exe from Blocked file extensions.
6. Verify that the bandwidth limit is not being exceeded when downloading the file:
   http://global.services.external/Thunderbird%20Setup%2017.0.5.exe
Task 2
Use the Flow Monitor to create a rule that will shape the traffic for Facebook.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Application Control and open the Flow Monitor on the eth1 interface.
3. Browse to http://www.facebook.com.
4. In the Flow Monitor shape the traffic for Facebook to 10kbit/s and limit to 20kbit/s.
5. In the WebAdmin, navigate to Interfaces & Routing | Quality of Service (QoS) and review the Traffic Selector and Bandwidth Pool that have been created.
6. Write down the name of the Traffic Selector that has been created:
   __________________________________________________________________________________
Task 3
Use the Flow Monitor to create a rule that will throttle all HTTP traffic.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Application Control and open the Flow Monitor on the eth1 interface.
3. Browse to http://www.sophos.com.
4. In the Flow Monitor throttle the traffic for HTTP to 25kbit/s for each source.
5. In the WebAdmin, navigate to Interfaces & Routing | Quality of Service (QoS) and review the Traffic Selector and Download Throttling that have been created.
6. Disable the Download Throttling rule and Bandwidth Pool.
7. Disable quality of service on all interfaces.
8. Create a backup called Architect Lab 4 on LabGateway1 and download it to the desktop of LabServer.
Review
You have now successfully:
- Limited the bandwidth for an interface.
- Shaped traffic based on an application.
- Throttled traffic based on a protocol.
Lab 5: Authentication

Objective
Upon completion of this section you will be able to configure:
- The Sophos Authentication Agent.
- One-time passwords.

Requirements
No prerequisites.
Task 1
Configure and test the Sophos Authentication Agent.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Definitions & Users | Authentication Services.
3. Select all options in the Automatic user creation for facilities section.
4. Navigate to Definitions & Users | Client Authentication and enable client authentication with the following configuration:
   Allowed networks: Internal (Network)
   Allowed Users and Groups: Active Directory Users
5. In the Client Authentication program section, download the EXE version and install it on LabServer.
6. Use Putty on LabServer to login to LabGateway1 as the loginuser then change to the root user using the command:
   su
7. Follow the aua.log and endpoint.log files using the commands:
   cd /var/log
   tail -f aua.log endpoint.log
8. Launch the client authentication program and test it with the Active Directory user JaneDoe.
   Note: do not save the password.
9. Confirm that the user JaneDoe has been created on the UTM following successful authentication.
10. Close the Sophos Authentication Agent.
11. Write down the following information from the entries written to the aua.log and endpoint.log when you authenticated as JaneDoe:
    aua.log: user, caller and engine
    ____________________________________________________________________________
    endpoint.log: the name of the process that wrote to the log
    ____________________________________________________________________________
Task 2
Configure and test one-time passwords for the User Portal.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Definitions & Users | Authentication Services | One-time password and enable one-time passwords.
3. Connect to the User Portal on LabGateway1 at https://gw1.lab.internal and login as johnsmith.
4. Click Proceed with login.
5. In the WebAdmin refresh the one-time passwords page.
6. Edit the token for johnsmith and create additional codes.
7. Write down one of the additional codes:
   _________________________________________________
8. Login to the User Portal as johnsmith using the additional token code you wrote down.
9. Go to the OTP Token tab and view the token information.
10. Write down the encoding types your secret is displayed in:
    __________________________________________________________________________________
    __________________________________________________________________________________
11. In the WebAdmin, disable one-time passwords.
12. Create a backup called Architect Lab 5 on LabGateway1 and download it to the desktop of LabServer.
Review
You have now successfully configured:
- The Sophos Authentication Agent.
- One-time passwords.
Lab 6: Web protection

Objective
Upon completion of this section you will be able to configure:
- Automatic proxy configuration via DHCP.
- File type blocking using MIME types.
- Full HTTPS decrypt and scan.
- Multiple profiles for different modes of authentication.

Requirements
All instructions in Lab 1 must be completed successfully.

Note
Use Internet Explorer for testing your configuration in this lab. Proxy auto-configuration via DHCP is unreliable in other browsers.
Task 1
Configure a proxy auto-configuration script.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Filtering Options | Misc and create and enable a proxy auto-configuration script on the UTM which returns DIRECT for the lab.internal network and returns the LabGateway1 as the proxy for all other sites.
   Example:

   function FindProxyForURL(url, host) {
     // Local URLs from the domain lab.internal
     // don't need a proxy
     if (shExpMatch(host, "*.lab.internal")) {
       return "DIRECT";
     }
     // URLs within this network are local and don't
     // need a proxy
     if (isInNet(host, "172.16.1.0", "255.255.255.0")) {
       return "DIRECT";
     }
     // All other requests go through
     // port 8080 of gw1.lab.internal
     // should that fail to respond, try to go direct
     return "PROXY gw1.lab.internal:8080; DIRECT";
   }

3. Navigate to Network Services | DHCP and edit your DHCP server by enabling the option Enable HTTP Proxy Auto Configuration.
4. Navigate to Network Protection | Firewall and remove Web Surfing from the Web Surfing and WebAdmin firewall rule.
5. Release and renew your IP address on LabServer. This can be done using the command:
   ipconfig /release && ipconfig /renew
6. Open Internet Explorer and confirm that:
   - You are able to access http://www.sophos.com.
   - http://www.games.com is blocked.
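The PAC script in step 2 is only ever evaluated by a browser, which makes its routing decisions awkward to check before it is handed out via DHCP. The following is an added example, not from the Sophos workbook, that wraps the same script in stand-ins for the browser's PAC helper functions so it can be exercised offline. The stand-ins are simplified and are this example's own: shExpMatch handles only `*` and `?` wildcards, and isInNet accepts a dotted IPv4 literal as the host and performs no DNS lookup (a real browser resolves the name first, so a lab.internal host that resolves into 172.16.1.0/24 would also go DIRECT through the second test).

```javascript
// Added example (not from the Sophos workbook): the Lab 6 PAC script with
// stand-ins for the browser's PAC helper functions so its routing decisions
// can be checked offline. The stand-ins are simplified: shExpMatch handles
// '*' and '?' only, and isInNet accepts a dotted IPv4 literal as host and
// does no DNS lookup.

// Shell-style wildcard match, as PAC's shExpMatch does for hostnames.
function shExpMatch(str, pattern) {
  const source = '^' + pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')  // escape regex metacharacters
    .replace(/\*/g, '.*')                    // '*' matches any run
    .replace(/\?/g, '.') + '$';              // '?' matches one character
  return new RegExp(source, 'i').test(str);
}

// Dotted IPv4 string to an unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  const nums = parts.map(p => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  if (nums.some(n => Number.isNaN(n) || n > 255)) return null;
  return ((nums[0] << 24) | (nums[1] << 16) | (nums[2] << 8) | nums[3]) >>> 0;
}

// Subnet membership test, as PAC's isInNet does once the host is an address.
function isInNet(host, network, mask) {
  const h = ipToInt(host), n = ipToInt(network), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// The workbook's PAC script, unchanged apart from comment wording.
function FindProxyForURL(url, host) {
  // Local URLs from the domain lab.internal don't need a proxy
  if (shExpMatch(host, "*.lab.internal")) {
    return "DIRECT";
  }
  // URLs within this network are local and don't need a proxy
  if (isInNet(host, "172.16.1.0", "255.255.255.0")) {
    return "DIRECT";
  }
  // All other requests go through port 8080 of gw1.lab.internal;
  // should that fail to respond, try to go direct
  return "PROXY gw1.lab.internal:8080; DIRECT";
}

// Table-driven check of the decisions that matter in this lab.
// Returns a list of { host, expected, actual, ok } rows.
function checkPac(cases) {
  return cases.map(([host, expected]) => {
    const actual = FindProxyForURL('http://' + host + '/', host);
    return { host, expected, actual, ok: actual === expected };
  });
}

const PAC_CASES = [
  ['intranet.lab.internal', 'DIRECT'],
  ['172.16.1.50', 'DIRECT'],
  // the bare domain does not match "*.lab.internal": the pattern needs a dot
  ['lab.internal', 'PROXY gw1.lab.internal:8080; DIRECT'],
  ['www.sophos.com', 'PROXY gw1.lab.internal:8080; DIRECT'],
  ['192.168.3.1', 'PROXY gw1.lab.internal:8080; DIRECT'],
];
```

Two points the table makes explicit: the bare name lab.internal is proxied because `*.lab.internal` only matches names with a dot before the domain, and the trailing `DIRECT` fallback means a browser will bypass the proxy whenever gw1.lab.internal:8080 does not respond. Step 4, which removes Web Surfing from the firewall rule, is what stops that fallback from turning into unfiltered access.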
Task 2
Configure and test blocking files using MIME-type blocking.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and edit the Default content filter action.
3. Configure the filter action to warn for downloading of ZIP files based on MIME type.
4. Write down the MIME type for ZIP files:
   _________________________________________________
5. Try to download the test file from Services: http://192.168.1.1/zip.test
Task 3
Configure and enable Full decrypt and scan HTTPS scanning in the web filter.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Filtering Options | HTTPS CAs and Upload a new signing CA from the file c:\certs\lab-LAB-SERVER-CA.p12 with the password Sophos1985.
3. Navigate to Web Protection | Web Filtering and select Decrypt and scan for HTTPS (SSL) traffic.
4. Confirm that you do not get a certificate error when you access: https://www.google.co.uk
5. View the details of the SSL certificate.
6. Write down the signing certificate authority for the certificate your browser received when you accessed https://www.google.co.uk:
   ____________________________________________________
Task 4
Configure multiple web filtering profiles for different connection and authentication methods.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Definitions & Users | Users & Groups | Groups and add a new group with the following configuration:
   Group name: Contractors
   Group type: Backend membership
   Backend: Active Directory
   Limit to backend group(s) membership: selected
   Active Directory Groups: Contractors
3. Add a new group with the following configuration:
   Group name: Domain Admins
   Group type: Backend membership
   Backend: Active Directory
   Limit to backend group(s) membership: selected
   Active Directory Groups: Domain Admins
4. Navigate to Web Protection | Filtering Options | Categories and create a New filter category with the following configuration:
   Name: Business
   Included Sub-Categories: Business
5. Remove the Business sub-category from the Community / Education / Religion filter category.
6. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and create a new filter action with the following configuration:
   Name: Contractors
   Block all content, except as specified below
   Category:
   o IT: Allow
   o Business: Allow
7. Navigate to Web Protection | Web Filtering Profiles and create a new profile with the following configuration:
   Name: Standard mode with AD SSO authentication
   Allowed networks: Internal (Network)
   Operation mode: Standard
   Default Authentication: Active Directory SSO
   HTTPS (SSL) traffic: Decrypt and scan
8. In Web Protection | Web Filtering Profiles create a new profile with the following configuration:
   Name: Transparent mode with Browser authentication
   Allowed networks: Internal (Network)
   Operation mode: Transparent
   Default Authentication: Browser
   HTTPS (SSL) traffic: Decrypt and scan
   Policies: create and enable two new policies as below.
   o Policy 1:
     Name: Contractors
     Users/Groups: Contractors
     Filter Action: Contractors
   o Policy 2:
     Name: Domain Admins
     Users/Groups: Domain Admins
     Filter Action: Default content filter action
   o Base Policy:
     Filter Action: Default content filter block action
9. Arrange the profiles with the Standard mode with AD SSO authentication at the top and Transparent mode with Browser authentication beneath it.
10. Open the Web Filtering Live Log and review it while you follow the steps below to test your configuration.
11. Configure the browser proxy settings as below:
    Proxy server: none
    Automatic proxy script: none
    Automatically detect settings: no
12. In your browser try to connect to http://www.sophos.com and authenticate as ContractorBob.
    Note: be sure not to close the window with the logout button.
13. Confirm that you are unable to access http://www.bbc.co.uk.
14. Logout of the browser authentication as ContractorBob.
15. In your browser try to connect to http://www.sophos.com and authenticate as Administrator.
    Note: be sure not to close the window with the logout button.
16. Confirm that you are able to access http://www.bbc.co.uk.
17. Logout of the browser authentication as Administrator.
18. Change your browser settings to explicitly use the proxy server on port 8080.
19. Browse to both http://www.sophos.com and http://www.bbc.co.uk and confirm you can access them without authenticating.
20. Configure the browser proxy settings as below:
    Proxy server: none
    Automatic proxy script: none
    Automatically detect settings: no
21. Navigate to Web Protection | Web Filtering Profiles and disable the Standard mode with AD SSO authentication and Transparent mode with Browser authentication profiles.
22. Navigate to Web Protection | Web Filtering and configure the proxy settings as below:
    Operation mode: Transparent mode
    Default Authentication: None
    HTTPS (SSL) traffic: URL filtering only
23. Create a backup called Architect Lab 6 on LabGateway1 and download it to the desktop of LabServer.
Review
You have now successfully configured:
- Automatic proxy configuration via DHCP.
- File type blocking using MIME types.
- Full HTTPS decrypt and scan.
- Multiple profiles for different modes of authentication.
Lab 7: Email protection

Objective
Upon completion of this section you will be able to configure:
- End user sender blacklists through the User Portal and WebAdmin.
- SMTP profiles for additional domains which override elements of the default SMTP configuration.
- Email encryption using OpenPGP.
- Email encryption using S/MIME.

Requirements
No prerequisites.
Task 1
Block an email using the per user sender blacklists in the User Portal.

Steps

On LabServer:

1. Connect to the User Portal on LabGateway1 and login as administrator.
2. On the Sender Blacklist tab add *[email protected] to the Sender Blacklist.
   Note: ensure that you include the '*' as this is required for the email address to match with BATV enabled.

On AcmeCorpServer:

3. Launch Thunderbird and send a test email from [email protected] to [email protected].

On LabServer:

4. Login to the User Portal of LabGateway1 as administrator.
5. Select the Mail Log tab and review the entry for the test email.
6. Select the Mail Quarantine tab and write down why the test email was quarantined from the Reason column:
   __________________________________________________________________________________
7. First view, then release the email and confirm that you received it.
8. In the LabGateway1 WebAdmin, navigate to Definitions & Users | Users & Groups.
9. Edit the Administrator user and view the Sender Blacklist.
10. Add *@services.external to the Sender Blacklist.
Task 2
Configure an additional SMTP profile for a different email domain.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Email Protection | SMTP and change the SMTP proxy to Profile mode.
3. Navigate to Email Protection | SMTP Profiles and add and enable a new SMTP Profile with the following configuration:
   Profile Name: sophos.external domain
   Domains: sophos.external
   Blocked Expressions: Use individual settings defined below
   Blocked Expressions: create a regular expression to match a string of 16 numbers which may optionally have a space between each block of 4 digits, similar to a credit card number. E.g.:
   \b([0-9]{4}\s?){4}\b

On AcmeCorpServer:

4. Launch Thunderbird and send an email from administrator to [email protected] containing the string "1234 5678 9012 3456".
5. Review the SMTP Live Log and write down the reason it was quarantined:
   __________________________________________________________________________________

On LabServer:

6. Connect to the WebAdmin of LabGateway1.
7. Launch the Mail Manager and release the email from the quarantine.
8. Identify the message ID for the email from the SMTP Log in the Mail Manager.
9. Launch Putty and connect to LabGateway1 via SSH.
10. Login as the loginuser then change to the root user using the command:
    su -
11. Change to the log directory using the command:
    cd /var/log
12. Search the maillog for entries containing the message ID using the following command:
    grep xxxxxxxxxxxxxxxx smtp.log
    Note: where "xxxxxxxxxxxxxxxx" is replaced with the message ID you identified in step 8.
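The blocked expression in step 3 is a pure pattern match, which is why the lab's test string "1234 5678 9012 3456" is quarantined even though it is not a valid card number. The following is an added example, not from the Sophos workbook, that exercises the workbook's expression against constructed message bodies and then goes one step further than the lab by adding a Luhn check, the usual way a content filter separates genuine card numbers from incidental 16-digit strings. It assumes the JavaScript regex engine reads `\b`, `\s` and `{n}` the same way as the dialect the UTM applies to blocked expressions; the sample bodies and the widened separator set in findCardCandidates are this example's own.

```javascript
// Added example (not from the Sophos workbook): exercising the Lab 7 Task 2
// blocked expression against constructed message bodies, and showing how a
// Luhn check separates genuine card numbers from arbitrary 16-digit strings.

// The expression from the workbook, unchanged. \b, \s and {n} are assumed to
// behave the same here as in the dialect the UTM applies.
const UTM_PATTERN = /\b([0-9]{4}\s?){4}\b/;

// Would the UTM-style rule fire on this body?
function matchesUtmRule(body) {
  return UTM_PATTERN.test(body);
}

// Luhn (mod 10) checksum over a string of decimal digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Find every 16-digit candidate, optionally split into groups of 4 by a
// space or hyphen, and report whether each passes Luhn. The separator set
// is deliberately wider than the workbook's \s? so hyphenated numbers,
// which the lab expression misses, are also seen.
function findCardCandidates(body) {
  const re = /\b(?:[0-9]{4}[ -]?){3}[0-9]{4}\b/g;
  const out = [];
  for (const m of body.matchAll(re)) {
    const digits = m[0].replace(/[ -]/g, '');
    out.push({ raw: m[0], digits, luhn: luhnValid(digits) });
  }
  return out;
}

// Quarantine only when a candidate also passes Luhn, which drops most
// order numbers, ticket ids and other incidental digit strings.
function shouldQuarantine(body) {
  return findCardCandidates(body).some(c => c.luhn);
}

// Constructed sample bodies. 4111 1111 1111 1111 is the widely published
// test card number and passes Luhn; the workbook's 1234 5678 9012 3456
// does not.
const SAMPLES = {
  labString:  'Please charge 1234 5678 9012 3456 for the order.',
  testCard:   'Card on file: 4111 1111 1111 1111, exp 12/25.',
  hyphenated: 'Card on file: 4111-1111-1111-1111',
  ticketId:   'Ref 12345678901234567 has been closed.',
};
```

Two edges of the workbook expression are worth knowing when it is used outside the lab: the `\b` anchors stop it firing inside a longer digit run such as the 17-digit reference above, and `\s?` does not cover hyphens, so a hyphenated card number passes the rule untouched.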
Task 3
Configure and test email encryption between two UTMs using OpenPGP.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Email Protection | Encryption and enable email encryption.
3. On the Internal Users tab create a New email encryption user with the following configuration:
   Email Address: [email protected]
   Full Name: Administrator (Lab)
4. Download the OpenPGP public key.
5. Launch Thunderbird and email the OpenPGP public key to [email protected].

On AcmeCorpServer:

6. Login to the WebAdmin of AcmeCorpGateway as admin.
7. Navigate to Email Protection | Encryption and enable email encryption.
8. On the Internal Users tab create a New email encryption user with the following configuration:
   Email Address: [email protected]
   Full Name: Administrator (Acme)
9. Download the OpenPGP public key.
10. Launch Thunderbird and email the OpenPGP public key to [email protected].
11. In the AcmeCorpGateway WebAdmin, select the OpenPGP Public Keys tab.
12. Use the New public OpenPGP key(s) option to import the key from [email protected].

On LabServer:

13. Connect to the LabGateway1 WebAdmin.
14. Select the OpenPGP Public Keys tab.
15. Use the New public OpenPGP key(s) option to import the key from [email protected].
16. Launch Thunderbird and send an email to [email protected].

On AcmeCorpServer:

17. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in the subject line.
18. Write down the subject line tag:
    __________________________________________________________________________________
19. Send an email to [email protected].

On LabServer:

20. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in the subject line.
Task 4
Configure and test email encryption between two servers using S/MIME.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Email Protection | Encryption and download the S/MIME CA Certificate.
3. On the Internal Users tab create a New email encryption user with the following configuration:
   Email Address: [email protected]
   Full Name: John Smith (Lab)
4. Launch Thunderbird and email the S/MIME certificate from [email protected] to [email protected].

On AcmeCorpServer:

5. Login to the WebAdmin of AcmeCorpGateway as admin.
6. Navigate to Email Protection | Encryption and download the S/MIME CA Certificate.
7. On the Internal Users tab create a New email encryption user with the following configuration:
   Email Address: [email protected]
   Full Name: Tom Jones (Acme)
8. Launch Thunderbird and email the S/MIME certificate from [email protected] to [email protected].
9. Save the S/MIME certificate from John Smith as lab-smime.pem.
10. In the AcmeCorpGateway WebAdmin, select the S/MIME Authorities tab and upload the lab-smime.pem certificate.

On LabServer:

11. Save the S/MIME certificate from Tom Jones as acme-smime.pem.
12. In the LabGateway1 WebAdmin, select the S/MIME Authorities tab and upload the acme-smime.pem certificate.
13. In Thunderbird send an email from [email protected] to [email protected].

On AcmeCorpServer:

14. Confirm you received the email and that it was signed by the tag in the subject line.
15. Write down the subject line tag:
    __________________________________________________________________________________
16. In the AcmeCorpGateway WebAdmin, select the S/MIME Certificates tab and confirm that John Smith's certificate has been extracted.
17. Send an email to [email protected].

On LabServer:

18. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in the subject line.
19. Write down the subject line tag:
    __________________________________________________________________________________
20. In the LabGateway1 WebAdmin, select the S/MIME Certificates tab and confirm that Tom Jones' certificate has been extracted.
21. Create a backup called Architect Lab 7 on LabGateway1 and download it to the desktop of LabServer.
Review
You have now successfully configured:
- End user sender blacklists through the User Portal and WebAdmin.
- SMTP profiles for additional domains which override elements of the default SMTP configuration.
- Email encryption using OpenPGP.
- Email encryption using S/MIME.
Lab 8: Endpoint protection

Objective
Upon completion of this section you will:
- Know where to look to monitor communication between an endpoint and UTM via LiveConnect.
- Be able to configure antivirus exclusions.

Requirements
No prerequisites.

Task 1
Explore the logging of communication between the endpoint and UTM via LiveConnect.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Management | System Settings | Reset Configuration and click Reset UTM ID.
3. Navigate to Endpoint Protection | Computer Management.
4. Enable Endpoint Protection and click Activate Endpoint Protection.
5. Select the Advanced tab.
6. In the Tamper Protection section set the password to Sophos1985 and click Apply.
7. Select the Deploy Agent tab.
8. Click Download Endpoint Installation Package Now.
9. Once it has downloaded run the installer.
10. On the Welcome to the Sophos Endpoint Security and Control Installer screen click Next.
11. On the Remove third-party security software screen click Install.
12. On the Install is complete screen click Finish.
13. In the WebAdmin navigate to Endpoint Protection.
14. Confirm that the LabServer is registered and online.
15. Browse to:
    C:\ProgramData\Sophos\Management Communications System\Endpoint\Config
16. Write down what configuration is included in the config.xml by default:
    __________________________________________________________________________________
17. Browse to:
    C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist
18. Open the EndpointIdentity.txt file then keep this file open while you do the following steps.
19. Launch Sophos Endpoint Security and Control and authenticate with Tamper Protection.
20. Login to the WebAdmin of LabGateway1 as admin.
21. Navigate to Endpoint Protection and launch the Live Log.
22. Locate the log entry for where you authenticated against Tamper Protection.
23. Compare the mcs_id field to the contents of the EndpointIdentity.txt.
Task 2
Configure and test the antivirus exclusion.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Endpoint Protection | Antivirus | Exceptions and create a scanning exclusion for Eicar.com and apply it to the Default group.
3. Wait for a minute to allow the policy to be applied on LabServer.
4. Launch your web browser and connect to http://www.sophos.com/en-us/press-office/press-releases/2003/01/eicar.aspx.
5. Open Notepad.
6. Copy the following text from the Sophos Eicar article and paste it in Notepad:
   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
7. Save the file as Eicar.com.
   Note: ensure you save it without the *.txt extension.
8. Try to execute the file. This will not cause an anti-virus alert.
   Note: the file will not run correctly as it is a DOS application.
9. Create a backup called Architect Lab 8 on LabGateway1 and download it to the desktop of LabServer.
Review
You have now successfully:
- Monitored the communication between an endpoint and UTM via LiveConnect.
- Configured antivirus exclusions.
Lab 9: Wireless protection

Objective
Upon completion of this section you will be able to:
- Configure multiple wireless networks for different users.
- Connect and configure a wireless access point.
- Create a hotspot.

Requirements
No prerequisites.

Task 1
Enable wireless protection and without using the wizard manually configure two wireless networks:
- One for guest access using a separate zone.
- One for lab access bridged to the access point network.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Wireless Protection | Global Settings.
3. Enable wireless protection using the following configuration:
   Skip automatic configuration: Selected
   Allowed interfaces: Internal
4. Navigate to Wireless Protection | Wireless Networks and create a wireless network with the following configuration:
   Network name: Guest Network
   SSID: Guest
   Encryption Mode: WPA2 Personal
   Passphrase PSK: Sophos1985
   Client traffic: Separate Zone
   Client isolation: Enabled
5. Navigate to Interfaces & Routing | Interfaces and add and enable a new interface for the Guest wireless network with the following configuration:
   Name: Guest WiFi
   Type: Ethernet Static
   Hardware: wlan0
   IPv4 Address: 172.16.21.1
   Netmask: /24 (255.255.255.0)
6. Navigate to Network Services | DHCP and create a new DHCP server for the wireless network with the following configuration:
   Interface: Guest WiFi
   Range start: 172.16.21.1
   Range end: 172.16.21.254
   DNS Server 1: 172.16.21.1
   Default gateway: 172.16.21.1
7. Navigate to Network Services | DNS and add the Guest wireless network to the Allowed Networks.
8. Navigate to Network Protection | NAT and create and enable a new masquerading rule for the Guest wireless network with the following configuration:
   Network: Guest WiFi (Network)
   Interface: Uplink Interfaces
   Use address: << Primary address >>
9. Navigate to Network Protection | Firewall and create and enable a new firewall rule that allows web browsing from the wireless network to the Internet with the following configuration:
   Sources: Guest WiFi (Network)
   Services: Web Surfing
   Destinations: Internet IPv4
10. Navigate to Wireless Protection | Wireless Networks and create a wireless network with the following configuration:
    Network name: Lab Network
    SSID: Lab
    Encryption Mode: WPA2 Personal
    Passphrase PSK: Sophos1985
    Client traffic: Bridge to AP LAN
    Client isolation: Enabled
Task 2
Connect a Sophos wireless access point to LabGateway1.

Steps

On LabServer:

1. Launch Putty and connect to LabGateway1 using SSH.
2. Login as the loginuser then change to root using the following command:
   su -
3. As the root user run the following command:
   ./clienttest.pl --minc=5 --maxc=10 --server=172.16.1.101
4. In the WebAdmin of LabGateway1, navigate to Wireless Protection | Access Points.
5. Click Accept for the access point and use the following configuration in the Edit Access Point dialog:
   Label: Lab9
   Group: << New group >>
   Name: Training
6. Select the Grouping tab.
7. Edit the Training group and select Guest and Lab wireless networks.
8. In Putty run the clienttest.pl command again on LabGateway1.
   Note: leave the SSH session open for the duration of the lab.
9. In the WebAdmin of LabGateway1, confirm that the access point is now active.
   Note: this may take a couple of minutes.
10. Navigate to Wireless Protection | Wireless Clients and view the clients connected.
11. Navigate to Wireless Protection | Access Points and select the Grouping tab.
12. Create a new group with the following configuration:
    Name: Lab only
    Wireless networks: Lab
13. On the Overview tab edit the access point and change it from the Training group to the Lab group.
Task 3
Configure and test a voucher based hotspot.

Steps

On LabServer:

1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Wireless Protection | Hotspots and enable it.
3. Select the Voucher Definitions tab and create a new voucher with the following configuration:
   Name: Lab
   Validity period: 5 Days
   Data volume: 20 MB
4. Select the Advanced tab and add Internal (Address) to the Allowed hosts/networks in the Walled Garden section.
5. Select the Hotspot tab and create a new hotspot with the following configuration:
   Name: Public
   Interfaces: Internal
   Hotspot type: Voucher
   Voucher Definitions: Lab
6. Login to the User Portal of LabGateway1 as admin and create a Lab voucher.
7. Write down the voucher code:
   _________________________________________________________________________________
8. Try to browse to http://www.sophos.com.
9. Enter the voucher code when prompted.
10. Write down the voucher information displayed:
    __________________________________________________________________________________
    __________________________________________________________________________________
    __________________________________________________________________________________
11. Browse the Sophos website then refresh the hotspot portal page; note that the used Data volume has increased.
12. Write down the Status of the voucher in the User Portal of LabGateway1:
    __________________________________________________________________________________
13. Login to the WebAdmin of LabGateway1 as admin.
14. Navigate to Wireless Protection | Hotspots and open the live log.
15. Write down the portal and user fields from your session:
    __________________________________________________________________________________
    __________________________________________________________________________________
16. Disable Hotspots on LabGateway1.
17. Create a backup called Architect Lab 9 on LabGateway1 and download it to the desktop of LabServer.
Review
You have now successfully:
- Configured multiple wireless networks for different users.
- Connected and configured a wireless access point.
- Created a hotspot.
Lab 10: Webserver protection

Objective
Upon completion of this section you will be able to configure webserver protection for both HTTP and HTTPS webservers and implement reverse authentication.

Requirements
No prerequisites.
Task 1
Configure a reverse proxy for HTTP and HTTPS webservers with a custom firewall profile.

Steps

On LabServer:

1. Open a Command Prompt and use OpenSSL to generate a server key.
   openssl genrsa -out server.key
2. Create a server certificate signing request for the external hostname of LabGateway1 (lab-gw1.lab.external).
   openssl req -new -key server.key -out server.csr
3. Enter the following values when prompted:
   Country Name: GB
   State or Province Name: Oxfordshire
   Locality Name: Abingdon
   Organization Name: Sophos
   Organizational Unit: Training
   Common Name: lab-gw1.lab.external
   Email Address: [email protected]
   A challenge password: leave blank
   An optional company name: leave blank
4. Connect to the certificate authority on Services: https://global.services.external/certsrv/en-us.
5. Download the CA certificate in Base 64 encoded format to C:\Users\Administrator\ca_certificate.cer.
6. Request a certificate using advanced certificate request. Paste in the certificate signing request that you created then download the certificate in Base 64 encoded format to C:\Users\Administrator\certificate.cer.
7. Use OpenSSL to create a pkcs#12 file from the server key, certificate and CA certificate.
   openssl pkcs12 -export -out lab.p12 -inkey server.key -in certificate.cer -certfile ca_certificate.cer
8. Login to the WebAdmin of LabGateway1 as admin.
9. Navigate to Webserver Protection | Certificate Management and create a new certificate with the following configuration: Name: lab-gw1 external Method: Upload File type: PKCS#12 (Cert+CA) File: the lab.p12 you created in step 7 Password: the password you set in step 7 10. Navigate to Webserver Protection | Web Application Firewall | Firewall Profiles and create a New Firewall Profile called Lab with the following features enabled: Mode: Reject Common Threats Filter Cookie signing Form hardening Antivirus scanning Mode: Single Scan Direction: Uploads and Downloads Block unscannable content Block clients with bad reputation 11. Select the Real Webservers tab and create a New Real Webserver with the following configuration: Name: ArGoSoft Webmail Host: Lab Server Type: Plaintext (HTTP) Port: 80 12. Create another New Real Webserver with the following configuration: Name: IIS Host: Lab Server Type: Encrypted (HTTPS) Port: 443 13. Select the Virtual Webservers tab and create a New Virtual Webserver with the following configuration: Name: ArGoSoft Webmail Interface: External (WAN) (Address) Type: Plaintext (HTTP) Port: 80 Domains: lab-gw1.lab.external Real Webservers: ArGoSoft Webmail Firewall Profile: Lab 14. Create another New Virtual Webserver with the following configuration: AL30: UTM
Page 40 of 57
Sophos Certified Architect
Name: IIS Interface: External (WAN) (Address) Type: Encrypted (HTTPS) Port: 81 Redirect from HTTP to HTTPS: Untick Certificate: lab-gw1 external Real Webservers: IIS Firewall Profile: Lab
On AcmeCorpServer: 15. Connect to: http://lab-gw1.lab.external - You should be able to access the ArGoSoft Webmail site. https://lab-gw1.lab.external:81 – You should be able to access the IIS default page with no certificate error.
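The script below is an added example and is not part of the Sophos workbook. It reproduces the OpenSSL part of Task 1 step 7 end to end and then runs the checks worth doing before lab.p12 is uploaded in step 9: that server.key really belongs to certificate.cer, that the certificate chains to the CA for the hostname the virtual webserver will publish, and that the PKCS#12 carries both the server certificate and the CA, which is what the UTM's "PKCS#12 (Cert+CA)" upload type expects. Because the lab's Windows CA at global.services.external is not reachable from a script, a throwaway OpenSSL CA stands in for it; the certificate name lab-gw1.lab.external, the subject fields and the export password Sophos1985 are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not Sophos's code: rebuilds the Lab 10 Task 1 OpenSSL steps with
# a stand-in CA and checks the resulting PKCS#12 before it is uploaded to the UTM.
# Assumed values: HOST (the virtual webserver domain) and P12_PASS.
set -eu

HOST="lab-gw1.lab.external"
P12_PASS="Sophos1985"

# Produce server.key, server.csr, certificate.cer, ca_certificate.cer and lab.p12 in $1.
build_lab_p12() {
    d="$1"
    mkdir -p "$d"
    # Stand-in CA (the lab downloads ca_certificate.cer from certsrv instead).
    # CA extensions are written explicitly so the cert is a valid trust anchor
    # regardless of the defaults in the local openssl.cnf.
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\nprompt=no\n[dn]\nCN=Lab Stand-in CA\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca_certificate.cer" >/dev/null 2>&1
    # Server key and CSR: the non-interactive form of the workbook's "openssl req" step.
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=GB/O=Lab/CN=$HOST" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    # Sign the CSR. A subjectAltName is added because browsers match the host
    # against the SAN, not the CN; a CA only includes one if the CSR or its
    # template asks for it, so check the issued certificate for it.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$d/ext.cnf"
    openssl x509 -req -days 365 -in "$d/server.csr" -CA "$d/ca_certificate.cer" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/ext.cnf" \
        -out "$d/certificate.cer" >/dev/null 2>&1
    # The workbook's pkcs12 command, with the export password supplied instead of prompted.
    openssl pkcs12 -export -out "$d/lab.p12" -inkey "$d/server.key" \
        -in "$d/certificate.cer" -certfile "$d/ca_certificate.cer" -passout "pass:$P12_PASS"
}

# Pre-upload checks; returns 0 only if every check passes.
check_lab_p12() {
    d="$1"
    # 1. The private key must match the certificate (same RSA modulus).
    key_mod=$(openssl rsa -noout -modulus -in "$d/server.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$d/certificate.cer")
    [ "$key_mod" = "$crt_mod" ] || { echo "FAIL: server.key does not match certificate.cer"; return 1; }
    # 2. The certificate must chain to the CA and be valid for the published hostname.
    openssl verify -CAfile "$d/ca_certificate.cer" -verify_hostname "$HOST" \
        "$d/certificate.cer" >/dev/null 2>&1 \
        || { echo "FAIL: chain or hostname check failed for $HOST"; return 1; }
    # 3. The PKCS#12 must bundle both the server certificate and the CA certificate.
    n=$(openssl pkcs12 -in "$d/lab.p12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$n" -eq 2 ] || { echo "FAIL: expected 2 certificates in lab.p12, found $n"; return 1; }
    echo "OK: lab.p12 ready to upload ($n certificates, key and hostname verified)"
}

# Stand-alone run: build and check the bundle in a temporary directory.
work=$(mktemp -d)
build_lab_p12 "$work"
check_lab_p12 "$work"
```

The same openssl pkcs12 -in file.p12 -passin pass:Sophos1985 -nokeys inspection shows what a UTM-generated VPN PKCS#12 from Lab 12 Task 2 contains before you upload it to the peer gateway. Once the virtual webserver is live, openssl s_client -connect lab-gw1.lab.external:81 -servername lab-gw1.lab.external </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject, run from any client, prints the CA that signed the certificate the UTM is presenting, which is what Task 2 step 7 asks you to record.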
Task 2
Implement reverse authentication for the HTTPS website.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. In Webserver Protection | Reverse Authentication create a New Authentication Profile with the following configuration:
   Name: IIS Auth
   Frontend mode: Form
   Frontend realm: IIS
   Backend mode: None
   Form Template: Default Template
   Users / Groups: Active Directory Users
3. Navigate to Webserver Protection | Web Application Firewall and select the Site Path Routing tab.
4. Edit the Site Path Route for IIS and select the IIS Auth Reverse Authentication profile.
On Services:
5. Connect to https://lab-gw1.lab.external:81.
6. You should be prompted to login via a form and you should not get any certificate errors accessing the HTTPS site.
7. Write down the certificate authority that issued the HTTPS certificate:
   __________________________________________________________________________________
8. Confirm you are able to login as johnsmith.
9. Create a backup called Architect Lab 10 on LabGateway1 and download it to the desktop of LabServer.
Review You have now successfully configured webserver protection for both HTTP and HTTPS webservers and implemented reverse authentication.
Lab 11: RED
Objective
Upon completion of this lab you will be able to create a RED tunnel between two UTMs.
Requirements No prerequisites.
Task
Configure a RED tunnel between LabGateway1 and AcmeCorpGateway.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to RED Management | Global Settings and activate RED Management.
3. Select the [Server] Client Management tab and add a RED with the following configuration:
   Branch Name: AcmeCorp
   Client type: UTM
4. Download the provisioning file to the desktop of LabServer.
5. Launch Thunderbird and email the provisioning file to [email protected].
On AcmeCorpServer:
6. Launch Thunderbird and save the provisioning file from the email to the desktop of AcmeCorpServer.
7. Launch a browser, connect to the WebAdmin of AcmeCorpGateway and login as admin.
8. Navigate to RED Management | Global Settings and activate RED Management.
9. Select the [Client] Tunnel Management tab and create a new tunnel using the following configuration:
   Tunnel Name: Lab
   UTM host: Lab Gateway 1
   Prov. File: the provisioning file saved to the desktop
On LabServer:
10. Select the Overview tab in the LabGateway1 WebAdmin and confirm that the connection is established successfully.
11. Navigate to Interfaces & Routing | Interfaces and create and enable a new interface with the following configuration:
   Name: Acme RED
   Type: Ethernet Static
   Hardware: reds1
   IPv4 address: 10.0.0.1
   Netmask: /24 (255.255.255.0)
On AcmeCorpServer:
12. Open the AcmeCorpGateway WebAdmin.
13. Navigate to Interfaces & Routing | Interfaces and create and enable a new interface with the following configuration:
   Name: Lab RED
   Type: Ethernet Static
   Hardware: redc1
   IPv4 address: 10.0.0.2
   Netmask: /24 (255.255.255.0)
14. Navigate to Interfaces & Routing | Static Routing and create and enable a new static route with the following configuration:
   Route Type: Gateway route
   Network: Lab Network
   Gateway: create a new network definition
      Name: Lab RED Gateway
      Type: Host
      IPv4 Address: 10.0.0.1
On LabServer:
15. Navigate to Interfaces & Routing | Static Routing and create and enable a new static route with the following configuration:
   Route Type: Gateway route
   Network: Acme Corp LAN
   Gateway: create a new network definition
      Name: Acme RED Gateway
      Type: Host
      IPv4 Address: 10.0.0.2
16. Navigate to Network Protection | Firewall and create and enable a new firewall rule with the following configuration (the tunnel alone passes no traffic; this rule is what lets the Acme Corp LAN reach the Lab network, and only for the Web Surfing services):
   Sources: Acme Corp LAN
   Services: Web Surfing
   Destinations: Internal (Network)
On AcmeCorpServer:
17. Connect to http://172.16.1.1 and confirm you see the ArGoSoft webmail website.
18. In the WebAdmin, disable the Lab RED tunnel, Lab RED interface and Lab RED Gateway static route.
On LabServer:
19. Disable the Acme RED tunnel, Acme RED interface, firewall rule and Acme RED Gateway static route.
20. Create a backup called Architect Lab 11 on LabGateway1 and download it to the desktop of LabServer.
Review You have now successfully created a RED tunnel between two UTMs.
Lab 12: Site-to-site VPN
Objective
Upon completion of this section you will be able to configure:
   A simple SSL site-to-site VPN.
   An IPsec site-to-site VPN using cross signed certificates.
   An IPsec site-to-site VPN using RSA authentication.
Requirements No prerequisites.
Task 1
Configure and test a simple SSL site-to-site VPN.
Steps
On LabServer:
1. Login to the WebAdmin of AcmeCorpGateway as admin.
2. Navigate to Site-to-site VPN | SSL and create a server SSL connection with the following configuration:
   Connection type: Server
   Connection Name: Lab VPN
   Local Networks: Internal (Network)
   Remote Networks: Lab Network
   Automatic Firewall rules: Selected
3. Download the peer configuration file to the desktop of LabServer and encrypt it using the password Sophos1985.
4. Login to the WebAdmin of LabGateway1 as admin.
5. Navigate to Site-to-site VPN | SSL and create a connection with the following configuration:
   Connection type: Client
   Connection Name: Acme VPN
   Configuration file: the peer configuration file saved to the desktop of LabServer
   Password: Sophos1985
   Automatic Firewall rules: Selected
6. Confirm you can connect to http://192.168.2.1.
On AcmeCorpServer:
7. Confirm you can connect to http://172.16.1.1.
8. Disconnect from the VPN on both UTMs.
Task 2
Modify the existing IPsec site-to-site VPN to use cross signing authentication.
Steps
On LabServer:
1. Login to the WebAdmin of AcmeCorpGateway as admin.
2. Navigate to Site-to-site VPN | Certificate Management and generate a certificate with the following configuration:
   Name: acme-gw VPN
   Method: Generate
   VPN ID Type: Hostname
   VPN ID: acme-gw.acme.external
   Common Name: acme-gw.acme.external
   Email: [email protected]
3. Download the certificate in PKCS#12 format with the password Sophos1985 to the desktop of LabServer.
4. Login to the WebAdmin of LabGateway1 as admin.
5. Navigate to Site-to-site VPN | Certificate Management and generate a certificate with the following configuration:
   Name: lab-gw1 VPN
   Method: Generate
   VPN ID Type: Hostname
   VPN ID: lab-gw1.lab.external
   Common Name: lab-gw1.lab.external
   Email: [email protected]
6. Download the certificate in PKCS#12 format with the password Sophos1985 to the desktop of LabServer.
   Note that a PKCS#12 file contains the private key as well as the certificate, so in production these files and their passwords must be transferred securely and removed from the desktop once uploaded.
7. In the LabGateway1 WebAdmin, create a new certificate with the following configuration:
   Name: Acme VPN
   Method: Upload
   File type: PKCS#12 (Cert+CA)
   File: the acme-gw VPN PKCS#12 file downloaded in step 3
   Password: Sophos1985
8. Navigate to Site-to-site VPN | IPsec | Remote Gateways and reconfigure the gateway for AcmeCorpGateway to authenticate with the X509 certificate you uploaded (Acme VPN).
9. In the AcmeCorpGateway WebAdmin, create a new certificate with the following configuration:
   Name: Lab VPN
   Method: Upload
   File type: PKCS#12 (Cert+CA)
   File: the lab-gw1 VPN PKCS#12 file downloaded in step 6
   Password: Sophos1985
10. Navigate to Site-to-site VPN | IPsec | Remote Gateways and reconfigure the gateway for LabGateway1 to authenticate with the X509 certificate you uploaded (Lab VPN).
11. Open and monitor the IPsec live logs on both LabGateway1 and AcmeCorpGateway.
12. Enable the IPsec VPN on both LabGateway1 and AcmeCorpGateway.
13. Write down the following details from the IPsec log for the last connection made:
   NAT-Traversal result: ________________________________________________________
   Dead peer detection status: __________________________________________________
   Variant: __________________________________________________________________
14. Confirm you can connect to http://192.168.2.1.
On AcmeCorpServer:
15. Confirm you can connect to http://172.16.1.1.
16. Disconnect from the VPN on both UTMs.
Task 3
Modify the existing IPsec site-to-site VPN to use RSA keys.
Steps
On LabServer:
1. Login to the WebAdmin of AcmeCorpGateway as admin.
2. Navigate to Site-to-site VPN | IPsec | Local RSA Key and configure the VPN ID type to be IP Address.
3. In the Re-generate local RSA key section click Apply.
4. Copy the Current local public RSA key.
5. Login to the WebAdmin of LabGateway1 as admin.
6. Navigate to Site-to-site VPN | IPsec | Remote Gateways and edit the gateway for AcmeCorpGateway by updating the following configuration:
   Authentication type: RSA key
   Public key: paste the public RSA key you copied from AcmeCorpGateway
   VPN ID type: IP Address
   VPN ID (optional): Leave blank
7. Select the Local RSA Key tab and configure the VPN ID type to be IP Address.
8. In the Re-generate local RSA key section click Apply.
9. Copy the Current local public RSA key.
10. In the WebAdmin of AcmeCorpGateway, navigate to Site-to-site VPN | IPsec | Remote Gateways and edit the gateway for LabGateway1 by updating the following configuration:
   Authentication type: RSA key
   Public key: paste the public RSA key you copied from LabGateway1
   VPN ID type: IP Address
   VPN ID (optional): Leave blank
11. Open the IPsec live log and confirm that the IPsec connection is established successfully.
12. Confirm you can connect to http://192.168.2.1.
On AcmeCorpServer:
13. Confirm you can connect to http://172.16.1.1.
14. Disconnect from the VPN on both UTMs.
15. Create a backup called Architect Lab 12 on LabGateway1 and download it to the desktop of LabServer.
Review
You have now successfully configured:
   A simple SSL site-to-site VPN.
   An IPsec site-to-site VPN using cross signed certificates.
   An IPsec site-to-site VPN using RSA authentication.
Lab 13: Remote access
Objective
Upon completion of this section you will be able to configure and test IPsec remote access with the Sophos IPsec client.
Requirements No prerequisites.
Task
Configure an IPsec VPN on AcmeCorpGateway and test it with the Sophos IPsec client on LabServer.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Network Protection | Firewall and create a new firewall rule with the following configuration:
   Sources: Internal (Network)
   Services: IPsec
   Destinations: Any
3. Login to the WebAdmin of AcmeCorpGateway as admin.
4. Navigate to Remote Access | IPsec and create a new IPsec remote access rule with the following configuration:
   Name: AD users to local network
   Interface: External
   Local Networks: Internal (Network)
   Policy: AES-256
   Authentication type: X509 certificate
   Allowed users: Active Directory Users
5. Navigate to Network Protection | Firewall and create a new firewall rule with the following configuration:
   Sources: VPN Pool (IPsec)
   Services: HTTP
   Destinations: Any
6. Login to the User Portal of AcmeCorpGateway as TomJones.
7. Select the Remote Access tab and download the configuration file.
8. Download the PKCS#12 of the user certificate specifying the password Sophos1985.
9. Download and install the Sophos IPsec Client. Note: the IPsec client will be installed in demo mode with a trial license.
10. Launch the IPsec client and add a new certificate with the following configuration:
   Name: TomJones Certificate
   Certificate: from PKCS#12 file
   PKCS#12 Filename: select the certificate you downloaded from the User Portal
   PIN Request at each Connection: Selected
11. Add a new profile by importing the configuration file downloaded from the User Portal.
12. Edit the profile and select Identities on the left. In the Pre-shared Key section, select the certificate TomJones Certificate.
13. Reboot LabServer.
14. Initiate the VPN connection.
15. Confirm you can connect to http://192.168.2.1.
16. Disconnect from the VPN.
17. Create a backup called Architect Lab 13 on LabGateway1 and download it to the desktop of LabServer.
Review You have now successfully configured and tested IPsec remote access with the Sophos IPsec client.
Lab 14: Central management
Objective
Upon completion of this section you will be able to:
   Configure Sophos UTM Manager.
   Connect a UTM to a Sophos UTM Manager.
   Import configuration from a UTM in to SUM.
   Create a new configuration in SUM.
   Deploy configuration from SUM to a UTM.
Requirements No prerequisites.
Task 1
Complete the Basic system setup of the Sophos UTM Manager and perform basic system configuration.
Steps
1. Create a license for Sophos UTM Manager here: https://secure2.sophos.com/en-us/products/free-tools/sophos-utm-manager/download.aspx
On LabServer:
2. Connect to Sophos UTM Manager at https://172.16.1.2:4444 and complete the Basic system setup with the following configuration:
   Hostname: sum.lab.internal
   Admin account password: Sophos1985
   Admin account email address: [email protected]
3. Once the basic system setup is complete, login and upload the license you created in step 1.
4. Once the license has been installed, login.
5. Navigate to Management | System Settings | Time and Date and configure the correct time, date and time zone.
6. Remove all of the servers from the NTP Servers list and create a new NTP server with the following configuration:
   Name: Lab Active Directory
   Type: Host
   IPv4 Address: 172.16.1.1
7. Navigate to Management | Shutdown/Restart and select Restart (Reboot) the system now.
8. Once SUM has rebooted, login to the WebAdmin as admin.
9. Navigate to Management | System Settings | Shell Access and enable shell access.
10. Remove Any from the Allowed networks and add Internal (Network), so that SSH is reachable only from the internal network.
11. Set the passwords for the loginuser and root user to Sophos1985.
12. Navigate to Management | Up2Date | Cache and enable the Up2Date Cache with the following configuration:
   Allowed Networks: Internal (Network)
13. Navigate to Network Services | DNS | Forwarders and create a new DNS Forwarder with the following configuration:
   Name: Lab DNS
   Type: Host
   IPv4 Address: 172.16.1.1
14. Deselect the option Use forwarders assigned by ISP.
15. Navigate to Definitions & Users | Authentication Servers | Servers and add a new authentication server with the following configuration:
   Backend: Active Directory
   Server: Lab Active Directory
   Bind DN: cn=readonly,cn=users,dc=lab,dc=internal
   Password: Sophos1985
   Base DN: dc=lab,dc=internal
16. Select the Global Settings tab and enable Automatic user creation for Sophos UTM Manager and WebAdmin.
17. Navigate to Definitions & Users | Users & Groups | Groups and create a new group with the following configuration:
   Group name: Domain Admins
   Group type: Backend membership
   Backend: Active Directory
   Limit to backend group(s) membership: Selected
   Active Directory Groups: cn=Domain Admins,cn=Users,dc=lab,dc=internal
18. Create a new group with the following configuration:
   Group name: Domain Users
   Group type: Backend membership
   Backend: Active Directory
   Limit to backend group(s) membership: Selected
   Active Directory Groups: cn=Domain Users,cn=Users,dc=lab,dc=internal
19. Navigate to Management | Sophos UTM Manager | Access Control and add the Domain Admins group to the Allowed Admins and the Domain Users group to the Allowed Users.
20. Select the Device Security tab and configure Device authentication with the following configuration:
   Require authentication: Selected
   Automatic Update: Selected
   Shared Secret: Sophos1985
Task 2
Connect LabGateway1 and LabGateway2 to SUM.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Management | Central Management and enable SUM management with the following configuration:
   SUM host: create a new network definition
      Name: SUM
      Type: Host
      IPv4 Address: 172.16.1.2
   Authentication: Selected
   Shared Secret: Sophos1985
   Use SUM server as Up2Date Cache: Selected
   Administration: Selected
   Reporting: Selected
   Monitoring: Selected
   Configuration: Selected
3. Repeat steps 1 - 2 on LabGateway2.
Task 3
Import an Endpoint policy from LabGateway1 on to SUM; clone and then deploy the policy to LabGateway2.
Steps
On LabServer:
1. Login to the Sophos UTM Manager as admin at https://sum.lab.internal:4422.
2. Navigate to Configuration | Import and configure the Type Select with the following settings:
   Gateways: gw1
   Endpoint Protection: Antivirus Policies
3. Select the Import tab, select all of the objects and click Import.
4. Navigate to Configuration | Endpoint Protection, clone the Basic protection policy, rename it Lab 14 and enable Scan for PUA.
5. Click Deploy next to the Lab 14 policy and use the following configuration:
   Global EPP Definitions: Lab 14
   Gateways: lab-gw2
6. Login to the WebAdmin of LabGateway2 as admin, navigate to Endpoint Protection | Computer Management and activate Endpoint Protection.
7. Navigate to Endpoint Protection | Antivirus and confirm that the Lab 14 policy is now available on LabGateway2. Notice that you cannot edit, delete or clone it.
8. In the Sophos UTM Manager, edit the Lab 14 policy and disable the option Scan for PUA.
9. In WebAdmin on LabGateway2, confirm that the policy has been updated.
10. Create a backup called Architect Lab 14 on both LabGateway1 and LabGateway2 and download them to the desktop of LabServer.
Review
You have now successfully:
   Configured Sophos UTM Manager.
   Connected a UTM to a Sophos UTM Manager.
   Imported configuration from a UTM in to SUM.
   Created a new configuration in SUM.
   Deployed configuration from SUM to a UTM.
Lab 15: High availability
Objective
Upon completion of this section you will be able to configure two UTMs in both Active/Hot Standby mode and Cluster mode.
Requirements All instructions in Lab 1 must be completed successfully.
Task
Configure high-availability between the two Lab gateway UTMs and then change them to cluster mode.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Management | Up2Date and update the UTM to the latest version.
3. Login to the WebAdmin of LabGateway2 as admin.
4. Navigate to Management | Up2Date and update the UTM to the latest version (both nodes must run the same version before they can be paired).
5. In the WebAdmin on LabGateway1, navigate to Management | High Availability | Configuration and set the Operation mode to Hot Standby with the following configuration:
   Sync NIC: eth3
   Device Name: LabGateway1
   Device Node ID: 1
   Encryption key: Sophos1985
6. In the WebAdmin on LabGateway2, navigate to Management | High Availability | Configuration and set the Operation mode to Automatic configuration with the following configuration:
   Sync NIC: eth3
7. Review the HA Live Log on LabGateway1.
8. Once synchronization has completed (this can take up to 15 minutes), rename Node2 to LabGateway2.
9. Reboot LabGateway1.
10. Login to the high-availability master at https://gw1.lab.internal:4444.
11. Navigate to Management | High Availability and confirm that LabGateway2 is now the master and that you can still access the Internet.
12. Once LabGateway1 has finished synchronizing following its reboot, navigate to Management | High Availability | Configuration and set the Operation mode to Cluster.
13. Review the HA Live Log.
Review
You have now successfully configured two UTMs in both Active/Hot Standby mode and Cluster mode.