Sophos Utm Up2date



UTM Up2Date 9.704 Released: Sophos released UTM 9.704. The release will be rolled out in phases. In phase 1 you can download the update package from their download server; in phase 2 they will spread it via their Up2Date servers.

Sophos UTM: How to manually use Up2Date. Note: Update packages can be downloaded from the Sophos UTM FTP server. Manual Up2Date Package Upload: If your gateway does not have direct access to the Internet or an Up2Date cache to download new update packages directly, you can upload the update package manually. To do so, proceed as follows.

Sophos UTM Up2Date Failing. Posted on Feb 19, 2018 by mikeapemberton: Having had mixed results with the Sophos XG, and having hardware that just can't keep up with the latest updates for it, I've reverted back to the Sophos UTM9.

Office 365 needs some IPs and URLs to be directly accessed without a proxy. Automate this with SophosEndpoints.

In this article we will cover the following points:

  1. Configure Sophos UTM (enable RESTful Api & add local user)
  2. Install SophosEndpoints
  3. How to use SophosEndpoints
  4. Configure AD for Group Managed Service Accounts
  5. Create scheduled task for automation

Configure Sophos UTM

In order to use the SophosEndpoints module we have to enable the RESTful API and create a new API token mapped to a local user:

  1. Login to the WebAdmin GUI
  2. Go to Management > WebAdmin Settings > RESTful API
  3. Activate Enable RESTful API

Take a note of the URL of the API Endpoint (without the trailing slash), you are going to need this later.

To generate an API token, perform the following steps:

  1. Login to the WebAdmin GUI
  2. Go to Management > WebAdmin Settings > RESTful API > New API Token
  3. Map the token to a local Sophos UTM user (not an AD integrated account)
  4. (Optionally) under Advanced Settings create a whitelist with the IP of the machine you are going to use to run the scheduled task on.
  5. Click Save

Take a note of the API token, you are going to need this later.

If you don't have a local user account, create a new one:

  1. Login to the WebAdmin GUI
  2. Go to Management > Definitions & Users > Users & Groups
  3. Click on New User… and set Authentication to Local

The user must have administrative permissions.

Install SophosEndpoints

The SophosEndpoints module can be installed from the PowerShell Gallery. Open an elevated PowerShell on the machine you are going to create the scheduled task on and run the following cmdlet.

Alternatively you can download SophosEndpoints from GitHub, unblock the downloaded zip file and copy the SophosEndpoints folder to one of the folders on your PSModulePath.
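Both installation routes in PowerShell, as an added example that is not part of the original article or the SophosEndpoints project. The GitHub release URL and the manifest file name SophosEndpoints.psd1 are assumptions; the machine-wide module folder used here is on PSModulePath by default.

```powershell
# Route 1: from the PowerShell Gallery (run in an elevated PowerShell)
Install-Module -Name SophosEndpoints -Scope AllUsers

# Route 2: manual install from a downloaded GitHub zip.
# <URL-OF-GITHUB-RELEASE-ZIP> is a placeholder; the article does not give the release URL.
$zip = Join-Path $env:TEMP 'SophosEndpoints.zip'
Invoke-WebRequest -Uri '<URL-OF-GITHUB-RELEASE-ZIP>' -OutFile $zip
Unblock-File -Path $zip   # removes the "downloaded from the Internet" zone mark that blocks scripts

$tmp = Join-Path $env:TEMP 'SophosEndpoints-unzip'
Expand-Archive -Path $zip -DestinationPath $tmp -Force

# Locate the module folder inside the archive (assumed to contain SophosEndpoints.psd1)
$moduleDir = (Get-ChildItem -Path $tmp -Recurse -Filter 'SophosEndpoints.psd1' |
              Select-Object -First 1).DirectoryName
# Machine-wide module path, already part of PSModulePath on Windows
$dest = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\SophosEndpoints'
Copy-Item -Path $moduleDir -Destination $dest -Recurse -Force

# Either route: confirm the module loads and exposes Set-EndpointsInUtm
Import-Module SophosEndpoints
Get-Command -Module SophosEndpoints
```

Unblock-File matters for the manual route: files extracted from a zip that still carries the Internet zone identifier are blocked by the default execution policy on that machine.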

How to use SophosEndpoints

After installing the module you can use the cmdlet Set-EndpointsInUtm to update IPs and URLs used by Microsoft directly in Sophos UTM.

The most important parameters you are going to use are:

UtmApiUrl: This is the URL of the API Endpoint (without the trailing slash) and tells the cmdlet how to contact Sophos UTM.
Example value: https://sophos.testlab.live:4444/api
Default value (if you omit the parameter): https://sophos:4444/api

UtmApiKey: This is the API token we just created. This is needed to authenticate against Sophos UTM.
Example value: jHjhasjkhjhHUmqoPasdqN

TenantName: This is the name of your Office 365 tenant. It is the first part of your .onmicrosoft.com address, e.g. testlab for testlab.onmicrosoft.com. This is needed to customize tenant-specific URLs like testlab.sharepoint.com.
Example value: testlab
Default value: null

UtmIpPrefix: This is the prefix that is added to every network that is created by the Set-EndpointsInUtm. This should be unique, as this is used to identify the autocreated networks.
Example value: “Office 365 Endpoint”
Default value: “Microsoft365 Net”

UtmExceptionPrefix: This is the prefix that is added to every exception that is created by Set-EndpointsInUtm. This should be unique, as it is used to identify the autocreated exceptions.
Example value: “Office 365 Exception”
Default value: “Microsoft365 Exception”

UtmExceptionDisabledChecks: This is an array of strings that represent the checks that are skipped in the web protection exception. Possible values are: 'av', 'cache', 'certcheck', 'certdate', 'check_max_download', 'content_removal', 'contenttype_blacklist', 'extensions', 'log_access', 'log_blocked', 'patience', 'ssl_scanning', 'url_filter', 'user_auth'
Example value: @('av', 'ssl_scanning')
Default value: @('ssl_scanning', 'user_auth')

LogFilePath: The path to a log file.
Example value: "C:\logs\SophosEndpoints.log"
Default value: null

Typically you would execute the following in PowerShell:

Another example would be:

If you want to know more about additional parameters and settings run the following cmdlet:
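A typical invocation and a minimal one relying on the defaults, as an added example that is not the article's own code. The parameter names are the ones documented above; the API URL, tenant name and token value are placeholders for your own environment.

```powershell
# Full call with all of the parameters documented above (splatted for readability).
# <API-TOKEN-FROM-WEBADMIN> is a placeholder for the token created under
# Management > WebAdmin Settings > RESTful API.
$params = @{
    UtmApiUrl                  = 'https://sophos.testlab.live:4444/api'   # no trailing slash
    UtmApiKey                  = '<API-TOKEN-FROM-WEBADMIN>'
    TenantName                 = 'testlab'                                 # from testlab.onmicrosoft.com
    UtmIpPrefix                = 'Office 365 Endpoint'
    UtmExceptionPrefix         = 'Office 365 Exception'
    UtmExceptionDisabledChecks = @('ssl_scanning', 'user_auth')            # array, not a hashtable
    LogFilePath                = 'C:\logs\SophosEndpoints.log'
}
Set-EndpointsInUtm @params

# Minimal call: UtmApiUrl falls back to https://sophos:4444/api, the prefixes to
# "Microsoft365 Net" / "Microsoft365 Exception", and no log file is written.
Set-EndpointsInUtm -UtmApiKey '<API-TOKEN-FROM-WEBADMIN>' -TenantName 'testlab'

# Documentation of all parameters, including the ones not covered above
Get-Help Set-EndpointsInUtm -Full
```

Keep the prefixes unique across your UTM definitions: the cmdlet uses them to find the networks and exceptions it created earlier, so a prefix shared with hand-made objects risks those being treated as autocreated.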

Configure AD for Group Managed Service Accounts

In order to create a scheduled task that is not bound to your user account and automatically changes its password, we use a group managed service account (gMSA). This is considerably safer and easier to maintain than an ordinary user account. If you haven't done so already, you must first create a KDS Root Key (once per AD forest).

On your Domain Controller, or an admin box with the ActiveDirectory PowerShell module installed, open an elevated PowerShell and run the following cmdlet:

This takes up to 10 hours to replicate, so be patient - the security gain is worth the wait ;-)

If you are in a test environment (and only then!) you can run Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) to create the key without waiting for replication.

Meanwhile we can create a global security group in AD and add as members the computer objects that will be allowed to use the gMSA, in our case the machines which will run the scheduled task. I created a group called SophosMaintainer and added the computer Adminbox as a member.

You should restart the machines you added to the group, because a computer's group membership is evaluated at startup. Otherwise you won't be able to install the gMSA on them later on.

Now it is time to create the gMSA. On a DC open an elevated PowerShell and run the New-ADServiceAccount cmdlet. You have to specify a Name (this is the sAMAccountName of the gMSA), a DNSHostName (this is the FQDN the gMSA will be available under), the PrincipalsAllowedToRetrieveManagedPassword (this is the group we just created) and optionally some ServicePrincipalNames. In my testlab environment this is the cmdlet I used.

Next we can install the gMSA on the machine we want to configure the scheduled task. Open an elevated PowerShell on that machine and run the following cmdlets:

That's it, we successfully installed a group managed service account. In the next step we are configuring a scheduled task that runs in the context of this gMSA. In order to run the SophosEndpoints cmdlet the gMSA does not need any special permissions. However, if you want to enable logging, you have to grant the gMSA permission to write to the folder in which you want to store the log file. The gMSA can be referenced as a service account with the name testlab\updateSophos$
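The whole gMSA procedure from the KDS root key to the installed account, as an added example that is not the article's own cmdlet listing. It uses the names the article gives (group SophosMaintainer, computer Adminbox, gMSA updateSophos in domain testlab); the domain FQDN testlab.live, the log folder C:\logs and running the second part on Windows Server are assumptions.

```powershell
# ---- On a DC or admin box with the ActiveDirectory module, once per forest ----
Import-Module ActiveDirectory

Add-KdsRootKey -EffectiveImmediately        # usable after replication (up to ~10 h)
# Test environments only: backdate the key so it is usable right away
# Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))

# Global security group whose members may retrieve the gMSA password
New-ADGroup -Name 'SophosMaintainer' -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity 'SophosMaintainer' -Members (Get-ADComputer -Identity 'Adminbox')
# Reboot Adminbox at this point: its group membership is evaluated at startup

# The gMSA itself; DNSHostName assumed to live under testlab.live
New-ADServiceAccount -Name 'updateSophos' `
    -DNSHostName 'updateSophos.testlab.live' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SophosMaintainer'

# ---- On Adminbox, the machine that will run the scheduled task (elevated) ----
Install-WindowsFeature RSAT-AD-PowerShell    # AD module on Windows Server, if missing
Install-ADServiceAccount -Identity 'updateSophos'
Test-ADServiceAccount -Identity 'updateSophos'   # should return True

# Only needed when LogFilePath is used: allow the gMSA to write the log folder.
# Modify rather than FullControl keeps the grant to what logging requires.
New-Item -ItemType Directory -Path 'C:\logs' -Force | Out-Null
$acl  = Get-Acl -Path 'C:\logs'
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'testlab\updateSophos$', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'C:\logs' -AclObject $acl
```

If Test-ADServiceAccount returns False, the usual cause is that the computer was not rebooted after joining SophosMaintainer, or that the KDS root key has not finished replicating yet.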

Create scheduled task for automation

The last step is to create a scheduled task to automate the creation of the networks and web protection exceptions in Sophos UTM. As we are using a gMSA for the scheduled task we can't create the task using the GUI; we have to do this in PowerShell.

In order to create the task we have to define the action, trigger and principal of the scheduled task. In the action we are going to run a PowerShell script that executes the Set-EndpointsInUtm cmdlet. You should adapt this as explained in the section How to use SophosEndpoints. The trigger defines when the scheduled task will be run and the principal is the account used to execute the task. This is the gMSA we just created.

The content of C:\scripts\runSophosEndpoints.ps1 is in my testlab the following:

To create the scheduled task with these parameters run the following cmdlet.

After the first run you should check the status of the scheduled task. If you specified a LogFilePath you should also check the logs.

That's it, we don't have to worry about manually updating definitions for Office 365 anymore. The most current IPs and URLs used by Microsoft are automatically imported into Sophos UTM!

We've recently published UTM 9.003 as a two-part Up2Date labelled 9.003-15 and 9.003-16. You can see more about this two-part package by reading on for the full details inside. Before that however, a small update: we plan to begin the ASG V8 to UTM V9 one-touch appliance upgrade process on Oct-22nd for the 220/320 appliances. Following a smooth roll out, the next week we will enable the rest of the appliance line, followed by HA/Cluster systems near the middle of November.

Now for 9.003: the reason for this Up2Date is to allow for more Wireless Access Points, some improvements for our Webserver Protection, and support for the hotly-anticipated RED 50 appliance (featuring increased throughput and an innovative dual Internet connection balancer), which is in Beta and will be available soon! Read on for the full details, manual Up2Date information, and links for new ISO images. Enjoy!

The reason for the two-part numbering of 9.003 this time is that there was a small difference between our soft-released version (made available early via the User Forums) and the GA release. UTM 9 added the ability for us to issue incremental version Up2Date packages, and we will now work on how to bundle/hide versions of the same release yet with a different build from your systems. The end result we desire is that if you have 9.002, you would see only 9.003-16 to install. More to come on that in the future.

For today, to quote an agent of our system: “Grab 222 of your closest friends and have an access point party”, as we have increased the number of AP’s which can be connected to UTM from 100 to 223 to aid in larger deployments of our amazing wireless offering. The RED50 has begun a limited Beta period, and we’ll look to have that appliance available in our markets very soon. We are confident you will be impressed with the throughput over the smaller RED10 and the new dual-WAN balancer which provides full bandwidth across both connections, even for a single download. It offers much more than an inferior session-based round-robin approach. We also have new ISO images available. Here are the download details:

Sophos UTM 9.003-15/16 Up2Date Information

News:

  • Wifi: Removed general limit of 8 SSIDs per AP (now device dependent)
  • Wifi: Increased maximum number of APs from 100 to 223
  • WAF: Now adds an X-Forwarded-Proto header in server requests
  • RED: Added support for RED50 devices to support beta program

Remarks:

  • System will be rebooted
  • Configuration will be upgraded
  • Wifi Reporting will be reset

Bugfixes:

  • [21948] Cable Modem: every renew of IP address adds a new IP address to the DHCP interface (v9)
  • [22260] Web Application Firewall reporting does not work in timezones behind UTC

Up2Date Downloads:

Version 9.003-15

Link: ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.003015.tgz.gpg

Size: ~91MB

MD5: a04bf1c361ef79dbc514b8f4fe5fe168

Version 9.003-16

Link: ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.003016.tgz.gpg

Size: ~1MB

MD5: 3a28dd58bac91627cb8c7d3804f59387

UTM 9.003 ISO Images*

Software Appliances (for your own hardware or virtual platform)

Link: ftp.astaro.com/UTM/v9/software_appliance/iso/asg-9.003-16.1.iso

MD5: 7d2fb7eaa11dcfe87356a187b0aecf72

Size: ~480 MB

Hardware Appliances (for officially branded appliance models)

Link: ftp.astaro.com/UTM/v9/hardware_appliance/iso/ssi-9.003-16.1.iso

MD5: 156a6d02690b33db1a19d01ad9de11c6

Size: ~470 MB

*Our FTP server for UTM 9 also has links for the Smart installer V1 and V2 tools.
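A checksum verification of the downloaded packages against the MD5 values published above, as an added example that is not part of Sophos' post. The download folder C:\Downloads is an assumption; the file names and hashes are the ones listed above.

```powershell
# Expected MD5 values as published in the 9.003 release notes above
$expected = @{
    'u2d-sys-9.003015.tgz.gpg' = 'a04bf1c361ef79dbc514b8f4fe5fe168'
    'u2d-sys-9.003016.tgz.gpg' = '3a28dd58bac91627cb8c7d3804f59387'
    'asg-9.003-16.1.iso'       = '7d2fb7eaa11dcfe87356a187b0aecf72'
    'ssi-9.003-16.1.iso'       = '156a6d02690b33db1a19d01ad9de11c6'
}

function Test-Up2DateChecksum {
    # Compares each downloaded file that exists in $Folder with its published MD5
    param([string]$Folder = 'C:\Downloads')   # assumed download location

    foreach ($name in $expected.Keys) {
        $path = Join-Path -Path $Folder -ChildPath $name
        if (-not (Test-Path -Path $path)) { continue }   # only check what was downloaded
        $actual = (Get-FileHash -Path $path -Algorithm MD5).Hash.ToLower()
        [pscustomobject]@{
            File  = $name
            Match = ($actual -eq $expected[$name])
            MD5   = $actual
        }
    }
}

Test-Up2DateChecksum | Format-Table -AutoSize
```

A mismatch almost always means a truncated or corrupted transfer; re-download before uploading the package under Management >> Up2Date >> Advanced. The MD5 check covers download integrity only; the .gpg suffix on the Up2Date packages indicates they carry their own GPG protection that the UTM checks on installation.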

Up2Date Installation: Sophos Up2Date technology makes it easy to upgrade your Sophos UTM to the latest version. There are two ways to apply an already-downloaded Up2Date package to the system:

  1. Log on to WebAdmin, navigate to Management >> Up2Date >> Overview and use Update to latest version now to install the Firmware Up2Date. Click on the “Watch Up2Date Progress in new window” and an extra browser window will show the progress of the Up2Date installation. (The System administrator will receive a notification email once the Up2Date process has finished.)
  2. Download the Up2Date package from our HTTP or FTP Server and install it under Management >> Up2Date >> Advanced:
Sophos UTM Up2Date FTP Mirrors:

Feedback

  • If you want to provide feedback or want to discuss any of the UTM V9 features you should post it on our User Bulletin Board. Please indicate the version you are using to help us (and everyone helping you). e.g. “[9.003] Adding more wireless access points”.
  • If you have any feedback on our help, manual, or any documentation (Online Help) please send it to nsg-documentations@sophos.com.
  • You are free to use our demo server environment without hassle, nags, or registration. Enjoy.

-Angelo Comazzetto, Sophos