Configuring the Central Management Server & Sophos UTM

In this post I will be going over how to configure the Sophos UTM software appliance that we installed here.

Quick recap:
– We created two virtual switches, one for our internal Lab network, and one for the WAN.
– We created a new VM and installed Sophos UTM.

Feel free to read along below, or follow my YouTube video here.

Thinking logically, we actually do not currently have a way to configure the Sophos UTM, since we have no other devices on that “Sophos – Private” network! Not to worry though, we are about to start now.

In this lab we will be using software and operating systems provided by Microsoft. You can find links to the free trials on my blog posting here.

Our lab will consist of multiple Windows Server installations and because of this it will be easier to have a centralized place to manage them from – instead of having to individually log into each server directly.

Let’s create the management VM!

1) Create a new Hyper-V VM with Windows Server 2012 R2
Here are my VM settings:

  • VM Name: Lab1-Mgmt1 – Easy name to remember this is a management PC
  • Generation 2, SecureBoot Off
  • 3GB of RAM, not Dynamic
  • Connected to “Sophos – Private” Network adapter
  • 30 GB Disk – We won’t be storing much on this disk, so I won’t allocate much. We can get away with 20, but I’ll stick with 30 to be safe.
  • Windows Server 2012 R2 setup ISO to boot

Begin by clicking through the Windows Setup process, and install the Standard non-Core version of Windows Server.
Continue through the steps until you are able to create your local password, and log in to the machine.
Once you are logged into the server, let’s go ahead and configure the network adapter.
2) Configure our network adapter with a static IP

  • Right click the network icon & select “Networking and Sharing Center”
  • Click on the blue “Ethernet” text
  • Click on “Properties”
  • Select Internet Protocol Version 4 (TCP/IPv4) and click on “Properties”

We will be assigning the following values:

  • IP Address: 192.168.2.2
  • Subnet Mask: 255.255.255.0
  • Default Gateway: 192.168.2.1
  • Preferred DNS Server: 8.8.8.8
  • Alternate DNS Server: 8.8.4.4

Remember that our Sophos is set to 192.168.2.1, and we currently don’t have any local DNS servers so we will stick with Google’s Public DNS Servers for now.
Click OK through the dialogs to save, then open a web browser and browse to https://192.168.2.1:4444 to access the Sophos configuration UI.
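
The same adapter settings can also be applied and verified from an elevated PowerShell prompt on Lab1-Mgmt1. This is an added example, not part of the original post; it assumes the VM's single adapter has the default alias "Ethernet", and it finishes by checking that the WebAdmin port on the Sophos answers.

```powershell
# Added example, not from the original post. Run elevated on Lab1-Mgmt1.
# Assumption: the VM's only adapter has the default alias 'Ethernet'.
$alias   = 'Ethernet'
$ip      = '192.168.2.2'
$prefix  = 24                      # 255.255.255.0
$gateway = '192.168.2.1'           # Sophos UTM internal (LAN) address
$dns     = '8.8.8.8', '8.8.4.4'    # Google Public DNS until the lab has its own DNS

# Assign the static address only if it is not already present, so a re-run is harmless.
$existing = Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -eq $ip }
if (-not $existing) {
    New-NetIPAddress -InterfaceAlias $alias -IPAddress $ip -PrefixLength $prefix `
                     -DefaultGateway $gateway | Out-Null
}
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $dns

# Read the configuration back and compare it with the intended values.
$cfg    = Get-NetIPConfiguration -InterfaceAlias $alias
$curDns = (Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4).ServerAddresses
$checks = [ordered]@{
    'IP address'      = ($cfg.IPv4Address.IPAddress -contains $ip)
    'Default gateway' = ($cfg.IPv4DefaultGateway.NextHop -contains $gateway)
    'DNS servers'     = (($curDns -join ',') -eq ($dns -join ','))
}

# The WebAdmin UI listens on TCP 4444 of the Sophos internal interface.
$tcp = Test-NetConnection -ComputerName $gateway -Port 4444 -WarningAction SilentlyContinue
$checks['WebAdmin TCP 4444'] = $tcp.TcpTestSucceeded

$checks.GetEnumerator() | ForEach-Object {
    '{0,-18} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAILED' })
}
```

If the last line reports FAILED while the first three are OK, the management VM is most likely attached to the wrong virtual switch.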
3) Configure the Sophos UTM Network Router & Firewall
As you can see, I was able to pull up the Sophos Web UI and begin the initial configuration process.
Type in your own information for the first page, click the “I accept the license agreement” checkbox, and click on “Perform Basic System Setup”.

You will see a message in green text saying “Please wait, this will take 40 seconds”. Be patient during this process!

Next, we will be at the login screen. Provide the information you created on the previous page. The username is ‘admin’.

– We will be prompted to either perform a new setup, or restore from a backup. In this case, press “Continue” to set up as new.
– We don’t have a license file, so leave this blank. This will allow us a 30 day trial period. If you end up liking Sophos UTM, you can create a Sophos account and generate a personal license for free.
– Leave the Internal (LAN) firewall IP as 192.168.2.1, since we don’t want to change this. Leave the Netmask default as well.
– I will be leaving the “Enable DHCP server on internal interface” unchecked since I will have Windows Server give out DHCP.
– On the “Internet Uplink (WAN) Settings” page select the only interface available in the dropdown box, and for “Internet uplink type” select “Standard Ethernet interface” with “Address Type” set to “Dynamic (DHCP)”.
Setting the WAN settings here automatically creates the interface and the corresponding NAT masquerading rules.
– On the “Allowed Services” page, go ahead and select the boxes that you think you will need. For me I selected Web, Terminal Services, DNS. Since the Sophos UTM is an advanced firewall, we can easily configure these later. These are just the barebones basics.
– On the “Advanced Threat Protection Settings” page, I left everything unchecked. Since this is a lab environment, I don’t see a reason to use resources for this function.
– Under “Web Protection Settings” I will also leave everything blank – but we will be revisiting this in a future blog post.
– Under “Email Protection Settings” leave everything unchecked.
– Click on “Finish” and you will be taken to the home page. You’ll see a bunch of red X’s but this is OK.

4) Create a “Firewall Off” rule
Since we will be spending a lot of time playing around with these devices, let’s go ahead and disable the firewall so we aren’t running into any strange networking issues.
Sophos does not provide a global ‘Firewall off’ button, but it should be pretty straightforward to accomplish with just one rule.
– Click on “Network Protection”
– Click on “Firewall”
– Click on “New Rule…”
– Do the following:

  • Position: Top
  • Sources: Any
  • Services: Any
  • Destination: Any
  • Action: Allow
  • Comment: Firewall Off

Make sure you enable this rule by putting the slider to the “On” position.

5) Confirm that you are able to reach the web!
In the Sophos WebAdmin, go to the search box on the top left, type in ‘ping’, and click on “Tools” under “Support”.
Type in 8.8.8.8 into the Hostname/IP Address box, and click Apply. You should be seeing a response.
If you get a response, try sending a Ping command from our Management server. Everything should be working now.
Recap
In this blog post we went over:

  • How to create a basic Windows Server 2012 R2 VM for management of our lab
  • Configure the network adapter in the management VM
  • Configure the Sophos using the built in Wizard
  • Create a firewall rule to disable the firewall

In the next blog post, we will begin to play around with Windows Server roles.

Starting the lab – Installing the Router / Firewall using Sophos UTM

Before we start working on building out our Windows Server roles it’s important to have a basic network setup so we can separate our lab traffic from our main network traffic, and it gives us a more ‘enterprise’ feel – as if we were setting it up for a client.

In this post I will go over how to set up the Free Home Edition of the Sophos UTM software appliance inside of a Hyper-V VM.

Sophos UTM is my preferred choice over pfSense due to its ease of use, great looking UI, and advanced feature set.

Feel free to read along below, or follow my YouTube video here.

Let’s begin!

1) Download Sophos UTM Free
Start off by downloading the latest version here. Make sure you download the “Software Appliance” version, since we don’t own any Sophos Hardware! At the time of writing the latest version is 9.405-5.1, but this doesn’t matter – the general setup will be the same.

2) Create a new Virtual Switch inside of Hyper-V.
Select “Virtual Switch Manager” on the right menu of Hyper-V Manager. In my case I named it “Sophos – Private” since this will be a private (not accessible by the host) network shared only by the Lab VMs.

Create one more Virtual Switch, and let’s make this one an External switch so that it can connect to the internet using our host’s connection, and call it “WAN”. If you have more than one NIC or WiFi adapter in your computer, make sure the proper device is selected in the drop down under External Network. Make sure the checkbox for “Allow management operating system to share this network adapter” is checked!

2) Create a new Gen 1 Hyper-V VM.
My personal settings for this lab are listed below:

  • 2GB RAM – Not dynamic
  • New 20GB Disk
  • Attached “Sophos – Private” Network adapter
  • Attached “WAN” Network adapter
  • Selected the downloaded Sophos UTM ISO as the DVD boot device

You should now have a basic VM with 2 NICs created. We are ready to install Sophos.
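
The two virtual switches and the VM can also be created with the Hyper-V cmdlets, which makes it easy to confirm that the host has no adapter on the private lab switch. This is an added example, not part of the original post. The physical NIC name, the VM name, the adapter names 'LAN' and 'WAN', and the VHD and ISO paths are assumed placeholders.

```powershell
# Added example, not from the original post. Run elevated on the Hyper-V host.
# Assumed placeholders: physical NIC name, VM name, VHD and ISO paths.
$hostNic = 'Ethernet'                           # physical adapter for the WAN switch (see Get-NetAdapter)
$vmName  = 'Lab1-UTM'                           # hypothetical; the post does not name this VM
$vhdPath = 'C:\Hyper-V\Lab1-UTM\Lab1-UTM.vhdx'  # assumed path
$isoPath = 'C:\ISO\sophos-utm.iso'              # assumed path of the downloaded ISO
$lan     = 'Sophos – Private'                   # switch names as used in the post
$wan     = 'WAN'

# Private switch: traffic stays between VMs, the host gets no adapter on it.
New-VMSwitch -Name $lan -SwitchType Private | Out-Null
# External switch bound to the physical NIC and shared with the host OS.
New-VMSwitch -Name $wan -NetAdapterName $hostNic -AllowManagementOS $true | Out-Null

# Gen 1 VM, 2 GB static RAM, new 20 GB disk. New-VM attaches the first NIC,
# so the private switch goes here and the WAN adapter is added second.
New-VM -Name $vmName -Generation 1 -MemoryStartupBytes 2GB -NewVHDPath $vhdPath `
       -NewVHDSizeBytes 20GB -SwitchName $lan | Out-Null
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $false
Get-VMNetworkAdapter -VMName $vmName | Rename-VMNetworkAdapter -NewName 'LAN'
Add-VMNetworkAdapter -VMName $vmName -SwitchName $wan -Name 'WAN'
Set-VMDvdDrive -VMName $vmName -Path $isoPath

# Check 1: each NIC is attached to the switch the post expects.
Get-VMNetworkAdapter -VMName $vmName | Format-Table Name, SwitchName -AutoSize | Out-String

# Check 2: the host may have an adapter on WAN, but never on the private lab switch.
$hostOnLan = Get-VMNetworkAdapter -ManagementOS | Where-Object { $_.SwitchName -eq $lan }
if ($hostOnLan) {
    Write-Warning "Host has an adapter on '$lan'; the lab network is not isolated from the host."
} else {
    "Host has no adapter on '$lan' (expected for a Private switch)."
}
```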

3) Install Sophos
Connect to the console of your VM, and power it on.
On the first page go ahead and press Enter, and let the Linux installer begin doing its thing.
Continue pressing enter until you get to the screen that asks you for which interface will allow access to the WebAdmin UI.
If you followed my guide properly, eth0 will be set to our “Sophos – Private” virtual NIC since it was the device added first. If you are not sure, open up your VM settings and confirm the order.

I will be setting this to eth0, so I can access the WebUI inside of my virtual network. You can press Tab to get to the option that says “Next”.
The next step will ask you for the network address – this will be the subnet that our lab network lives on. Here are my settings:

  • Address: 192.168.2.1
  • Netmask: 255.255.255.0
  • Gateway: Leave this blank!

Continue pressing Next until you get asked “Do you wish to install all capabilities”, select Yes!
The final screen will show us that we can access the management UI on https://192.168.2.1:4444.
Remember this URL, since when we get another PC loaded onto the same subnet, we will be able to login to the Sophos and manage it.
Press the “Reboot” button, and wait for the appliance to reboot, and we will be ready to move onto the next step.

In the next blog post I go over how to configure the Sophos UTM, and how to setup a central management VM for our lab. Check it out here.