AL30: UTM Page 1 of 57
Sophos Certified Architect AL30: UTM Lab Workbook
April 2014
Version 9.2.65
2014 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
Contents
Introduction (page 7)
    Prerequisites 7; Workbook conventions 7; Lab environment 7
Lab 1: System configuration (page 11)
    Objective 11; Requirements 11; Task 1 11; Task 2 13; Review 13
Lab 2: Uplink Balancing (page 15)
    Objective 15; Requirements 15; Task 15; Review 16
Lab 3: Multipath Rules (page 17)
    Objective 17; Requirements 17; Task 17; Review 18
Lab 4: Quality of Service (page 19)
    Objective 19; Requirements 19; Task 1 19; Task 2 19; Task 3 20; Review 20
Lab 5: Authentication (page 21)
    Objective 21; Requirements 21; Task 1 21; Task 2 22; Review 22
Lab 6: Web protection (page 23)
    Objective 23; Requirements 23; Note 23; Task 1 23; Task 2 24; Task 3 24; Task 4 25; Review 27
Lab 7: Email protection (page 28)
    Objective 28; Requirements 28; Task 1 28; Task 2 29; Task 3 29; Task 4 31; Review 32
Lab 8: Endpoint protection (page 33)
    Objective 33; Requirements 33; Task 1 33; Task 2 34; Review 34
Lab 9: Wireless protection (page 35)
    Objective 35; Requirements 35; Task 1 35; Task 2 36; Task 3 37; Review 38
Lab 10: Webserver protection (page 39)
    Objective 39; Requirements 39; Task 1 39; Task 2 41; Review 42
Lab 11: RED (page 43)
    Objective 43; Requirements 43; Task 43; Review 45
Lab 12: Site-to-site VPN (page 46)
    Objective 46; Requirements 46; Task 1 46; Task 2 47; Task 3 48; Review 49
Lab 13: Remote access (page 50)
    Objective 50; Requirements 50; Task 50; Review 51
Lab 14: Central management (page 52)
    Objective 52; Requirements 52; Task 1 52; Task 2 54; Task 3 54; Review 55
Lab 15: High availability (page 56)
    Objective 56; Requirements 56; Task 56; Review 57
Introduction
These labs accompany the Sophos Certified Architect UTM course and form the practical part of the certification. You should complete each section of labs when directed to do so in the training.
Throughout the labs there is information to be written down; you will require this information to pass the online assessment. We would recommend that you complete the course assessment while your lab environment is still active so that it is available for reference.
Prerequisites
To be able to complete these labs in the time suggested you should have the following prerequisites.
Comprehensive knowledge of networking.
Experience in installing and replacing network gateways and firewalls in production environments.
Sophos Certified Engineer level knowledge of Sophos UTM.
The following optional prerequisite knowledge would be beneficial but is not required.
Experience using Linux command line tools.
Workbook conventions
This workbook uses the following conventions throughout.
At the start of each lab are the objectives of what you should learn and any requirements that must have been completed prior to starting the lab.
Labs which cover larger topics are divided into several tasks. Each task has a short description followed by the steps that are required to complete the task.
Short labs are presented as a single task.
Throughout the guide the following styles are used:
Bold text: Computer names, applications,
Courier New font: Commands to be executed.
Underlined: Hyperlinks.
Lab environment
These labs are designed to be completed on the hosted CloudShare environment; if you are not using CloudShare, for example if this course is being taught on a local environment, some details such as hostnames and IP addresses may vary.
Your instructor will provide you with details of how to access the lab environment, and any localised changes.
Environment overview
The environment used to complete these labs is comprised of multiple computers and networks. This lab environment is based on the labs from the Certified Engineer course. Configuration created during the labs for that course is maintained in this environment with the addition of two new virtual machines; a second UTM gateway for the Lab Network and a Sophos UTM Manager.
Lab Server: This is the computer you connect to for the majority of the labs. It represents a computer on an internal company network. In this lab environment it is also the Active Directory server, mail server, web server and DNS server. Throughout this workbook this will be referred to as LabServer.
Lab Network: This is the internal company network for your lab.
Secondary Link: This network provides a second Internet link.
Sophos UTM Manager: This is an unconfigured virtual Sophos UTM Manager on the Lab Network. Throughout this workbook this will be referred to as SUM.
Lab Gateway 1: This is the default gateway for the Lab Network. It has the configuration created during the Certified Engineer labs. Throughout this workbook this will be referred to as LabGateway1.
Lab Gateway 2: This is an unconfigured virtual UTM which will become a second gateway and firewall for the Lab Network. Throughout this workbook this will be referred to as LabGateway2.
External Network: This network represents the Internet and provides access out to the real Internet. The gateway on this network is 192.168.1.254.
Services: This server is the DNS server for the external domains used by the Lab Network and the Acme Corp Network. It is connected to both the External Network and Secondary Link networks. Throughout this workbook this will be referred to as Services.
Acme Corp Gateway: This is a virtual UTM which has the configuration created during the Certified Engineer labs. Throughout this workbook this will be referred to as AcmeCorpGateway.
Acme Corp Network: This is the internal company network of another company, Acme Corp.
Acme Corp Server: This computer is the server for Acme Corp. It runs Active Directory, mail server, web server and DNS. Throughout this workbook this will be referred to as AcmeCorpServer.
Network diagram (figure not reproduced in this transcript)
User accounts
The table below details the user accounts in the CloudShare lab environment.
Username        Email                Scope and privileges
admin           [email protected]     Lab Gateway 1: built-in admin account
administrator   [email protected]     Lab Domain: domain administrator
JohnSmith       [email protected]     Lab Domain: domain user
JaneDoe         [email protected]     Lab Domain: domain user
readonly        n/a                  Lab Domain: domain user
admin           [email protected]     Acme Corp Gateway: built-in admin account
administrator   [email protected]     Acme Corp Domain: domain administrator
TomJones        [email protected]     Acme Corp Domain: domain user
All passwords are Sophos1985.
Lab 1: System configuration
Objective
Upon completion of this section you will be able to:
Complete the initial configuration of the UTM without using the setup wizard.
Create a DHCP server on the UTM.
Requirements
No prerequisites.
Task 1
Complete the initial configuration of LabGateway2 without using the setup wizard.
Steps
On LabServer:
1. Launch your browser and connect to the WebAdmin of LabGateway2 at https://172.16.1.151:4444.
2. Complete the Basic System Setup.
Hostname: lab-gw2.lab.external
Company or Organization Name: Sophos
City: Abingdon
Country: Great Britain
admin account password: Sophos1985
admin account email address: [email protected]
3. Login to the WebAdmin of LabGateway2 as admin.
4. On the Welcome to Sophos UTM page, click Cancel.
5. Navigate to Interfaces & Routing | Interfaces and create and enable a New interface with the following configuration:
Name: External (WAN)
Type: Ethernet static
Hardware: eth1
IPv4 Address: 192.168.1.151
Netmask: /24 (255.255.255.0)
Default GW IP: 192.168.1.254
6. Navigate to Network Services | DNS | Forwarders and create a new DNS Forwarder with the following configuration:
Name: Lab DNS
Type: Host
IPv4 Address: 172.16.1.1
7. Deselect the option Use forwarders assigned by ISP.
8. Navigate to the Request Routing tab and create a New DNS Request Route with the following configuration:
Domain: lab.internal
Target Services: Lab DNS
9. Navigate to Management | System Settings | Time and Date and configure the correct time, date and time zone.
10. Remove all of the servers from the NTP Servers list and create a new NTP server with the following configuration:
Name: Lab Active Directory
Type: Host
IPv4 Address: 172.16.1.1
11. Navigate to Management | Shutdown/Restart and select Restart (Reboot) the system now.
12. Once LabGateway2 has rebooted, login to the WebAdmin as admin.
13. Navigate to Management | System Settings | Shell Access and enable shell access.
14. Remove Any from the Allowed networks and add Internal (Network), so that SSH is reachable only from the Lab Network and not from the WAN side.
15. Set the passwords for the loginuser and root user to Sophos1985.
16. Navigate to Management | WebAdmin Settings | Advanced and set the WebAdmin idle timeout to 3600 seconds.
17. Select the HTTPS Certificate tab and import the WebAdmin CA certificate into the trusted root certificate store of your browser on LabServer.
18. In the Regenerate WebAdmin certificate section, change the hostname of the WebAdmin to the internal hostname of LabGateway2 (gw2.lab.internal).
19. Close and re-launch your browser and connect to the WebAdmin of LabGateway2 using the internal hostname gw2.lab.internal and login as admin.
20. Confirm that you no longer receive a certificate error in your browser: the certificate now chains to the CA you imported and its name matches the hostname you are using.
21. Navigate to Support | Tools and test that LabGateway2 is able to ping 8.8.8.8.
22. Select the DNS Lookup tab and confirm that LabGateway2 can resolve the following hosts:
www.sophos.com
acme-gw.acme.external
23. Navigate to Network Protection | Firewall and create and enable a new rule to allow web browsing with the configuration below:
Sources: Internal (Network)
Services: Web Surfing
Destinations: Any
24. Create and enable a new rule to allow DNS with the configuration below:
Sources: Internal (Network)
Services: DNS
Destinations: Any
25. Navigate to Network Protection | NAT and create and enable a new masquerading rule with the configuration below:
Network: Internal (Network)
Interface: External (WAN)
Use address: << Primary address >> (the default)
26. Create a backup called Architect Lab 1 on LabGateway2 and download it to the desktop of LabServer.
Task 2
Configure a DHCP server for the local Lab Network.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Network Services | DHCP and create and enable a new DHCP server for the Internal network.
Interface: Internal
Range start: 172.16.1.1
Range end: 172.16.1.100
DNS Server 1: 172.16.1.101
DNS Server 2: 172.16.1.151
Default gateway: 172.16.1.101
Domain: lab.internal
Comment: Lab 1
3. Open a Command Prompt and run: ipconfig /all
4. Write down the Physical Address for the interface with the IP address on the Lab Network:
__________________________________________________________________________________
5. In the LabGateway1 WebAdmin, navigate to Definitions & Users | Network Definitions and edit the LabServer host definition by adding the MAC address to the DHCP Settings and selecting the Internal [172.16.1.1-172.16.1.100] IPv4 DHCP server. This static mapping keeps LabServer on 172.16.1.1 even though that address lies inside the dynamic range.
6. Reconfigure the interface that is connected to the Lab Network to get its network settings via DHCP.
7. In the LabGateway1 WebAdmin, navigate to Network Services | DHCP and launch and review the DHCP Live Log.
8. Create a backup called Architect Lab 1 on LabGateway1 and download it to the desktop of LabServer.
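The scope built in steps 2 and 5 above, checked offline. This is an added example in Python and is not part of the workbook or of Sophos UTM; it models the values typed into the WebAdmin and flags the mistakes a reviewer looks for before enabling a DHCP server: a range outside the interface subnet, the gateway or a DNS server inside the dynamic range, and a statically addressed host inside the range with no MAC reservation (the reason for step 5). It goes slightly beyond the lab by also checking the gateway and DNS placements. The /24 mask for the Lab Network and the LabServer MAC are assumptions; the real MAC is the one you wrote down in step 4.

```python
"""DHCP scope sanity checks for the Lab 1 Task 2 configuration.

Added example, not part of the Sophos workbook. The /24 mask for the Lab
Network and the LabServer MAC below are assumptions.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def check_dhcp_scope(subnet, range_start, range_end, gateway, dns_servers,
                     static_hosts, reservations):
    """Return a list of findings; an empty list means the scope looks sane.

    static_hosts: {name: ip} for hosts that keep a fixed address on this segment.
    reservations: {name: mac} for DHCP static mappings (host definitions whose
    DHCP Settings carry the MAC and the DHCP server).
    """
    net = ipaddress.ip_network(subnet, strict=True)
    start = ipaddress.ip_address(range_start)
    end = ipaddress.ip_address(range_end)
    findings = []

    if start > end:
        findings.append(f"range start {start} is after range end {end}")
    if start not in net or end not in net:
        findings.append(f"range {start}-{end} is not inside {net}")

    def in_range(ip):
        return start <= ip <= end

    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        findings.append(f"default gateway {gw} is not on {net}")
    if in_range(gw):
        findings.append(f"default gateway {gw} lies inside the dynamic range")

    for dns in dns_servers:
        if in_range(ipaddress.ip_address(dns)):
            findings.append(f"DNS server {dns} lies inside the dynamic range")

    # A fixed-address host inside the pool must be pinned by a reservation,
    # otherwise the server can lease its address to another client.
    for name, ip in static_hosts.items():
        if not in_range(ipaddress.ip_address(ip)):
            continue
        mac = reservations.get(name)
        if mac is None:
            findings.append(f"{name} ({ip}) is inside the dynamic range with no "
                            "MAC reservation; the pool can hand its address out")
        elif not MAC_RE.match(mac):
            findings.append(f"reservation for {name} has a malformed MAC {mac!r}")
    return findings


# Values from Lab 1 Task 2. The mask is an assumption.
LAB_SCOPE = dict(
    subnet="172.16.1.0/24",
    range_start="172.16.1.1",
    range_end="172.16.1.100",
    gateway="172.16.1.101",                       # LabGateway1
    dns_servers=["172.16.1.101", "172.16.1.151"],  # LabGateway1, LabGateway2
    static_hosts={"LabServer": "172.16.1.1"},
)
LABSERVER_MAC = "00:50:56:12:34:56"  # constructed placeholder; use ipconfig /all


def lab_scope_before_reservation():
    """Step 2 alone: LabServer's 172.16.1.1 sits inside the pool unprotected."""
    return check_dhcp_scope(**LAB_SCOPE, reservations={})


def lab_scope_after_reservation():
    """Step 5 applied: the host definition carries LabServer's MAC."""
    return check_dhcp_scope(**LAB_SCOPE, reservations={"LabServer": LABSERVER_MAC})


if __name__ == "__main__":
    for label, fn in (("before step 5", lab_scope_before_reservation),
                      ("after step 5", lab_scope_after_reservation)):
        print(f"{label}: {fn() or 'no findings'}")
```

Run it before and after adding the reservation: the first call reports LabServer as an unprotected static host inside the pool, the second reports nothing.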
Review
You have now successfully:
Completed the initial configuration of a UTM without using the setup wizard.
Created a DHCP server on a UTM.
Lab 2: Uplink Balancing
Objective
Upon completion of this section you will be able to configure uplink balancing with multiple active interfaces and with standby interfaces.
Requirements
No prerequisites.
Task
Create a second external interface on LabGateway1 with a default gateway then configure uplink balancing.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Interfaces & Routing | Interfaces and create and enable a second external interface with the following configuration:
Name: Uplink 2
Type: Ethernet static
Hardware: eth2
IPv4 Address: 192.168.3.101
Netmask: /24 (255.255.255.0)
Default GW IP: 192.168.3.254
3. Enable Uplink Balancing when prompted.
4. Select the Uplink balancing tab and configure the Uplink 2 interface to be a standby interface.
5. Select the Interfaces tab and confirm that Uplink 2 is now enabled but Down; a standby interface is only brought up when an active interface fails.
6. Navigate to the Uplink balancing tab and disable Automatic Monitoring.
7. Add a new monitoring host with the following configuration:
Name: Services WAN network
Type: Host
IPv4 Address: 192.168.1.1
8. Add a new monitoring host with the following configuration:
Name: Services Secondary Link network
Type: Host
IPv4 Address: 192.168.3.1
9. Edit the monitoring settings to use the configuration below:
Monitoring type: HTTP Host
URL: /
Interval: 15 (seconds)
Timeout: 5 (seconds)
10. Navigate to the Dashboard and confirm that External (WAN) is Up and Uplink 2 is Down and in Standby.
11. Launch Remote Desktop and connect to Services at 192.168.1.1 and login as the administrator.
12. Browse to Control Panel | Network and Internet | Network and Sharing Center | Change adapter settings.
13. Right-click on Ethernet and click Disable, then close the Remote Desktop window.
14. In the WebAdmin on LabGateway1, confirm that both External (WAN) and Uplink 2 are Up but that External (WAN) has a link error. The interface itself still has link; it is the monitoring host that can no longer be reached through it, so uplink balancing treats the uplink as failed and brings the standby interface up.
15. Launch Remote Desktop and connect to Services through its Secondary Link address, 192.168.3.1, and login as the administrator.
16. In Change adapter settings, right-click on Ethernet and click Enable, then close the Remote Desktop window.
17. In the WebAdmin on LabGateway1, navigate to Interfaces & Routing | Interfaces and select the Uplink balancing tab.
18. Enable Automatic monitoring and configure Uplink 2 to be an Active Interface.
19. On the Dashboard, confirm that all interfaces are Up and there are no errors.
20. Create a backup called Architect Lab 2 on LabGateway1 and download it to the desktop of LabServer.
Review
You have now successfully configured uplink balancing with multiple active interfaces and with standby interfaces.
Lab 3: Multipath Rules
Objective
Upon completion of this section you will be able to:
Create interface groups for routing.
Create multipath rules to route different services using interface groups.
Use tcpdump to confirm your multipath rules are working correctly.
Requirements
All instructions in Lab 2 must be completed successfully.
Task
Configure multipath rules on LabGateway1 which will route HTTP and FTP traffic out via different interfaces.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Network Protection | Firewall and add FTP to the Services in the Web Surfing firewall rule.
3. Navigate to Interfaces & Routing | Interfaces | Multipath Rules and create and enable a new multipath rule with the following configuration:
Name: Use Uplink 2 for HTTP
Source: Internal (Network)
Service: HTTP
Destination: Any
Itf. Persistence: by Connection
Balanced to: create a new interface group with the following configuration:
o Name: Uplink group 2
o Interfaces: Uplink 2
4. Launch PuTTY and connect to LabGateway1 using SSH.
5. Login as loginuser, then change to the root user using the command: su
6. Use tcpdump to monitor HTTP traffic on Uplink 2 using the command: tcpdump -i eth2 -n port 80
7. Access the following URLs in your browser on LabServer and confirm that you can see that traffic in tcpdump:
192.168.3.1
www.sophos.com
8. In the WebAdmin on LabGateway1, add and enable a new multipath rule with the following configuration:
Name: Use Uplink 1 for FTP
Source: Internal (Network)
Service: FTP
Destination: Any
Itf. Persistence: by Connection
Balanced to: create a new interface group with the following configuration:
o Name: Uplink group 1
o Interfaces: External (WAN)
9. In your SSH session to LabGateway1, use tcpdump to monitor the FTP traffic on External (WAN) using the command: tcpdump -i eth1 -n port 21
10. Launch FileZilla and connect to the following server:
ftp.astaro.com
11. Confirm that you can see that traffic in tcpdump.
12. In the WebAdmin on LabGateway1, reverse the rules so that HTTP is now balanced to Uplink group 1 and FTP is balanced to Uplink group 2. Test your configuration using tcpdump.
13. Disable your multipath rules.
14. In the Uplink balancing tab, remove Uplink 2 from the Active interfaces and add it to the Standby interfaces.
15. Create a backup called Architect Lab 3 on LabGateway1 and download it to the desktop of LabServer.
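Watching tcpdump scroll past only proves that some traffic uses the expected interface; it does not prove that none of it leaks out of the other one. The following added example (Python, not part of the workbook or of Sophos UTM) turns the check from steps 6 to 12 into something repeatable: it parses the one-line-per-packet output of tcpdump -n, counts new TCP connections (pure SYN) per interface and destination port, and reports any port that left through an interface other than the one its multipath rule balances to. The capture lines are constructed; the masqueraded source addresses (192.168.1.101 on eth1, 192.168.3.101 on eth2) and the 203.0.113.0/24 destinations are assumptions.

```python
"""Verify multipath rules from tcpdump output (Lab 3).

Added example, not part of the Sophos workbook. Capture lines, external
addresses of LabGateway1 and the 203.0.113.0/24 destinations are constructed.
"""
import re
from collections import Counter

# Matches lines such as:
# 12:00:01.000100 IP 192.168.3.101.49152 > 192.168.3.1.80: Flags [S], seq 100, ...
TCPDUMP_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def count_new_connections(captures):
    """captures: {interface: [tcpdump lines]} -> Counter of (interface, dport).

    Only pure SYNs are counted, so each connection is counted once, on the
    interface it was sent out of, however many packets follow it.
    """
    counts = Counter()
    for iface, lines in captures.items():
        for line in lines:
            m = TCPDUMP_RE.match(line)
            if m and m.group("flags") == "S":
                counts[(iface, int(m.group("dport")))] += 1
    return counts


def check_multipath(captures, expected=None):
    """Return findings for connections that left through the wrong interface.

    expected maps destination port -> interface the multipath rule balances to.
    The default is the Lab 3 setup: HTTP via Uplink 2 (eth2), FTP via External (eth1).
    """
    if expected is None:
        expected = {80: "eth2", 21: "eth1"}
    counts = count_new_connections(captures)
    findings = []
    for (iface, dport), n in sorted(counts.items()):
        want = expected.get(dport)
        if want is not None and iface != want:
            findings.append(f"{n} connection(s) to port {dport} left via {iface}, "
                            f"multipath rule expected {want}")
    # A rule that is never exercised is not verified either.
    for dport in expected:
        if not any(p == dport for (_, p) in counts):
            findings.append(f"no connections to port {dport} seen on any interface; "
                            "test traffic did not flow")
    return findings


# Constructed capture: what eth2 and eth1 show once both rules are working.
CAPTURE_OK = {
    "eth2": [
        "12:00:01.000100 IP 192.168.3.101.49152 > 192.168.3.1.80: Flags [S], seq 100, win 64240, length 0",
        "12:00:01.000400 IP 192.168.3.1.80 > 192.168.3.101.49152: Flags [S.], seq 200, ack 101, win 65535, length 0",
        "12:00:01.000800 IP 192.168.3.101.49152 > 192.168.3.1.80: Flags [.], ack 201, win 64240, length 0",
        "12:00:02.000100 IP 192.168.3.101.49153 > 203.0.113.10.80: Flags [S], seq 300, win 64240, length 0",
    ],
    "eth1": [
        "12:00:05.000100 IP 192.168.1.101.49160 > 203.0.113.20.21: Flags [S], seq 400, win 64240, length 0",
        "12:00:05.000500 IP 203.0.113.20.21 > 192.168.1.101.49160: Flags [S.], seq 500, ack 401, win 65535, length 0",
    ],
}

# Constructed capture with the HTTP rule not applied: a web connection leaks out of eth1.
CAPTURE_LEAK = {
    "eth2": CAPTURE_OK["eth2"],
    "eth1": CAPTURE_OK["eth1"] + [
        "12:00:09.000100 IP 192.168.1.101.49170 > 203.0.113.30.80: Flags [S], seq 600, win 64240, length 0",
    ],
}

if __name__ == "__main__":
    print("working rules :", check_multipath(CAPTURE_OK) or "no findings")
    print("leaking rules :", check_multipath(CAPTURE_LEAK))
```

To use it on the real gateway, capture both ports on both interfaces rather than one port per interface (tcpdump -i eth1 -n 'port 80 or port 21' and the same for eth2), save each capture to a file, and pass the lines per interface; a leak only shows up if you also watch the interface the traffic is not supposed to use.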
Review
You have now successfully:
Created interface groups for routing.
Created multipath rules to route different services using interface groups.
Used tcpdump to confirm your multipath rules are working correctly.
Lab 4: Quality of Service
Objective
Upon completion of this section you will be able to:
Limit bandwidth for an interface.
Shape traffic based on an application.
Throttle traffic based on a protocol.
Requirements
No prerequisites.
Task 1
Enable quality of service on LabGateway1 and define a bandwidth limit on an interface.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Interfaces & Routing | Quality of Service (QoS) and enable quality of service for all
interfaces.
3. Edit the Internal interface and limit the download bandwidth to 100 kbit/s.
4. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and edit the Default content
filter action.
5. Remove .exe from Blocked file extensions.
6. Verify that the bandwidth limit is not being exceeded when downloading the file:
http://global.services.external/Thunderbird%20Setup%2017.0.5.exe
Task 2
Use the Flow Monitor to create a rule that will shape the traffic for Facebook.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Application Control and open the Flow Monitor on the eth1
interface.
3. Browse to http://www.facebook.com.
4. In the Flow Monitor shape the traffic for Facebook to 10 kbit/s and limit to 20 kbit/s.
5. In the WebAdmin, navigate to Interfaces & Routing | Quality of Service (QoS) and review the
Traffic Selector and Bandwidth Pool that have been created.
6. Write down the name of the Traffic Selector that has been created:
__________________________________________________________________________________
Task 3
Use the Flow Monitor to create a rule that will throttle all HTTP traffic.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Application Control and open the Flow Monitor on the eth1
interface.
3. Browse to http://www.sophos.com.
4. In the Flow Monitor throttle the traffic for HTTP to 25 kbit/s for each source.
5. In the WebAdmin, navigate to Interfaces & Routing | Quality of Service (QoS) and review the
Traffic Selector and Download Throttling that have been created.
6. Disable the Download Throttling rule and Bandwidth Pool.
7. Disable quality of service on all interfaces.
8. Create a backup called Architect Lab 4 on LabGateway1 and download it to the desktop of
LabServer.
Review
You have now successfully:
Limited the bandwidth for an interface.
Shaped traffic based on an application.
Throttled traffic based on a protocol.
Lab 5: Authentication
Objective
Upon completion of this section you will be able to configure:
The Sophos Authentication Agent.
One-time passwords.
Requirements
No prerequisites.
Task 1
Configure and test the Sophos Authentication Agent.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Definitions & Users | Authentication Services.
3. Select all options in the Automatic user creation for facilities section.
4. Navigate to Definitions & Users | Client Authentication and enable client authentication with the
following configuration:
Allowed networks: Internal (Network)
Allowed Users and Groups: Active Directory Users.
5. In the Client Authentication program section, download the EXE version and install it on LabServer.
6. Use Putty on LabServer to login to LabGateway1 as the loginuser then change to the root user using
the command:
su -
7. Follow the aua.log and endpoint.log files using the commands:
cd /var/log
tail -f aua.log endpoint.log
8. Launch the client authentication program and test it with the Active Directory user JaneDoe.
Note: do not save the password.
9. Confirm that the user JaneDoe has been created on the UTM following successful authentication.
10. Close the Sophos Authentication Agent.
11. Write down the following information from the entries written to the aua.log and endpoint.log
when you authenticated as JaneDoe:
aua.log: user, caller and engine
____________________________________________________________________________
endpoint.log: the name of the process that wrote to the log
____________________________________________________________________________
Task 2
Configure and test one-time passwords for the User Portal.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Definitions & Users | Authentication Services | One-time password and enable one-time passwords.
3. Connect to the User Portal on LabGateway1 at https://gw1.lab.internal and login as johnsmith.
4. Click Proceed with login.
5. In the WebAdmin refresh the one-time passwords page.
6. Edit the token for johnsmith and create additional codes.
7. Write down one of the additional codes:
_________________________________________________
8. Login to the User Portal as johnsmith using the additional token code you wrote down.
9. Go to the OTP Token tab and view the token information.
10. Write down the encoding types your secret is displayed in:
__________________________________________________________________________________
__________________________________________________________________________________
11. In the WebAdmin, disable one-time passwords.
12. Create a backup called Architect Lab 5 on LabGateway1 and download it to the desktop of
LabServer.
Review
You have now successfully configured:
The Sophos Authentication Agent.
One-time passwords.
Lab 6: Web protection
Objective
Upon completion of this section you will be able to configure:
Automatic proxy configuration via DHCP.
File type blocking using MIME types.
Full HTTPS decrypt and scan.
Multiple profiles for different modes of authentication.
Requirements
All instructions in Lab 1 must be completed successfully.
Note
Use Internet Explorer for testing your configuration in this lab. Proxy auto-configuration via DHCP is unreliable in other browsers.
Task 1
Configure a proxy auto-configuration script.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Filtering Options | Misc and create and enable a proxy auto-configuration script on the UTM which returns DIRECT for the lab.internal network and returns LabGateway1 as the proxy for all other sites. Example:
function FindProxyForURL(url, host)
{
    // Local URLs from the domain lab.internal
    // don't need a proxy
    if (shExpMatch(host, "*.lab.internal"))
    {
        return "DIRECT";
    }
    // URLs within this network are local and don't
    // need a proxy
    if (isInNet(host, "172.16.1.0", "255.255.255.0"))
    {
        return "DIRECT";
    }
    // All other requests go through
    // port 8080 of gw1.lab.internal;
    // should that fail to respond, try to go direct
    return "PROXY gw1.lab.internal:8080; DIRECT";
}
3. Navigate to Network Services | DHCP and edit your DHCP server by enabling the option Enable
HTTP Proxy Auto Configuration.
4. Navigate to Network Protection | Firewall and remove Web Surfing from the Web Surfing and
WebAdmin firewall rule.
5. Release and renew your IP address on LabServer. This can be done using the command: ipconfig /release && ipconfig /renew
6. Open Internet Explorer and confirm that:
You are able to access http://www.sophos.com.
http://www.games.com is blocked.
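Browsers give no feedback on why a PAC script chose a route, so it pays to test the decision logic offline before handing it out via DHCP. The following is an added example, not part of the workbook and not Sophos code: a small harness that re-implements the three PAC helper functions a browser provides (shExpMatch, isInNet, dnsResolve) over a constructed host table, reproduces the lab's FindProxyForURL, and evaluates it for sample URLs. The host names and addresses in the table are constructed for the example; real browsers resolve unknown hosts with DNS, which is what makes the isInNet branch cost a lookup for every non-lab.internal host.

```javascript
// Added example (not Sophos code): offline harness for the Lab 6 PAC logic.
// The HOSTS table is a constructed stand-in for the lab's DNS.
const HOSTS = {
  "gw1.lab.internal": "172.16.1.1",
  "fileserver.lab.internal": "172.16.1.20",
  "printer": "172.16.1.30",           // short name inside the lab network
  "www.sophos.com": "203.0.113.10",   // documentation (TEST-NET-3) address
};

// Browser-provided PAC helper: shell-style glob match (* and ?), anchored.
function shExpMatch(str, shexp) {
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Browser-provided PAC helper: resolve a host name; "" when unknown.
function dnsResolve(host) {
  return HOSTS[host] || "";
}

// Dotted quad to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

// Browser-provided PAC helper: is the host (name or literal IP) in pattern/mask?
// A name that does not resolve is treated as outside the network.
function isInNet(host, pattern, mask) {
  const ip = /^\d+\.\d+\.\d+\.\d+$/.test(host) ? host : dnsResolve(host);
  if (!ip) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// The lab's PAC logic, reproduced so the harness can evaluate it.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.lab.internal")) return "DIRECT";
  if (isInNet(host, "172.16.1.0", "255.255.255.0")) return "DIRECT";
  return "PROXY gw1.lab.internal:8080; DIRECT";
}

// Evaluate the PAC for a URL, extracting the host the way a browser does.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Stand-alone run over constructed sample URLs.
for (const u of ["http://fileserver.lab.internal/", "http://printer/",
                 "http://172.16.1.50/", "http://www.sophos.com/",
                 "http://lab.internal.example.com/"]) {
  console.log(u.padEnd(36), "->", decide(u));
}
```

Two points the run makes visible: the glob is anchored, so a host such as lab.internal.example.com does not match "*.lab.internal" and goes to the proxy, while a short lab host name like "printer" only goes direct because it resolves into 172.16.1.0/24.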
Task 2
Configure and test blocking files using MIME-type blocking.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and edit the Default content
filter action.
3. Configure the filter action to warn for downloading of ZIP files based on MIME type.
4. Write down the MIME type for ZIP files: _________________________________________________
5. Try to download the test file from Services: http://192.168.1.1/zip.test
Task 3
Configure and enable Full decrypt and scan HTTPS scanning in the web filter.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Web Protection | Filtering Options | HTTPS CAs and Upload a new signing CA from the
file c:\certs\lab-LAB-SERVER-CA.p12 with the password Sophos1985.
3. Navigate to Web Protection | Web Filtering and select Decrypt and scan for HTTPS (SSL) traffic.
4. Confirm that you do not get a certificate error when you access: https://www.google.co.uk
5. View the details of the SSL certificate.
6. Write down the signing certificate authority for the certificate your browser received when you
accessed https://www.google.co.uk: ____________________________________________________
Task 4
Configure multiple web filtering profiles for different connection and authentication methods.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Definitions & Users | Users & Groups | Groups and add a new group with the following
configuration:
Group name: Contractors
Group type: Backend membership
Backend: Active Directory
Limit to backend group(s) membership: selected
Active Directory Groups: Contractors
3. Add a new group with the following configuration:
Group name: Domain Admins
Group type: Backend membership
Backend: Active Directory
Limit to backend group(s) membership: selected
Active Directory Groups: Domain Admins
4. Navigate to Web Protection | Filtering Options | Categories and create a New filter category with
the following configuration:
Name: Business
Included Sub-Categories: Business.
5. Remove the Business sub-category from the Community / Education / Religion filter category.
6. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and create a new filter action
with the following configuration:
Name: Contractors
Block all content, except as specified below
Category:
o IT: Allow
o Business: Allow
7. Navigate to Web Protection | Web Filtering Profiles and create a new profile with the following
configuration:
Name: Standard mode with AD SSO authentication.
Allowed networks: Internal (Network)
Operation mode: Standard
Default Authentication: Active Directory SSO
HTTPS (SSL) traffic: Decrypt and scan.
8. In Web Protection | Web Filtering Profiles create a new profile with the following configuration:
Name: Transparent mode with Browser authentication.
Allowed networks: Internal (Network)
Operation mode: Transparent
Default Authentication: Browser
HTTPS (SSL) traffic: Decrypt and scan.
Policies: create and enable two new policies as below.
o Policy 1:
Name: Contractors
Users/Groups: Contractors
Filter Action: Contractors
o Policy 2:
Name: Domain Admins
Users/Groups: Domain Admins
Filter Action: Default content filter action
o Base Policy:
Filter Action: Default content filter block action
9. Arrange the profiles with the Standard mode with AD SSO authentication at the top and
Transparent mode with Browser authentication beneath it.
10. Open the Web Filtering Live Log and review it while you follow the steps below to test your
configuration.
11. Configure the browser proxy settings as below:
Proxy server: none
Automatic proxy script: none
Automatically detect settings: no
12. In your browser try to connect to http://www.sophos.com and authenticate as ContractorBob.
Note: be sure not to close the window with the logout button.
13. Confirm that you are unable to access http://www.bbc.co.uk.
14. Logout of the browser authentication as ContractorBob.
15. In your browser try to connect to http://www.sophos.com and authenticate as Administrator.
Note: be sure not to close the window with the logout button.
16. Confirm that you are able to access http://www.bbc.co.uk.
17. Logout of the browser authentication as Administrator.
18. Change your browser settings to explicitly use the proxy server on port 8080.
19. Browse to both http://www.sophos.com and http://www.bbc.co.uk and confirm you can access
them without authenticating.
20. Configure the browser proxy settings as below:
Proxy server: none
Automatic proxy script: none
Automatically detect settings: no
21. Navigate to Web Protection | Web Filtering Profiles and disable the Standard mode with AD SSO
authentication and Transparent mode with Browser authentication profiles.
22. Navigate to Web Protection | Web Filtering and configure the proxy settings as below:
Operation mode: Transparent mode
Default Authentication: None
HTTPS (SSL) traffic: URL filtering only
23. Create a backup called Architect Lab 6 on LabGateway1 and download it to the desktop of
LabServer.
Review
You have now successfully configured:
Automatic proxy configuration via DHCP.
File type blocking using MIME types.
Full HTTPS decrypt and scan.
Multiple profiles for different modes of authentication.
Lab 7: Email protection
Objective
Upon completion of this section you will be able to configure:
End user sender blacklists through the User Portal and WebAdmin.
SMTP profiles for additional domains which override elements of the default SMTP configuration.
Email encryption using OpenPGP.
Email encryption using S/MIME.
Requirements
No prerequisites.
Task 1
Block an email using the per user sender blacklists in the User Portal.
Steps
On LabServer:
1. Connect to the User Portal on LabGateway1 and login as administrator.
2. On the Sender Blacklist tab add *[email protected] to the Sender Blacklist.
Note: ensure that you include the * as this is required for the email address to match with BATV
enabled.
On AcmeCorpServer:
3. Launch Thunderbird and send a test email from [email protected] to
On LabServer:
4. Login to the User Portal of LabGateway1 as administrator.
5. Select the Mail Log tab and review the entry for the test email.
6. Select the Mail Quarantine tab and write down why the test email was quarantined from the
Reason column:
__________________________________________________________________________________
7. First view, then release the email and confirm that you received it.
8. In the LabGateway1 WebAdmin, navigate to Definitions & Users | Users & Groups.
9. Edit the Administrator user and view the Sender Blacklist.
10. Add *@services.external to the Sender Blacklist.
Task 2
Configure an additional SMTP profile for a different email domain.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Email Protection | SMTP and change the SMTP proxy to Profile mode.
3. Navigate to Email Protection | SMTP Profiles and add and enable a new SMTP Profile with the
following configuration:
Profile Name: sophos.external domain
Domains: sophos.external
Blocked Expressions: Use individual settings defined below
Blocked Expressions: create a regular expression to match a string of 16 numbers which
may optionally have a space between each block of 4 digits similar to a credit card
number. E.g., \b([0-9]{4}\s?){4}\b
On AcmeCorpServer:
4. Launch Thunderbird and send an email from administrator to [email protected]
containing the string 1234 5678 9012 3456.
5. Review the SMTP Live Log and write down the reason it was quarantined:
__________________________________________________________________________________
On LabServer:
6. Connect to the WebAdmin of LabGateway1.
7. Launch the Mail Manager and release the email from the quarantine.
8. Identify the message ID for the email from the SMTP Log in the Mail Manager.
9. Launch Putty and connect to LabGateway1 via SSH.
10. Login as the loginuser then change the root user using the command: su -
11. Change to the log directory using the command: cd /var/log
12. Search the maillog for entries containing the message ID using the following command: grep xxxxxxxxxxxxxxxx smtp.log
Note: where xxxxxxxxxxxxxxxx is replaced with the message ID you identified in step 8.
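Both matching rules used in this lab can be checked offline before they are relied on: the per-user sender blacklist (Task 1), where the note about the leading * matters because BATV rewrites the envelope sender to the form prvs=<tag>=user@domain, and the SMTP profile's blocked expression (Task 2). The following is an added example, not part of the workbook and not Sophos code; the sender address administrator@acme.example, the BATV tag value and the sample message strings are constructed, and the wildcard matching is a plain shell-style glob assumed to behave like the UTM's pattern fields.

```javascript
// Added example (not Sophos code): the two Lab 7 matching rules exercised
// against constructed sample data.
//  1. Sender-blacklist entries are shell-style patterns. With BATV enabled the
//     envelope sender is rewritten to prvs=<tag>=user@domain, so an entry
//     without a leading "*" no longer matches the rewritten address.
//  2. The SMTP profile's blocked expression is a regular expression run over
//     the message; the lab's \b([0-9]{4}\s?){4}\b is checked against strings
//     it should and should not match.

// Shell-style wildcard pattern (* and ?) to an anchored, case-insensitive RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*")
                      .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i");
}

// True if any blacklist entry matches the envelope sender.
function senderBlacklisted(envelopeSender, blacklist) {
  return blacklist.some((entry) => globToRegExp(entry).test(envelopeSender));
}

// Constructed BATV rewrite of an envelope sender: prvs=<tag>=local@domain.
// The tag is a placeholder; a real tag carries a keyed hash and an expiry day.
function batvRewrite(address, tag = "0123abcdef") {
  return `prvs=${tag}=${address}`;
}

// The lab's blocked expression for credit-card-like runs of 16 digits.
const BLOCKED_EXPRESSION = /\b([0-9]{4}\s?){4}\b/;

function containsBlockedExpression(text) {
  return BLOCKED_EXPRESSION.test(text);
}

// Run every check over constructed samples and return the outcomes by name.
function runChecks() {
  const sender = "administrator@acme.example";   // constructed address
  const rewritten = batvRewrite(sender);
  return {
    rewritten,
    plainEntryMatches: senderBlacklisted(rewritten, [sender]),
    starEntryMatches: senderBlacklisted(rewritten, ["*" + sender]),
    domainEntryMatches: senderBlacklisted(rewritten, ["*@services.external"]),
    // A leading "*" is broad: it also matches other local parts ending in the
    // same string, which is worth knowing before blacklisting short names.
    starEntryOvermatches: senderBlacklisted("not" + sender, ["*" + sender]),
    spaced: containsBlockedExpression("Card: 1234 5678 9012 3456 exp 12/20"),
    contiguous: containsBlockedExpression("1234567890123456"),
    hyphenated: containsBlockedExpression("1234-5678-9012-3456"),
    seventeenDigits: containsBlockedExpression("12345678901234567"),
  };
}

console.log(runChecks());
```

Reading the results: the un-starred entry fails against the BATV-rewritten sender while the starred one matches, and the expression catches both the spaced and the unspaced 16-digit forms but not a hyphenated number or a 17-digit run, because the word boundaries require the digits to stand alone.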
Task 3
Configure and test email encryption between two UTMs using OpenPGP.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Email Protection | Encryption and enable email encryption.
3. On the Internal Users tab create a New email encryption user with the following configuration:
Email Address: [email protected]
Full Name: Administrator (Lab)
4. Download the OpenPGP public key.
5. Launch Thunderbird and email the OpenPGP public key to [email protected].
On AcmeCorpServer:
6. Login to the WebAdmin of AcmeCorpGateway as admin.
7. Navigate to Email Protection | Encryption and enable email encryption.
8. On the Internal Users tab create a New email encryption user with the following configuration:
Email Address: [email protected]
Full Name: Administrator (Acme)
9. Download the OpenPGP public key.
10. Launch Thunderbird and email the OpenPGP public key to [email protected].
11. In the AcmeCorpGateway Webadmin, select the OpenPGP Public Keys tab.
12. Use the New public OpenPGP key(s) option to import the key from [email protected].
On LabServer:
13. Connect to the LabGateway1 WebAdmin.
14. Select the OpenPGP Public Keys tab.
15. Use the New public OpenPGP key(s) option to import the key from [email protected].
16. Launch Thunderbird and send an email to [email protected].
On AcmeCorpServer:
17. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in
the subject line.
18. Write down the subject line tag:
__________________________________________________________________________________
19. Send an email to [email protected].
On LabServer:
20. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in
the subject line.
Task 4
Configure and test email encryption between two servers using S/MIME.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Email Protection | Encryption and download the S/MIME CA Certificate.
3. On the Internal Users tab create a New email encryption user with the following configuration:
Email Address: [email protected]
Full Name: John Smith (Lab)
4. Launch Thunderbird and email the S/MIME certificate from [email protected] to
On AcmeCorpServer:
5. Login to the WebAdmin of AcmeCorpGateway as admin.
6. Navigate to Email Protection | Encryption and download the S/MIME CA Certificate.
7. On the Internal Users tab create a New email encryption user with the following configuration:
Email Address: [email protected]
Full Name: Tom Jones (Acme)
8. Launch Thunderbird and email the S/MIME certificate from [email protected] to
9. Save the S/MIME certificate from John Smith as lab-smime.pem.
10. In the AcmeCorpGateway WebAdmin, select the S/MIME Authorities tab and upload the lab-smime.pem certificate.
On LabServer:
11. Save the S/MIME certificate from Tom Jones as acme-smime.pem.
12. In the LabGateway1 WebAdmin, select the S/MIME Authorities tab and upload the acme-smime.pem certificate.
13. In Thunderbird send an email from [email protected] to [email protected].
On AcmeCorpServer:
14. Confirm you received the email and that it was signed by the tag in the subject line.
15. Write down the subject line tag:
__________________________________________________________________________________
16. In the AcmeCorpGateway WebAdmin, select the S/MIME Certificates tab and confirm that John
Smith's certificate has been extracted.
17. Send an email to [email protected].
On LabServer:
18. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in
the subject line.
19. Write down the subject line tag:
__________________________________________________________________________________
20. In the LabGateway1 WebAdmin, select the S/MIME Certificates tab and confirm that Tom Jones'
certificate has been extracted.
21. Create a backup called Architect Lab 7 on LabGateway1 and download it to the desktop of
LabServer.
Review
You have now successfully configured:
End user sender blacklists through the User Portal and WebAdmin.
SMTP profiles for additional domains which override elements of the default SMTP configuration.
Email encryption using OpenPGP.
Email encryption using S/MIME.
Lab 8: Endpoint protection
Objective
Upon completion of this section you will:
Know where to look to monitor communication between an endpoint and UTM via LiveConnect.
Be able to configure antivirus exclusions.
Requirements
No prerequisites.
Task 1
Explore the logging of communication between the endpoint and UTM via LiveConnect.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Management | System Settings | Reset Configuration and click Reset UTM ID.
3. Navigate to Endpoint Protection | Computer Management.
4. Enable Endpoint Protection and click Activate Endpoint Protection.
5. Select the Advanced tab.
6. In the Tamper Protection section set the password to Sophos1985 and click Apply.
7. Select the Deploy Agent tab.
8. Click Download Endpoint Installation Package Now.
9. Once it has downloaded run the installer.
10. On the Welcome to the Sophos Endpoint Security and Control Installer screen click Next.
11. On the Remove third-party security software screen click Install.
12. On the Install is complete screen click Finish.
13. In the WebAdmin navigate to Endpoint Protection.
14. Confirm that the LabServer is registered and online.
15. Browse to:
C:\ProgramData\Sophos\Management Communications System\Endpoint\Config
16. Write down what configuration is included in the config.xml by default:
__________________________________________________________________________________
17. Browse to:
C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist
18. Open the EndpointIdentity.txt file then keep this file open while you do the following steps.
19. Launch Sophos Endpoint Security and Control and authenticate with Tamper Protection.
20. Login to the WebAdmin of LabGateway1 as admin.
21. Navigate to Endpoint Protection, launch the Live Log.
22. Locate the log entry for where you authenticated against Tamper Protection.
23. Compare the mcs_id field to the contents of the EndpointIdentity.txt.
Task 2
Configure and test the antivirus exclusion.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Endpoint Protection | Antivirus | Exceptions and create a scanning exclusion for
Eicar.com and apply it to the Default group.
3. Wait for a minute to allow the policy to be applied on LabServer.
4. Launch your web browser and connect to http://www.sophos.com/en-us/press-office/press-releases/2003/01/eicar.aspx.
5. Open Notepad.
6. Copy the following text from the Sophos Eicar article and paste it in Notepad:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
7. Save the file as Eicar.com.
Note: ensure you save it without the *.txt extension.
8. Try to execute the file. This will not cause an anti-virus alert.
Note: the file will not run correctly as it is a DOS application.
9. Create a backup called Architect Lab 8 on LabGateway1 and download it to the desktop of
LabServer.
Review
You have now successfully:
Monitored the communication between an endpoint and UTM via LiveConnect.
Configured antivirus exclusions.
Lab 9: Wireless protection
Objective
Upon completion of this section you will be able to:
Configure multiple wireless networks for different users.
Connect and configure a wireless access point.
Create a hotspot.
Requirements
No prerequisites.
Task 1
Enable wireless protection and without using the wizard manually configure two wireless networks:
One for guest access using a separate zone.
One for lab access bridged to the access point network.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Wireless Protection | Global Settings.
3. Enable wireless protection using the following configuration:
Skip automatic configuration: Selected
Allowed interfaces: Internal
4. Navigate to Wireless Protection | Wireless Networks and create a wireless network with the
following configuration:
Network name: Guest
Network SSID: Guest
Encryption Mode: WPA2 Personal
Passphrase PSK: Sophos1985
Client traffic: Separate Zone
Client isolation: Enabled
5. Navigate to Interfaces & Routing | Interfaces and add and enable a new interface for the Guest
wireless network with the following configuration:
Name: Guest WiFi
Type: Ethernet Static
Hardware: wlan0
IPv4 Address: 172.16.21.1
Netmask: /24 (255.255.255.0)
6. Navigate to Network Services | DHCP and create a new DHCP server for the wireless network with
the following configuration:
Interface: Guest WiFi
Range start: 172.16.21.1
Range end: 172.16.21.254
DNS Server 1: 172.16.21.1
Default gateway: 172.16.21.1
7. Navigate to Network Services | DNS add the Guest wireless network to the Allowed Networks.
8. Navigate to Network Protection | NAT and create and enable a new masquerading rule for the
Guest wireless network with the following configuration:
Network: Guest WiFi (Network)
Interface: Uplink Interfaces
User address: >
9. Navigate to Network Protection | Firewall and create and enable a new firewall rule that allows
web browsing from the wireless network to the Internet with the following configuration:
Sources: Guest WiFi (Network)
Services: Web Surfing
Destinations: Internet IPv4
10. Navigate to Wireless Protection | Wireless Networks create a wireless network with the following
configuration:
Network name: Lab
Network SSID: Lab
Encryption Mode: WPA2 Personal
Passphrase PSK: Sophos1985
Client traffic: Bridge to AP LAN
Client isolation: Enabled
Task 2
Connect a Sophos wireless access point to LabGateway1.
Steps
On LabServer:
1. Launch Putty and connect to LabGateway1 using SSH.
2. Login as the loginuser then change to root using the following command: su -
3. As the root user run the following command: ./clienttest.pl --minc=5 --maxc=10 server=172.16.1.101
4. In the WebAdmin of LabGateway1, navigate to Wireless Protection | Access Points.
5. Click Accept for the access point and use the following configuration in the Edit Access Point dialog:
Label: Lab9
Group: >
Name: Training
6. Select the Grouping tab.
7. Edit the Training group and select Guest and Lab wireless networks.
8. In Putty run the clienttest.pl command again on LabGateway1.
Note: leave the SSH session open for the duration of the lab.
9. In the WebAdmin of LabGateway1, confirm that the access point is now active.
Note: this may take a couple of minutes.
10. Navigate to Wireless Protection | Wireless Clients and view the clients connected.
11. Navigate to Wireless Protection | Access Points and select the Grouping tab.
12. Create a new group with the following configuration:
Name: Lab only
Wireless networks: Lab
13. On the Overview tab edit the access point and change it from the Training group to the Lab group.
Task 3
Configure and test a voucher based hotspot.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Wireless Protection | Hotspots and enable it.
3. Select the Voucher Definitions tab and create a new voucher with the following configuration:
Name: Lab
Validity period: 5 Days
Data volume: 20 MB.
4. Select the Advanced tab and add Internal (Address) to the Allowed hosts/networks in the Walled
Garden section.
5. Select the Hotspot tab and create a new hotspot with the following configuration:
Name: Public
Interfaces: Internal
Hotspot type: Voucher
Voucher Definitions: Lab
6. Login to the User Portal of LabGateway1 as admin and create a Lab voucher.
7. Write down the voucher code:
_________________________________________________________________________________
8. Try to browse to http://www.sophos.com.
9. Enter the voucher code when prompted.
10. Write down the voucher information displayed:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
11. Browse the Sophos website then refresh the hotspot portal page; note that the used Data volume
has increased.
12. Write down the Status of the voucher in the User Portal of LabGateway1:
__________________________________________________________________________________
13. Login to the WebAdmin of LabGateway1 as admin.
14. Navigate to Wireless Protection | Hotspots and open the live log.
15. Write down the portal and user fields from your session.
__________________________________________________________________________________
__________________________________________________________________________________
16. Disable Hotspots on LabGateway1.
17. Create a backup called Architect Lab 9 on LabGateway1 and download it to the desktop of
LabServer.
Review
You have now successfully:
Configured multiple wireless networks for different users.
Connected and configured a wireless access point.
Created a hotspot.
Lab 10: Webserver protection
Objective
Upon completion of this section you will be able to configure webserver protection for both HTTP and
HTTPS webservers and implement reverse authentication.
Requirements
No prerequisites.
Task 1
Configure a reverse proxy for HTTP and HTTPS webservers with a custom firewall profile.
Steps
On LabServer:
1. Open a Command Prompt and use OpenSSL to generate a server key: openssl genrsa -out server.key
2. Create a server certificate signing request for the external hostname of LabGateway1 (lab-gw1.lab.external): openssl req -new -key server.key -out server.csr
Country Name: GB
State or Province Name: Oxfordshire
Locality Name: Abingdon
Organization Name: Sophos
Organizational Unit: Training
Common Name: lab-gw1.lab.external
Email Address: [email protected]
A challenge password: leave blank
An optional company name: leave blank
3. Connect to the certificate authority on Services: https://global.services.external/certsrv/en-us.
4. Download the CA certificate in Base 64 encoded format to
C:\Users\Administrator\ca_certificate.cer.
5. Request a certificate using advanced certificate request.
6. Paste in the certificate signing request that you created then download the certificate in Base 64
encoded format to C:\Users\Administrator\certificate.cer.
7. Use OpenSSL to create a PKCS#12 file from the server key, certificate and CA certificate:
openssl pkcs12 -export -out lab.p12 -inkey server.key -in certificate.cer -certfile ca_certificate.cer
8. Login to the WebAdmin of LabGateway1 as admin.
9. Navigate to Webserver Protection | Certificate Management and create a new certificate with the
following configuration:
Name: lab-gw1 external
Method: Upload
File type: PKCS#12 (Cert+CA)
File: the lab.p12 you created in step 7
Password: the password you set in step 7
10. Navigate to Webserver Protection | Web Application Firewall | Firewall Profiles and create a New
Firewall Profile called Lab with the following features enabled:
Mode: Reject
Common Threats Filter
Cookie signing
Form hardening
Antivirus scanning
Mode: Single Scan
Direction: Uploads and Downloads
Block unscannable content
Block clients with bad reputation
11. Select the Real Webservers tab and create a New Real Webserver with the following configuration:
Name: ArGoSoft Webmail
Host: Lab Server
Type: Plaintext (HTTP)
Port: 80
12. Create another New Real Webserver with the following configuration:
Name: IIS
Host: Lab Server
Type: Encrypted (HTTPS)
Port: 443
13. Select the Virtual Webservers tab and create a New Virtual Webserver with the following
configuration:
Name: ArGoSoft Webmail
Interface: External (WAN) (Address)
Type: Plaintext (HTTP)
Port: 80
Domains: lab-gw1.lab.external
Real Webservers: ArGoSoft Webmail
Firewall Profile: Lab
14. Create another New Virtual Webserver with the following configuration:
Name: IIS
Interface: External (WAN) (Address)
Type: Encrypted (HTTPS)
Port: 81
Redirect from HTTP to HTTPS: Untick
Certificate: lab-gw1 external
Real Webservers: IIS
Firewall Profile: Lab
On AcmeCorpServer:
15. Connect to:
http://lab-gw1.lab.external - You should be able to access the ArGoSoft Webmail site.
https://lab-gw1.lab.external:81 - You should be able to access the IIS default page with no certificate error.
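The OpenSSL part of this task (steps 1 to 7) reproduced offline, as an added check that is not part of the workbook: it builds the CSR with the subject above, signs it with a throwaway self-signed CA standing in for the lab's Microsoft CA (which is not reachable here), bundles the result as step 7 does, then reads the PKCS#12 back to confirm it carries the CA certificate, that the chain verifies, and that the certificate matches lab-gw1.lab.external, which is what the "no certificate error" in step 15 depends on. The e-mail address, the PKCS#12 password and the CA name are constructed placeholders.

```shell
# Added example, not workbook code. Rebuilds lab.p12 as in steps 1-7 against a
# stand-in CA and checks the bundle the way the WebAdmin upload (step 9) consumes it.
HOST="lab-gw1.lab.external"
# Subject fields from step 2; the e-mail address is a constructed placeholder.
SUBJ="/C=GB/ST=Oxfordshire/L=Abingdon/O=Sophos/OU=Training/CN=${HOST}/emailAddress=placeholder@lab.external"
P12_PASS="ChangeMe-lab"   # constructed placeholder for the password set in step 7

# Builds the bundle in a scratch directory and prints one summary line:
#   cn=<CN> cacerts=<n> chain=<OK|FAIL> hostname=<OK|FAIL>
build_and_check_p12() (
    d=$(mktemp -d) || exit 1
    cd "$d" || exit 1
    # steps 1-2: server key and CSR with the lab subject
    openssl genrsa -out server.key 2048 >/dev/null 2>&1
    openssl req -new -key server.key -out server.csr -subj "$SUBJ" 2>/dev/null
    # stand-in for the CA whose certificate step 4 downloads as ca_certificate.cer
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca_certificate.cer \
        -subj "/CN=Constructed Lab CA" -days 1 2>/dev/null
    # stand-in for the certsrv issuance in steps 5-6; a SAN is added because browsers
    # ignore the CN, so a CN-only certificate would still produce a certificate error
    printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
    openssl x509 -req -in server.csr -CA ca_certificate.cer -CAkey ca.key -CAcreateserial \
        -out certificate.cer -days 1 -extfile san.ext 2>/dev/null
    # step 7: key + certificate + CA certificate into one PKCS#12 (Cert+CA)
    openssl pkcs12 -export -out lab.p12 -inkey server.key -in certificate.cer \
        -certfile ca_certificate.cer -passout "pass:$P12_PASS"
    # read the bundle back: end-entity certificate and CA certificate(s) separately
    openssl pkcs12 -in lab.p12 -clcerts -nokeys -passin "pass:$P12_PASS" 2>/dev/null > ee.pem
    openssl pkcs12 -in lab.p12 -cacerts -nokeys -passin "pass:$P12_PASS" 2>/dev/null > ca.pem
    cn=$(openssl x509 -in ee.pem -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    n=$(grep -c 'BEGIN CERTIFICATE' ca.pem)
    if openssl verify -CAfile ca.pem ee.pem >/dev/null 2>&1; then chain=OK; else chain=FAIL; fi
    if openssl verify -CAfile ca.pem -verify_hostname "$HOST" ee.pem >/dev/null 2>&1; then
        hn=OK; else hn=FAIL; fi
    cd / && rm -rf "$d"
    echo "cn=$cn cacerts=$n chain=$chain hostname=$hn"
)
```

Run the same read-back against the real lab.p12 (with the real password) before step 9: if cacerts is 0 the upload will lack the chain, and if hostname is FAIL the browser check in step 15 will not pass.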
Task 2
Implement reverse authentication for the HTTPS website.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. In Webserver Protection | Reverse Authentication create a New Authentication Profile with the
following configuration:
Name: IIS Auth
Frontend mode: Form
Frontend realm: IIS
Backend mode: None
Form Template: Default Template
Users / Groups: Active Directory Users
3. Navigate to Webserver Protection | Web Application Firewall and select the Site Path Routing tab.
4. Edit the Site Path Route for IIS and select the IIS Auth Reverse Authentication profile.
On Services:
5. Connect to https://lab-gw1.lab.external:81.
6. You should be prompted to login via a form and you should not get any certificate errors accessing
the HTTPS site.
7. Write down the certificate authority that issued the HTTPS certificate:
__________________________________________________________________________________
8. Confirm you are able to login as johnsmith.
9. Create a backup called Architect Lab 10 on LabGateway1 and download it to the desktop of
LabServer.
Review
You have now successfully configured webserver protection for both HTTP and HTTPS webservers and implemented reverse authentication.
Lab 11: RED
Objective
Upon completion of this lab you will be able to create a RED tunnel between two UTMs.
Requirements
No prerequisites.
Task
Configure a RED tunnel between LabGateway1 and AcmeCorpGateway.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to RED Management | Global Settings and activate RED Management.
3. Select the [Server] Client Management tab and add a RED with the following configuration:
Branch Name: AcmeCorp
Client type: UTM
4. Download the provisioning file to the desktop of LabServer.
5. Launch Thunderbird and email the provisioning file to [email protected].
On AcmeCorpServer:
6. Launch Thunderbird and save the provisioning file from the email to the desktop of
AcmeCorpServer.
7. Launch a browser and connect to the WebAdmin of AcmeCorpGateway and login as admin.
8. Navigate to RED Management | Global Settings and activate RED Management.
9. Select the [Client] Tunnel Management tab and create a new tunnel using the following
configuration:
Tunnel Name: Lab
UTM host: Lab Gateway 1
Prov. File: the provisioning file saved to the desktop
On LabServer:
10. Select the Overview tab in the LabGateway1 WebAdmin and confirm that the connection is
established successfully.
11. Navigate to Interfaces & Routing | Interfaces and create and enable a new interface with the
following configuration:
Name: Acme RED
Type: Ethernet Static
Hardware: reds1
IPv4 address 10.0.0.1
Netmask: /24 (255.255.255.0)
On AcmeCorpServer:
12. Open the AcmeCorpGateway WebAdmin.
13. Navigate to Interfaces & Routing | Interfaces and create and enable a new interface with the
following configuration:
Name: Lab RED
Type: Ethernet Static
Hardware: redc1
IPv4 address 10.0.0.2
Netmask: /24 (255.255.255.0)
14. Navigate to Interfaces & Routing | Static Routing and create and enable a new static route with the
following configuration:
Route Type: Gateway route
Network: Lab Network
Gateway: create a new network definition
o Name: Lab RED Gateway
o Type: Host
o IPv4 Address: 10.0.0.1
On LabServer:
15. Navigate to Interfaces & Routing | Static Routing and create and enable a new static route with the
following configuration:
Route Type: Gateway route
Network: Acme Corp LAN
Gateway: create a new network definition
o Name: Acme RED Gateway
o Type: Host
o IPv4 Address: 10.0.0.2
16. Navigate to Network Protection | Firewall and create and enable a new firewall rule with the
following configuration:
Sources: Acme Corp LAN
Services: Web Surfing
Destinations: Internal (Network)
On AcmeCorpServer:
17. Connect to http://172.16.1.1 and confirm you see the ArGoSoft webmail website.
18. In the WebAdmin, disable the Lab RED tunnel, Lab RED interface and Lab RED Gateway static route.
On LabServer:
19. Disable the Acme RED tunnel, Acme RED interface, firewall rule and Acme RED Gateway static
route.
20. Create a backup called Architect Lab 11 on LabGateway1 and download it to the desktop of
LabServer.
Review
You have now successfully created a RED tunnel between two UTMs.
Lab 12: Site-to-site VPN
Objective
Upon completion of this section you will be able to configure:
A simple SSL site-to-site VPN.
An IPsec site-to-site VPN using cross signed certificates.
An IPsec site-to-site VPN using RSA authentication.
Requirements
No prerequisites.
Task 1
Configure and test a simple SSL site-to-site VPN.
Steps
On LabServer:
1. Login to the WebAdmin of AcmeCorpGateway as admin.
2. Navigate to Site-to-site VPN | SSL and create a server SSL connection with the following configuration:
Connection type: Server
Connection Name: Lab VPN
Local Networks: Internal (Network)
Remote Networks: Lab Network
Automatic Firewall rules: Selected
3. Download the peer configuration file to the desktop of LabServer and encrypt it using the password
Sophos1985.
4. Login to the WebAdmin of the LabGateway1 as admin.
5. Navigate to Site-to-site VPN | SSL and create a connection with the following configuration:
Connection type: Client
Connection Name: Acme VPN
Configuration file: the peer configuration file saved to the desktop of LabServer
Password: Sophos1985
Automatic Firewall rules: Selected
6. Confirm you can connect to http://192.168.2.1
On AcmeCorpServer:
7. Confirm you can connect to http://172.16.1.1
8. Disconnect from the VPN on both UTMs.
Task 2
Modify the existing IPsec site-to-site VPN to use cross signing authentication.
Steps
On LabServer:
1. Login to the WebAdmin of AcmeCorpGateway as admin.
2. Navigate to Site-to-site VPN | Certificate Management and generate a certificate with the following
configuration:
Name: acme-gw VPN
Method: Generate
VPN ID Type: Hostname
VPN ID: acme-gw.acme.external
Common Name: acme-gw.acme.external
Email: [email protected]
3. Download the certificate in PKCS#12 format with the password Sophos1985 to the desktop of
LabServer.
4. Login to the WebAdmin of LabServer as admin.
5. Navigate to Site-to-site VPN | Certificate Management and generate a certificate with the following
configuration:
Name: lab-gw1 VPN
Method: Generate
VPN ID Type: Hostname
VPN ID: lab-gw1.lab.external
Common Name: lab-gw1.lab.external
Email: [email protected]
6. Download the certificate in PKCS#12 format with the password Sophos1985 to the desktop of
LabServer.
7. In the LabGateway1 WebAdmin, create a new certificate with the following configuration:
Name: Acme VPN
Method: Upload
File type: PKCS#12 (Cert+CA)
File: the certificate downloaded from AcmeCorpServer.
Password: Sophos1985
8. Navigate to Site-to-site VPN | IPsec | Remote Gateways and reconfigure the gateway for
AcmeCorpGateway to use the Local X509 Certificate you uploaded (Acme VPN).
9. In the AcmeCorpServer WebAdmin, create a new certificate with the following configuration:
Name: Lab VPN
Method: Upload
File type: PKCS#12 (Cert+CA)
File: the certificate downloaded from LabServer.
Password: Sophos1985
10. Navigate to Site-to-site VPN | IPsec | Remote Gateways, reconfigure the gateway for LabGateway1
to use the Local X509 Certificate you uploaded (Lab VPN).
11. Open and monitor the IPsec live logs on both LabGateway1 and the AcmeCorpGateway.
12. Enable the IPsec VPN on both LabGateway1 and AcmeCorpServer.
13. Write down the following details from the IPsec log for the last connection made:
NAT-Traversal result:________________________________________________________
Dead peer detection status:__________________________________________________
Variant:__________________________________________________________________
14. Confirm you can connect to http://192.168.2.1
On AcmeCorpServer:
15. Confirm you can connect to http://172.16.1.1
16. Disconnect from the VPN on both UTMs.
Task 3
Modify the existing IPsec site-to-site VPN to use RSA keys
Steps
On LabServer:
1. Login to the WebAdmin of AcmeCorpGateway as admin.
2. Navigate to Site-to-site VPN | IPsec | Local RSA Key and configure the VPN ID type to be IP Address.
3. In the Re-generate local RSA key section click Apply.
4. Copy the Current local public RSA key.
5. Login to the WebAdmin of LabServer as admin.
6. Navigate to Site-to-site VPN | IPsec | Remote Gateways and edit the gateway for
AcmeCorpGateway by updating the following configuration:
Authentication type: RSA key
Public key: paste the public RSA key you copied from AcmeCorpGateway
VPN ID type: IP Address
VPN ID (optional): Leave blank
7. Select the Local RSA Key tab and configure the VPN ID type to be IP Address.
8. In the Re-generate local RSA key section click Apply.
9. Copy the Current local public RSA key.
10. In the WebAdmin of AcmeCorpGateway, navigate to Site-to-site VPN | IPsec | Remote Gateways
and edit the gateway for LabGateway1 by updating the following configuration:
Authentication type: RSA key
Public key: paste the public RSA key you copied from LabGateway1
VPN ID type: IP Address
VPN ID (optional): Leave blank
11. Open the IPsec live log and confirm that the IPsec connection is established successfully.
12. Confirm you can connect to http://192.168.2.1
On AcmeCorpServer:
13. Confirm you can connect to http://172.16.1.1
14. Disconnect from the VPN on both UTMs.
15. Create a backup called Architect Lab 12 on LabGateway1 and download it to the desktop of
LabServer.
Review
You have now successfully configured:
A simple SSL site-to-site VPN.
An IPsec site-to-site VPN using cross signed certificates.
An IPsec site-to-site VPN using RSA authentication.
Lab 13: Remote access
Objective
Upon completion of this section you will be able to configure and test IPsec remote access with the
Sophos IPsec client.
Requirements
No prerequisites.
Task
Configure an IPsec VPN on AcmeCorpGateway and test it with the Sophos IPsec client on LabServer.
Steps
On LabServer:
1. Login to the WebAdmin of LabGateway1 as admin.
2. Navigate to Network Protection | Firewall and create a new firewall rule with the following
configuration:
Sources: Internal (Network)
Services: IPsec
Destinations: Any
3. Login to the WebAdmin of AcmeCorpGateway as admin.
4. Navigate to Remote Access | IPsec and create a new IPsec remote access rule with the following
configuration:
Name: AD users to local network
Interface: External
Local Networks: Internal (Network)
Policy: AES-256
Authentication type: X509 certificate
Allowed users: Active Directory Users
5. Navigate to Network Protection | Firewall and create a new firewall rule with the following
configuration:
Sources: VPN Pool (IPsec)
Services: HTTP
Destinations: Any
6. Login to the User Portal of AcmeCorpGateway as TomJones.
7. Select the Remote Access tab and download the configuration file.
8. Download the PKCS#12 of the user certificate specifying the password Sophos1985.
9. Download and install the Sophos IPsec Client.
Note: the IPsec client will be installed in demo mode with a trial license.
10. Launch the IPsec client and add a new certificate with the following configuration:
Name: TomJones Certificate
Certificate: from PKCS#12 file
PKCS#12 Filename: select the certificate you downloaded from the User Portal
PIN Request at each Connection: Selected
11. Add a new profile by importing the configuration file downloaded from the User Portal.
12. Edit the profile and select Identities on the left. In the Pre-shared Key section, select the certificate
TomJones Certificate.
13. Reboot LabServer.
14. Initiate the VPN connection.
15. Confirm you can connect to http://192.168.2.1.
16. Disconnect from the VPN.
17. Create a backup called Architect Lab 13 on LabGateway1 and download it to the desktop of
LabServer.
Review