Sophos UTM is a fantastic web gateway, but it also has many features that involve securing your environment from inbound traffic originating from the Internet. When you have a way to access your UTM from the Internet via a public IP and DNS record, you can make use of these features such as Web Server Protection, REDs, VPNs, and the user portal.
But when your network is not guaranteed to keep the same public IP, it is not practical to update the public DNS record by hand every time the ISP drops the line and the address changes.
Thankfully, Sophos UTM's native support for Dynamic DNS registration makes it easy to deploy these features even when you don't have a static public IP.
Dynamic DNS services such as Dyn, No-IP, DNSDynamic and others, solve this problem by allowing a machine to register a public IP with a DNS record, and then automatically update it when the public IP changes.
The process for doing this varies slightly depending on the Dynamic DNS provider you choose, and your router configuration, but fundamentally the concepts are the same.
I am going to step through using NO-IP.com on a DSL connection through Telkom using a normal consumer grade DSL router. The basic steps are as follows:
- Register with a Dynamic DNS provider
- Configure the UTM for Dynamic DNS
- Configure your router for inbound traffic forwarding
- Test inbound connectivity using the public DNS record
Register with a Dynamic DNS service
Deciding on a Dynamic DNS provider depends on your needs and budget. Most of them offer a free service using generic domains. Entry-level paid packages allow you to register multiple domains and additional DNS record types such as MX records.
Here is a list of the Dynamic DNS services supported by Sophos UTM, along with the record types each one provides:
- DNS-O-Matic: Hostname, MX, Backup MX, Wildcard
- DNSdynamic: Hostname
- DNS Park: Hostname, Aliases, MX
- DtDNS: Hostname, Aliases
- Dyn: Hostname, MX, Backup MX, Wildcard
- Easy DNS: Hostname, MX, Backup MX, Wildcard
- FreeDNS: Hostname, Aliases
- Namecheap: Hostname, Aliases
- NO-IP: Hostname
- OpenDNS IP update: Label (hostname)
- selfHOST: Hostname
- STRATO AG: Hostname
- zoneedit: Hostname, Aliases
Registering with NO-IP
I’ve used NO-IP a number of times in the past and like how quick and easy it is to get going.
- Go to https://www.noip.com/sign-up
- Fill in the form
- Click the link in the confirmation email
Configure Sophos UTM for Dynamic DNS
In this section you are going to configure Sophos UTM to make use of the service you just registered for.
- Log into the Sophos UTM Web Admin interface
- Select Network Services | DNS | DynDNS and click + New DynDNS
- Select the correct type (the service you registered for, such as No-IP.com)
- For IP strategy select Web service (IPv4)
- In the Hostname field, specify the hostname you defined when signing up for the Dynamic DNS service
- Specify the username and password for the service
- Click Save
Sophos UTM will now attempt to register your current public IP address with your Dynamic DNS account. Sometimes it can take a bit of time. For lab usage I found that rebooting Sophos UTM was a good way to force a registration attempt.
After a few minutes, you should be able to confirm that the record is registered by going to http://ping.eu/nslookup. This site tells you what your current public IP address is, and also lets you perform a name lookup for the hostname you registered. If you are on the same network as your Sophos UTM (so that both leave through the same public IP), the two should match. Below is a successful confirmation.
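If you want to see what is going on behind that DynDNS entry, or force and debug an update without rebooting the UTM, the exchange can be driven by hand. The script below is an added example written for this article, not Sophos or No-IP code: it builds the authenticated HTTPS update request that No-IP documents for DDNS clients, interprets the one-word status the service answers with, and then performs the same check the article makes with ping.eu (does public DNS agree with the public IP?). The hostname `utm-lab.ddns.net`, the account credentials and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration; the endpoint URL and the status words are those of No-IP's published update API.

```python
"""Constructed example: drive and verify a No-IP dynamic DNS update by hand.

An authenticated HTTPS GET to No-IP's update endpoint, the one-word status
the service answers with, and a check that public DNS now agrees with the
public IP. Hostnames, credentials and addresses are constructed.
"""
import base64
import ipaddress
import socket
import urllib.parse
import urllib.request

NOIP_UPDATE_URL = "https://dynupdate.no-ip.com/nic/update"

# Status words defined by No-IP's update API (dyndns2 style). Anything else is an error.
RESPONSE_CODES = {
    "good": "update applied",
    "nochg": "IP unchanged; repeated nochg updates can get a client blocked, so do not poll blindly",
    "nohost": "hostname does not exist under this account",
    "badauth": "invalid username or password",
    "badagent": "client user agent rejected; the service may disable the account",
    "!donator": "feature requires a paid account",
    "abuse": "hostname blocked for abuse",
    "911": "server-side error; back off at least 30 minutes before retrying",
}


def basic_auth_header(username, password):
    """HTTP Basic credential as the update API expects it (only ever send it over HTTPS)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def build_update_request(hostname, username, password, myip=None,
                         user_agent="lab-ddns-check/1.0 admin@example.com"):
    """Build the update request. Without myip the service uses the connection's
    source address, which is what you want when the updater sits behind a NAT
    router and that router holds the public IP."""
    params = {"hostname": hostname}
    if myip:
        params["myip"] = str(ipaddress.ip_address(myip))  # reject garbage early
    req = urllib.request.Request(NOIP_UPDATE_URL + "?" + urllib.parse.urlencode(params))
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("User-Agent", user_agent)  # No-IP requires an identifying agent
    return req


def parse_update_response(body):
    """Interpret the response body: one line per hostname submitted.
    Returns a list of dicts; raises ValueError on anything outside the protocol."""
    results = []
    for line in body.strip().splitlines():
        code, _, rest = line.strip().partition(" ")
        if code not in RESPONSE_CODES:
            raise ValueError(f"unexpected response line: {line!r}")
        ip = str(ipaddress.ip_address(rest.strip())) if rest.strip() else None
        results.append({"code": code, "ok": code in ("good", "nochg"),
                        "ip": ip, "meaning": RESPONSE_CODES[code]})
    if not results:
        raise ValueError("empty response from update service")
    return results


def send_update(req, timeout=15):
    """Perform the update (live network call; not exercised in the offline demo below)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_update_response(resp.read().decode("ascii", "replace"))


def dns_matches_public_ip(hostname, public_ip, resolver=socket.gethostbyname):
    """The check the article makes with ping.eu: does the public record equal the
    public IP? Returns (matches, resolved_ip); resolved_ip is None if no record."""
    try:
        resolved = resolver(hostname)
    except OSError:  # socket.gaierror (NXDOMAIN, SERVFAIL, no network) is an OSError
        return False, None
    return resolved == public_ip, resolved


if __name__ == "__main__":
    # Constructed data: hypothetical hostname and account, documentation-range IPs.
    req = build_update_request("utm-lab.ddns.net", "lab-user", "lab-password",
                               myip="203.0.113.10")
    print("would GET", req.full_url)
    for body in ("good 203.0.113.10\n", "nochg 203.0.113.10\n", "badauth\n", "911\n"):
        for r in parse_update_response(body):
            print(f"{r['code']:>8}  ok={r['ok']!s:5}  ip={r['ip']}  {r['meaning']}")
    # Constructed resolver standing in for public DNS after the record was updated.
    fake_dns = lambda host: "203.0.113.10"
    print(dns_matches_public_ip("utm-lab.ddns.net", "203.0.113.10", resolver=fake_dns))
```

Two things in the response table matter operationally: a `badauth` or `badagent` answer means the UTM's DynDNS entry will never converge no matter how often you reboot, so check the credentials rather than waiting; and `nochg` is not a failure, but a client that keeps re-sending unchanged updates risks being blocked, which is why the UTM only updates when the detected IP changes.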
Configure your router for inbound traffic forwarding
This section is going to be very dependent on the router you are using, but the fundamentals are the same.
By default, your average DSL router will allow any outbound traffic but it won’t allow any inbound traffic initiated from the internet. But almost all of these routers can be configured to selectively forward traffic to an internal address. This is normally located in the router’s firewall or DMZ settings, and is usually called Port Forwarding or Virtual Server.
Since Sophos UTM is a full-blown firewall, there is no reason not to forward all inbound traffic to Sophos UTM's external interface; on most consumer routers the DMZ host option does exactly this in one step. The UTM then enforces its own firewall policy, so nothing is reachable that its rules do not explicitly allow, which is why that policy should be in place before you open the router. Once this has been done, inbound Internet traffic should flow through to the UTM.
Testing External Connectivity
You may not be able to perform an external connectivity test from the internal network you are on, so an easy way to check this is using your phone or tablet’s 3G connection.
Since you may not have configured any of the features related to incoming internet traffic yet, a good test is to try to access the UTM’s Web Admin interface. To do this enter:
(replace your.DynDNS.hostname with your actual hostname you defined with your Dynamic DNS provider).
You should now have access to the management interface from the outside world! Treat this as a test only: as soon as it succeeds, restrict WebAdmin access (Management | WebAdmin Settings | Allowed Networks) to a trusted network such as Internal or your VPN pool, so the management console is not left listening on the Internet.
Larger companies typically have the luxury of being able to pay for static IP addresses and the associated public DNS records required to use them. But there are a number of cases where having a dynamic public address accessible via a dynamic public DNS deployment is not only more cost effective, but also adds to your company’s resilience as far as public accessibility is concerned.
The Sophos UTM has you covered in this regard. Creating a reliable inbound connection to your UTM is the first step for many in enabling some more advanced functionality such as REDs, VPN, and Web Server Protection. More articles on how to enable and utilize some of these features coming soon!