Sophos UTM is very versatile when it comes to the deployment options available to you. You can purchase a physical hardware appliance, or deploy a virtual appliance on your own hardware, usually via VMware or Hyper-V.
This guide takes you through all the steps necessary to deploy Sophos UTM on Hyper-V.
Before you begin
The components you will need include:
- Physical machine with at least two physical network adapters or a similar multi-port adapter
- Internet connection such as DSL router or similar service from your ISP
- Windows Server 2012 R2
- Internal network using the 10.x.x.x range
Step 1 – Download Sophos UTM ISO
Start by downloading the Sophos UTM ISO image as this may take some time to complete, and you can perform step 2 below while you wait.
- Browse to http://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx
- Follow the download process and Sophos will email you a license key and grant you access to the downloads.
- You will need this key, in the form of a license file, to complete the setup.
Step 2 – Hyper-V configuration
This guide uses a Windows Server 2012 R2 host. The Hyper-V host is configured with two NICs. One will be patched directly into a DSL router. The other is patched into the internal corporate network.
Step 2.1 Configuring Host networking
Two virtual switches need to be created.
- The Internet facing virtual switch is named External – Internet
- The connection type is External and the relevant NIC is selected
- This virtual switch is not checked to “Allow management operating system to share this network adapter”
- The internal network facing virtual switch is named Internal – Corporate
- The connection type is External and the relevant NIC is selected
- This virtual switch is checked to “Allow management operating system to share this network adapter”
If you have a look at the Hyper-V host's network adapters you should now see three: two physical adapters that are bound to the virtual switches, and an additional adapter called “vEthernet” which is the host’s connection to the Internal – Corporate switch.
Step 2.2 Creating the virtual Machine
The Sophos UTM appliance has very moderate minimum requirements from a CPU and RAM perspective. Because I have more resources available, I am going to create the virtual machine with the following specifications. I have found the UTM to perform smoothly with most options enabled with this specification:
- Generation 1 Virtual Machine
- 4 x CPU
- 4GB RAM Static
- HDD 127GB Dynamic
- Attached the downloaded Sophos UTM ISO from Step 1 above as a DVD Drive
- Configure TWO Network adapters:
- One Connected to the Internal – Corporate Switch
- One connected to the External – Internet Switch
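As an added example (not from the original article), the following PowerShell builds the Step 2.1 virtual switches and the Step 2.2 virtual machine in one go; the physical NIC names, VM name and ISO path are assumptions, and the switch names use a plain hyphen.

```powershell
# Added example, not part of the original article: the Step 2.1 and 2.2
# configuration done with the Hyper-V PowerShell module instead of the GUI.
# The NIC names, VM name and ISO path are assumptions; list your NICs with
# Get-NetAdapter and adjust them before running.
$internetNic  = 'Ethernet 1'             # assumed: NIC patched to the DSL router
$corporateNic = 'Ethernet 2'             # assumed: NIC patched to the internal network
$vmName       = 'SophosUTM'              # assumed VM name
$isoPath      = 'C:\ISO\sophos-utm.iso'  # assumed: the ISO downloaded in Step 1
$vhdPath      = "C:\Hyper-V\$vmName\$vmName.vhdx"

# Step 2.1: two External switches (both bound to a physical NIC).
# Only the corporate switch is shared with the management OS, so the host
# never has an address on the Internet-facing side of the firewall.
New-VMSwitch -Name 'External - Internet' -NetAdapterName $internetNic -AllowManagementOS $false
New-VMSwitch -Name 'Internal - Corporate' -NetAdapterName $corporateNic -AllowManagementOS $true

# Step 2.2: Generation 1 VM, 4 vCPU, 4 GB static RAM, 127 GB dynamic VHDX.
New-VM -Name $vmName -Generation 1 -MemoryStartupBytes 4GB `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 127GB -SwitchName 'Internal - Corporate'
Set-VM -Name $vmName -ProcessorCount 4 -StaticMemory

# New-VM created one adapter on the corporate switch; name it and add the second.
Rename-VMNetworkAdapter -VMName $vmName -Name 'Network Adapter' -NewName 'Internal'
Add-VMNetworkAdapter -VMName $vmName -Name 'External' -SwitchName 'External - Internet'

# Attach the installer ISO as a DVD drive and boot from it first (Step 3).
Add-VMDvdDrive -VMName $vmName -Path $isoPath
Set-VMBios -VMName $vmName -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Dynamic MAC addresses are allocated at first start; after Start-VM, this
# table lets you match eth0/eth1 in the installer to the right switch (Step 3).
Start-VM -Name $vmName
Get-VMNetworkAdapter -VMName $vmName | Select-Object Name, SwitchName, MacAddress
```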
Step 3 – UTM Installation
Start up the virtual machine and connect to it with the console. By default the VM will boot from the attached ISO (see step 2.2 above).
- Press Enter to start the installation
- Select Start
Make a note of which eth (Ethernet adapter) is associated with which virtual network adapter.
- Select your keyboard layout (such as English USA)
- Select your Area
- Select your Timezone
Make sure these settings are correct in relation to your domain.
Select which interface you will use to access the Web admin user interface. This is normally your internal network.
- Select eth0
- Specify the IP address details
- Select Yes to install with a 64Bit Kernel
- Select Yes to install the enterprise toolkit
- Confirm that the virtual disk can be partitioned
- Wait for the install to complete
Make a note of the IP address and Port as you will use this from your browser to access the Web Admin interface moving forward.
This completes the build section. If you are using a virtual machine this is a good place to take a snapshot or create a checkpoint.
Step 4 – Initial Configuration Wizard
You are now ready to start up your UTM for the first time. If you are still viewing this process from the console window you will see the following when the machine restarts. It simply shows a white screen while it boots.
Pressing F2 will show you the boot up details.
If all the steps have been completed successfully, there should be no errors during start-up. In case you missed it, the web admin URL is listed at the bottom of the screen.
From now on you will stop using the console to work directly on the virtual machine. According to my source at Sophos, one of the UTM design goals is to never require an administrator to use anything other than the web interface.
Step 5 – Sophos UTM's Initial Configuration Wizard
Open your favourite browser and connect to the specified management URL.
- Specify the Hostname of the UTM
- Specify Company name
- City
- Country
- Admin password
- Admin email account
- Check the “I accept the license agreement” check box
- Click Perform basic system setup
As part of the wizard you will be logged off.
- Log in with your new credentials
- Select Continue with the wizard and click Next
- Check your mailbox for the attached license file from Sophos.
- Save it locally on your machine
- Click the folder icon and select the file
- Click Next
- Here you specify the internal IP address of the UTM device as well as the subnet.
Only if you do not already have DHCP enabled should you check the Enable DHCP server box.
The Internet Uplink you select is determined by the kind of internet connection available. In this setup, I have a DSL connection with a fixed public IP address.
I am starting with just a basic web surfing configuration.
- Check the Web check box
- Click Next
To make it easier to check that your UTM is up and running, enable the ping options. These can be turned off later.
- For Intrusion Prevention, select the options relevant to your environment
- Click Next
- Enable Network Visibility
- Click Next
- Check the web categories you want to filter
- Click Next
It is a good idea to also filter additional categories to make it easier to test your deployment. You want to be able to access websites through the proxy but also know that it will filter URLs correctly. These can always be changed afterwards.
- Click Finish to complete this section.
Step 6 – Additional Post Deployment Steps
By this stage you should have a proxy that works fine for everything on its own internal subnet. If you have a small network deployment that only has one subnet you can skip this step.
Step 6.1 Create a static Route
To allow clients from other subnets to also be able to connect and use the proxy, you need to add a static route so that all internal traffic is routed correctly through the internal interface.
Routing basics: A machine can only have one default route. If the machine does not know where to route traffic, it will use that route. Since the UTM has two interfaces, one will be the default. This is always the external interface because it routes everything to the internet.
You therefore need to manually configure it to send any traffic destined for the internal network via the internal interface. Here’s how to do it:
- Select Interfaces & Routing
- Select Static Routing
- Click + New Static Route
- Route Type will be Gateway Route
- Click + next to Network to create a new network definition with the following settings:
- Name: Internal Corporate
- Type: Network
- IPV4 Address: 10.0.0.0
- Netmask: /8 255.0.0.0
- Click Save
- Click + next to Gateway to create another network definition with the following settings:
- Name: Internal Gateway
- Type: HOST
- IPv4 Address: (your internal subnet’s gateway)
- Click Save
Once this is configured, the internal traffic should now route correctly through the internal interface. Your static routing settings should now look like the following image.
You can use the Support tools to check with ping and traceroute.
Step 6.2 - Configure proxy
The next thing that needs to happen is that the proxy functionality needs to be configured.
- Select Web Protection | Web filtering
By default the allowed Network only includes the subnet that the UTM is on.
- Click the folder next to Allowed Networks
- Select and drag the Internal Corporate Network object we created earlier into the Allowed networks Box.
- Next, change the proxy mode from Transparent to Standard Mode
- Click Apply
You are nearly there!
Step 7 - Configure a browser
To use the UTM, you need to configure your browser’s proxy settings.
Each browser is slightly different, but all have an option to specify a manual proxy configuration. Specify the Sophos UTM's management IP address and port 8080.
You should be able to surf the Internet from anywhere within your corporate network. URL filtering should also prevent you from accessing sites blocked according to the specified categories.
With your Sophos UTM now configured, it is another great time to take a snapshot of your VM.
Don't Forget Reporting!
With the Web Filtering feature enabled, you now also have a great way of reporting on outbound web access across your organization using Fastvue Sophos Reporter. Just install Sophos Reporter on a new server or VM, add the new server as a syslog server in Logging and Reporting | Log Settings, and select the Web Filtering logs.
You'll start seeing your real time web traffic in a range of dashboards, be able to run detailed Overview and Activity Reports, and configure custom alerts.
Check out the Getting Started guide for more information.
Summary
If you have followed through the guide above, you should now have a fully functional Sophos UTM up and running, and you can start playing with all the other great features such as Application Control, IPS, Remote Access, Web Application Firewall and more.
I hope you have found this guide useful for getting your Sophos UTM basic configuration up and running. If you ran into any issues, please let me know in the comments!
Hi Etienne, I think you may have made an error with the Hyper-V network setup above. Should it not be “the internal switch is facing internal, therefore connection type is Internal (not External)”? Thanks for the great post.
Step 2.1 Configuring Host networking
Two virtual switches need to be created.
- The internal network facing virtual switch is named Internal – Corporate
- The connection type is External and the relevant NIC is selected
- This virtual switch is checked to “Allow management operating system to share this network adapter”
Hi Warren
Thanks for raising that question.
The terminology for the switch type is from Hyper-V. There are three kinds of switch type.
External
These refer to connections that connect to an actual physical network adapter on the host. This gives access to the network external to the host.
Internal
This refers to a switch that can be shared by virtual machines inside the host. One VM can network to another without physically breaking out of the host.
Private
Similar to internal but isolated.
But yes, even when writing this article, it felt very wrong to call a connection that terminates on your internal network an “external connection”, especially in the context of a firewall. If you consider that it is from the Hyper-V host's perspective it makes a bit more sense. The article is correct – even though it sounds a little odd :)
Hi Etienne
Have you installed the Sophos UTM on Hyper-V with intra-VLAN routing done by the switch? I have this setup but am struggling a bit. I’ve set up the internal NIC as an Ethernet VLAN, given the correct VLAN ID and have the switch port tagged with the multiple VLANs.
Thanks for the great posts.
Hi Ren
I am not sure what you are trying to accomplish here. Because there are both a physical and a virtual switch in play here, you need to specify where you are attempting to do what.
I am going to take a guess here but hopefully it covers what you are after.
When a Hyper-V host’s physical NIC is attached to a virtual switch, it changes the mode from access to trunk.
Access mode only allows for a single VLAN to be used; as such, it does not have to be tagged.
Trunk mode allows for multiple VLANs and therefore requires the traffic to be tagged, or it will default down to a single VLAN.
If you can explain what your requirement is and what your network constraints are I can hopefully give you a better answer.
Regards
Etienne
[…] running on Hyper-V, but you can apply the same concepts for VMWare. See my article on deploying Sophos UTM on Hyper-V for a detailed guide on getting started on […]
[…] a virtual router Fastvue Sophos Reporter How to Deploy Sophos UTM on Hyper-V in 7 Simple Steps: http://fastvue.co/sophos/blog/how-to-deploy-sophos-utm-on-hyper-v-in-7-simple-steps/ So far it’s not as simple as that leads one to think it is. I obviously have […]
For me Sophos on Hyper-V has network issues. I have tried using both a normal adapter and a legacy adapter but it didn’t work.
Is there any advice to see what’s wrong and why I can’t reach or ping the network? I have tried formatting the machine 3 times to no avail.
Thanks
Hi Mohammed
You need to go to the advanced properties of the network adapter and enable MAC address spoofing. This is normally the issue with this sort of problem. The other bit to check is that you have the correct VLANs assigned and tagged on the Hyper-V interface.
Etienne
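As an added example (not Etienne's own commands), this PowerShell reports the two settings mentioned in the reply above for each adapter of the UTM VM and then applies them; the VM name, adapter name and VLAN ID are assumptions.

```powershell
# Added example, not from the original post: report the settings Etienne
# points at (MAC address spoofing, VLAN tagging) for every adapter of the
# UTM VM, then apply the fixes. VM name, adapter name and VLAN ID are
# assumptions; replace them with your own.
$vmName       = 'SophosUTM'   # assumed VM name
$internalNic  = 'Internal'    # assumed name of the adapter on Internal - Corporate
$internalVlan = 10            # placeholder: the VLAN ID of your internal subnet

# 1. Current state of each adapter, one row per adapter.
foreach ($nic in Get-VMNetworkAdapter -VMName $vmName) {
    $vlan = Get-VMNetworkAdapterVlan -VMNetworkAdapter $nic
    [pscustomobject]@{
        Adapter     = $nic.Name
        Switch      = $nic.SwitchName
        MacSpoofing = $nic.MacAddressSpoofing   # Off by default
        VlanMode    = $vlan.OperationMode       # Untagged, Access or Trunk
        AccessVlan  = $vlan.AccessVlanId
    }
}

# 2. Enable MAC address spoofing on both UTM adapters (the GUI "advanced
#    properties" setting from the reply above).
Get-VMNetworkAdapter -VMName $vmName | Set-VMNetworkAdapter -MacAddressSpoofing On

# 3. If the physical switch port carries tagged VLANs, put the internal
#    adapter in access mode on the internal VLAN so its frames are tagged.
Set-VMNetworkAdapterVlan -VMName $vmName -VMNetworkAdapterName $internalNic -Access -VlanId $internalVlan
```

Run the first loop again afterwards to confirm MacSpoofing shows On and the internal adapter reports Access mode with the expected VLAN.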
Hi,
I tried your proposal but I still cannot get the network interface to work properly. The connection gets lost. I'm using 9.309.
Thanks
Hi Martin
I am assuming your connection is lost from your “outside network”, as in the physical network outside of Hyper-V. This could be due to a network driver issue in the Hyper-V stack itself. I had a similar issue with a Dell blade server on a converged FCoE adapter. The final solution to this was to disable SR-IOV on the adapter. You can do this with PowerShell: https://technet.microsoft.com/en-us/library/jj130914.aspx
You can test if this is the cause by spinning up another VM and connecting it to a private network just between your test machine and the UTM.
One last thing to try is to switch to using legacy network adapters on the UTM.
Let us know how you get on.
Hi,
After creating a new switch and enabling SR-IOV, it seems to work better on my “outside network”. But it is not working how it should work.
I configured two vSwitches (internal and external; I don’t need private, the server is hosted somewhere else). The internal vSwitch works fine, the external vSwitch loses the connection for some seconds. It is not possible to connect via VPN on the Sophos:
responding to Main Mode from unknown peer x.x.x.x:10952
NAT-Traversal: Result using RFC 3947: peer is NATed
max number of retransmissions (2) reached STATE_MAIN_R2
There is no Sophos problem, the network is not working properly… :(
Hi Etienne,
Great guide, thanks for publishing it.
Just got stuck on the 10.38.x.x network for the internal network. What functions as the gateway for this network?
I’m not able to access this from my Hyper-V host. I thought the Internal – Corporate would act as a virtual switch and have the IP span covering 10.38.x.x, but I can’t see any way for this.
What am I missing?
Aah on the switch. Nevermind! :)
[…] Liebetrau has already written a very clear and easy to follow blog on installing Sophos UTM in Hyper-V, and these steps are also very useful for installing Sophos UTM on a physical machine if you begin […]
[…] go into the installation of the UTM itself; anyone who needs help with the installation should look at this blog article […]
So I have a comment: I added a dual-port NIC just for this, but my server already has another dual-port NIC that I was using before for the VMs. Do I assign the Internal – Corporate for my VMs, or do I run that out to my switch and then back into my old NIC?
Thanks!
How do I set up DNAT? It is not working for me.
Thanks.
Hi,
Can the Sophos UTM act as a reverse proxy for Oracle E-Business Suite using the Web Server Protection?
Thanks!
Hi Sebastian
It depends on the Oracle deployment to some degree, but yes, it is possible and I have done so for one of my clients.
Regards
Etienne
[…] for a step-by-step installation guide you can refer to the following: How to Deploy Sophos UTM on Hyper-V in 7 Simple Steps, in which a VM with the following […] is used for the installation of Sophos UTM Home Edition