AL30 v9.2.65 - Architect Lab Workbook - UTM


  • AL30: UTM Page 1 of 57

    Sophos Certified Architect AL30: UTM Lab Workbook

    April 2014

    Version 9.2.65

  • Sophos Certified Architect

    AL30: UTM Page 2 of 57

    2014 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written consent of Sophos. Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the trademarks or registered trademarks of Sophos Limited or their respective owners. While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express or implied) as to its completeness or accuracy. This document is subject to change at any time without notice. Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.


    Contents

    Introduction .................................................................................................................................................. 7

    Prerequisites ............................................................................................................................................. 7

    Workbook conventions ............................................................................................................................. 7

    Lab environment ....................................................................................................................................... 7

    Lab 1: System configuration ....................................................................................................................... 11

    Objective ................................................................................................................................................. 11

    Requirements ......................................................................................................................................... 11

    Task 1 ...................................................................................................................................................... 11

    Task 2 ...................................................................................................................................................... 13

    Review ..................................................................................................................................................... 13

    Lab 2: Uplink Balancing ............................................................................................................................... 15

    Objective ................................................................................................................................................. 15

    Requirements ......................................................................................................................................... 15

    Task ......................................................................................................................................................... 15

    Review ..................................................................................................................................................... 16

    Lab 3: Multipath Rules ................................................................................................................................ 17

    Objective ................................................................................................................................................. 17

    Requirements ......................................................................................................................................... 17

    Task ......................................................................................................................................................... 17

    Review ..................................................................................................................................................... 18

    Lab 4: Quality of Service ............................................................................................................................. 19

    Objective ................................................................................................................................................. 19

    Requirements ......................................................................................................................................... 19

    Task 1 ...................................................................................................................................................... 19

    Task 2 ...................................................................................................................................................... 19

    Task 3 ...................................................................................................................................................... 20

    Review ..................................................................................................................................................... 20

    Lab 5: Authentication ................................................................................................................................. 21

    Objective ................................................................................................................................................. 21

    Requirements ......................................................................................................................................... 21


    Task 1 ...................................................................................................................................................... 21

    Task 2 ...................................................................................................................................................... 22

    Review ..................................................................................................................................................... 22

    Lab 6: Web protection ................................................................................................................................ 23

    Objective ................................................................................................................................................. 23

    Requirements ......................................................................................................................................... 23

    Note ........................................................................................................................................................ 23

    Task 1 ...................................................................................................................................................... 23

    Task 2 ...................................................................................................................................................... 24

    Task 3 ...................................................................................................................................................... 24

    Task 4 ...................................................................................................................................................... 25

    Review ..................................................................................................................................................... 27

    Lab 7: Email protection ............................................................................................................................... 28

    Objective ................................................................................................................................................. 28

    Requirements ......................................................................................................................................... 28

    Task 1 ...................................................................................................................................................... 28

    Task 2 ...................................................................................................................................................... 29

    Task 3 ...................................................................................................................................................... 29

    Task 4 ...................................................................................................................................................... 31

    Review ..................................................................................................................................................... 32

    Lab 8: Endpoint protection ......................................................................................................................... 33

    Objective ................................................................................................................................................. 33

    Requirements ......................................................................................................................................... 33

    Task 1 ...................................................................................................................................................... 33

    Task 2 ...................................................................................................................................................... 34

    Review ..................................................................................................................................................... 34

    Lab 9: Wireless protection .......................................................................................................................... 35

    Objective ................................................................................................................................................. 35

    Requirements ......................................................................................................................................... 35

    Task 1 ...................................................................................................................................................... 35

    Task 2 ...................................................................................................................................................... 36

    Task 3 ...................................................................................................................................................... 37


    Review ..................................................................................................................................................... 38

    Lab 10: Webserver protection .................................................................................................................... 39

    Objective ................................................................................................................................................. 39

    Requirements ......................................................................................................................................... 39

    Task 1 ...................................................................................................................................................... 39

    Task 2 ...................................................................................................................................................... 41

    Review ..................................................................................................................................................... 42

    Lab 11: RED ................................................................................................................................................. 43

    Objective ................................................................................................................................................. 43

    Requirements ......................................................................................................................................... 43

    Task ......................................................................................................................................................... 43

    Review ..................................................................................................................................................... 45

    Lab 12: Site-to-site VPN .............................................................................................................................. 46

    Objective ................................................................................................................................................. 46

    Requirements ......................................................................................................................................... 46

    Task 1 ...................................................................................................................................................... 46

    Task 2 ...................................................................................................................................................... 47

    Task 3 ...................................................................................................................................................... 48

    Review ..................................................................................................................................................... 49

    Lab 13: Remote access ................................................................................................................................ 50

    Objective ................................................................................................................................................. 50

    Requirements ......................................................................................................................................... 50

    Task ......................................................................................................................................................... 50

    Review ..................................................................................................................................................... 51

    Lab 14: Central management ..................................................................................................................... 52

    Objective ................................................................................................................................................. 52

    Requirements ......................................................................................................................................... 52

    Task 1 ...................................................................................................................................................... 52

    Task 2 ...................................................................................................................................................... 54

    Task 3 ...................................................................................................................................................... 54

    Review ..................................................................................................................................................... 55

    Lab 15: High availability .............................................................................................................................. 56


    Objective ................................................................................................................................................. 56

    Requirements ......................................................................................................................................... 56

    Task ......................................................................................................................................................... 56

    Review ..................................................................................................................................................... 57


    Introduction

    These labs accompany the Sophos Certified Architect UTM course and form the practical part of the certification. You should complete each section of labs when directed to do so in the training.

    Throughout the labs there is information to be written down; you will require this information to pass the online assessment. We would recommend that you complete the course assessment while your lab environment is still active so that it is available for reference.

    Prerequisites

    To be able to complete these labs in the time suggested you should have the following prerequisites.

    Comprehensive knowledge of networking.

    Experience in installing and replacing network gateways and firewalls in production environments.

    Sophos Certified Engineer level knowledge of Sophos UTM.

    The following optional prerequisite knowledge would be beneficial but is not required.

    Experience using Linux command line tools.

    Workbook conventions

    This workbook uses the following conventions throughout.

    At the start of each lab are the objectives of what you should learn and any requirements that must have been completed prior to starting the lab.

    Labs which cover larger topics are divided into several tasks. Each task has a short description followed by the steps that are required to complete the task.

    Short labs are presented as a single task.

    Throughout the guide the following styles are used:

    Bold text: Computer names, applications,

    Courier New font: Commands to be executed.

    Underlined: Hyperlinks.

    Lab environment

    These labs are designed to be completed on the hosted CloudShare environment; if you are not using CloudShare, for example if this course is being taught on a local environment, some details such as hostnames and IP addresses may vary.

    Your instructor will provide you with details of how to access the lab environment, and any localised changes.


    Environment overview

    The environment used to complete these labs is comprised of multiple computers and networks. This lab environment is based on the labs from the Certified Engineer course. Configuration created during the labs for that course is maintained in this environment, with the addition of two new virtual machines: a second UTM gateway for the Lab Network and a Sophos UTM Manager.

    Lab Server This is the computer you connect to for the majority of the labs. It represents a computer on an internal company network. In this lab environment it is also the Active Directory server, mail server, web server and DNS server.

    Throughout this workbook this will be referred to as LabServer.

    Lab Network This is the internal company network for your lab.

    Secondary Link This network provides a second Internet link.

    Sophos UTM Manager This is an unconfigured virtual Sophos UTM Manager on the Lab Network.

    Throughout this workbook this will be referred to as SUM.

    Lab Gateway 1 This is the default gateway for the Lab Network. It has the configuration created during the Certified Engineer labs.

    Throughout this workbook this will be referred to as LabGateway1.

    Lab Gateway 2 This is an unconfigured virtual UTM which is the gateway and firewall for the Lab Network.

    Throughout this workbook this will be referred to as LabGateway2.

    External Network This network represents the Internet and provides access out to the real Internet. The gateway on this network is 192.168.1.254.

    Services This server is the DNS server for the external domains used by the Lab Network and Acme Corp Network. It is connected to both the External Network and Secondary Link networks.

    Throughout this workbook this will be referred to as Services.

    Acme Corp Gateway This is a virtual UTM which has the configuration created during the Certified Engineer labs.

    Throughout this workbook this will be referred to as AcmeCorpGateway.

    Acme Corp Network This is the internal company network of another company Acme Corp.

    Acme Corp Server This computer is the server for Acme Corp. It runs Active Directory, mail server, web server and DNS.

    Throughout this workbook this will be referred to as AcmeCorpServer.


    Network diagram


    User accounts

    The table below details the user accounts in the CloudShare lab environment.

    Username        Email                 Scope and privileges
    admin           [email protected]     Lab Gateway 1; built-in admin account
                    [email protected]
    administrator   [email protected]     Lab Domain; domain administrator
    JohnSmith       [email protected]     Lab Domain; domain user
    JaneDoe         [email protected]     Lab Domain; domain user
    readonly        n/a                   Lab Domain; domain user
    admin           [email protected]     Acme Corp Gateway; built-in admin account
                    [email protected]
    administrator   [email protected]     Acme Corp Domain; domain administrator
    TomJones        [email protected]     Acme Corp Domain; domain user

    All passwords are Sophos1985.


    Lab 1: System configuration

    Objective

    Upon completion of this section you will be able to:

    Complete the initial configuration of the UTM without using the setup wizard.

    Create a DHCP server on the UTM.

    Requirements

    No prerequisites.

    Task 1

    Complete the initial configuration of LabGateway2 without using the setup wizard.

    Steps

    On LabServer:

    1. Launch your browser and connect to the WebAdmin of LabGateway2 at https://172.16.1.151:4444.

    2. Complete the Basic System Setup.
    Hostname: lab-gw2.lab.external
    Company or Organization Name: Sophos
    City: Abingdon
    Country: Great Britain
    admin account password: Sophos1985
    admin account email address: [email protected]

    3. Log in to the WebAdmin of LabGateway2 as admin.

    4. On the Welcome to Sophos UTM page, click Cancel.

    5. Navigate to Interfaces & Routing | Interfaces and create and enable a New interface with the following configuration:
    Name: External (WAN)
    Type: Ethernet static
    Hardware: eth1
    IPv4 Address: 192.168.1.151
    Netmask: /24 (255.255.255.0)
    Default GW IP: 192.168.1.254

    6. Navigate to Network Services | DNS | Forwarders and create a new DNS Forwarder with the following configuration:
    Name: Lab DNS
    Type: Host
    IPv4 Address: 172.16.1.1

    7. Deselect the option Use forwarders assigned by ISP.

    8. Navigate to the Request Routing tab and create a New DNS Request Route with the following configuration:
    Domain: lab.internal
    Target Services: Lab DNS

    9. Navigate to Management | System Settings | Time and Date and configure the correct time, date and time zone.

    10. Remove all of the servers from the NTP Servers list and create a new NTP server with the following configuration:
    Name: Lab Active Directory
    Type: Host
    IPv4 Address: 172.16.1.1

    11. Navigate to Management | Shutdown/Restart and select to Restart (Reboot) the system now.

    12. Once LabGateway2 has rebooted, log in to the WebAdmin as admin.

    13. Navigate to Management | System Settings | Shell Access and Enable shell access.

    14. Remove Any from the Allowed networks and add Internal (Network).

    15. Set the passwords for the loginuser and root user to Sophos1985.

    16. Navigate to Management | WebAdmin Settings | Advanced and set the WebAdmin idle timeout to 3600 seconds.

    17. Select the HTTPS Certificate tab and import the WebAdmin CA Certificate.

    18. Change the hostname of the WebAdmin in the Regenerate WebAdmin certificate section to the internal hostname of LabGateway2 (gw2.lab.internal).

    19. Close and re-launch your browser, connect to the WebAdmin of LabGateway2 using the internal hostname gw2.lab.internal and log in as admin.

    20. Confirm that you no longer receive a certificate error in your browser.

    21. Navigate to Support | Tools and test that LabGateway2 is able to ping 8.8.8.8.

    22. Select the DNS Lookup tab and confirm that LabGateway2 can resolve the following hosts:
    www.sophos.com
    acme-gw.acme.external

    23. Navigate to Network Protection | Firewall and create and enable a new rule to allow web browsing with the configuration below:
    Sources: Internal (Network)
    Services: Web Surfing
    Destinations: Any

    24. Create and enable a new rule to allow DNS with the configuration below:
    Sources: Internal (Network)
    Services: DNS
    Destinations: Any

    25. Navigate to Network Protection | NAT and create and enable a new masquerading rule with the configuration below:
    Network: Internal (Network)
    Interface: External (WAN)
    Use address: >

    26. Create a backup called Architect Lab 1 on LabGateway2 and download it to the desktop of LabServer.

    Task 2

    Configure a DHCP server for the local Lab Network.

    Steps

    On LabServer:

    1. Log in to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Network Services | DHCP and create and enable a new DHCP server for the Internal network.
    Interface: Internal
    Range start: 172.16.1.1
    Range end: 172.16.1.100
    DNS Server 1: 172.16.1.101
    DNS Server 2: 172.16.1.151
    Default gateway: 172.16.1.101
    Domain: lab.internal
    Comment: Lab 1

    3. Open a Command Prompt and run: ipconfig /all

    4. Write down the Physical Address for the interface with the IP address on the Lab Network:

    __________________________________________________________________________________

    5. In the LabGateway1 WebAdmin, navigate to Definitions & Users | Network Definitions and edit the LabServer host definition by adding the MAC address to the DHCP Settings and selecting the Internal [172.16.1.1-172.16.1.100] IPv4 DHCP server.

    6. Reconfigure the interface that is connected to the Lab Network to get its network settings via DHCP.

    7. In the LabGateway1 WebAdmin, navigate to Network Services | DHCP and launch and review the DHCP Live Log.

    8. Create a backup called Architect Lab 1 on LabGateway1 and download it to the desktop of LabServer.
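    Steps 2 to 7 combine a dynamic range (172.16.1.1 to 172.16.1.100) with a static mapping that pins LabServer's MAC address to 172.16.1.1, which is why switching LabServer to DHCP in step 6 leaves its address unchanged. The Python model below is an added example and is not part of the workbook or of Sophos UTM. The MAC addresses in it are constructed, and its allocation order (lowest free address first) is a choice made for the model, not a statement about how the UTM's DHCP server allocates.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict

# Options handed out with every lease, taken from the Lab 1 Task 2 configuration.
LAB_OPTIONS = {
    "dns_servers": ["172.16.1.101", "172.16.1.151"],
    "default_gateway": "172.16.1.101",
    "domain": "lab.internal",
}


def normalise_mac(mac: str) -> str:
    """Accept the 'Physical Address' form printed by ipconfig /all (00-15-5D-..)
    or the colon form used on Linux and return a canonical lower-case colon form."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 or not all(c in "0123456789abcdef" for c in p) for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(parts)


@dataclass
class DhcpScope:
    range_start: str
    range_end: str
    options: Dict[str, object]
    reservations: Dict[str, str] = field(default_factory=dict)  # MAC -> fixed address
    leases: Dict[str, str] = field(default_factory=dict)        # MAC -> leased address

    def __post_init__(self) -> None:
        self._lo = int(ipaddress.IPv4Address(self.range_start))
        self._hi = int(ipaddress.IPv4Address(self.range_end))
        if self._lo > self._hi:
            raise ValueError("range start is after range end")

    def in_range(self, ip: str) -> bool:
        return self._lo <= int(ipaddress.IPv4Address(ip)) <= self._hi

    def reserve(self, mac: str, ip: str) -> None:
        """Static mapping (the DHCP Settings on a host definition): this MAC always
        receives the same address, which must lie inside the server's range."""
        mac = normalise_mac(mac)
        if not self.in_range(ip):
            raise ValueError(f"{ip} is outside {self.range_start}-{self.range_end}")
        if ip in self.reservations.values() and self.reservations.get(mac) != ip:
            raise ValueError(f"{ip} is already reserved for another MAC")
        self.reservations[mac] = ip

    def offer(self, mac: str) -> Dict[str, object]:
        """Return the lease a client with this MAC would be offered."""
        mac = normalise_mac(mac)
        if mac in self.leases:                   # renewal keeps the existing address
            return self._lease(mac, self.leases[mac])
        if mac in self.reservations:             # reserved hosts never draw from the pool
            return self._lease(mac, self.reservations[mac])
        taken = set(self.leases.values()) | set(self.reservations.values())
        for n in range(self._lo, self._hi + 1):  # lowest free address in the range
            ip = str(ipaddress.IPv4Address(n))
            if ip not in taken:
                return self._lease(mac, ip)
        raise RuntimeError("DHCP range exhausted")

    def _lease(self, mac: str, ip: str) -> Dict[str, object]:
        self.leases[mac] = ip
        return {"ip": ip, **self.options}


def lab_scope(labserver_mac: str) -> DhcpScope:
    """The Internal scope from steps 2 and 5, with LabServer pinned to 172.16.1.1."""
    scope = DhcpScope("172.16.1.1", "172.16.1.100", LAB_OPTIONS)
    scope.reserve(labserver_mac, "172.16.1.1")
    return scope


if __name__ == "__main__":
    scope = lab_scope("00-15-5D-12-34-56")        # constructed MAC, not a real lab value
    print(scope.offer("00:15:5d:aa:aa:01"))       # another client is offered 172.16.1.2
    print(scope.offer("00-15-5D-12-34-56"))       # LabServer is still offered 172.16.1.1
```

    The check worth keeping from this is the one in reserve: a static mapping outside the server's range is rejected before it is saved, which is the mistake that would otherwise only show up in the DHCP Live Log of step 7.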

    Review

    You have now successfully:

    Completed the initial configuration of a UTM without using the setup wizard.

    Created a DHCP server on a UTM.


    Lab 2: Uplink Balancing

    Objective

    Upon completion of this section you will be able to configure uplink balancing with multiple active interfaces and with standby interfaces.

    Requirements

    No prerequisites.

    Task

    Create a second external interface on LabGateway1 with a default gateway then configure uplink balancing.

    Steps

    On LabServer:

    1. Log in to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Interfaces & Routing | Interfaces and create and enable a second external interface with the following configuration:
    Name: Uplink 2
    Type: Ethernet static
    Hardware: eth2
    IPv4 Address: 192.168.3.101
    Netmask: /24 (255.255.255.0)
    Default GW IP: 192.168.3.254

    3. Enable Uplink Balancing when prompted.

    4. Select the Uplink balancing tab and configure the Uplink 2 interface to be a standby interface.

    5. Select the Interfaces tab and confirm that Uplink 2 is now enabled but Down.

    6. Navigate to the Uplink balancing tab and disable Automatic Monitoring.

    7. Add a new monitoring host with the following configuration:
    Name: Services WAN network
    Type: Host
    IPv4 Address: 192.168.1.1

    8. Add a new monitoring host with the following configuration:
    Name: Services Secondary Link network
    Type: Host
    IPv4 Address: 192.168.3.1

    9. Edit the monitoring settings to use the configuration below:
    Monitoring type: HTTP Host
    URL: /
    Interval: 15
    Timeout: 5

    10. Navigate to the Dashboard and confirm that External (WAN) is Up and Uplink 2 is Down and in Standby.

    11. Launch Remote Desktop, connect to Services at 192.168.1.1 and log in as the administrator.

    12. Browse to Control Panel | Network and Internet | Network and Sharing Center | Change adapter settings.

    13. Right-click on Ethernet and click Disable, then close the Remote Desktop window.

    14. In the WebAdmin on LabGateway1, confirm that both External (WAN) and Uplink 2 are Up but that External (WAN) has a link error.

    15. Launch Remote Desktop, connect to Services at 192.168.3.1 and log in as the administrator.

    16. Right-click on Ethernet and click Enable, then close the Remote Desktop window.

    17. In the WebAdmin on LabGateway1, navigate to Interfaces & Routing | Interfaces and select the Uplink balancing tab.

    18. Enable Automatic monitoring and configure Uplink 2 to be an Active Interface.

    19. On the Dashboard confirm that all interfaces are Up and there are no errors.

    20. Create a backup called Architect Lab 2 on LabGateway1 and download it to the desktop of LabServer.
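    The dashboard states checked in steps 10, 14 and 19 follow from two settings made above: the role given to each interface on the Uplink balancing tab (active or standby) and the monitoring hosts probed with an HTTP Host check every 15 seconds with a 5-second timeout. The Python model below is an added example and not workbook or Sophos code; it reproduces those three observed states from constructed probe timings. Its rules, that a standby uplink stays Down until every active uplink is in error and that a reply slower than the timeout counts as a failed probe, are inferred from the behaviour the steps describe, and it evaluates one round of probes at a time rather than scheduling them on the interval.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Uplink:
    name: str
    role: str          # "active" or "standby", as set on the Uplink balancing tab
    monitor_host: str  # probed instead of the default gateway once Automatic Monitoring is off


@dataclass
class MonitorSettings:
    kind: str = "HTTP Host"
    url: str = "/"
    interval: int = 15  # seconds between probe rounds (recorded, not scheduled, by this model)
    timeout: int = 5    # a reply slower than this counts as a failed probe


class UplinkBalancer:
    """Works out the dashboard state of each uplink from one round of probes.
    Behaviour inferred from Lab 2: an active uplink is always Up, flagged with a
    link error when its monitor host does not answer; a standby uplink is held
    Down until every active uplink is in error, and only then brought Up."""

    def __init__(self, uplinks: List[Uplink], monitor: MonitorSettings):
        self.uplinks = {u.name: u for u in uplinks}
        self.monitor = monitor

    def set_role(self, name: str, role: str) -> None:
        if role not in ("active", "standby"):
            raise ValueError(f"unknown role {role!r}")
        self.uplinks[name].role = role

    def probe_ok(self, response_seconds: Optional[float]) -> bool:
        """True when the HTTP request for `url` to the monitor host was answered in time."""
        return response_seconds is not None and response_seconds <= self.monitor.timeout

    def evaluate(self, responses: Dict[str, Optional[float]]) -> Dict[str, str]:
        """responses maps uplink name -> seconds until the monitor host answered,
        or None when it never did."""
        ok = {name: self.probe_ok(responses.get(name)) for name in self.uplinks}
        active_healthy = any(ok[n] for n, u in self.uplinks.items() if u.role == "active")
        status = {}
        for name, uplink in self.uplinks.items():
            if uplink.role == "standby" and active_healthy:
                status[name] = "Down (Standby)"
            else:
                status[name] = "Up" if ok[name] else "Up (link error)"
        return status

    def usable(self, responses: Dict[str, Optional[float]]) -> List[str]:
        """Uplinks traffic is balanced over right now: Up and without a link error."""
        return [name for name, state in self.evaluate(responses).items() if state == "Up"]


def lab_balancer() -> UplinkBalancer:
    """Lab 2 as configured in steps 4 and 7 to 9."""
    return UplinkBalancer(
        [Uplink("External (WAN)", "active", "192.168.1.1"),
         Uplink("Uplink 2", "standby", "192.168.3.1")],
        MonitorSettings(interval=15, timeout=5),
    )


def lab2_walkthrough() -> List[Dict[str, str]]:
    """Replays the states checked in steps 10, 14 and 19 from constructed probe timings."""
    balancer = lab_balancer()
    healthy = {"External (WAN)": 0.3, "Uplink 2": 0.2}
    states = [balancer.evaluate(healthy)]                                        # step 10
    states.append(balancer.evaluate({"External (WAN)": None, "Uplink 2": 0.2}))  # step 14: 192.168.1.1 unplugged
    balancer.set_role("Uplink 2", "active")                                      # step 18
    states.append(balancer.evaluate(healthy))                                    # step 19
    return states


if __name__ == "__main__":
    for step, state in zip((10, 14, 19), lab2_walkthrough()):
        print(f"step {step}: {state}")
```

    The usable list is the part to watch when testing a monitoring host choice: a monitor host that answers, but only after the timeout, takes its uplink out of balancing just as a dead one does, so the 5-second timeout in step 9 needs to be comfortably above the normal response time of the hosts chosen in steps 7 and 8.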

    Review

    You have now successfully configured uplink balancing with multiple active interfaces and with standby interfaces.


    Lab 3: Multipath Rules

    Objective

    Upon completion of this section you will be able to:

    Create interface groups for routing.

    Create multipath rules to route different services using interface groups.

    Use tcpdump to confirm your multipath rules are working correctly.

    Requirements

    All instructions in Lab 2 must be completed successfully.

    Task

    Configure multipath rules on LabGateway1 which will route HTTP and FTP traffic out via different interfaces.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Network Protection | Firewall and add FTP to the Services in the Web Surfing firewall rule.

    3. Navigate to Interfaces & Routing | Interfaces | Multipath Rules and create and enable a new multipath rule with the following configuration:

    Name: Use Uplink 2 for HTTP

    Source: Internal (Network)

    Service: HTTP

    Destination: Any

    Itf. Persistence: by Connection

    Balanced to: create a new interface group with the following configuration:

    o Name: Uplink group 2

    o Interfaces: Uplink 2

    4. Launch Putty and connect to LabGateway1 using SSH.

    5. Login as loginuser then change to the root user using the command: su -

    6. Use tcpdump to monitor HTTP traffic on Uplink 2 using the command: tcpdump -i eth2 -n port 80

    7. Access the following URLs in your browser on LabServer and confirm that you can see that traffic in tcpdump:

    192.168.3.1

    www.sophos.com

    8. In the WebAdmin on LabGateway1 add and enable a new multipath rule with the following configuration:

    Name: Use Uplink 1 for FTP

    Source: Internal (Network)

    Service: FTP

    Destination: Any

    Itf. Persistence: by Connection

    Balanced to: create a new interface group with the following configuration:

    o Name: Uplink group 1

    o Interfaces: External (WAN)

    9. In your SSH session to LabGateway1, use tcpdump to monitor the FTP traffic on External (WAN) using the command: tcpdump -i eth1 -n port 21

    10. Launch FileZilla and connect to the following URLs:

    ftp.astaro.com

    11. Confirm that you can see that traffic in tcpdump.

    12. In the WebAdmin on LabGateway1, reverse the rules so that HTTP is now balanced to Uplink group 1 and FTP is balanced to Uplink group 2. Test your configuration using tcpdump.

    13. Disable your multipath rules.

    14. In the Uplink balancing tab, remove Uplink 2 from the Active interfaces and add it to the Standby interfaces.

    15. Create a backup called Architect Lab 3 on LabGateway1 and download it to the desktop of LabServer.

    Review

    You have now successfully:

    Created interface groups for routing.

    Created multipath rules to route different services using interface groups.

    Used tcpdump to confirm your multipath rules are working correctly.


    Lab 4: Quality of Service

    Objective

    Upon completion of this section you will be able to:

    Limit bandwidth for an interface.

    Shape traffic based on an application.

    Throttle traffic based on a protocol.

    Requirements

    No prerequisites.

    Task 1

    Enable quality of service on LabGateway1 and define a bandwidth limit on an interface.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Interfaces & Routing | Quality of Service (QoS) and enable quality of service for all interfaces.

    3. Edit the Internal interface and limit the download bandwidth to 100 kbit/s.

    4. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and edit the Default content filter action.

    5. Remove .exe from Blocked file extensions.

    6. Verify that the bandwidth limit is not being exceeded when downloading the file:

    http://global.services.external/Thunderbird%20Setup%2017.0.5.exe

    Task 2

    Use the Flow Monitor to create a rule that will shape the traffic for Facebook.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Web Protection | Application Control and open the Flow Monitor on the eth1 interface.

    3. Browse to http://www.facebook.com.

    4. In the Flow Monitor shape the traffic for Facebook to 10kbit/s and limit to 20kbit/s.

    5. In the WebAdmin, navigate to Interfaces & Routing | Quality of Service (QoS) and review the Traffic Selector and Bandwidth Pool that have been created.

    6. Write down the name of the Traffic Selector that has been created:

    __________________________________________________________________________________

    Task 3

    Use the Flow Monitor to create a rule that will throttle all HTTP traffic.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Web Protection | Application Control and open the Flow Monitor on the eth1 interface.

    3. Browse to http://www.sophos.com.

    4. In the Flow Monitor throttle the traffic for HTTP to 25kbit/s for each source.

    5. In the WebAdmin, navigate to Interfaces & Routing | Quality of Service (QoS) and review the Traffic Selector and Download Throttling that have been created.

    6. Disable the Download Throttling rule and Bandwidth Pool.

    7. Disable quality of service on all interfaces.

    8. Create a backup called Architect Lab 4 on LabGateway1 and download it to the desktop of LabServer.

    Review

    You have now successfully:

    Limited the bandwidth for an interface.

    Shaped traffic based on an application.

    Throttled traffic based on a protocol.


    Lab 5: Authentication

    Objective

    Upon completion of this section you will be able to configure:

    The Sophos Authentication Agent.

    One-time passwords.

    Requirements

    No prerequisites.

    Task 1

    Configure and test the Sophos Authentication Agent.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Definitions & Users | Authentication Services.

    3. Select all options in the Automatic user creation for facilities section.

    4. Navigate to Definitions & Users | Client Authentication and enable client authentication with the following configuration:

    Allowed networks: Internal (Network)

    Allowed Users and Groups: Active Directory Users.

    5. In the Client Authentication program section, download the EXE version and install it on LabServer.

    6. Use Putty on LabServer to login to LabGateway1 as the loginuser then change to the root user using the command:

    su -

    7. Follow the aua.log and endpoint.log files using the commands:

    cd /var/log

    tail -f aua.log endpoint.log

    8. Launch the client authentication program and test it with the Active Directory user JaneDoe.

    Note: do not save the password.

    9. Confirm that the user JaneDoe has been created on the UTM following successful authentication.

    10. Close the Sophos Authentication Agent.

    11. Write down the following information from the entries written to the aua.log and endpoint.log when you authenticated as JaneDoe:

    aua.log: user, caller and engine

    ____________________________________________________________________________

    endpoint.log: the name of the process that wrote to the log

    ____________________________________________________________________________

    Task 2

    Configure and test one-time passwords for the User Portal.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Definitions & Users | Authentication Services | One-time password and enable one-time passwords.

    3. Connect to the User Portal on LabGateway1 at https://gw1.lab.internal and login as johnsmith.

    4. Click Proceed with login.

    5. In the WebAdmin refresh the one-time passwords page.

    6. Edit the token for johnsmith and create additional codes.

    7. Write down one of the additional codes:

    _________________________________________________

    8. Login to the User Portal as johnsmith using the additional token code you wrote down.

    9. Go to the OTP Token tab and view the token information.

    10. Write down the encoding types your secret is displayed in:

    __________________________________________________________________________________

    __________________________________________________________________________________

    11. In the WebAdmin, disable one-time passwords.

    12. Create a backup called Architect Lab 5 on LabGateway1 and download it to the desktop of LabServer.

    Review

    You have now successfully configured:

    The Sophos Authentication Agent.

    One-time passwords.


    Lab 6: Web protection

    Objective

    Upon completion of this section you will be able to configure:

    Automatic proxy configuration via DHCP.

    File type blocking using MIME types.

    Full HTTPS decrypt and scan.

    Multiple profiles for different modes of authentication.

    Requirements

    All instructions in Lab 1 must be completed successfully.

    Note

    Use Internet Explorer for testing your configuration in this lab. Proxy auto-configuration via DHCP is unreliable in other browsers.

    Task 1

    Configure a proxy auto-configuration script.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Web Protection | Filtering Options | Misc and create and enable a proxy auto-configuration script on the UTM which returns DIRECT for the lab.internal network and returns LabGateway1 as the proxy for all other sites. Example:

    function FindProxyForURL(url, host)
    {
        // Local URLs from the domain lab.internal
        // don't need a proxy
        if (shExpMatch(host, "*.lab.internal"))
        {
            return "DIRECT";
        }

        // URLs within this network are local and don't
        // need a proxy
        if (isInNet(host, "172.16.1.0", "255.255.255.0"))
        {
            return "DIRECT";
        }

        // All other requests go through
        // port 8080 of gw1.lab.internal;
        // should that fail to respond, try to go direct
        return "PROXY gw1.lab.internal:8080; DIRECT";
    }

    3. Navigate to Network Services | DHCP and edit your DHCP server by enabling the option Enable HTTP Proxy Auto Configuration.

    4. Navigate to Network Protection | Firewall and remove Web Surfing from the Web Surfing and WebAdmin firewall rule.

    5. Release and renew your IP address on LabServer. This can be done using the command: ipconfig /release && ipconfig /renew

    6. Open Internet Explorer and confirm that:

    You are able to access http://www.sophos.com.

    http://www.games.com is blocked.
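To check what the script decides for each host before relying on it, the following added example (not from the workbook) runs the same FindProxyForURL logic under Node.js. The shExpMatch() and isInNet() stand-ins are assumptions that handle only glob patterns and IPv4 literals, whereas a browser resolves a hostname to an address before calling isInNet().

```javascript
// Added example (not from the Sophos workbook): evaluate the lab's PAC logic
// offline. Browsers supply shExpMatch()/isInNet(); the versions below are
// minimal stand-ins so the function can be exercised under Node.js.

// PAC shExpMatch(): shell-style glob where '*' and '?' are the only wildcards.
function shExpMatch(str, pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$').test(str);
}

// Dotted-quad IPv4 string to an unsigned 32-bit integer, or null if malformed.
function ip4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) return null;
    value = (value * 256) + Number(part);
  }
  return value;
}

// PAC isInNet(): true when host is an IPv4 literal inside pattern/mask.
// A real browser resolves hostnames to an address first; here a name that is
// not an IP literal returns false and falls through to the PROXY rule, which
// is the conservative outcome.
function isInNet(host, pattern, mask) {
  const h = ip4ToInt(host);
  const p = ip4ToInt(pattern);
  const m = ip4ToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// The workbook's PAC function, unchanged apart from layout.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, '*.lab.internal')) {
    return 'DIRECT';
  }
  if (isInNet(host, '172.16.1.0', '255.255.255.0')) {
    return 'DIRECT';
  }
  return 'PROXY gw1.lab.internal:8080; DIRECT';
}

// Evaluate a list of hosts and return {host: decision}.
function evaluatePac(hosts) {
  const decisions = {};
  for (const host of hosts) {
    decisions[host] = FindProxyForURL('http://' + host + '/', host);
  }
  return decisions;
}

// Constructed sample hosts from the lab network.
const SAMPLE_HOSTS = [
  'gw1.lab.internal',   // matches *.lab.internal -> DIRECT
  'lab.internal',       // bare domain: '*.' needs a dot, so it goes via the proxy
  '172.16.1.101',       // inside 172.16.1.0/24 -> DIRECT
  '192.168.3.1',        // outside the local subnet -> proxy
  'www.sophos.com',     // Internet -> proxy
];

console.log(evaluatePac(SAMPLE_HOSTS));
```

The trailing DIRECT in the PROXY string lets a browser bypass the proxy whenever it cannot reach gw1.lab.internal:8080, which is why step 4 removes Web Surfing from the firewall rule: a bypass attempt then fails closed at the firewall instead of going out unfiltered.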

    Task 2

    Configure and test blocking files using MIME-type blocking.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and edit the Default content filter action.

    3. Configure the filter action to warn for downloading of ZIP files based on MIME type.

    4. Write down the MIME type for ZIP files: _________________________________________________

    5. Try to download the test file from Services: http://192.168.1.1/zip.test

    Task 3

    Configure and enable Full decrypt and scan HTTPS scanning in the web filter.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Web Protection | Filtering Options | HTTPS CAs and Upload a new signing CA from the file c:\certs\lab-LAB-SERVER-CA.p12 with the password Sophos1985.

    3. Navigate to Web Protection | Web Filtering and select Decrypt and scan for HTTPS (SSL) traffic.

    4. Confirm that you do not get a certificate error when you access: https://www.google.co.uk

    5. View the details of the SSL certificate.

    6. Write down the signing certificate authority for the certificate your browser received when you accessed https://www.google.co.uk: ____________________________________________________

    Task 4

    Configure multiple web filtering profiles for different connection and authentication methods.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Definitions & Users | Users & Groups | Groups and add a new group with the following configuration:

    Group name: Contractors

    Group type: Backend membership

    Backend: Active Directory

    Limit to backend group(s) membership: selected

    Active Directory Groups: Contractors

    3. Add a new group with the following configuration:

    Group name: Domain Admins

    Group type: Backend membership

    Backend: Active Directory

    Limit to backend group(s) membership: selected

    Active Directory Groups: Domain Admins

    4. Navigate to Web Protection | Filtering Options | Categories and create a New filter category with the following configuration:

    Name: Business

    Included Sub-Categories: Business.

    5. Remove the Business sub-category from the Community / Education / Religion filter category.

    6. Navigate to Web Protection | Web Filtering Profiles | Filter Actions and create a new filter action with the following configuration:

    Name: Contractors

    Block all content, except as specified below

    Category:

    o IT: Allow

    o Business: Allow

    7. Navigate to Web Protection | Web Filtering Profiles and create a new profile with the following configuration:

    Name: Standard mode with AD SSO authentication.

    Allowed networks: Internal (Network)

    Operation mode: Standard

    Default Authentication: Active Directory SSO

    HTTPS (SSL) traffic: Decrypt and scan.

    8. In Web Protection | Web Filtering Profiles create a new profile with the following configuration:

    Name: Transparent mode with Browser authentication.

    Allowed networks: Internal (Network)

    Operation mode: Transparent

    Default Authentication: Browser

    HTTPS (SSL) traffic: Decrypt and scan.

    Policies: create and enable two new policies as below.

    o Policy 1:

    Name: Contractors

    Users/Groups: Contractors

    Filter Action: Contractors

    o Policy 2:

    Name: Domain Admins

    Users/Groups: Domain Admins

    Filter Action: Default content filter action

    o Base Policy:

    Filter Action: Default content filter block action

    9. Arrange the profiles with the Standard mode with AD SSO authentication at the top and Transparent mode with Browser authentication beneath it.

    10. Open the Web Filtering Live Log and review it while you follow the steps below to test your configuration.

    11. Configure the browser proxy settings as below:

    Proxy server: none

    Automatic proxy script: none

    Automatically detect settings: no

    12. In your browser try to connect to http://www.sophos.com and authenticate as ContractorBob.

    Note: be sure not to close the window with the logout button.

    13. Confirm that you are unable to access http://www.bbc.co.uk.

    14. Logout of the browser authentication as ContractorBob.

    15. In your browser try to connect to http://www.sophos.com and authenticate as Administrator.

    Note: be sure not to close the window with the logout button.

    16. Confirm that you are able to access http://www.bbc.co.uk.

    17. Logout of the browser authentication as Administrator.

    18. Change your browser settings to explicitly use the proxy server on port 8080.

    19. Browse to both http://www.sophos.com and http://www.bbc.co.uk and confirm you can access them without authenticating.

    20. Configure the browser proxy settings as below:

    Proxy server: none

    Automatic proxy script: none

    Automatically detect settings: no

    21. Navigate to Web Protection | Web Filtering Profiles and disable the Standard mode with AD SSO authentication and Transparent mode with Browser authentication profiles.

    22. Navigate to Web Protection | Web Filtering and configure the proxy settings as below:

    Operation mode: Transparent mode

    Default Authentication: None

    HTTPS (SSL) traffic: URL filtering only

    23. Create a backup called Architect Lab 6 on LabGateway1 and download it to the desktop of LabServer.

    Review

    You have now successfully configured:

    Automatic proxy configuration via DHCP.

    File type blocking using MIME types.

    Full HTTPS decrypt and scan.

    Multiple profiles for different modes of authentication.


    Lab 7: Email protection

    Objective

    Upon completion of this section you will be able to configure:

    End user sender blacklists through the User Portal and WebAdmin.

    SMTP profiles for additional domains which override elements of the default SMTP configuration.

    Email encryption using OpenPGP.

    Email encryption using S/MIME.

    Requirements

    No prerequisites.

    Task 1

    Block an email using the per user sender blacklists in the User Portal.

    Steps

    On LabServer:

    1. Connect to the User Portal on LabGateway1 and login as administrator.

    2. On the Sender Blacklist tab add *[email protected] to the Sender Blacklist.

    Note: ensure that you include the * as this is required for the email address to match with BATV enabled.

    On AcmeCorpServer:

    3. Launch Thunderbird and send a test email from [email protected] to [email protected].

    On LabServer:

    4. Login to the User Portal of LabGateway1 as administrator.

    5. Select the Mail Log tab and review the entry for the test email.

    6. Select the Mail Quarantine tab and write down why the test email was quarantined from the Reason column:

    __________________________________________________________________________________

    7. First view, then release the email and confirm that you received it.

    8. In the LabGateway1 WebAdmin, navigate to Definitions & Users | Users & Groups.

    9. Edit the Administrator user and view the Sender Blacklist.

    10. Add *@services.external to the Sender Blacklist.

    Task 2

    Configure an additional SMTP profile for a different email domain.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Email Protection | SMTP and change the SMTP proxy to Profile mode.

    3. Navigate to Email Protection | SMTP Profiles and add and enable a new SMTP Profile with the following configuration:

    Profile Name: sophos.external domain

    Domains: sophos.external

    Blocked Expressions: Use individual settings defined below

    Blocked Expressions: create a regular expression to match a string of 16 numbers which may optionally have a space between each block of 4 digits, similar to a credit card number. E.g., \b([0-9]{4}\s?){4}\b

    On AcmeCorpServer:

    4. Launch Thunderbird and send an email from administrator to [email protected] containing the string 1234 5678 9012 3456.

    5. Review the SMTP Live Log and write down the reason it was quarantined:

    __________________________________________________________________________________

    On LabServer:

    6. Connect to the WebAdmin of LabGateway1.

    7. Launch the Mail Manager and release the email from the quarantine.

    8. Identify the message ID for the email from the SMTP Log in the Mail Manager.

    9. Launch Putty and connect to LabGateway1 via SSH.

    10. Login as the loginuser then change to the root user using the command: su -

    11. Change to the log directory using the command: cd /var/log

    12. Search the SMTP log (smtp.log) for entries containing the message ID using the following command: grep xxxxxxxxxxxxxxxx smtp.log

    Note: where xxxxxxxxxxxxxxxx is replaced with the message ID you identified in step 8.
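The blocked expression from step 3 of this task matches on shape alone, so it is worth exercising before it goes into a profile. The script below is an added example, not part of the Sophos workbook: it runs the page's regex over constructed message bodies and adds a Luhn mod-10 check (an assumption; the UTM applies only the regex) to show which hits would be well-formed card numbers and which separators the expression does not cover.

```javascript
// Added example (not from the Sophos workbook): exercise the lab's blocked
// expression against constructed message bodies. The UTM matches the regex
// only; the Luhn check is added here to separate well-formed card numbers
// from any other 16-digit run (order or tracking numbers, for instance).
const CARD_LIKE = /\b([0-9]{4}\s?){4}\b/g;   // the workbook's expression

// Luhn mod-10 check over a string of decimal digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Return every regex hit in the text with its bare digits and Luhn result.
// Note the trailing \s? can swallow a space after the last group, so the raw
// match may end in whitespace; the digits field strips it.
function findCardLike(text) {
  const hits = [];
  for (const m of text.matchAll(CARD_LIKE)) {
    const digits = m[0].replace(/\s/g, '');
    hits.push({ match: m[0], digits, luhn: luhnValid(digits) });
  }
  return hits;
}

// Constructed message bodies. 4111 1111 1111 1111 is the well-known test PAN;
// none of these are real account numbers.
const SAMPLES = {
  lab:      'Please charge 1234 5678 9012 3456 for the order.',
  testPan:  'Card on file: 4111111111111111, expiry 12/29.',
  tracking: 'Parcel 12345678901234567 dispatched today.',      // 17 digits: no hit
  twoForms: 'old 4111 1111 1111 1111 new 1234-5678-9012-3456', // hyphens: no hit
};

// Summarise hits per sample as "digits:luhn-ok" / "digits:luhn-fail".
function summarize(samples) {
  const out = {};
  for (const [name, body] of Object.entries(samples)) {
    out[name] = findCardLike(body).map(
      (h) => `${h.digits}:${h.luhn ? 'luhn-ok' : 'luhn-fail'}`
    );
  }
  return out;
}

console.log(summarize(SAMPLES));
```

The twoForms sample shows the coverage gap of the lab expression as written: \s? admits only whitespace between groups, so a hyphen-separated number passes through untouched.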

    Task 3

    Configure and test email encryption between two UTMs using OpenPGP.


    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Email Protection | Encryption and enable email encryption.

    3. On the Internal Users tab create a New email encryption user with the following configuration:

    Email Address: [email protected]

    Full Name: Administrator (Lab)

    4. Download the OpenPGP public key.

    5. Launch Thunderbird and email the OpenPGP public key to [email protected].

    On AcmeCorpServer:

    6. Login to the WebAdmin of AcmeCorpGateway as admin.

    7. Navigate to Email Protection | Encryption and enable email encryption.

    8. On the Internal Users tab create a New email encryption user with the following configuration:

    Email Address: [email protected]

    Full Name: Administrator (Acme)

    9. Download the OpenPGP public key.

    10. Launch Thunderbird and email the OpenPGP public key to [email protected].

    11. In the AcmeCorpGateway WebAdmin, select the OpenPGP Public Keys tab.

    12. Use the New public OpenPGP key(s) option to import the key from [email protected].

    On LabServer:

    13. Connect to the LabGateway1 WebAdmin.

    14. Select the OpenPGP Public Keys tab.

    15. Use the New public OpenPGP key(s) option to import the key from [email protected].

    16. Launch Thunderbird and send an email to [email protected].

    On AcmeCorpServer:

    17. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in the subject line.

    18. Write down the subject line tag:

    __________________________________________________________________________________

    19. Send an email to [email protected].

    On LabServer:

    20. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in the subject line.

    Task 4

    Configure and test email encryption between two servers using S/MIME.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Email Protection | Encryption and download the S/MIME CA Certificate.

    3. On the Internal Users tab create a New email encryption user with the following configuration:

    Email Address: [email protected]

    Full Name: John Smith (Lab)

    4. Launch Thunderbird and email the S/MIME certificate from [email protected] to [email protected].

    On AcmeCorpServer:

    5. Login to the WebAdmin of AcmeCorpGateway as admin.

    6. Navigate to Email Protection | Encryption and download the S/MIME CA Certificate.

    7. On the Internal Users tab create a New email encryption user with the following configuration:

    Email Address: [email protected]

    Full Name: Tom Jones (Acme)

    8. Launch Thunderbird and email the S/MIME certificate from [email protected] to [email protected].

    9. Save the S/MIME certificate from John Smith as lab-smime.pem.

    10. In the AcmeCorpGateway WebAdmin, select the S/MIME Authorities tab and upload the lab-smime.pem certificate.

    On LabServer:

    11. Save the S/MIME certificate from Tom Jones as acme-smime.pem.

    12. In the LabGateway1 WebAdmin, select the S/MIME Authorities tab and upload the acme-smime.pem certificate.

    13. In Thunderbird send an email from [email protected] to [email protected].

    On AcmeCorpServer:

    14. Confirm you received the email and that it was signed by the tag in the subject line.

    15. Write down the subject line tag:

    __________________________________________________________________________________

    16. In the AcmeCorpGateway WebAdmin, select the S/MIME Certificates tab and confirm that John Smith's certificate has been extracted.

    17. Send an email to [email protected].

    On LabServer:

    18. Launch Thunderbird and confirm that you received the email and that it was encrypted by the tag in the subject line.

    19. Write down the subject line tag:

    __________________________________________________________________________________

    20. In the LabGateway1 WebAdmin, select the S/MIME Certificates tab and confirm that Tom Jones' certificate has been extracted.

    21. Create a backup called Architect Lab 7 on LabGateway1 and download it to the desktop of LabServer.

    Review

    You have now successfully configured:

    End user sender blacklists through the User Portal and WebAdmin.

    SMTP profiles for additional domains which override elements of the default SMTP configuration.

    Email encryption using OpenPGP.

    Email encryption using S/MIME.


    Lab 8: Endpoint protection

    Objective

    Upon completion of this section you will:

    Know where to look to monitor communication between an endpoint and UTM via LiveConnect.

    Be able to configure antivirus exclusions.

    Requirements

    No prerequisites.

    Task 1

    Explore the logging of communication between the endpoint and UTM via LiveConnect.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Management | System Settings | Reset Configuration and click Reset UTM ID.

    3. Navigate to Endpoint Protection | Computer Management.

    4. Enable Endpoint Protection and click Activate Endpoint Protection.

    5. Select the Advanced tab.

    6. In the Tamper Protection section set the password to Sophos1985 and click Apply.

    7. Select the Deploy Agent tab.

    8. Click Download Endpoint Installation Package Now.

    9. Once it has downloaded run the installer.

    10. On the Welcome to the Sophos Endpoint Security and Control Installer screen click Next.

    11. On the Remove third-party security software screen click Install.

    12. On the Install is complete screen click Finish.

    13. In the WebAdmin navigate to Endpoint Protection.

    14. Confirm that the LabServer is registered and online.

    15. Browse to:

    C:\ProgramData\Sophos\Management Communications System\Endpoint\Config

    16. Write down what configuration is included in the config.xml by default:

    __________________________________________________________________________________

    17. Browse to:

    C:\ProgramData\Sophos\Management Communications System\Endpoint\Persist

    18. Open the EndpointIdentity.txt file then keep this file open while you do the following steps.

    19. Launch Sophos Endpoint Security and Control and authenticate with Tamper Protection.

    20. Login to the WebAdmin of LabGateway1 as admin.

    21. Navigate to Endpoint Protection and launch the Live Log.

    22. Locate the log entry for where you authenticated against Tamper Protection.

    23. Compare the mcs_id field to the contents of the EndpointIdentity.txt.

    Task 2

    Configure and test the antivirus exclusion.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Endpoint Protection | Antivirus | Exceptions and create a scanning exclusion for Eicar.com and apply it to the Default group.

    3. Wait for a minute to allow the policy to be applied on LabServer.

    4. Launch your web browser and connect to http://www.sophos.com/en-us/press-office/press-releases/2003/01/eicar.aspx.

    5. Open Notepad.

    6. Copy the following text from the Sophos Eicar article and paste it in Notepad:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

    7. Save the file as Eicar.com.

    Note: ensure you save it without the *.txt extension.

    8. Try to execute the file. This will not cause an anti-virus alert.

    Note: the file will not run correctly as it is a DOS application.

    9. Create a backup called Architect Lab 8 on LabGateway1 and download it to the desktop of LabServer.

    Review

    You have now successfully:

    Monitored the communication between an endpoint and UTM via LiveConnect.

    Configured antivirus exclusions.


    Lab 9: Wireless protection

    Objective

    Upon completion of this section you will be able to:

    Configure multiple wireless networks for different users.

    Connect and configure a wireless access point.

    Create a hotspot.

    Requirements

    No prerequisites.

    Task 1

    Enable wireless protection and, without using the wizard, manually configure two wireless networks:

    One for guest access using a separate zone.

    One for lab access bridged to the access point network.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Wireless Protection | Global Settings.

    3. Enable wireless protection using the following configuration:

    Skip automatic configuration: Selected

    Allowed interfaces: Internal

    4. Navigate to Wireless Protection | Wireless Networks and create a wireless network with the following configuration:

    Network name: Guest

    Network SSID: Guest

    Encryption Mode: WPA2 Personal

    Passphrase PSK: Sophos1985

    Client traffic: Separate Zone

    Client isolation: Enabled

    5. Navigate to Interfaces & Routing | Interfaces and add and enable a new interface for the Guest wireless network with the following configuration:

    Name: Guest WiFi

    Type: Ethernet Static

    Hardware: wlan0

    IPv4 Address: 172.16.21.1

    Netmask: /24 (255.255.255.0)

    6. Navigate to Network Services | DHCP and create a new DHCP server for the wireless network with the following configuration:

    Interface: Guest WiFi

    Range start: 172.16.21.1

    Range end: 172.16.21.254

    DNS Server 1: 172.16.21.1

    Default gateway: 172.16.21.1

    7. Navigate to Network Services | DNS and add the Guest wireless network to the Allowed Networks.

    8. Navigate to Network Protection | NAT and create and enable a new masquerading rule for the Guest wireless network with the following configuration:

    Network: Guest WiFi (Network)

    Interface: Uplink Interfaces

    Use address: >

    9. Navigate to Network Protection | Firewall and create and enable a new firewall rule that allows web browsing from the wireless network to the Internet with the following configuration:

    Sources: Guest WiFi (Network)

    Services: Web Surfing

    Destinations: Internet IPv4

    10. Navigate to Wireless Protection | Wireless Networks and create a wireless network with the following configuration:

    Network name: Lab

    Network SSID: Lab

    Encryption Mode: WPA2 Personal

    Passphrase PSK: Sophos1985

    Client traffic: Bridge to AP LAN

    Client isolation: Enabled

    Task 2

    Connect a Sophos wireless access point to LabGateway1.

    Steps

    On LabServer:

    1. Launch Putty and connect to LabGateway1 using SSH.

    2. Login as the loginuser then change to root using the following command: su -

    3. As the root user run the following command: ./clienttest.pl --minc=5 --maxc=10 server=172.16.1.101

    4. In the WebAdmin of LabGateway1, navigate to Wireless Protection | Access Points.


    5. Click Accept for the access point and use the following configuration in the Edit Access Point dialog:

    Label: Lab9

    Group: >

    Name: Training

    6. Select the Grouping tab.

    7. Edit the Training group and select Guest and Lab wireless networks.

    8. In Putty run the clienttest.pl command again on LabGateway1.

    Note: leave the SSH session open for the duration of the lab.

    9. In the WebAdmin of LabGateway1, confirm that the access point is now active.

    Note: this may take a couple of minutes.

    10. Navigate to Wireless Protection | Wireless Clients and view the clients connected.

    11. Navigate to Wireless Protection | Access Points and select the Grouping tab.

    12. Create a new group with the following configuration:

    Name: Lab only

    Wireless networks: Lab

13. On the Overview tab edit the access point and change it from the Training group to the Lab only group.

    Task 3

    Configure and test a voucher based hotspot.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

2. Navigate to Wireless Protection | Hotspots and enable it.

    3. Select the Voucher Definitions tab and create a new voucher with the following configuration:

    Name: Lab

    Validity period: 5 Days

    Data volume: 20 MB.

    4. Select the Advanced tab and add Internal (Address) to the Allowed hosts/networks in the Walled

    Garden section.

    5. Select the Hotspot tab and create a new hotspot with the following configuration:

    Name: Public

    Interfaces: Internal

    Hotspot type: Voucher

    Voucher Definitions: Lab

    6. Login to the User Portal of LabGateway1 as admin and create a Lab voucher.

    7. Write down the voucher code:

    _________________________________________________________________________________

    8. Try to browse to http://www.sophos.com.


    9. Enter the voucher code when prompted.

    10. Write down the voucher information displayed:

    __________________________________________________________________________________

    __________________________________________________________________________________

    __________________________________________________________________________________

    11. Browse the Sophos website then refresh the hotspot portal page; note that the used Data volume

    has increased.

    12. Write down the Status of the voucher in the User Portal of LabGateway1:

    __________________________________________________________________________________

    13. Login to the WebAdmin of LabGateway1 as admin.

14. Navigate to Wireless Protection | Hotspots and open the live log.

    15. Write down the portal and user fields from your session.

    __________________________________________________________________________________

    __________________________________________________________________________________

16. Disable Hotspots on LabGateway1.

    17. Create a backup called Architect Lab 9 on LabGateway1 and download it to the desktop of

    LabServer.

    Review

    You have now successfully:

    Configured multiple wireless networks for different users.

    Connected and configured a wireless access point.

    Created a hotspot.


    Lab 10: Webserver protection

    Objective

    Upon completion of this section you will be able to configure webserver protection for both HTTP and

    HTTPS webservers and implement reverse authentication.

    Requirements

    No prerequisites.

    Task 1

    Configure a reverse proxy for HTTP and HTTPS webservers with a custom firewall profile.

    Steps

    On LabServer:

1. Open a Command Prompt and use OpenSSL to generate a 2048-bit server key (give the size explicitly; older OpenSSL releases default to 1024 bits): openssl genrsa -out server.key 2048

2. Create a server certificate signing request for the external hostname of LabGateway1 (lab-gw1.lab.external): openssl req -new -key server.key -out server.csr

    Country Name: GB

    State or Province Name: Oxfordshire

    Locality Name: Abingdon

    Organization Name: Sophos

    Organizational Unit: Training

    Common Name: lab-gw1.lab.external

    Email Address: [email protected]

    A challenge password: leave blank

    An optional company name: leave blank

    3. Connect to the certificate authority on Services: https://global.services.external/certsrv/en-us.

    4. Download the CA certificate in Base 64 encoded format to

    C:\Users\Administrator\ca_certificate.cer.

    5. Request a certificate using advanced certificate request.

    6. Paste in the certificate signing request that you created then download the certificate in Base 64

    encoded format to C:\Users\Administrator\certificate.cer.

7. Use OpenSSL to create a PKCS#12 file from the server key, certificate and CA certificate, and set an export password when prompted: openssl pkcs12 -export -out lab.p12 -inkey server.key -in certificate.cer -certfile ca_certificate.cer
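The OpenSSL part of this task (steps 1, 2 and 7) carried out end to end as a script, plus the check worth running on the bundle before uploading it. This is an added example, not part of the workbook: it keeps the lab's subject fields and hostname, but because the Windows CA at global.services.external is not reachable from a standalone machine it stands in a throwaway local CA (make_test_ca, an assumption) for steps 3 to 6, and when signing it adds a subjectAltName, which the lab's CA web form does not do but which current browsers require for hostname matching. check_p12 confirms that the bundle opens with the export password, that the certificate chains to the CA certificate and that the SAN names the host; these are the three things that go wrong most often at step 9 and at the browser test in step 15.

```shell
#!/usr/bin/env bash
# Added example, not from the workbook. Reproduces Lab 10 steps 1, 2 and 7
# non-interactively; make_test_ca/sign_csr stand in for the Windows CA.
set -eu

# Stand-in CA (assumption: the lab uses the CA on Services instead).
make_test_ca() {            # $1 = work dir
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -key "$1/ca.key" -out "$1/ca.csr" \
    -subj "/C=GB/O=Sophos/OU=Training/CN=Lab Test CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$1/ca_ext.cnf"
  openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 30 \
    -extfile "$1/ca_ext.cnf" -out "$1/ca_certificate.cer" 2>/dev/null
}

# Steps 1-2: 2048-bit server key and a CSR with the lab's subject fields.
make_csr() {                # $1 = work dir, $2 = hostname
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -key "$1/server.key" -out "$1/server.csr" \
    -subj "/C=GB/ST=Oxfordshire/L=Abingdon/O=Sophos/OU=Training/CN=$2"
}

# Stand-in for steps 3-6: sign the CSR. The SAN is added because browsers
# match the hostname against subjectAltName, not the CN.
sign_csr() {                # $1 = work dir, $2 = hostname
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$2" > "$1/srv_ext.cnf"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca_certificate.cer" \
    -CAkey "$1/ca.key" -CAcreateserial -days 30 -extfile "$1/srv_ext.cnf" \
    -out "$1/certificate.cer" 2>/dev/null
}

# Step 7: bundle key + certificate + CA certificate as PKCS#12 for the
# WebAdmin upload. -passout only keeps the script non-interactive.
make_p12() {                # $1 = work dir, $2 = export password
  openssl pkcs12 -export -out "$1/lab.p12" -inkey "$1/server.key" \
    -in "$1/certificate.cer" -certfile "$1/ca_certificate.cer" \
    -passout "pass:$2"
}

# Pre-upload check: the bundle opens with the password, its certificate
# verifies against the CA certificate, and the SAN contains the hostname.
check_p12() {               # $1 = work dir, $2 = password, $3 = hostname
  rm -f "$1/extracted.cer"
  openssl pkcs12 -in "$1/lab.p12" -nokeys -clcerts -passin "pass:$2" \
    -out "$1/extracted.cer" 2>/dev/null
  openssl verify -CAfile "$1/ca_certificate.cer" "$1/extracted.cer" >/dev/null
  openssl x509 -in "$1/extracted.cer" -noout -text | grep -q "DNS:$3"
}

# Whole procedure: returns non-zero if any stage or the final check fails.
build_lab_bundle() {        # $1 = work dir, $2 = hostname, $3 = export password
  make_test_ca "$1"
  make_csr "$1" "$2"
  sign_csr "$1" "$2"
  make_p12 "$1" "$3"
  check_p12 "$1" "$3" "$2"
}

# Usage: build_lab_bundle "$(mktemp -d)" lab-gw1.lab.external Sophos1985
```

After it runs, lab.p12 and ca_certificate.cer in the work directory are what steps 8 and 9 upload, with the password given as the third argument. When you follow the workbook against the real CA, the same check_p12 function applies to the bundle you built by hand: a wrong export password fails at the first command, a certificate issued by a different CA than the one you downloaded fails at verify, and a certificate without a SAN for lab-gw1.lab.external will still produce a browser warning at step 15 even though the chain is trusted.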

    8. Login to the WebAdmin of LabGateway1 as admin.


    9. Navigate to Webserver Protection | Certificate Management and create a new certificate with the

    following configuration:

    Name: lab-gw1 external

    Method: Upload

    File type: PKCS#12 (Cert+CA)

    File: the lab.p12 you created in step 7

Password: the export password you entered in step 7

    10. Navigate to Webserver Protection | Web Application Firewall | Firewall Profiles and create a New

    Firewall Profile called Lab with the following features enabled:

    Mode: Reject

    Common Threats Filter

    Cookie signing

    Form hardening

    Antivirus scanning

    Mode: Single Scan

    Direction: Uploads and Downloads

    Block unscannable content

    Block clients with bad reputation

    11. Select the Real Webservers tab and create a New Real Webserver with the following configuration:

    Name: ArGoSoft Webmail

    Host: Lab Server

    Type: Plaintext (HTTP)

    Port: 80

    12. Create another New Real Webserver with the following configuration:

    Name: IIS

    Host: Lab Server

    Type: Encrypted (HTTPS)

    Port: 443

    13. Select the Virtual Webservers tab and create a New Virtual Webserver with the following

    configuration:

    Name: ArGoSoft Webmail

    Interface: External (WAN) (Address)

    Type: Plaintext (HTTP)

    Port: 80

    Domains: lab-gw1.lab.external

    Real Webservers: ArGoSoft Webmail

    Firewall Profile: Lab

    14. Create another New Virtual Webserver with the following configuration:


    Name: IIS

    Interface: External (WAN) (Address)

    Type: Encrypted (HTTPS)

    Port: 81

    Redirect from HTTP to HTTPS: Untick

    Certificate: lab-gw1 external

    Real Webservers: IIS

    Firewall Profile: Lab

    On AcmeCorpServer:

    15. Connect to:

    http://lab-gw1.lab.external - You should be able to access the ArGoSoft Webmail site.

https://lab-gw1.lab.external:81 - You should be able to access the IIS default page with no

    certificate error.

    Task 2

    Implement reverse authentication for the HTTPS website.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. In Webserver Protection | Reverse Authentication create a New Authentication Profile with the

    following configuration:

    Name: IIS Auth

    Frontend mode: Form

    Frontend realm: IIS

    Backend mode: None

    Form Template: Default Template

    Users / Groups: Active Directory Users

    3. Navigate to Webserver Protection | Web Application Firewall and select the Site Path Routing tab.

    4. Edit the Site Path Route for IIS and select the IIS Auth Reverse Authentication profile.

    On Services:

    5. Connect to https://lab-gw1.lab.external:81.

    6. You should be prompted to login via a form and you should not get any certificate errors accessing

    the HTTPS site.

    7. Write down the certificate authority that issued the HTTPS certificate:

    __________________________________________________________________________________

    8. Confirm you are able to login as johnsmith.


    9. Create a backup called Architect Lab 10 on LabGateway1 and download it to the desktop of

    LabServer.

    Review

    You have now successfully configured webserver protection for both HTTP and HTTPS webservers and implemented reverse authentication.


    Lab 11: RED

    Objective

    Upon completion of this lab you will be able to create a RED tunnel between two UTMs.

    Requirements

    No prerequisites.

    Task

    Configure a RED tunnel between LabGateway1 and AcmeCorpGateway.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

2. Navigate to RED Management | Global Settings and activate RED Management.

3. Select the [Server] Client Management tab and add a RED with the following configuration:

    Branch Name: AcmeCorp

    Client type: UTM

    4. Download the provisioning file to the desktop of LabServer.

    5. Launch Thunderbird and email the provisioning file to [email protected].

    On AcmeCorpServer:

    6. Launch Thunderbird and save the provisioning file from the email to the desktop of

    AcmeCorpServer.

    7. Launch a browser and connect to the WebAdmin of AcmeCorpGateway and login as admin.

    8. Navigate to RED Management | Global Settings and activate RED Management.

    9. Select the [Client] Tunnel Management tab and create a new tunnel using the following

    configuration:

    Tunnel Name: Lab

    UTM host: Lab Gateway 1

    Prov. File: the provisioning file saved to the desktop

    On LabServer:

    10. Select the Overview tab in the LabGateway1 WebAdmin and confirm that the connection is

    established successfully.

    11. Navigate to Interfaces & Routing | Interfaces and create and enable a new interface with the

    following configuration:

    Name: Acme RED


    Type: Ethernet Static

    Hardware: reds1

    IPv4 address 10.0.0.1

    Netmask: /24 (255.255.255.0)

    On AcmeCorpServer:

    12. Open the AcmeCorpGateway WebAdmin.

    13. Navigate to Interfaces & Routing | Interfaces and create and enable a new interface with the

    following configuration:

    Name: Lab RED

    Type: Ethernet Static

    Hardware: redc1

    IPv4 address 10.0.0.2

    Netmask: /24 (255.255.255.0)

    14. Navigate to Interfaces & Routing | Static Routing and create and enable a new static route with the

    following configuration:

    Route Type: Gateway route

    Network: Lab Network

    Gateway: create a new network definition

    o Name: Lab RED Gateway

    o Type: Host

    o IPv4 Address: 10.0.0.1

    On LabServer:

    15. Navigate to Interfaces & Routing | Static Routing and create and enable a new static route with the

    following configuration:

    Route Type: Gateway route

    Network: Acme Corp LAN

    Gateway: create a new network definition

    o Name: Acme RED Gateway

    o Type: Host

    o IPv4 Address: 10.0.0.2

    16. Navigate to Network Protection | Firewall and create and enable a new firewall rule with the

    following configuration:

    Sources: Acme Corp LAN

    Services: Web Surfing

    Destinations: Internal (Network)


    On AcmeCorpServer:

    17. Connect to http://172.16.1.1 and confirm you see the ArGoSoft webmail website.

    18. In the WebAdmin, disable the Lab RED tunnel, Lab RED interface and Lab RED Gateway static route.

    On LabServer:

    19. Disable the Acme RED tunnel, Acme RED interface, firewall rule and Acme RED Gateway static

    route.

    20. Create a backup called Architect Lab 11 on LabGateway1 and download it to the desktop of

    LabServer.

    Review

    You have now successfully created a RED tunnel between two UTMs.


    Lab 12: Site-to-site VPN

    Objective

    Upon completion of this section you will be able to configure:

    A simple SSL site-to-site VPN.

    An IPsec site-to-site VPN using cross signed certificates.

    An IPsec site-to-site VPN using RSA authentication.

    Requirements

    No prerequisites.

    Task 1

    Configure and test a simple SSL site-to-site VPN.

    Steps

    On LabServer:

    1. Login to the WebAdmin of AcmeCorpGateway as admin.

    2. Navigate to Site-to-site VPN | SSL, create a server SSL connection with the following configuration:

    Connection type: Server

    Connection Name: Lab VPN

    Local Networks: Internal (Network)

    Remote Networks: Lab Network

    Automatic Firewall rules: Selected

    3. Download the peer configuration file to the desktop of LabServer and encrypt it using the password

    Sophos1985.

    4. Login to the WebAdmin of the LabGateway1 as admin.

    5. Navigate to Site-to-site VPN | SSL and create a connection with the following configuration:

    Connection type: Client

    Connection Name: Acme VPN

    Configuration file: the peer configuration file saved to the desktop of LabServer

    Password: Sophos1985

    Automatic Firewall rules: Selected

    6. Confirm you can connect to http://192.168.2.1

    On AcmeCorpServer:

    7. Confirm you can connect to http://172.16.1.1

    8. Disconnect from the VPN on both UTMs.


    Task 2

    Modify the existing IPsec site-to-site VPN to use cross signing authentication.

    Steps

    On LabServer:

    1. Login to the WebAdmin of AcmeCorpGateway as admin.

    2. Navigate to Site-to-site VPN | Certificate Management and generate a certificate with the following

    configuration:

    Name: acme-gw VPN

    Method: Generate

    VPN ID Type: Hostname

    VPN ID: acme-gw.acme.external

    Common Name: acme-gw.acme.external

    Email: [email protected]

    3. Download the certificate in PKCS#12 format with the password Sophos1985 to the desktop of

    LabServer.

4. Login to the WebAdmin of LabGateway1 as admin.

    5. Navigate to Site-to-site VPN | Certificate Management and generate a certificate with the following

    configuration:

    Name: lab-gw1 VPN

    Method: Generate

    VPN ID Type: Hostname

    VPN ID: lab-gw1.lab.external

    Common Name: lab-gw1.lab.external

    Email: [email protected]

    6. Download the certificate in PKCS#12 format with the password Sophos1985 to the desktop of

    LabServer.

    7. In the LabGateway1 WebAdmin, create a new certificate with the following configuration:

    Name: Acme VPN

    Method: Upload

    File type: PKCS#12 (Cert+CA)

File: the certificate downloaded from AcmeCorpGateway (acme-gw VPN).

    Password: Sophos1985

8. Navigate to Site-to-site VPN | IPsec | Remote Gateways and reconfigure the gateway for

AcmeCorpGateway to use X509 certificate authentication with the certificate you uploaded (Acme VPN).

9. In the AcmeCorpGateway WebAdmin, create a new certificate with the following configuration:

    Name: Lab VPN

    Method: Upload


    File type: PKCS#12 (Cert+CA)

File: the certificate downloaded from LabGateway1 (lab-gw1 VPN).

    Password: Sophos1985

10. Navigate to Site-to-site VPN | IPsec | Remote Gateways and reconfigure the gateway for LabGateway1

to use X509 certificate authentication with the certificate you uploaded (Lab VPN).

    11. Open and monitor the IPsec live logs on both LabGateway1 and the AcmeCorpGateway.

12. Enable the IPsec VPN on both LabGateway1 and AcmeCorpGateway.

    13. Write down the following details from the IPsec log for the last connection made:

    NAT-Traversal result:________________________________________________________

    Dead peer detection status:__________________________________________________

    Variant:__________________________________________________________________

    14. Confirm you can connect to http://192.168.2.1

    On AcmeCorpServer:

    15. Confirm you can connect to http://172.16.1.1

    16. Disconnect from the VPN on both UTMs.

    Task 3

    Modify the existing IPsec site-to-site VPN to use RSA keys

    Steps

    On LabServer:

    1. Login to the WebAdmin of AcmeCorpGateway as admin.

2. Navigate to Site-to-site VPN | IPsec | Local RSA Key and configure the VPN ID type to be IP Address.

    3. In the Re-generate local RSA key section click Apply.

    4. Copy the Current local public RSA key.

5. Login to the WebAdmin of LabGateway1 as admin.

6. Navigate to Site-to-site VPN | IPsec | Remote Gateways and edit the gateway for

    AcmeCorpGateway by updating the following configuration:

    Authentication type: RSA key

    Public key: paste the public RSA key you copied from AcmeCorpGateway

    VPN ID type: IP Address

    VPN ID (optional): Leave blank

    7. Select the Local RSA Key tab and configure the VPN ID type to be IP Address.

    8. In the Re-generate local RSA key section click Apply.

    9. Copy the Current local public RSA key.

10. In the WebAdmin of AcmeCorpGateway, navigate to Site-to-site VPN | IPsec | Remote Gateways

    and edit the gateway for LabGateway1 by updating the following configuration:

    Authentication type: RSA key


    Public key: paste the public RSA key you copied from LabGateway1

    VPN ID type: IP Address

    VPN ID (optional): Leave blank

    11. Open the IPsec live log and confirm that the IPsec connection is established successfully.

    12. Confirm you can connect to http://192.168.2.1

    On AcmeCorpServer:

    13. Confirm you can connect to http://172.16.1.1

    14. Disconnect from the VPN on both UTMs.

    15. Create a backup called Architect Lab 12 on LabGateway1 and download it to the desktop of

    LabServer.

    Review

    You have now successfully configured:

    A simple SSL site-to-site VPN.

    An IPsec site-to-site VPN using cross signed certificates.

    An IPsec site-to-site VPN using RSA authentication.


    Lab 13: Remote access

    Objective

    Upon completion of this section you will be able to configure and test IPsec remote access with the

    Sophos IPsec client.

    Requirements

    No prerequisites.

    Task

    Configure an IPsec VPN on AcmeCorpGateway and test it with the Sophos IPsec client on LabServer.

    Steps

    On LabServer:

    1. Login to the WebAdmin of LabGateway1 as admin.

    2. Navigate to Network Protection | Firewall and create a new firewall rule with the following

    configuration:

    Sources: Internal (Network)

    Services: IPsec

    Destinations: Any

    3. Login to the WebAdmin of AcmeCorpGateway as admin.

4. Navigate to Remote Access | IPsec and create a new IPsec remote access rule with the following

    configuration:

    Name: AD users to local network

    Interface: External

    Local Networks: Internal (Network)

    Policy: AES-256

    Authentication type: X509 certificate

    Allowed users: Active Directory Users

    5. Navigate to Network Protection | Firewall and create a new firewall rule with the following

    configuration:

    Sources: VPN Pool (IPsec)

    Services: HTTP

    Destinations: Any

    6. Login to the User Portal of AcmeCorpGateway as TomJones.

    7. Select the Remote Access tab and download the configuration file.

    8. Download the PKCS#12 of the user certificate specifying the password Sophos1985.


    9. Download and install the Sophos IPsec Client.

    Note: the IPsec client will be installed in demo mode with a trial license.

    10. Launch the IPsec client and add a new certificate with the following configuration:

    Name: TomJones Certificate

    Certificate: from PKCS#12 file

    PKCS#12 Filename: select the certificate you downloaded from the User Portal

    PIN Request at each Connection: Selected

    11. Add a new profile by importing the configuration file downloaded from the User Portal.

    12. Edit the profile and select Identities on the left. In the Pre-shared Key section, select the certificate

    TomJones Certificate.

    13. Reboot LabServer.

    14. Initiate the VPN connection.

    15. Confirm you can connect to http://192.168.2.1.

    16. Disconnect from the VPN.

    17. Create a backup called Architect Lab 13 on LabGateway1 and download it to the desktop of

    LabServer.

    Review