I am wondering what would be the best way to build a complete new configuration for a UTM9 that you could use in the productive environment when done.

We have two SG430 running as productive systems.

I could use a UTM425 as a test machine.


Would it be a good way to just run the test machine and configure it with the new configuration and, when I am happy, transfer the configuration to the productive machines?




  Hello Bernd,

    That sounds like a good plan.

    You might want to search here for the steps to take to get a 10-IP software license to run on your UTM 425.  There are ways to do that that retain the LCD.  Try a Google on: appliance home

    Cheers - Bob

    I think to build a matching configuration I need more than 10 IPs, so at the moment after a reinstall I get an eval license for one month with unlimited capabilities. If I need more time, is it possible to back up the configuration, make a fresh reinstall and import the backup to go on working on the test config? I think that's not possible, so I guess I will have to talk to Sophos about my plan to get an extended test license.


    Hi Bernd,

    if you don't get the configuration done on time, you have to put a new eval license on your machine. Reinstall does not work here.

    Try to contact your Sophos partner for this.

    Otherwise you can use a home license if 50 IPs are enough on your UTM 425, so you have a year time.

    Best regards

    Hi DKNL,

    I already talked with Sophos with the same result ... need to install a test license.




    I am just wondering if there is any stuff I need to export from the "utm" when I import a complete new configuration to a UTM.

    I know I have to import the database for the hotspot stuff. Did that already and it works!

    I know that I will lose the quarantined mails.

    I know I may lose logfiles, which is OK.

    What about S2S VPN, will they still work?

    What about Remote Access for Roadrunners?

    Will I have problems with Mail- or Webserver Proxy?


    Hi Bernd,

    if the S2S tunnels are configured the same as in the old configuration, there are no problems.

    Watch out for S2S with certificate authentication. Here you have to import the "old" ones.
    With RSA authentication you have to use the new key for the remote gateways.

    Remote Access also has new certificates, so you have to roll out the new config to every roadrunner.

    Mail and Web should also be no problem if the configuration is equal.
    If you use HTTPS scanning with the self-signed UTM certificate, you have to import the "old" one or roll out the new one.

    best regards

    I can only see "Preshared Key" and "RSA Key" in the S2S VPN section. As far as I understand you ... for preshared keys I will have no problems, but the local RSA key will change? So I need to use the new public part of the RSA key and send it to the other partner to open the tunnel?

    Yes, the RSA key is different.

    So you have to give the other partner the new key.

    Here is some info from the Sophos UTM help menu:

    With RSA authentication, RSA keys are used for authentication of the VPN endpoints. The public keys of the endpoints are exchanged manually before the connection is established. If you want to use this authentication type, you have to define a VPN identifier and create a local RSA key. The public RSA key of the gateway must be made available to remote IPsec devices that use IPsec RSA authentication with Sophos UTM.

    Note – Sophos UTM uses RFC 3110 format for RSA keys. RSA authentication will not work with 3rd party endpoints that use a different RSA key format.

    best regards
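Since the rebuilt UTM gets a new local RSA key and the partner must be handed the new public part, here is an added example (not from the thread or from Sophos) that encodes and decodes an RSA public key in the RFC 3110 format the help text refers to, and derives a fingerprint both sides can compare out of band before the tunnel is re-opened. The `0s` text prefix is assumed to be the strongSwan-style marker for a base64 key; the key numbers used are small constructed values, not a real key.

```python
# Added example: RFC 3110 RSA public key encoding as used for IPsec RSA
# authentication. Standard library only; key values are constructed.
import base64
import hashlib


def rfc3110_encode(exponent, modulus):
    """RFC 3110 section 2: exponent length (1 byte, or 0x00 + 2 bytes when
    the exponent is longer than 255 bytes), then exponent, then modulus,
    all big-endian."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    if len(e) < 256:
        length = bytes([len(e)])
    else:
        length = b"\x00" + len(e).to_bytes(2, "big")
    return length + e + n


def rfc3110_decode(blob):
    """Inverse of rfc3110_encode; rejects truncated input instead of
    silently returning a short modulus."""
    if not blob:
        raise ValueError("empty key")
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        if len(blob) < 3:
            raise ValueError("truncated exponent length")
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    if len(blob) < off + elen + 1:
        raise ValueError("truncated key")
    e = int.from_bytes(blob[off:off + elen], "big")
    n = int.from_bytes(blob[off + elen:], "big")
    return e, n


def to_text(exponent, modulus):
    # Assumption: "0s" + base64 is the strongSwan text form UTM displays.
    return "0s" + base64.b64encode(rfc3110_encode(exponent, modulus)).decode()


def from_text(text):
    if not text.startswith("0s"):
        raise ValueError("expected a 0s-prefixed base64 key")
    return rfc3110_decode(base64.b64decode(text[2:]))


def fingerprint(text):
    """SHA-256 over the raw RFC 3110 bytes; read this to the partner by phone
    or mail and have them check it against the key they pasted in."""
    return hashlib.sha256(base64.b64decode(text[2:])).hexdigest()
```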

  • That's a great idea, Bernd.