
We've been locked out of our UTM appliance - help

Hi all,

 

Firstly apologies, we're new to these devices and have little or no experience of them.

We have a Sophos UTM device (Software that seems to have been installed on a Dell server?). It is used to terminate a site to site VPN between our branch office in Thailand and our European datacentre. We used to access the device from the local LAN on port 4444, however yesterday the VPN went down and we can no longer access the UTM web portal. The device is responding to ping, but no other ports whatsoever.

 

Today I received an email from the Thai supplier asking for our renewal PO. Now I may be a little naïve here, but as we can't log into the device to update the license, I can see how we can renew it. He is now saying that he can do it remotely.

This looks to me like we are being held to ransom.

Does anyone know if it is normal for access to a UTM device to be blocked when the license expires? I'm concerned that this local Thai supplier is behaving unethically.



This thread was automatically locked due to age.
  • Hey mate.

    It depends. If you are using AD authentication (or any other external authentication method) and your license expires it will not allow you to login using an external credential, as it will disable all services that are activated based on your subscription, including external authentication. The built-in admin user should still work, however.

    If you suspect they have changed your admin password, you could reset it by following https://community.sophos.com/kb/hu-hu/115346. As you stated this is a software install on a Dell server, I assume you are able to hook up a keyboard and monitor on the server and follow those instructions.

    If you have the root password, just follow the "WebAdmin password reset procedure" section from the link above to reset your admin password.

    If you don't have the root password, follow the "How to reset all passwords" section of the link to:

    1) Reset your root password, so you can access your device through the console

    2) Use the console to reset your admin password and allow access to WebAdmin

    After you recover access to WebAdmin you should be able to upload your new license file and everything will just start working again.

    Regards,

    Giovani

  • Thanks Giovani,

    It's just using local credentials. It's not even responding on port 4444, so we can't even get to the login page. It's as though this "reseller" put a deny on any access to the web interface. Am I right in assuming we should at least be able to get to the login page if the license expires? We know the username and password. We had previously been able to get to it from any address on the local LAN, but now it only responds to ping; no other ports are open.

    Sorry, I might have misunderstood. It's likely that your device won't allow WebAdmin access through WAN if any security best practices were followed, but LAN access should be enabled. If your license has expired your VPN services will be down; that's to be expected. If you are using the internal IP of the device to access WebAdmin from the remote site, that will no longer work as the VPN is down. The only way to access your device in this case should be to access WebAdmin from the local LAN of the device. Is this what you are trying to do?

    Regards,

    Giovani

    We have connectivity to the internet and TeamViewer is allowed. We can TeamViewer onto any PC or server on the local LAN. The LAN subnet is 10.1.1.0. The UTM LAN address is 10.1.1.1.

    Before the license expired, we could open a web browser on a PC on the LAN and enter https://10.1.1.1:4444 and it would load the web admin login page.

    Since the license has expired, we cannot open the web admin page from any device. The UTM will only respond to PING.

    I suspect this local supplier in Thailand may have done something to lock us out of the device, so that only he can unlock it. This would stop us moving the renewal to our usual supplier. Of course I can't prove that.

     

    So should I still be able to get to the WebAdmin login from inside the LAN if the license has expired?

     

    Thanks for your responses.

  • Yes, most definitely.

    It could be a malfunction though. Have you tried rebooting your device?

    If they in fact locked you out by removing your local network from the WebAdmin allowed networks, you can also bypass that: https://community.sophos.com/kb/en-us/115462

    Unfortunately it will require that you know the root password and have SSH access; otherwise you'll need to do this at the local console. If SSH is disabled or you are also locked out of it (SSH is not enabled by default, and if they locked you out of WebAdmin they would also lock you out of SSH), then you need to locally access the console to restore your access or reset your root password.

    Sorry, no easy way around this.

    Regards,

    Giovani
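The symptom described in this thread (the UTM answers ping on 10.1.1.1 but nothing on TCP 4444) has two very different causes: the WebAdmin daemon is down, or the packets are being dropped by a rule such as a changed allowed-networks list. The script below is an added example, not part of the original thread or of Sophos's tooling: it probes a few TCP ports and distinguishes "refused" (a RST came back, so the host is up but nothing is listening) from "filtered" (no answer at all, consistent with a drop rule). The host, port list and the `icmp_ok` flag are assumptions you supply from your own observations.

```python
import socket
from typing import Dict, Iterable


def classify_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'open', 'refused', 'filtered' or 'unreachable' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # RST received: the host is alive but no service listens here.
        return "refused"
    except (socket.timeout, TimeoutError):
        # No SYN/ACK and no RST: consistent with a firewall silently dropping.
        return "filtered"
    except OSError:
        # No route / network down / name resolution failure.
        return "unreachable"


def probe(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, str]:
    """Classify every port in the list against one host."""
    return {p: classify_tcp(host, p, timeout) for p in ports}


def diagnose(icmp_ok: bool, results: Dict[int, str]) -> str:
    """Turn ping result plus per-port classification into a plain-language verdict."""
    states = set(results.values())
    if "open" in states:
        return "webadmin reachable"
    if not icmp_ok:
        return "host not answering ICMP: check link, power and addressing first"
    if states == {"filtered"}:
        return ("host alive, all probed ports silently dropped: "
                "check access rules and the WebAdmin allowed networks")
    if "refused" in states:
        return "host alive, service not listening: WebAdmin daemon down or stopped"
    return "inconclusive: mixed results, re-run with a longer timeout"


if __name__ == "__main__":
    # Assumed values from the thread: UTM LAN address and the WebAdmin port,
    # plus SSH and HTTPS as comparison points. icmp_ok is what ping showed you.
    utm_host = "10.1.1.1"
    findings = probe(utm_host, [4444, 22, 443])
    for port, state in findings.items():
        print(f"{utm_host}:{port} -> {state}")
    print(diagnose(icmp_ok=True, results=findings))
```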

  • Thanks Giovani,

    That's really helpful. They think they are getting a purchase order for £1000 on Monday, which they have said will enable them to unlock it. What they don't realise is the ASA with Firepower has just arrived in Bangkok already configured. If they hadn't locked us out, we'd probably have renewed the license. Anyway, I really appreciate your time in helping us. Many thanks.

  • I'm terribly sorry and profoundly ashamed that a Sophos partner is causing you to abandon such a good product because of unethical behaviour. Let me emphasize that this does not in any way reflect Sophos and Sophos Partners' way of doing business. As a Sophos partner myself, I would never hold a customer to ransom.

    I do, however, suggest that you regain access to your device using the methods I provided you and open a ticket with Sophos so they can confirm that this is actually what happened. If that was really this "partner's" behavior, then they would take measures to disqualify them as partners, which would be the very least that should happen to them.

    Regards,

    Giovani
