
How to install, setup, and configure XG Home on Hyper-V

Hi,

I am trying to install XG Home Edition on Hyper-V. I followed the Virtual Appliance documentation as far as I could because it only covers VMware. I created a VM using the minimum requirements and installed XG Home no problem. When it is up and running I see a command prompt with a menu system to use for configuration. The document says you should connect to 172.16.16.16:4444 to use the GUI but the computer hosting the VMs is running 192.168.10.xxx. I'm assuming that the IP my VM host has is incompatible with the firewall and cannot display the firewall GUI.

What do I need to do next so I can configure everything required? Is it possible to change the firewall so it uses 192.168.10.xxx so I can access the firewall GUI? Should I just do everything from the command line? What is best practice in setting up this firewall correctly?

Thanks,

Rob



  • Welcome,

    you can't change the XG address until you login.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • I am able to login because I then get the menu system to aid in configuration. From there I'm not really sure where to get started. I thought the GUI might be more convenient but I can use the command line if need be. Is following the command line guide sufficient to get me up and running in a basic configuration?

  • I had similar problems, but have got it sorted.

    In Hyper-V I installed the XG from the iso and left everything at the defaults. For the VM settings, I configured two network adapters, both attached to 'external network'. Sophos configured one as 172.16.16.16 and the other picked up a 192.168 address from my LAN DHCP.

    I installed a Server 2016 VM with two network adapters, both attached to 'external network'. I then reconfigured one of the network adapters to be:

    IP: 172.16.16.15

    Subnet: 255.255.255.0

    Gateway: 172.16.16.16

    The other Server adapter was left to pick up a 192.168 address from my DHCP server.

    From the Server VM, I could then connect to the 172.16.16.16 web address and configure the XG to change the IP addresses into ones that made more sense for my setup.

    Hope the above helps, but it would have been much simpler if the appliance allowed IP addresses to be configured during the initial install.

  • As a follow up for further configuration...

    On the server I have disabled the 192.168 interface, and changed the remaining interface to the 'Private' network in Hyper-V.

    On the XG I have added Firewall rules to allow traffic on my private LAN in and out, and also changed the LAN port to be on the 'Private' network in Hyper-V.

    Everything is working just fine, so it looks like I'm ready to carry on setting up my lab.

  • This is where I am currently stuck.

    My Environment:

    Server 2016 Hyper-V on physical workstation - 2 physical NICs

    1 VM is created using the minimum specs called out in the Virtual Appliance guide.

    1 Virtual Processor - 2GB RAM - 2 vNIC - Primary Disk 4GB - Secondary Disk 80GB

    I mounted the VM to the Sophos XG Home ISO and it installed with no problems. The installation ends at prompting for the password. I enter the default password and I then see a menu system that allows you to configure your firewall. I used menu option 1 to configure networking. One NIC is configured to use 172.16.16.16/255.255.255.0 out of the box which is incompatible with my internal IP address. The other NIC has no configuration as it's not connected to anything but a switch. I changed the IP address from 172.16.16.16 to 192.168.10.6/255.255.255.0. The VM Host workstation is able to successfully ping the firewall and it responds as expected. I did set the DNS initially once but I need to verify it is still there. I had this same problem even with DNS configured.

    When I choose AA on the menu to activate my software, I get an error message that says no internet connection exists. The VM Host workstation can ping the firewall and any internet address but the firewall claims there is no internet connectivity which can't be true. I accessed the Sophos web interface at https://192.168.10.6:4444. I can see the GUI is in view, login and when I try to activate my software from this interface, there is also a no internet connectivity message.

    This is a bit confusing. The VM Host workstation can ping the Sophos VM and the internet. This means that the firewall should have internet connectivity as well since they are all on the same subnet, but that isn't the case here. How can I troubleshoot connectivity from the firewall's perspective? I'm considering adding another Linux VM to the host with a 192.168.10.xx address just to see if that computer is able to access the internet as a troubleshooting step.

     

    -Rob

  • I disabled the vNIC that will be used for my internal network and booted up. I verified the network configuration is still correct and used the device console to verify connectivity to other devices. dnslookup was able to resolve the DNS IP addresses that I am using. When I try to activate, I get the following error message "Internet connectivity OK but unable to contact licensing system. This may be due to a network issue. Please check your network set up and connections and try again."

    I did try deleting and recreating my virtual switches but that didn't help.

  • I have been looking around at the Sophos site in search of an answer and found a page where you can register your devices. I registered the serial number that was emailed to me and it was successfully activated. I noticed that the product type was being reported as UTM where I thought it would be XG Home or something like that. My original serial number is from Jan 2017 and I'm not sure if there is a time limit where you need to use the serial number in a certain timeframe. So I requested another serial number and registered that one successfully. The product type for that serial number is also UTM. None of the documentation says anything about registering your serial numbers on the Sophos website prior to use so I have no idea if this is going to help or not.

    I have the new serial number. It was successfully registered on the Sophos website. I downloaded the ISO again and I plan to try installing from scratch again just in case I corrupted something in the course of changing settings. I'll report back with the results this evening when I try this out.

  • I have installed Firmware version SFOS 16.05.3 MR-3 over the top of the previous version and then changed the settings for IP/DNS.

    IP: 192.168.10.6

    Subnet Mask: 255.255.255.0

    DNS: 192.168.10.1 (broadband router)

    I'm still getting the error "Internet connectivity OK but unable to contact licensing system. This may be due to a network issue. Please check your network set up and connections and try again." I used the device console and verified I can ping other devices on the network. I tried to ping Comcast's primary DNS 75.75.75.75 and it is unreachable from the device console. I could not ping google.com either. The VM Host is able to ping 75.75.75.75 and google.com. The broadband router is set to use Comcast's primary and secondary DNS servers and all devices on my network have no connectivity issues.

    I created another virtual machine using similar settings and installed Ubuntu Desktop. This virtual machine can ping all network devices, google.com and 75.75.75.75.

    The firewall is unable to ping outside of my network but other devices have no problem at all.

    -Rob

  • More than likely you haven't added a gateway to your XG.


  • Hi Rob,

    One thing you haven't mentioned is how your broadband router is connected to your workstation running Hyper-V. The virtual switch you created to act as your WAN connection for the Sophos XG VM needs to be able to obtain an external IP address. I wonder if your NAT is the problem. Here is what I had to do with my ISP router to get it working.

    1. I connected directly from my router to my server NIC port
    2. I placed this router connection into the DMZ (I didn't want there to be any NAT issues so this meant this connection would receive its own external IP)
    3. I confirmed via cmd line that this NIC connection had a new IP assigned by my ISP. This meant that the NIC connected directly to the outside world with no NAT problems.
    4. I created 2 virtual switches (both external) in Hyper-V. The first I named LAN and the second named WAN and selected the correct NIC connection for the WAN virtual switch that connected to my broadband router
    5. I created a virtual machine and made sure that the first network I added was the LAN. By default, in these scenarios, Sophos XG uses the first connection as LAN and the second as WAN.
    6. I added a second network interface to my VM after the wizard had created it and linked it to the WAN virtual switch
    7. I started the VM and installed Sophos XG and rebooted at the end
    8. I added a new IP address to my server NIC and gave it a 172.16.16.18 IP.
    9. I used my server browser to connect to the https://172.16.16.16:4444 address and from there was able to finish the setup including license sync

    The key for me was to ensure that I was able to get direct outside IP address from my router.

  • Hi Nash,
     
    This is my configuration.
     
    Cable connected to Motorola Surfboard
    Motorola Surfboard is connected to WAN port of Netgear Broadband Router
     
    Netgear configuration:
    DHCP Enabled
    IP address - 192.168.10.1
    Subnet mask - 255.255.255.0
    DNS - 75.75.75.75, 75.75.76.76 (Comcast DNS)
    DMZ - not enabled
    WiFi - disabled
     
    Netgear Router connects to Linksys 5-port unmanaged switch
    Linksys 5-port unmanaged switch connects to onboard NIC at Physical VM Host
     
    The onboard NIC at Physical VM Host connects to a Hyper-V virtual switch which I called WAN.
    The WAN Hyper-V switch connects to the Sophos Firewall VM.
    (Intended WAN side IP - 192.168.10.6, Subnet - 255.255.255.0, Gateway - 192.168.10.1, DNS - 192.168.10.1)
     
    The LAN side of the Sophos Firewall is connected to another Hyper-V virtual switch which I named LAN.
    (Intended LAN side IP - 192.168.20.1, Subnet - 255.255.255.0, Gateway - 192.168.20.1, DNS - 192.168.20.1)
     
    The LAN virtual switch is connected to an add-on NIC in a PCI slot in the Physical VM Host.
     
    The LAN side NIC is connected to a different Linksys 5-port unmanaged switch.
    The LAN Linksys 5-port unmanaged switch is connected to an Asus Broadband router and all other LAN devices.
     
    Asus configuration:
    DHCP (currently disabled but will be enabled once the firewall is working)
    IP address - 192.168.20.9
    Subnet mask - 255.255.255.0
    Gateway - 192.168.20.1
    DNS - 192.168.20.1
     
    Is there some way to determine from the device console which NIC the firewall thinks is eth0? I'm not sure I could say which is which without some inspection. Also, none of my network devices are using 172.x.x.x. It is much easier to IP the firewall with 192.168.10.6. Is it possible to get setup in this config or is 172.x.x.x required until configuration is complete?
     
    If I left out some details, please let me know and I will clarify.
     
     
    -Rob
  • Do you have to log in to your internet connection or is it always on? Is it a PPPoE connection?

    Option 1:

    If your internet connection IS PPPoE and you have to have your Netgear router to perform the login, enable DMZ and place the IP that Netgear has assigned to your Hyper-V server into the DMZ (this is done on the Netgear router). Then make sure your WAN Port in Sophos XG is set to PPPoE (this is done in Sophos). You'll then have the option to enter your login credentials for the WAN port in the firewall (also done in Sophos).

    Option 2:

    The easiest option is if you are NOT PPPoE and you can simply connect directly to your Surfboard modem and obtain an external IP address. In this case, you would have selected DHCP for your IP assignment in your WAN port on Sophos.

    Try the option that best describes your situation (PPPoE yes or no) and see how that goes.

     

    In my own scenario, I have a PPPoE connection so I followed option 1 and it works.

  • Rob Moorhead said:
     
     
    Is there some way to determine from the device console which NIC the firewall thinks is eth0? I'm not sure I could say which is which without some inspection. Also, none of my network devices are using 172.x.x.x. It is much easier to IP the firewall with 192.168.10.6. Is it possible to get setup in this config or is 172.x.x.x required until configuration is complete?
      

    Unfortunately, I never found an easy way to do this. It was trial and error. I took a laptop, set a static IP of 172.16.16.18 and subnet 255.255.255.0. I then connected to each port and attempted to connect to the browser interface at 172.16.16.1:4444. When I was successful, I knew this was the LAN port.

    When setting up the VM, I found it easier to assign the LAN virtual switch first, then add a second network connection AFTER the VM had been created. In this way, by default Sophos uses the first port as the LAN port.

  • Nash,

    I do not need to log into my internet connection and it is always on.

    How can I tell which NIC is eth0 so I know I'm using the correct one? I'm guessing that eth0 would be the built-in NIC.

    Once the firewall is configured and running, I would re-IP and connect everything to suit my original plan?

     

    -Rob

  • Rob Moorhead said:

    I do not need to log into my internet connection and it is always on.

    Perfect, then Option 2 is what I'd recommend you try.

     

    Rob Moorhead said:

    How can I tell which NIC is eth0 so I know I'm using the correct one? I'm guessing that eth0 would be the built-in NIC.

    I used a laptop to see which one was the LAN NIC. Once I could connect to the LAN, I knew the other was the WAN.

     

    Rob Moorhead said:

    Once the firewall is configured and running, I would re-IP and connect everything to suit my original plan?

    Yes. I found it easier to set all of my hosts and services ahead of my cutover so I had less work to do. I also wrote down all of my firewall rules and exceptions although Netflix did give me a hard time but finally got it working.

    My only remaining problem is with VoIP.

  • Nash,

    NashBrydges said:
    Rob Moorhead

    How can I tell which NIC is eth0 so I know I'm using the correct one? I'm guessing that eth0 would be the built-in NIC. 

     

    I used a laptop to see which one was the LAN NIC. Once I could connect to the LAN, I knew the other was the WAN.

     

    I hate to ask this question but I'm really unclear how you tested. Where did you physically connect your laptop to test the ports?

    Also, the documentation made it sound like if you didn't meet the minimum configuration that the OS would not install. If you only had one NIC on your VM at the time of installation, it should have failed if the documentation is correct.

    It seems odd or backwards that you configure while connected to the LAN NIC but at this point, I'll try anything.

    Thank you so much for taking the time for all of your responses! I'll beat this thing yet...

     

    -Rob

  • The minimum requirements are to have 2 NIC ports so as long as you have that, you should be fine.

    1. Create a virtual switch connected to one of the physical NIC ports and call that one LAN
    2. Create a virtual switch connected to the other physical NIC port and call that one WAN
    3. Create your VM from the Hyper-V GUI and when asked to select the network, select the LAN virtual switch
    4. Complete the VM config
    5. Once the VM config is complete, go back to the VM settings and choose Add Hardware and proceed to add a network adapter, selecting the WAN virtual switch
    6. Proceed to start the VM and install Sophos

    Once the VM boots up, I set up my laptop with a static IP address of 172.16.16.18 and subnet of 255.255.255.0 (gateway remains blank). I take my laptop and connect it to the physical server NIC port that I used when I created my LAN switch. Since Windows doesn't make it easy to identify which ACTUAL port was used (because it sometimes names them in some weird random order) I plugged into the first port and attempted to access the Sophos web interface. It took a few minutes to come online so be patient. If that doesn't work, then likely you'll need to use the other physical NIC port. Try it out to confirm. Once you confirm which one is the LAN (meaning you can access the Sophos web interface) then plug the other physical NIC port directly into your Surfboard.

    The key is to figure out which is your LAN, once you have that, by default, the other is your WAN.

    Proceed with activation and license sync.
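The two-switch layout and adapter ordering described in the steps above (LAN switch attached first, WAN adapter added only after the VM exists), written as Hyper-V PowerShell instead of GUI clicks. This is an added example, not code from either poster or from Sophos; the VM name, ISO path, disk paths, physical adapter names and Generation 1 VM type are assumptions you would replace with your own. The final query lets you confirm which vSwitch each adapter is on before first boot, which answers the "which NIC is eth0" question without the laptop trial and error.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the Hyper-V host.
$VmName  = 'SophosXG'                       # assumption
$VmRoot  = 'C:\Hyper-V\SophosXG'            # assumption
$IsoPath = 'C:\ISO\SophosXG-Home.iso'       # assumption: downloaded installer ISO
$LanNic  = 'Ethernet'                       # assumption: physical NIC name on the LAN side
$WanNic  = 'Ethernet 2'                     # assumption: physical NIC name cabled to the modem

# Steps 1-2: one external virtual switch per physical NIC.
# The management OS stays off the WAN switch so only the firewall VM sits on the modem segment.
New-VMSwitch -Name 'LAN' -NetAdapterName $LanNic -AllowManagementOS $true
New-VMSwitch -Name 'WAN' -NetAdapterName $WanNic -AllowManagementOS $false

# Steps 3-4: create the VM with the LAN switch as its first and only adapter.
# Sizes follow the minimum spec quoted earlier in the thread (1 vCPU, 2 GB RAM, 4 GB + 80 GB disks).
New-VM -Name $VmName -Generation 1 -MemoryStartupBytes 2GB -SwitchName 'LAN' `
       -Path $VmRoot -NewVHDPath "$VmRoot\primary.vhdx" -NewVHDSizeBytes 4GB
Set-VMProcessor -VMName $VmName -Count 1
New-VHD -Path "$VmRoot\secondary.vhdx" -SizeBytes 80GB -Dynamic | Out-Null
Add-VMHardDiskDrive -VMName $VmName -Path "$VmRoot\secondary.vhdx"
Add-VMDvdDrive -VMName $VmName -Path $IsoPath

# Step 5: only now add the second adapter, bound to the WAN switch,
# so the installer sees the LAN-facing adapter as the first port.
Add-VMNetworkAdapter -VMName $VmName -Name 'WAN' -SwitchName 'WAN'

# Verify before booting: first row should show SwitchName LAN, second row WAN,
# and each switch should be bound to the physical NIC you expect.
Get-VMNetworkAdapter -VMName $VmName | Select-Object Name, SwitchName, MacAddress
Get-VMSwitch -Name 'LAN','WAN' | Select-Object Name, SwitchType, NetAdapterInterfaceDescription

# Step 6: boot from the ISO and run the Sophos installer from the VM console.
Start-VM -Name $VmName
```

Once the install finishes, set a spare host or laptop adapter to 172.16.16.18/24 on the LAN side and browse to https://172.16.16.16:4444 to finish setup, as the post describes.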

  • Nash,

    Ok, I follow you now. I will take another shot at this tonight and report back.

     

    -Rob

  • Good luck. Let me know if you still have problems. I'm no expert but I got mine to work in Hyper-V so I know it works.

  • Nash,

    Good luck on VoIP. I won't be setting that up myself.

    So here is what I accomplished so far:

    Rebuilt my VM to your spec.

    Reinstalled SFOS 16.05.3 MR-3 for a clean environment.

    Disconnected both ethernet cables from the physical server, set my laptop for 172.16.16.18 and connected to the built-in NIC. I received a reply on this port so this would be the LAN port. I connected to the other port and I was unable to receive a reply, making this one the WAN port.

    I labeled everything accordingly and now I'm out of time. I'll pick this up again tomorrow.

    -Rob