
Sophos UTM and UniFi

Hi all,

I'm considering installing Sophos UTM at my business. I currently have a UniFi setup: Fibre Modem --> UniFi USG --> UniFi Switch --> UniFi APs.

I have a few questions about the install. Firstly, do I install the UTM in between the fibre modem and the USG, or between the USG and switch? The main reason for using Sophos UTM is to fill in the gaps that the UniFi USG can't do, mainly keeping records of MAC addresses and websites visited, and web filtering. My plan was to use it in transparent mode. I understand the issue with using it to record HTTPS, as I will need to install a custom cert, which is fine, or live with the HTTPS cert errors.

Also, I have 4 VLANs set up, so if I was to put the UTM in between the USG and switch, will the UTM pass all the VLANs, i.e. trunking?

My other idea was to use the UTM as a VPN server; currently the UniFi one is very buggy. So ideally the UTM will need to be installed between the fibre modem and the USG. If so, does the UTM support PPPoE?

And finally, to test the system I will be using an old Intel i3 3220 and a 4-port Intel NIC. Will this be OK for web filtering/reporting and VPN? Not too concerned about AV and IPS; maybe I can look at this another time. My line connection is currently 100/20 with the option to upgrade to 300/30.

Sorry for all the questions 



  • You can place the UTM where you wish. My advice? Connect the fibre modem directly to the UTM. Completely remove the USG as it will complicate things.

    The i3 will be OK. Make sure you have enough RAM and hard drive space (80GB) and, if possible, place it on an SSD.

  • OK, thanks for the advice. Going to build the UTM tomorrow and see what happens. Will test it in both locations. I would like to keep the USG at the moment.

    The PC I have has 8GB RAM and a 120GB SSD, so it should be fine. In the future I would like to look at something lower powered, possibly an Intel N3150. I see the Gigabyte one has dual LAN. I know they are Realtek, but it looks like others have used this board with success.

  • You can keep the USG without issue, but I would put the UTM as the forward-facing firewall and possibly disable all the firewall functions etc. on the USG and just use it for routing etc.

    Having two firewalls in the mix with 2 sets of rules will complicate the setup although it can be done. Doing it that way would result in a DMZ with the outside interface of the USG becoming the DMZ.

    Don't forget the UTM can be a bit of a hungry beast as well depending on what you are asking it to do.

  • Testing today hasn't gone so well. I had it set up as fibre modem --> USG --> Sophos UTM --> LAN switch.

    I set up a bridge using 2 LAN ports and had a third for management. Management was fine. The bridge got an IP from the correct range. Internally all my devices were working; however, none could access the internet. When trying to get to any site I got a network unreachable. I was intermittently able to ping outside 8.8.8.8.

    The problem seems to be 2 issues: the UniFi controller was seeing the MAC on the UTM as the UniFi USG, so it was causing some weird issues with the USG. Then I'm guessing the network unreachable issue was due to DNS.

    If I install in this config, fibre modem --> UTM --> USG --> switch, the fibre modem requires PPPoE. If I install it in transparent bridge mode, will it work? What IP would the LAN side get?

  • The UTM can easily handle the PPPoE. My home setup is like that. You can't install the UTM in bridge mode doing this. Bridge mode is for when your USG is in front and the UTM sits between the USG and LAN.

    I've never set the UTM up in bridge mode as I normally put the UTM as front facing due to its capabilities. If you want to keep the USG, you will be dealing with a two-NAT scenario and routing, as the front-facing router will not be aware of the innermost LAN network and will need guidance, particularly if you plan on exposing some services from that LAN.

    UTM WAN = 7.7.7.7
    UTM LAN = 10.0.0.1/24

    USG WAN = 10.0.0.2/24   <<<< this has to be on the same subnet as the UTM LAN and has to have the UTM LAN IP as its gateway. This could be your DMZ network
    USG LAN = your current LAN

    The above is one way of doing it. There are others.
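A way to sanity-check the two-NAT layout laid out in the reply above, as an added example in Python (not Sophos or Ubiquiti code). It takes the addresses from the reply (UTM WAN 7.7.7.7, UTM LAN 10.0.0.1/24, USG WAN 10.0.0.2/24 with 10.0.0.1 as gateway) and assumes a constructed USG LAN of 192.168.1.0/24, an internal host 192.168.1.10 and two port forwards, to show why the outer router needs "guidance" for an exposed service: every hop must forward to the next router's WAN address, never directly to the inner LAN.

```python
"""Sanity-check a two-router (double NAT) layout like the one in the reply above.

Added example, not Sophos or Ubiquiti code.  Addresses taken from the reply:
UTM WAN 7.7.7.7, UTM LAN 10.0.0.1/24, USG WAN 10.0.0.2/24 with the UTM LAN
address as its gateway.  The USG LAN 192.168.1.0/24, the internal host
192.168.1.10 and the port forwards are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    wan_ip: str                 # address on the outer (WAN) side
    lan_net: str                # router's own LAN address with prefix, e.g. 10.0.0.1/24
    gateway: Optional[str]      # next hop on the WAN side (None for the ISP-facing router)
    # Port forwards: WAN port -> (destination address, destination port)
    dnat: Dict[int, Tuple[str, int]] = field(default_factory=dict)


def check_addressing(outer: Router, inner: Router) -> List[str]:
    """Problems with how the inner router hangs off the outer router's LAN."""
    problems = []
    outer_lan = ipaddress.ip_interface(outer.lan_net)
    inner_lan = ipaddress.ip_interface(inner.lan_net)
    inner_wan = ipaddress.ip_address(inner.wan_ip)

    # The inner router's WAN address must sit inside the outer router's LAN subnet ...
    if inner_wan not in outer_lan.network:
        problems.append(f"{inner.name} WAN {inner_wan} is not in {outer.name} LAN {outer_lan.network}")
    # ... and its default gateway must be the outer router's LAN address.
    if inner.gateway is None or ipaddress.ip_address(inner.gateway) != outer_lan.ip:
        problems.append(f"{inner.name} gateway should be {outer_lan.ip}, got {inner.gateway}")
    # The two LAN subnets must not overlap, or routing between them becomes ambiguous.
    if outer_lan.network.overlaps(inner_lan.network):
        problems.append(f"LAN subnets overlap: {outer_lan.network} and {inner_lan.network}")
    return problems


def resolve_forward(chain: List[Router], port: int) -> Optional[Tuple[str, int]]:
    """Follow an inbound port forward hop by hop, outermost router first.

    Because the outer router only knows the inner router's WAN address, each
    hop must DNAT to the next router's WAN address; only the last hop may point
    at the internal host.  Returns the final (address, port) or None if the
    chain is broken.
    """
    target = None
    for idx, router in enumerate(chain):
        if port not in router.dnat:
            return None                       # nobody forwards this port here
        target = router.dnat[port]
        if idx + 1 < len(chain):
            if target[0] != chain[idx + 1].wan_ip:
                return None                   # hop skips the next router
            port = target[1]
    return target


# The layout from the reply, with constructed forwards: HTTPS goes UTM -> USG -> host,
# while the SSH forward wrongly points straight at the inner LAN host.
UTM = Router("UTM", wan_ip="7.7.7.7", lan_net="10.0.0.1/24", gateway=None,
             dnat={443: ("10.0.0.2", 443), 22: ("192.168.1.10", 22)})
USG = Router("USG", wan_ip="10.0.0.2", lan_net="192.168.1.1/24", gateway="10.0.0.1",
             dnat={443: ("192.168.1.10", 443)})


def audit() -> Dict[str, object]:
    return {
        "addressing problems": check_addressing(UTM, USG),
        "https forward": resolve_forward([UTM, USG], 443),
        "ssh forward": resolve_forward([UTM, USG], 22),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

Running it reports no addressing problems, resolves the HTTPS forward to the internal host, and returns None for the SSH forward, because the UTM's rule targets an address it has no route to (the USG's LAN), which is exactly the kind of gap the reply warns about.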

  • Again, thanks for the help. I like having the USG WAN-facing as it's simple to configure with the GUI; however, it looks like I may have to put the UTM at the front, I'm guessing in Standard Mode. I do have services behind my USG, so I suppose the options are to have the firewall on the UTM open and let the USG deal with it, or the opposite way around: firewall the UTM and have the USG open.

    I think I know where my testing was going wrong. When in bridge mode and fully transparent, do I set the bridge IP to 0.0.0.0 or DHCP? I had it on DHCP, so it was getting an IP from my internal network and then causing havoc with my USG. I'm guessing it needs to be 0.0.0.0 to be in seamless mode.

  • Not sure about bridging mode. You can have your USG at the front too but I think it would be a waste compared to what the UTM can offer you.

  • Hello Peter

    Not sure if you still want to do this, but I managed to get this setup running.

    Before you start, backup your UniFi configuration!!!!

    Step 1: Edit all port forwarding rules to the XG Firewall; create a new rule to forward UniFi ports to the XG Firewall.

    https://help.ubnt.com/hc/en-us/articles/218506997-UniFi-Ports-Used

    Step 2: Connect the XG Firewall to the LAN and to the router using a crossover cable.

    Step 3: From your computer, log in to the XG Firewall via web browser and configure bridge mode. The IP address has to be on the same subnet as your LAN; once this is done, users should start browsing the internet as normal.

    Step 4: Configure the XG as a DHCP relay and create a network rule that allows all traffic between the UniFi gateway IP address and the controller PC IP address; after this you should be able to see the gateway on the controller.

    Step 5: Recreate your port mapping rules to forward from the XG Firewall to the server.

    Hope this helps

  • I wrote this a while back and submitted it for the Wiki, but it never made it in. I hope it helps you understand the four common options, although you seem to introduce a fifth option which I did not consider: placing UTM in front of the previous firewall. My comments are general; the other replies have addressed particulars, such as the limitations when using PPPoE to your ISP.

    Options for deploying UTM into your Network

    When UTM is added to a network with an existing firewall, it can be configured in several ways.  Each option has an impact on the available defenses and on the complexity of implementation.

    1. As a node added anywhere on the internal network, behind the existing firewall, but separate from the existing firewall.
      1. Limitations: Transparent Web Proxy, Transparent FTP, Transparent POP3, and Firewall Rules are not usable because traffic does not flow through the device on its way to the internet. Transparent Web and FTP are important for ensuring complete protection from web-based threats.
      2. Security Risks: Loss of protection from the unusable features.
      3. Implementation: Nothing in the existing network is disrupted. Traffic is routed to UTM by configuring Standard Web Proxy, WAF, SMTP Proxy, WebAdmin, VPN, and User Portal incrementally.
    2. Immediately behind the existing firewall in bridged mode.
      1. Limitations: QoS does not work on a bridged connection. Transparent Web Proxy with AD SSO will be unusable, because it will conflict with User Portal operating on the same IP Address and Port. This can be avoided if you are willing to operate the User Portal on a non-standard port, but doing so may limit users' ability to connect to the portal from some remote locations. https://community.sophos.com/kb/en-us/121221
      2. Security Risks: Loss of protection from the unusable features.
      3. Implementation: Although it is somewhat complex to configure the UTM bridge, the new configuration is transparent to existing traffic.
    3. Immediately behind the existing firewall, in routed mode.
      1. Limitations: This configuration should permit use of all features.
      2. Security Risks: None identified, because the existing firewall should block unneeded ports. If implementing intermediate-risk zones, such as DMZ or Guest WiFi, the risks and limitations depend on whether the intermediate zone is configured on the firewall or the UTM. If configured on the UTM, the risks and defensive measures are the same as explained in the firewall replacement option.
      3. Implementation: This can be a difficult way to insert UTM into an existing network, because of the need to configure UTM and firewall settings at the same time.
    4. Replace the existing firewall.
      1. Limitations: This configuration should permit use of all features.
      2. Security Risks: Failure to understand the UTM architecture, leading to unexpected openings on the internet.
        1. Create a DNAT to NULL entry for internet traffic to port 3400 for all internet-facing IP addresses. This port is opened on all interfaces and addresses when RED is enabled, but is not needed for internet-facing addresses. https://community.sophos.com/kb/en-us/126989
        2. Create a DNAT to NULL rule for internet traffic to ports 25, 465, and 587, for any internet IP addresses which are not intended for this purpose. When SMTP proxy is enabled, it opens these ports on all interfaces and addresses. Because the proxy will protect all incoming traffic, it is not actually a security risk, but it tends to be flagged by security scanning services. If SMTP authenticated submission is not needed, 465 and 587 may be appropriate to DNAT-to-Null on all UTM IP Addresses.
        3. A Filter Profile-Policy-Filter Action set may be needed for web traffic originating in an intermediate-trust zone such as a DMZ or Guest WiFi subnet. In these cases, it is appropriate to enable the Web Proxy to protect traffic heading to the internet, but block traffic destined for any IP address or DNS name that represents an internal destination. This is needed because traffic from a DMZ to an internal destination, if allowed at all, should flow through the protective filter of a WAF site. Both IP Address and DNS Name blocks can be configured in the Websites section of a Filter Action.
      3. Implementation: Unless the previous firewall configuration was trivial, this approach is difficult because of the need to replicate all configuration settings of the existing firewall at once.

    Changing from any one of these configurations to an alternative is likely to be difficult.  Given that the goal should be to enable all protection features, it is recommended to start with one of the last two options.

        
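The "firewall replacement" risks in the write-up above come down to listeners that UTM opens on every address when a feature is enabled, and DNAT-to-NULL rules that close them where they are not wanted. The following is an added example in Python (not Sophos code, and not the post author's) that models that rule set against a constructed address table (7.7.7.7 and 10.0.0.1 from the earlier reply, plus an assumed second public address 7.7.7.8 designated for inbound mail) and reports which (address, port) pairs remain reachable from the internet, so the effect of each recommended rule can be checked before touching the firewall.

```python
"""Model which UTM service ports remain reachable from the internet once the
DNAT-to-NULL rules described in the write-up above are in place.

Added example, not Sophos code.  The write-up states that enabling RED opens port
3400 and enabling the SMTP proxy opens 25, 465 and 587 on every interface and
address; this script applies that behaviour to a constructed address set:
7.7.7.7 (the earlier reply's UTM WAN), 7.7.7.8 (a constructed second public
address designated for inbound mail) and 10.0.0.1 (the earlier reply's UTM LAN).
"""
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, int]   # (address, port)

# Address -> whether it is internet-facing.  Constructed for the example.
ADDRESSES: Dict[str, bool] = {
    "7.7.7.7": True,      # WAN address from the earlier reply
    "7.7.7.8": True,      # constructed additional public address used for inbound mail
    "10.0.0.1": False,    # LAN address from the earlier reply
}

# Ports each feature opens on every address when enabled, per the write-up.
FEATURE_PORTS: Dict[str, Set[int]] = {
    "RED": {3400},
    "SMTP proxy": {25, 465, 587},
}


def listeners(enabled: List[str]) -> Set[Listener]:
    """Every (address, port) the enabled features bind, on all addresses."""
    return {(addr, port)
            for feature in enabled
            for port in FEATURE_PORTS[feature]
            for addr in ADDRESSES}


def dnat_to_null_rules(mail_addresses: Set[str], need_submission: bool) -> Set[Listener]:
    """The rule set recommended in the write-up, as (address, port) pairs to drop.

    - 3400 is dropped on every internet-facing address (RED is not needed there).
    - 25/465/587 are dropped on internet-facing addresses not meant for mail.
    - If authenticated submission is not needed, 465/587 are dropped on all addresses.
    """
    rules: Set[Listener] = set()
    for addr, internet_facing in ADDRESSES.items():
        if internet_facing:
            rules.add((addr, 3400))
            if addr not in mail_addresses:
                rules.update((addr, p) for p in (25, 465, 587))
        if not need_submission:
            rules.update((addr, p) for p in (465, 587))
    return rules


def internet_exposure(enabled: List[str], rules: Set[Listener]) -> Set[Listener]:
    """Listeners on internet-facing addresses that no DNAT-to-NULL rule covers."""
    return {(addr, port) for addr, port in listeners(enabled)
            if ADDRESSES[addr] and (addr, port) not in rules}


def report() -> Dict[str, Set[Listener]]:
    enabled = ["RED", "SMTP proxy"]
    rules = dnat_to_null_rules(mail_addresses={"7.7.7.8"}, need_submission=False)
    return {
        "without rules": internet_exposure(enabled, set()),
        "with rules": internet_exposure(enabled, rules),
    }


if __name__ == "__main__":
    for label, exposed in report().items():
        print(f"{label}: {sorted(exposed)}")
```

With RED and the SMTP proxy enabled and no rules, all four ports show on both public addresses; with the recommended rules, only port 25 on the designated mail address stays reachable, and the LAN side keeps port 3400 for RED tunnels.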

  • Doug's Options for deploying UTM into your Network is now in the Wiki.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA