Hello dear colleagues on the front line of our lovely and sometimes hated UTM and SG devices
I created this thread to discuss my feature request and to look for supporters and voters ;)
Everyone who needs to maintain hundreds of users on a UTM, please read and vote at http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/14094174-improve-user-and-vpn-config-management-of-utm :
Importing hundreds of remote-authenticated (LDAP) or local users into UTM is a pain! The only way is to hire a dozen students to hack the users into the system. Then you can "bulk-download" the users' VPN config via WebAdmin. Has anyone tried to mark more than 25 users to download the config or delete the user objects? On my SG430, no chance. I think many of you know the message: "script is running for more than 30 s - it is possible we do the job if you click ten times or more on continue - but we can not promise anything ..."
Until v9.2xx there was a hidden solution for that job: the user_maintenance tool, a perfect script to maintain the users for SSL VPN connections. This tool was programmed by an Astaro engineer who left the company after the merger into Sophos. As I clarified with support, this script is no longer maintained or supported. (It is available on every UTM - try it on a test system ;)
Description:
user_maintenance tool - only use on Sophos UTM 9.2xx and v9.1xx!
Usage: user_maintenance.plx --action [create|delete|import|export|disable|enable|sslconfig|showCAs] options....
Actions:
create: creates new user objects and the associated certificates
delete: irrevocably deletes the specified users and all associated objects from the local confd
export: exports all confd objects belonging to the user to the file exportfile
import: imports the objects exported on a DIFFERENT ASG from the file importfile into the local confd
disable: deactivates the specified users so that login is no longer possible, but without deleting them
enable: activates the specified users so that login is possible again
sslconfig: creates the SSL VPN/OpenVPN configuration files
showCAs: lists the existing verification CAs
Options:
--noninteractive: non-interactive mode (no user input)
--usernamefile FILE: the usernames the action should be applied to are listed in file FILE
--importfile FILE: the data previously exported on another ASG is read from here for import (action 'import' only)
--exportfile FILE: the data to be exported is saved here (action 'export' only)
--target_CA REF_NAME: the certificate data to be imported is bound to this verification CA
(Sorry - the tool is in German; it was written for the needs of a German company, if I'm right. At this point, sorry for my English - I know it's not the best, and sometimes Google Translate is my best friend ;)
In larger environments it is a must-have to automate the rollout and maintenance of users. There are established workflows for the approval and deployment of users to all necessary systems, applying rules and rights and so on, well known as IDM (identity management). Speaking for our company: Sophos UTM is the only system where I have to add the users manually ...
I wish for:
- a scripting API (like Sophos XG? But I don't know if it is possible with this API; as I read, at this time you can only log a user in and out there?) with the functionality of the user_maintenance tool
- the ability to sync users with LDAP, like Active Directory (auto import of users)
- the ability to bulk-renew users' certificates with auto-enrollment to SSL VPN clients. We have developed a solution where the VPN client requests the state of the certificate over a REST service and, if necessary, downloads the new certificate and starts the connection with the new one. This is needed because of our security policy to change certificates at defined intervals, and for availability of remote access after an incident like Heartbleed, with the need to change the certificates in a small time range
- the ability for scripted export of VPN configs (within an IDM workflow with automatic creation of separate letters for username/password/CD with VPN client and support tools)
- that's what comes to mind at the moment - any further ideas?
I have read some pages of feature requests and: I'm not alone:
Requests for user management:
http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/540991-authentication-mass-deletion-of-user-accounts
http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/4562948-user-definition-import-from-txt-or-csv-file
http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/7318223-we-want-to-export-8000-user-with-password-in-plain
http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/11534943-bulk-user-account-creation
http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/9074578-user-migration
http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/9116776-users-utm
Requests for VPN config management:
http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/178366-ssl-vpn-distribution-for-ssl-vpn-configurations
http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/6953972-automated-vpn-config-download-for-deployment
I look forward to your comments and votes :)
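Added example (not part of the original post, and not Sophos' or the tool author's code): a small POSIX shell wrapper around the user_maintenance tool described above. It only relies on the syntax the post's help text shows (--action, --noninteractive, --usernamefile); the tool path in UM_TOOL, the DRY_RUN switch and the batch size of 25 (mirroring the WebAdmin limit the author ran into) are assumptions. Because the delete action is irrevocable, the list is validated and de-duplicated before the tool ever sees it, and the constructed sample input lives in a comment.

```shell
#!/bin/sh
# Wrapper for user_maintenance.plx (added example, not the tool's own code).
# UM_TOOL: assumed location of the script; override via the environment.
UM_TOOL="${UM_TOOL:-/usr/local/bin/user_maintenance.plx}"
# BATCH_SIZE: assumed safe batch size, chosen after the 25-user WebAdmin limit.
BATCH_SIZE="${BATCH_SIZE:-25}"

# validate_usernames IN OUT
# Writes a cleaned username list to OUT: CR/LF and surrounding blanks stripped,
# empty lines dropped, duplicates dropped with a warning. Any name containing a
# character outside a conservative set is rejected and the function returns 1,
# so a calling script stops before an irreversible action touches confd.
validate_usernames() {
    in="$1"; out="$2"; rc=0
    : > "$out"
    while IFS= read -r line || [ -n "$line" ]; do
        name=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$name" ] && continue
        case "$name" in
            *[!A-Za-z0-9._@-]*)
                echo "reject: '$name' (unexpected character)" >&2; rc=1; continue ;;
        esac
        if grep -qxF -- "$name" "$out"; then
            echo "skip: '$name' (duplicate)" >&2; continue
        fi
        printf '%s\n' "$name" >> "$out"
    done < "$in"
    return $rc
}

# run_in_batches ACTION LISTFILE
# Splits LISTFILE into chunks of BATCH_SIZE names and calls the tool once per
# chunk with --noninteractive --usernamefile. With DRY_RUN=1 the commands are
# only printed to stderr. Prints the number of batches on stdout and returns
# non-zero as soon as one tool invocation fails.
run_in_batches() {
    action="$1"; list="$2"
    tmp=$(mktemp -d) || return 1
    split -l "$BATCH_SIZE" "$list" "$tmp/batch."
    n=0
    for f in "$tmp"/batch.*; do
        [ -e "$f" ] || break
        n=$((n + 1))
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "would run: $UM_TOOL --action $action --noninteractive --usernamefile $f" >&2
        else
            "$UM_TOOL" --action "$action" --noninteractive --usernamefile "$f" \
                || { rm -rf "$tmp"; return 1; }
        fi
    done
    rm -rf "$tmp"
    echo "$n"
}

# Usage (constructed sample, run manually):
#   printf 'alice\nbob\r\n  carol \nalice\n' > users.txt
#   validate_usernames users.txt users.clean || exit 1   # 3 names, 'alice' once
#   DRY_RUN=1 run_in_batches sslconfig users.clean       # prints the batch count
```

Running the validation first is the point: the tool's delete action removes users and all their objects from confd without undo, so a stray Windows line ending or a typo in the list should be caught in the wrapper, not discovered afterwards. Keep DRY_RUN=1 until the printed commands look right, then drop it to execute them against a test system first.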