APX 320 X, UTM Firewall + Wireless Protection

Hello,

I have created an account on Sophos Central in order to manage some APX 320 X and I can't connect these APs to Sophos Central.

BUT, I already have Wireless Protection on my UTM 9 (firmware 9.713-19) enabled with nearly 60 APs configured.

I have read on this thread "AP did not connect to cloud within the timeout" that I should disable Wireless Protection on the UTM. Is that correct?

If it's correct, that doesn't suit me ....

Will Sophos support APX 320 X on UTM or not ?

  • Actually, I found a way to connect my APX 320 X to Sophos Central while Wireless Protection is activated on my UTM.

    Step 1: Create a dedicated VLAN for APX 320 X on the UTM and switches ....

    Step 2: Configure your UTM's DNS to accept requests from this VLAN.

    Step 3: Configure the DHCP for this VLAN with the UTM's IP address as DNS and gateway, domain if you want.

    Step 4: Configure a masquerading rule for this VLAN in order to go properly on the Internet.

    Step 5: Configure firewall rules to permit outgoing traffic to Internet from this VLAN and also to permit RADIUS requests to your RADIUS server.

    Don't forget to register your APX 320 X on Sophos Central and make the necessary configuration on the cloud platform.

    Things you should not do: add this VLAN to your Wireless Protection configuration on the UTM, so the traffic won't be intercepted by the UTM for this service.

    We can say this is a hybrid configuration with Sophos Central and UTM's Wireless Protection.

    This configuration works for me. I did it because I need to keep the Wireless Protection enabled for my other APs and I need Sophos Central for the APX 320 X.

  • Thank you for the update!

    We are glad it worked for you.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • Hi, Jean-Charles - thank you for your contribution! This is the first time I have seen a solution for the UTM and the APX 320.

    Regards - Bob
    PS Moving this thread to Recommended Reads

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,
    I read your success story and wanted to ask you for help.
    I have UTM 9 with wireless protection enabled with around 20 APs connected.
    I need to expand the signal coverage and I need to buy the new AP6.
    I can't turn off wireless protection as suggested in other posts, but I have to do a hybrid configuration for the moment.

    On UTM eth0 I configured my LAN 192.168.10.X and it is connected with the network cable to a switch that works as a star center for other floor switches.
    There are no VLANs on the switches.
    Could you explain your steps to me in more detail? I'm a little confused about VLANs, tagged and untagged ports, trunks, etc.
    Thanks in advance.
    Matt

  • Your AP6 has to reach the internet like a simple client. ... but - unfiltered

    You need:

    - DHCP

    - DNS

    - (default) masquerading rule to reach the internet

    - Firewall Rule AP -> Internet

    - transparent proxy exception for AP's IP


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Dirk!

    Thanks for replying.
    What you wrote to me is all related to the UTM. What should I do about the switches?
    I read that APs must be connected on untagged ports, because now my configuration is like this: "On UTM eth0 I configured my LAN 192.168.10.X and it is connected with the network cable to a switch that works as a star center for other floor switches."
    On eth0 create the VLAN of the APs, and follow all the instructions you gave me, but I don't know what to do for the various floor switches where the APs will be attached.
    Thank you

    Matt

  • Hello Matt,
    you didn't mention whether multiple SSIDs are offered.
    There weren't many other details either.
    The settings I listed should enable the AP6 to reach Central and register.
    If the AP6 should simply offer the local network in one SSID, no VLAN is necessary.
    Anything else (network planning, VLAN, switches, ...) would amount to a small project. You should get your partner to help you with that.


    Dirk
