APX 320 X, UTM Firewall + Wireless Protection

Hey Jean-Charles SIEGEL ,

Thank you for reaching out to the community, Please refer the following article:

> Removal of License Requirement in Sophos Central
> Try re-flashing the APX 320X - Recover bricked access points using the Sophos Flashing Tool
> Understand the Network requirements
> Follow - How to Register an Access Point
> APX 320 X is only Supported on Sophos Central.

Actually, I found a way to connect my APX 320 X to Sophos Central while Wireless Protection is activated on my UTM.

Step 1 : Create a dedicated VLAN for APX 32 X on the UTM and switches ....

Step 2 : Configure your UTM's DNS to accept requests from this VLAN.

Step 3 : Configure the DHCP for this VLAN with the UTM's IP address as DNS and gateway, domain if you want. 

Step 4 : Configure a masquerading rule for this VLAN in order to go properly on the Internet

Step 5 : Configure firewall rules to permit outgoing traffic to Internet from this VLAN and also and to permit radius requests to your radius server.

Don't forget to register your APX 320 X on Sophos Central and make the necessary configuration on the cloud platform.

Things you should not do : Add this VLAN to your Wireless Protection configuration on the UTM, so the traffic won't be intercepted by the UTM for this service.

We can say this is a hybrid configuration with Sophos Central and UTM's Wireless Protection.

This configuration works for me. I did it because I need to keep the Wireless Protection enabled for my other APs and I need Sophos Central for the APX 32 X.

Thank you for the update Jean-Charles SIEGEL !

We are glad it worked for you.

Salut, Jean-Charles - merci pour ta contribution !  C'est la première fois que je vois une solution pour l'UTM et l'APX 320.

Cordialement - Bob
PS Moving this thread to Recommended Reads

Hi,
I read your success story and wanted to ask you for help.
I have UTM 9 with wireless protection enabled with around 20 APs connected.
I need to expand the signal coverage and I need to buy the new AP6.
I can't turn off wireless protection as suggested in other posts, but I have to do a hybrid configuration for the moment.

On utm eth0 i configured my LAN 192.168.10.X and it is connected with the network cable to a switch that works as a star center for other floor switches.
There are no vlans on the switches.
Could you explain your steps to me in more detail? I'm a little confused about VLANs, tagged and untagged ports, trunks, etc.
thanks in advance.
Matt

Hi,
I read your success story and wanted to ask you for help.
I have UTM 9 with wireless protection enabled with around 20 APs connected.
I need to expand the signal coverage and I need to buy the new AP6.
I can't turn off wireless protection as suggested in other posts, but I have to do a hybrid configuration for the moment.

On utm eth0 i configured my LAN 192.168.10.X and it is connected with the network cable to a switch that works as a star center for other floor switches.
There are no vlans on the switches.
Could you explain your steps to me in more detail? I'm a little confused about VLANs, tagged and untagged ports, trunks, etc.
thanks in advance.
Matt

Your AP6 has to reach the internet like a simple client. ... but - unfiltered

You need:

- DHCP

- DNS

- (default) masquerading rule to reach the internet

- Firewall Rule AP -> Internet

- transparent proxy exception for AP#s IP

Hi Dirk!

thanks for replying.
what you wrote to me is all related to the utm. what should I do about the switches? 
I read that APs must be connected on untagged ports, because now my configuration is like this:
"On utm eth0 i configured my LAN 192.168.10.X and it is connected with the network cable to a switch that works as a star center for other floor switches."
On eth0 create the vlan of the APs, and follow all the instructions you gave me, but I don't know what to do for the various floor switches where the APs will be attached.

Thank you

Matt

Hello Matt,
you didn't mention whether multiple SSIDs are offered.
There weren't many other details either.
The settings I listed should enable the AP6 to reach Central and register.
If the AP6 should simply offer the local network in one SSID, no VLAN is necessary.
Anything else (network planning, VLAN, switches, ...) would amount to a small project. You should get your partner to help you with that.