Setting up Sophos UTM at home can be an awesome alternative to your ISP’s standard router. It offers more features and functionality than a stock router, and has many options that make setting up a secure home network easy and useful, from hosting a blog at home to allowing remote access to your network, all done through a good-looking web interface on one machine. Today we will be looking at setting up Sophos UTM 9 on an ESXi 5.5 host, along with some basic configuration. Later we will look at setting up a web server on port 80, allowing remote access using an SSL VPN, and possibly adding some security to the web interface.
We start off with installing Sophos onto an ESXi 5.5 host. This can be tricky, especially setting up the ESXi network. To set up the network, it is recommended to have 2 physical Ethernet ports, one for the WAN interface and one for the LAN interface. It is possible to use VLANs; however, I will be sticking to the two physical ports option.
Once you have logged into the vSphere client, go to the Configuration tab and select Networking. Then select Add Networking.
Choose the option for Virtual Machine, and select one of the NICs under “Create a vSphere standard switch”.
Change the Network Label to whatever you prefer, leaving VLAN ID set to none.
Click next to review the summary, and click Finish to create the new vSwitch.
If you only have two ports, you can use the standard vSwitch0 (which by default carries both a VM port group and the management network) for the LAN interface, and the second switch for the WAN interface. You will want all of your VMs to be on the LAN switch; to move them, edit each VM's settings, delete the old network adapter, and add a new network adapter on the LAN switch, which will be explained below. Note: best practice is to have 3 dedicated ports: one for the management network with a dedicated static IP, one for the LAN interface going to a switch, and one for the WAN interface going to the modem. Keeping the WAN uplink on its own vSwitch ensures the UTM is the only path between the internet and your internal VMs.
Once you have the network setup completed, it is time to download Sophos UTM 9.
To download and add the Sophos ISO to your ESXi host, first download it from Sophos UTM 9 (Home Edition). Once the download has completed, add the ISO to the datastore on the host: navigate to the Summary page, right-click the datastore, and select Browse Datastore. A new window will open; click the icon of stacked disks with the up arrow, navigate to the downloaded ISO on your computer, and click Open. The file will transfer, and you are ready to create your virtual Sophos UTM appliance.
Create a new VM with custom settings. Name the VM to your liking, select the datastore, and select the VM version (the newer the better; I use 8). Select Linux, and choose SUSE Linux Enterprise 11 (64-bit). Choose the number of cores (1 is usually OK) and the amount of RAM (I used 2GB). Select 2 NICs to connect, with NIC 1 as the WAN interface and NIC 2 as LAN, and choose your adapter type (I used VMXNET 3 adapters). Choose the default SCSI controller, choose “Create a new virtual disk”, and select a size (16GB is good). Do not change the advanced options, and select the “Edit the virtual machine settings before completion” option on the last page. Select “New CD/DVD”, choose “Datastore ISO File”, and select your Sophos ISO from the menu. Make sure to select “Connect at power on” and click Finish. Once the virtual machine has been created, start it and open the console.
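The same ESXi-side work (separate WAN and LAN vSwitches, a VM with two VMXNET 3 adapters in the WAN-first order, and the ISO attached) can be scripted with PowerCLI instead of clicking through the vSphere client. This is an added example, not from the original post; the host name, datastore name, vmnic names and ISO path are assumptions you must replace for your environment.

```powershell
# Added example: PowerCLI equivalent of the vSphere client steps above.
# Assumptions (replace these): ESXi host name, uplink vmnic names, datastore and ISO path.
Connect-VIServer -Server "esxi.example.local"
$vmhost = Get-VMHost -Name "esxi.example.local"

# WAN uplink gets its own standard vSwitch so the UTM is the only bridge to the modem.
$wanNic    = Get-VMHostNetworkAdapter -VMHost $vmhost -Physical -Name "vmnic1"
$wanSwitch = New-VirtualSwitch -VMHost $vmhost -Name "vSwitch1" -Nic $wanNic
New-VirtualPortGroup -VirtualSwitch $wanSwitch -Name "WAN" | Out-Null

# LAN port group stays on the default vSwitch0 (two-port layout described above).
$lanSwitch = Get-VirtualSwitch -VMHost $vmhost -Name "vSwitch0"
New-VirtualPortGroup -VirtualSwitch $lanSwitch -Name "LAN" | Out-Null

# Create the appliance VM: hardware version 8, SLES 11 64-bit guest type, 1 vCPU, 2GB, 16GB disk.
$vm = New-VM -Name "sophos-utm" -VMHost $vmhost -Datastore "datastore1" `
    -Version v8 -GuestId "sles11_64Guest" -NumCpu 1 -MemoryGB 2 -DiskGB 16 -CD

# Replace the default adapter: NIC 1 = WAN, NIC 2 = LAN, both VMXNET 3 (order matters for the installer).
Get-NetworkAdapter -VM $vm | Remove-NetworkAdapter -Confirm:$false
New-NetworkAdapter -VM $vm -NetworkName "WAN" -Type Vmxnet3 -StartConnected | Out-Null
New-NetworkAdapter -VM $vm -NetworkName "LAN" -Type Vmxnet3 -StartConnected | Out-Null

# Attach the uploaded ISO and make it connect at power on, then boot into the installer.
Get-CDDrive -VM $vm | Set-CDDrive -IsoPath "[datastore1] iso/SOPHOS-UTM-9-ISO-PLACEHOLDER.iso" `
    -StartConnected:$true -Confirm:$false | Out-Null
Start-VM -VM $vm
```

After the install, Get-NetworkAdapter -VM $vm is a quick way to confirm that adapter 1 is on WAN and adapter 2 on LAN before you trust the firewall with your internet connection.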
Press Enter to start the installation; the installer will start and detect hardware.
Then select your area and enter the date and time information.
Select the admin interface (this is usually the NIC that is going to be for the LAN connection).
Configure the administrative network interface (the internal IP address of the network; in this case I chose 192.168.2.100 with the default netmask of 255.255.255.0).
I installed with a 64-bit kernel; however, if you notice issues, a 32-bit install should work better.
I installed the Enterprise Toolkit. I have not tried installing without the toolkit, so I am unsure how it works.
For this install I got an info message about my VM running in V8 mode due to only using 512MB of RAM. If you are using 2GB of RAM, you should not see this screen.
Select Yes, you want to proceed, and the disk will be set up for Sophos. Remove the virtual CD from the system and select Reboot. Once the machine has rebooted and everything is completed, open the web interface with the IP and port number listed (my URL is https://192.168.2.100:4444).
Once you have the web interface open, you can start the setup. Enter the hostname as sophos.[yourdomain.com] OR sophos.local. Enter the company name (for home use, use Home), your city, and your country, set the admin password, and add an email address. Then accept the license agreement. The system is now being set up.
Once the system is set up, log in with user: admin and the password you set. You will be shown a Setup Wizard. Click Continue.
Then select your license file (downloaded from an email), or start with a 30-day trial by clicking Next.
Set up the internal LAN interface. The firewall IP is that of your Sophos VM; you can change it from the default (192.168.1.100) to any address you like (usually 192.168.1.100 is fine) with a netmask of /24. Select to enable a DHCP server so that new clients can get IP addresses. Select the range; usually the default is OK.
Select the other Ethernet port as the WAN interface, select the uplink type needed (I chose Standard Ethernet Interface), and choose dynamic for a dynamic external IP, or static for a static IP.
Choose the services you want to allow (I chose all), and choose whether the UTM responds to pings (this is useful for diagnostics; I chose to respond and forward).
Choose whether you want Advanced Threat Protection. I enabled both options for added security on my network.
Choose web protection settings: you can choose to block access to web pages that fall within the listed categories, and whether to scan for viruses.
You can choose to scan email for viruses and spyware; however, this requires advanced setup, so see the Sophos website for more information.
You will then find a summary page, where you can click Finish. Your UTM now has a basic installation.
I would recommend enabling some features on the UTM to make it secure. I will walk you through enabling Intrusion Prevention and web filtering for added security. If you are not hosting anything public, you can also enable country blocking.
Start by clicking on the item you want to enable to be brought to the menu.
Click on Intrusion Prevention, and enable it using the switch on the right side of the screen that comes up. Select the local network you want it to protect: click the folder and drag “Internal (Network)” to the box. Click Apply.
Go to the tab “Anti-DoS/Flood…”, tick the boxes, and hit Apply on all three sections; the defaults are OK to use.
Go to the tab “Anti-Portscan” and enable it; the defaults are OK. Click Apply.
Turn on web filtering by clicking on it in the dashboard and using the switch. The defaults should be OK for most networks.
Under HTTPS, choose either URL filtering only, or Decrypt and scan for more security. I chose Decrypt and scan.
Country Blocking is found under Network Protection >> Firewall and is a handy tool for preventing unauthorized access to your network, or to privately hosted (but internet-accessible) services. Turn it on and select the countries you want to block.
You should also enable Advanced Threat Protection, found under Network Protection. Unless you want to add an exception, leave the box blank and choose Apply.
This finishes the setup for an advanced and secure network router. Your router is now configured for strong protection and secure networking. Please follow the blog for tutorials on setting up web server protection (so you can host services on port 80/443 and keep them secure), as well as setting up a VPN to access your network securely from the outside.