Sophos

Sophos :

Sophos UTM Administration Guide

1 Installation

 This section provides information on installing and setting up Sophos UTM on your network. The installation of Sophos UTM proceeds in two steps: first, installing the software; second, configuring basic system settings. The initial setup required for installing the software is performed through a console-based installation menu. The internal configuration can be performed from your management workstation through the web-based administrative interface of Sophos UTM called WebAdmin. Before you start the installation, check if your hardware meets the minimum system requirements. Note – If you are employing a Sophos UTM hardware appliance, you can skip the following sections and directly jump to the Basic Configuration section, as Sophos UTM hardware appliances ship with UTM Software preinstalled.

 The following topics are included in this chapter: 

l Recommended Reading l System Requirements l Installation Instructions l Basic Configuration l Backup Restoration

1.1 Recommended Reading

 Before you begin the installation, you are advised to read the following documents that help you setting up Sophos UTM, all of which are enclosed within the package of your Sophos UTM hardware appliance unit and which are also available at the Sophos UTM Resource Center: l QuickStart Guides Hardware l Operating Instructions

1.2 System Requirements  

The minimum hardware requirements for installing and using UTM are as follows: 1.2 System Requirements 1 Installation l 

Processor: 

IntelAtom Dual Core with 1.46 GHz (or compatible)

 l Memory:

  2 GB RAM 

 l HDD:

 40 GB SATA hard disk drive or SSD l CD-ROM Drive: Bootable IDE or SCSI CD-ROM drivel NIC: Two or more PCIe 2.0 Ethernet network interface cards l NIC (optional): One heartbeat capable PCI Ethernet network interface card. In a high availability system, the primary and secondary system communicate with one another through so-called heartbeat requests. If you want to set up a high-availability system, both units need to be equipped with heart-beat capable network interface cards. l USB (optional): One USB port for communications with a UPS device and one USB port for connecting a Sophos UTM Smart Installer(SUSI) l Switch (optional): A network device that connects (and selects between) network segments. Note that this switch must have jumbo frame support enabled. Sophos provides a list of hardware devices compatible with UTM Software. The Hardware Compatibility List (HCL) is available at the Sophos knowledgebase. To make the installation and operation of UTM Software less error-prone, you are advised to only use hardware that is listed in the HCL. The hardware and software requirements for the client PC used to access WebAdmin are as follows: l Processor: Clock signal frequency 2 GHz or higher l Browser: The UTM requires the latest version of Firefox (recommended), latest version of Chrome, latest version of Safari, or last two versions of Microsoft Internet Explorer. JavaScript must be enabled. In addition, the browser must be configured not to use a proxy for the IP address of the UTM’s internal network card (eth0).

1.2.1 UPS Device Support

 Uninterruptible Power Supply (UPS) devices maintain a continuous supply of electric power to connected equipment by supplying power from a separate source when utility power is not available. Sophos UTM supports UPS devices of the manufacturers MGE UPS Systems and APC. The communication between the UPS device and Sophos UTM is made via the USB interface. As soon as the UPS device runs in battery operation, a notification is sent to the administrator. If the power failure persists for a longer period and the voltage of the UPS device approximates a critical value, another message will be sent to the administrator—Sophos UTM will be shut down automatically. 18 UTM 9 WebAdmin Note – Please read the operation manual of the UPS device to connect the devices to Sophos UTM. UTM will recognize the UPS device when booting via the USB interface. Only boot Sophos UTM when you have connected the USB interfaces to each other. 

1.2.2 RAID Support A RAID

 (Redundant Array of Independent Disks) is a data storage scheme using multiple hard drives to share or replicate data among the drives? To ensure that the RAID system is detected and properly displayed on the Dashboard, you need to use a RAID controller that is supported by Sophos UTM. Check the HCL to figure out which RAID controllers are supported. The HCL is available at the Sophos knowledgebase. Use "HCL" as a search term to locate the corresponding page.

1.3 Installation Instructions 

What follows is a step-by-step guide of the installation process of Sophos UTM Software. Before you begin the installation, please make sure you have the following items available: l The Sophos UTM CD-ROM l The license key for Sophos UTM The setup program will check the hardware of the system, and then install the software on your

1.3.1 Key Functions During Installation 

In order to navigate through the menus, use the following keys (please also note the additional key functions listed at the bottom of a screen): l F1: Displays the context-sensitive help screen. l Cursor keys: Use these keys to navigate through the text boxes (for example, the license agreement or when selecting a keyboard layout). l Tab key: Move back and forth between text boxes, lists, and buttons. l Enter key: The entered information is confirmed, and the installation proceeds to the next step

l Space key:

 Select or unselect options marked with an asterisk.

 l Alt-F2: 

Switch to the installation console. l Alt-F4: Switch to the log. 

l Alt-F1:

 Switch to the interactive bash shell.

 l Alt-F1: Return to the main installation screen

1.3.2 Special Options During Installation

 Some screens offer additional options: View Log: Opens the installation log. Support: Opens the support dialogue screen. To USB Stick: Writes the installation log as a zip file to a USB stick. Remember to insert a USB stick before confirming this option. The zip file can be used to solve installation problems, e.g. by the Sophos UTM Support Team. Back: Returns to the previous screen. Cancel: Opens a confirmation dialogue window to abort the installation. Help: Opens the context-sensitive help screen.

1.3.3 Installing Sophos UTM 1.

 Boot your PC from CD-ROM drive or mount the downloaded ISO on a virtual drive. The installation start screen is displayed. Note – You can always press F1 to access the help menu. Pressing F3 in the start screen opens a troubleshooting screen. 2. Press Enter. The Introduction screen is displayed. 3. Select Start Installation. The Hardware Detection screen is displayed. The software will check the following hardware components: 20 UTM

l CPU

 l Size and type of hard disk drivel CD-ROM drivel Network interface cards l IDE or SCSI controllers If your system does not meet the minimum requirements, the installation will report the error and abort. As soon as the hardware detection is completed, the Detected Hardware screen is displayed for information purposes. 4. Press Enter. The Select Keyboard screen is displayed. 5. Select your keyboard layout. Use the Cursor keys to select your keyboard layout, e.g. English (UK), and pressEnter to continue. The Select Timezone screen is displayed. 6. Select your area. Use the Cursor keys to select your area, e.g. Europe, and pressEnter to continue. 7. Select your time zone. Use the Cursor keys to select your timezone, e.g. London, and pressEnter to continue. The Date and Time screen is displayed. 8. Set a date and time. If date and time are not correct, you can change them here. Use the Tab key and the Cursor keys to switch between text boxes. You can unselect the Host clock is UTC option by pressing the Space key. Invalid entries will be rejected. Confirm your settings with the Enter key. The Select Admin Interface screen is displayed. 9. Select an internal network card. In order to use the WebAdmin tool to configure the rest of Sophos UTM, select a network interface card to be the internal network card (eth0). Choose one of the available network cards from the list and confirm your selection with the Enter key. UTM 9 WebAdmin 21 1 Installation 1.3 Installation Instructions 1.3 Installation Instructions 1 Installation Note – Interfaces having an active connection are marked with [link]. The Network Configuration screen is displayed. 10. Configure the administrative network interface. Define the IP address, network mask, and gateway of the internal interface which is going to be the administrative network interface. The default values are Address: 192.168.2.100 Netmask: 255.255.255.0 Gateway: none You need to change the gateway value only if you wish to use the WebAdmin interface from a workstation outside the subnet defined by the netmask. Note that the gateway itself must be within the subnet.1 Confirm your settings with the Enter key. If your CPU supports 64 bit the 64 Bit KernelSupport screen is displayed. Otherwise, the installation continues with the Enterprise Toolkit screen. 11. Install the 64-bit kernel. Select Yes to install the 64-bit kernel or No to install the 32-bit kernel. The Enterprise Toolkit screen is displayed. 12. Accept installation of the Enterprise Toolkit. The Enterprise Toolkit comprises the Sophos UTM Software. You can decide to install Open Source software only. However, we advise to also install the Enterprise Toolkit to be able to use the full functionality of Sophos UTM. PressEnter to install both software packages or select No to install the Open Source software only. 1For example, if you are using a network mask of 255.255.255.0, the subnet is defined by the first three octets of the address: in this case, 192.168.2. If your administration computer has the IP address 192.168.10.5, it is not on the same subnet, and thus requires a gateway. The gateway router must have an interface on the 192.168.2subnet and must be able to contact the administration computer. In our example, assume the gateway has the IP address 192.168.2.1. 22 UTM 9 WebAdmin The Installation: Partitioning screen is displayed. 13. Confirm the warning message to start the installation. Please read the warning carefully. After confirming, all existing data on the PC will be destroyed. If you want to cancel the installation and reboot instead, select No. Caution – The installation process will delete all data on the hard disk drive. The software installation process can take up to a couple of minutes. The Installation Finished screen is displayed. 14. Remove the CD-ROM, connect to the internal network, and reboot the system. When the installation process is complete, remove the CD-ROM from the drive and connect the eth0network card to the internal network. Except for the internal network card (eth0), the sequence of network cards normally will be determined by PCR ID and by the kernel drivers. The sequence of network card names may also change if the hardware configuration is changed, especially if network cards are removed or added. Then pressEnter in the installation screen to reboot UTM. During the boot process, the IP addresses of the internal network cards are changed. The installation routine console (Alt+F1) may display the message "No IP on eth0" during this time. After Sophos UTM has rebooted (a process which, depending on your hardware, can take several minutes), ping the IP address of the eth0interface to ensure it is reachable. If no connection is possible, please check if one of the following problems is present: l The IP address of Sophos UTM is incorrect. l The IP address of the administrative computer is incorrect. l The default gateway on the client is incorrect. l The network cable is connected to the wrong network card. l All network cards are connected to the same hub. 

1.4 Basic Configuration

The second step of the installation is performed through WebAdmin, the web-based administrative interface of Sophos UTM. Prior to configuring basic system settings, you should have a UTM 9 WebAdmin 23 1 Installation 1.4 Basic Configuration 1.4 Basic Configuration 1 Installation plan how to integrate Sophos UTM into your network. You must decide which functions you want it to provide, for example, if you want to operate it in bridge mode or in standard (routing) mode, or how you want it to control the data packets flowing between its interfaces. However, you can always reconfigure Sophos UTM at a later time. So if you have not yet planned how to integrate Sophos UTM into your network, you can begin with the basic configuration right away. 1. Start your browser and openWebAdmin. Browse to the URL of Sophos UTM (i.e., the IP address of eth0). In order to stay consistent with our configuration example above, this would be https://192.168.2.100:4444(note the HTTPS protocol and port number 4444). Deviating from the configuration example, each Sophos UTM ships with the following default settings: l Interfaces: Internal network interface (eth0) l IP address: 192.168.0.1 l Network mask: 255.255.255.0 l Default gateway: none To access web admin of anySophos UTM, enter the following URL instead: https://192.168.0.1:4444 To provide authentication and encrypted communication, Sophos UTM comes with a self-signed security certificate. This certificate is offered to the web browser when an HTTPS-based connection to WebAdmin is established. If unable to check the certificate's validity, the browser will display a security warning. Once you have accepted the certificate, the initial login page is displayed.