Jul 03 2010

I’ve had my main web server directly on the net for some time now. The box runs CentOS and I always have it fully up to date, with a minimal install just to act as a web server.

It’s always concerned me a little bit: I keep the box up to date as much as possible, but it’s still always in the back of my mind.

This weekend I had some time to mess around with some stuff. I wanted to get it set up behind my Sophos UTM; however, I did NOT want it to use the public IP address the UTM is set up with, as I have numerous static IPs, each for a different service.

I spent a good 3-4 hours doing lots of searching on Google, and Astaro.org. I saw a few people that wanted to do the same thing as me, but didn’t really find an explanation for anything.

Ultimately I wanted to set up another external IP address on the Sophos UTM software appliance box, and have that external IP dedicated to JUST the web server. Everything else would continue to run as configured before I started modifying anything.

I finally got it going, and I thought I would do a little write-up on this since I saw a lot of people were curious, but no one was having luck with it. So far I’ve only done it for my main web server; in the future I’ll be doing this with a few more external IPs and servers of mine. So let’s log into the Astaro web interface and get started!

PLEASE NOTE: I performed this configuration on Astaro Security Gateway Version 8; this will also work on a Sophos UTM.

  1. Configure the additional IP – On the left select “Interfaces & Routing”, then choose “Interfaces”. Select the “Additional Addresses” tab at the top of the screen. Hit the “New additional address…” button and configure the additional IP. Please note this worked for me because all my static IPs use the same gateway for the most part; if you have multiple statics that use different gateways this may not work for you. In my case I called this address “DA-Web”. Make sure you enable it afterwards by hitting the green light!
  2. Configure the NAT Rules – On the left select “Network Security”, then choose the sub-item “NAT”. We do not want to touch anything under “Masquerading”, so let’s go ahead and select the “DNAT/SNAT” tab. In this section we need to create two rules, one for DNAT and one for SNAT. Keep in mind that “Full NAT” is available, but due to the way the traffic is initiated I don’t think we want to touch this at all.
    a. Create the DNAT Rule – Hit the “New NAT rule” button. Set “Position” to “Top”. Set “Traffic Source” and “Traffic Service” to “Any”. Set “Traffic Destination” to the additional address you created (keep in mind this has the same name as the main external address, only with the name of the connection inside of it). Set “NAT mode” to “DNAT”. Finally, set “Destination” to the server you want this going to, or create a new definition for the server. Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
    b. Create the SNAT Rule – Hit the “New NAT rule” button. Set “Position” to “Top”. “Traffic Source” should be set to the definition you created for the server you are doing this for. “Traffic Service” should be “Any”. “Traffic Destination” should be “Internet”. This is very important: if you use multiple subnets inside your network, we want SNAT to be performed ONLY when data gets shipped out to the Internet, and NOT when your internal boxes are accessing the server. Set “NAT mode” to “SNAT”. Finally, set “Source” to the additional IP you created (again this looks like your normal external IP, but hold the mouse over the definition when selecting it to make sure it’s the “additional” IP you created). Make sure “Automatic packet filter rule” is NOT checked. See image below for my setup.
    c. Create Packet Filter Rules – Now it’s time to open some ports so that your server can offer services to the Internet. This is fairly standard, so I’m sure you can do it on your own. In my example I created a few rules that allowed HTTP, DNS, and FTP from “Any”, using the corresponding service, to the destination “DA-Webserver”, to allow the traffic I needed.

That should be it; it should be working now. If you don’t want to create the packet filter rules and want ALL traffic allowed, you can simply skip section c above and, when creating the DNAT and SNAT rules, check the “Create automatic packet filter rules” box on both rules. Keep in mind this will be opening your box up to the internet!
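To make the ordering and scope of the three rules concrete, here is a small Python model of how they interact, written for this write-up as an added illustration; it is not Astaro/Sophos code and does not talk to the appliance. The addresses, subnets, “Internet” definition, sample flows and allowed services are constructed values, and outbound traffic from the server is assumed to be permitted by an existing rule. It shows why “Traffic Destination” on the SNAT rule is set to “Internet”: flows from the server to another internal subnet keep their real source, flows to the Internet leave from the additional IP rather than the main external address, and an inbound flow that is DNAT’d to the server is still dropped unless a packet filter rule (or the “automatic” shortcut, which opens everything) allows the service.

```python
"""Rule-order model for the additional-IP DNAT/SNAT setup described above.

Added illustration only: not Astaro/Sophos code, just a simulation of how
the three rules from the post interact. All addresses, subnets, ports and
flows are constructed sample values.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed sample topology (assumed, not from the original post)
MAIN_EXTERNAL = ip_address("203.0.113.10")   # the UTM's original public IP
ADDITIONAL_IP = ip_address("203.0.113.11")   # the “DA-Web” additional address
WEB_SERVER = ip_address("192.168.10.80")     # the “DA-Webserver” definition
INTERNAL_NETS = [ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")]

# Packet filter rules from section c: HTTP, DNS and FTP from Any to the server
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 21), ("udp", 53), ("tcp", 53)}


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def is_internet(addr: IPv4Address) -> bool:
    """The “Internet” destination definition: anything not on an internal subnet."""
    return not any(addr in net for net in INTERNAL_NETS)


def process(flow: Flow, automatic_filter_rules: bool = False):
    """Apply the rules in the order the post configures them.

    Returns (translated_flow, actions, verdict); verdict is "allow", "drop",
    or "unaffected" when the flow never touches the web server and the
    pre-existing configuration handles it exactly as before.
    """
    actions = []

    # Rule a (DNAT, position Top): Any -> additional IP, any service -> web server
    if flow.dst == ADDITIONAL_IP:
        flow = replace(flow, dst=WEB_SERVER)
        actions.append("DNAT")

    # Rule b (SNAT): web server -> Internet only; internal traffic keeps its real source
    if flow.src == WEB_SERVER and is_internet(flow.dst):
        flow = replace(flow, src=ADDITIONAL_IP)
        actions.append("SNAT")

    # Packet filter: inbound flows to the web server are decided by section c
    if flow.dst == WEB_SERVER:
        if automatic_filter_rules:
            verdict = "allow"      # the “automatic packet filter rule” shortcut: everything
        elif (flow.proto, flow.dport) in ALLOWED_SERVICES:
            verdict = "allow"
        else:
            verdict = "drop"
    elif "SNAT" in actions or flow.src == WEB_SERVER:
        verdict = "allow"          # outbound from the server (assumed permitted)
    else:
        verdict = "unaffected"
    return flow, actions, verdict


if __name__ == "__main__":
    # Constructed sample flows (documentation addresses, not real hosts)
    samples = [
        ("web client from the Internet", Flow(ip_address("198.51.100.5"), ADDITIONAL_IP, "tcp", 80)),
        ("ssh probe from the Internet", Flow(ip_address("198.51.100.5"), ADDITIONAL_IP, "tcp", 22)),
        ("server doing a DNS lookup", Flow(WEB_SERVER, ip_address("198.51.100.53"), "udp", 53)),
        ("server talking to an internal host", Flow(WEB_SERVER, ip_address("192.168.20.15"), "tcp", 445)),
        ("client hitting the main external IP", Flow(ip_address("198.51.100.5"), MAIN_EXTERNAL, "tcp", 80)),
    ]
    for label, flow in samples:
        out, actions, verdict = process(flow)
        print(f"{label}: {flow.src}->{flow.dst}:{flow.dport} becomes "
              f"{out.src}->{out.dst}; {actions or ['no NAT']}; {verdict}")
```

Run it as-is to see the five sample flows; the fourth line is the one that would break if the SNAT rule’s destination were “Any” instead of “Internet”, because the internal host would then see connections from the public address.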

If you find this useful, have any questions, or want to comment or tell me how to do it better, please leave me a comment!

Thanks!

Jul 01 2010

Here are a few oldies I found while going through the millions of pictures I’ve taken over the years…

Jul 01 2010

So, ASG 8 was released to partners this morning on July 1st, 2010.

I was super stoked about this, especially with Astaro announcing that this version will take advantage of 64-bit support. Immediately I went to go download it.

Since I run a vSphere cluster, I went ahead and downloaded the Virtual Appliance. After installing it and restoring the old v7 backup configuration file, I noticed that running “uname -a” didn’t report a 64-bit kernel.
So after some time and a few e-mails to and from my partner rep, I went ahead and downloaded the software appliance .iso, hoping that the installer would provide the option, and I was correct.
So as of this article, if you want to get version 8 of ASG set up, do NOT download the virtual appliance. Create your own VM, and use the installation .iso available from Astaro.

One last note, if you are using a partner license, you may have to contact your partner rep since the partner licenses use the old licensing scheme. You MUST use a new license (that uses the new licensing scheme) to use your partner license on the Astaro Security Gateway Version 8.
I LOVE Astaro!

Apr 22 2010

For the longest time I’ve been on Fido with an unlocked (direct from Sony) Xperia X1a. I’ve never had any problems with it at all. Everything worked flawlessly. It was a great setup: Exchange, connecting to my VPN, etc…

Recently I set up a corporate plan with Rogers. Ended up getting a bunch of Xperia X1s at a discounted rate since I signed a 3-year contract on a bunch of lines… Turns out Rogers charges you for an “external IP” that you can use to connect to your business VPN. If you don’t add this option you will not be able to connect to a VPN.

After setting up the VPN.com APN on the new Rogers (Rogers firmware) Xperia X1s, I noticed that everything worked except simple web page browsing (in both browsers). No errors, just completely blank pages. When changing the APN back to internet.com everything worked fine. I automatically assumed this was related to a “hidden proxy” configured somewhere on the phone.

From this behavior I went ahead and checked the config on the device; no proxies were configured anywhere. Rogers denied the proxy existed. I’m not sure if they do this because they don’t want anyone knowing their internet is being filtered/monitored, or if the techs simply do not know.

While waiting for a call back from Tier 2 support, I went ahead and started fishing through the registry. I found a bunch of very odd registry entries pertaining to proxies. There was a SOCKS proxy configured, along with what appeared to be an HTTP proxy; a few other entries also existed which were configured.

After removing these “odd” proxy registry keys, all of a sudden everything started working. Please note that if you modify these settings, you may break your configuration. Any of your provider’s “online” services (such as the ring tone marketplace, application marketplace, etc…) may also cease to function properly (as these services are probably being hosted on their internal network).

To Remove:

1. Open your phone’s registry using any Windows Mobile Registry editor. I use “CeRegEditor” available at: http://ceregeditor.mdsoft.pl/

2. Open “HKEY_LOCAL_MACHINE”, then open “Comm”, then open “ConnMgr”. Under this key, you should be able to see all of the device’s configured GPRS/HSPA/HSDPA data connections. Browse through the folders and look for a “Proxy” entry. The “Proxy” entry is the configured hidden proxy. I simply deleted this key. If you find anything that has a value of “inet-new” or “inet-corp” you can safely ignore these, as I have found they are part of the standard Windows Mobile firmware.

3. Take a look at the other folders under “ConnMgr”, you may notice a few items called “SOCKS”, and “HTTP”. Go into these folders, and remove the proxy values. As I mentioned before if you see any keys with the values “inet-new” or “inet-corp” you can safely ignore these.

Please note that this worked in my specific case. Your results may vary. Also ensure that you have made a backup of the keys you have modified in case you need to revert. Depending on the way your provider has configured your device you may also be tampering with other services (i.e. MMS, WAP).

Apr 22 2010

Recently, with the new vulnerabilities in Java, I needed to push the latest Java update remotely to all of my clients currently using my company’s “Managed Services”.

The upgrade was being scheduled for certain dates per location, however as of Tuesday morning I noticed that some computers were being hit with some of the newer vulnerabilities recently discovered.

This all of a sudden changed the priority from “high priority” to “emergency”. I needed a quick and efficient means of pushing this update to computers at client sites.

Active Directory allows system administrators to push, allow, or make available software installations to users. This is all controlled inside of Active Directory Group Policy Management.

To push the latest Java update to all computers on a network, I had to perform the steps below:

1. Download the “Offline Installation” of Java from the Java website. Open the file, but do not continue with the installation. (You will simply hit cancel after it extracts the MSI and the other files needed.)

2. Open Explorer and browse to C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\jre1.6.0_20. After navigating to this location, copy “Data1.cab”, “jre1.6.0_20.msi”, and “sp1033.MST” to a new folder (I chose a folder on my desktop).

3. Log into the remote server, create a file share (for example NetInstall), and give users read-only access.

4. Copy the folder you created on your desktop to the new file share on the server. Remember to use a naming scheme for the applications you wish to push so that they all make sense and can be organized.

5. On the server, go to Start -> Administrative Tools -> Group Policy Management

6. Either create a new GPO, or use an existing one that you have configured. If you are unfamiliar with this, it may be worthwhile doing some online research on GPOs. In my case I right-clicked and chose Edit on the “Windows SBS Client Policy” GPO on SBS 2008.

7. Expand Computer Configuration -> Policies -> Software Settings -> Software Installation. Right-click on “Software Installation” and select New -> Package. Follow the instructions.

8. When choosing the location of the .msi file, PLEASE make sure that you browse to it using its UNC network path. This location has to be somewhere all the computers can reach. (I.e., don’t use C:\Folder\file.msi; use \\servername\sharename\programname\file.msi instead.)

At this point you have now configured the server to force install Java on all the computers that apply to that GPO. This is perfect to make sure that all your clients are running the latest versions of free software available. It will also help with managing vulnerabilities with aging software, etc…

Please note: If this doesn’t work right away it is because the client workstations need to refresh their GPO. After the GPO is refreshed on the client workstation side, the system should install the package on next reboot.
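A pre-flight check for the staged package, added here as an illustration and not part of the original post or of Java’s installer: it confirms the three extracted files from step 2 are present, records a SHA-256 of the MSI so you can note exactly what was pushed fleet-wide, and rejects a deployment path that is not a UNC path ending in the MSI (the mistake step 8 warns about). The sample folder it builds contains constructed placeholder bytes rather than a real JRE, and the share name `NetInstall` is just the example from step 3.

```python
"""Pre-flight check for a staged Java MSI before publishing it for GPO software installation.

Added illustration, not from the original post. The sample folder is built
with constructed placeholder bytes, not a real Java installer.
"""
import hashlib
import os
import re
import tempfile

# The three files the offline installer extracts (names from the post)
REQUIRED_FILES = ("Data1.cab", "jre1.6.0_20.msi", "sp1033.MST")
MSI_NAME = "jre1.6.0_20.msi"

# \\server\share\...\file.msi; a local drive-letter path will not match
UNC_MSI = re.compile(r"^\\\\[^\\]+\\[^\\]+\\.+\.msi$", re.IGNORECASE)


def sha256_of(path):
    """Hash the file in chunks so large MSIs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_package(folder, deploy_path):
    """Return (ok, problems, msi_sha256) for the staged folder and the UNC path
    that will be typed into the GPO software installation dialog."""
    problems = []
    for name in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(folder, name)):
            problems.append(f"missing {name} in {folder}")

    if not UNC_MSI.match(deploy_path):
        problems.append(f"deploy path is not a UNC path to an .msi: {deploy_path}")
    elif deploy_path.rsplit("\\", 1)[-1].lower() != MSI_NAME.lower():
        problems.append(f"deploy path does not point at {MSI_NAME}: {deploy_path}")

    msi_path = os.path.join(folder, MSI_NAME)
    msi_sha256 = sha256_of(msi_path) if os.path.isfile(msi_path) else None
    return (not problems), problems, msi_sha256


def build_sample_folder(missing=()):
    """Create a constructed staging folder (placeholder bytes, not a real JRE)."""
    folder = tempfile.mkdtemp(prefix="java-stage-")
    for name in REQUIRED_FILES:
        if name not in missing:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"placeholder content for " + name.encode())
    return folder


if __name__ == "__main__":
    staged = build_sample_folder()
    for path in (r"\\server\NetInstall\Java-jre1.6.0_20\jre1.6.0_20.msi",
                 r"C:\Folder\jre1.6.0_20.msi"):
        ok, problems, digest = check_package(staged, path)
        print(path, "->", "OK" if ok else problems, digest)
```

Point `check_package` at the real folder you copied in step 2 and the UNC path you intend to type in step 8; keep the printed hash with your change record so the package later found on client machines can be matched against what you actually published.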

There are some other neat things you can do with GPOs, and pushing applications on your network, however I’m not covering it in this document. For example instead of using “Computer Configuration”, you could use “User Configuration”, and instead of forcing applications you could actually make applications available for install through “Add/Remove Programs” for users to install.

Please always make sure that any applications you use are properly paid for and/or licensed.