Requirements
- A running instance of Sophos UTM with:
- A public IP assigned to the external NIC of the Sophos appliance.
- Basic Sophos configuration to serve as gateway for Internet access.
- Either a full or trial Sophos license that includes the Webserver Protection subscription (this is the WAF; it is a separate subscription from Web Protection, which is the outbound web filter).
- A web server behind the Sophos UTM appliance with a basic web page for testing purposes.
Optional items for testing
- A registered public DNS record (this can be emulated with local host files)
- An SSL certificate from a Certificate Authority (e.g. DigiCert, Comodo, etc.) to publish HTTPS sites.
Sample configurations used for this tutorial
The infrastructure for this tutorial will be hosted at ProfitBricks. Below are the sample configuration details that will be used for this scenario and a screenshot of the topology.
- Sophos Appliance Public IP: 162.254.X.X
- Sophos Appliance Internal IP: 192.168.1.1
- Web Server Internal IP: 192.168.1.11
Reserve an additional public IP address
The first step is to reserve an additional public IP address so that the core services provided by the UTM (User Portal, SSL VPN, etc.) are kept apart from the Webserver Protection feature. Both the User Portal and the SSL VPN listen on TCP port 443 by default, which is the port an HTTPS virtual webserver also needs; giving the published site its own IP avoids multiple services competing for the same IP/port combination.
This additional IP can be reserved from the ProfitBricks IP Manager by selecting the number of IP addresses needed and the region as depicted below.
Assign the new IP address to the Sophos UTM virtual machine
Once an additional IP has been reserved via IP Manager, assign it to the vNIC of the Sophos UTM virtual machine within the ProfitBricks Data Center Designer.
To do this:
- Select the server element.
- Go to the Network tab on the right-side Properties tab.
- Select the new IP from the Additional IPs drop-down menu and provision the changes, as seen in this screenshot:
Add the second IP address to the Sophos UTM
At this point, this second IP address can be added to the Sophos UTM.
Log in to the Sophos appliance and perform the following steps:
1. Click on the Interfaces and Routing menu on the left hand side.
2. Click on Interfaces.
3. Click on the Additional Addresses tab.
4. Click the 'New Additional Address' button and fill out the details based on the IP that was reserved earlier. Make sure to select the External (WAN) interface and a Netmask of /32.
Enable the new IP address
The new IP address will be disabled by default. Make sure to enable it by clicking on the toggle switch as shown below.
Configure the interface address
As noted when reserving the additional IP, Sophos services such as SSL VPN and User Portal bind to the ANY address by default. In other words, every IP address assigned to the Sophos UTM, including the new one, could be used for these services.
In order to prevent a potential conflict, pin the SSL VPN to the primary external address:
1. Click on Remote Access on the left navigation menu.
2. Click on the SSL sub-menu.
3. Click on the Settings tab.
4. Click on the folder icon next to the 'Interface Address' field.
5. Drag and drop the External (WAN)(Address) into the Interface Address field.
6. Click the Apply button.
Restrict the user portal listen address
If the user portal is enabled, pin it to the primary external address in the same way:
1. Click on Management on the left navigation menu.
2. Click on the User Portal sub-menu.
3. Click on the Advanced tab.
4. Scroll down to the Network Settings section and click on the folder icon next to the 'Listen address' field.
5. Drag and drop the External (WAN)(Address) into the Listen address field.
6. Click the Apply button.
Define a Real Webserver
The next step is to define a Real Webserver. This is the internal web server's IP address that will be used by Sophos to forward traffic from the internet.
To do this:
- Click on Webserver Protection on the left navigation menu.
- Click on the Web Application Firewall sub-menu.
- Click on the Real Webservers tab.
- Click on the New Real Webserver button.
- Specify a name for the Webserver.
- Click the '+' icon to define the host.
- In the Add network definition pop-up box:
  - Specify the name of the server.
  - Set Type as Host. (Optionally, you can select DNS Host if Sophos can resolve the hostname of your webserver.)
  - Enter the IP address (192.168.1.11 in the sample configuration).
  - Click Save.
- Back on the Real Webserver configuration, select Type: Plaintext (HTTP) and enter Port: 80.
- Click Save.
Create the Virtual Webserver
We can now create the Virtual Webserver, which is the Internet-facing listener on the new public IP that the WAF places in front of the real webserver.
Here is a sample configuration:
- Click on Webserver Protection on the left navigation menu.
- Click on the Web Application Firewall sub-menu.
- Click on the Virtual Webservers tab.
- Click on the New Virtual Webserver button.
- Specify a name for the Virtual Webserver.
- Select the new IP address that was reserved earlier from the Interface drop-down menu.
- Select Plaintext (HTTP) for the Type.
- Select Port 80.
- Under Domains, click the '+' icon to add the public IP address for testing.
- Alternatively, a FQDN can be entered if a registered domain is available.
- Under Real Webservers, check the box for the real webserver that was created in the previous section.
- Leave the Firewall Profile as No Profile for testing. With no profile the virtual webserver is only a reverse proxy: requests are forwarded to the real webserver without any of the WAF's inspection.
- Once the site is reachable, assign a Firewall profile; it is the profile that turns on the protection features (common threats filter, cookie signing, URL and form hardening, and so on). Review the existing firewall profiles and/or create a new one according to your needs.
- Click Save.
Turn on the Virtual Webserver
Remember to turn on the Virtual Webserver by toggling the switch button as depicted below.
Check the website
At this point, the website should be accessible by going to the public IP that was defined earlier over HTTP, or via the registered domain name if the DNS records were updated accordingly.
Create a secure site with HTTPS
Most sites need to be secured via HTTPS in order to encrypt the data sent between the visitor's browser and the site. You will need to obtain an SSL certificate from a well-known certificate authority (CA) in order to avoid browser warnings when visiting the site.
The procedure for publishing a secure site (HTTPS) is the same as for a regular HTTP site, except that you need to assign an SSL certificate to the virtual webserver. Note that TLS is terminated on the UTM: with the real webserver defined as Plaintext (HTTP) on port 80, the leg from the UTM to the internal web server remains unencrypted, so keep that segment on a trusted network or define the real webserver as Encrypted (HTTPS) if the backend also speaks TLS.
To set this up on the virtual webserver page, use the following configurations:
- Type: Encrypted (HTTPS), or Encrypted (HTTPS) & redirect if the virtual webserver should also answer on port 80 and redirect those requests to HTTPS.
- Port: 443.
- Certificate: the certificate together with its private key (for example as a PKCS#12 file) must first be uploaded via the Certificate Management section under Webserver Protection; it can then be selected here.
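The "Check the website" step above only says to open the site in a browser. The following script is an added example, not part of the original tutorial, that checks what a practitioner would want to confirm after both the HTTP and the HTTPS steps: that the virtual webserver answers for the configured domain, that a Host name not listed under Domains is not simply served as if it were the site, that plain HTTP redirects to the same name over HTTPS when the "Encrypted (HTTPS) & redirect" type is used, and that the certificate validates against a public CA bundle. The IP 203.0.113.10, the names www.example.com and not-in-domains.invalid, and the helper function names are assumptions; set VIP and SITE to your own values.

```shell
#!/bin/sh
# Added post-publication checks for a site behind Sophos UTM Webserver Protection.
# Not part of the original tutorial. Assumed values (replace with your own):
VIP="${VIP:-203.0.113.10}"        # additional public IP bound to the virtual webserver
SITE="${SITE:-www.example.com}"   # a name listed under Domains on the virtual webserver
BOGUS="not-in-domains.invalid"    # a name that is NOT listed under Domains

# status_of HEADERS -> three-digit status code from the first response line
status_of() {
    printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# location_of HEADERS -> value of the first Location header, CR stripped
location_of() {
    printf '%s\n' "$1" | sed -n 's/^[Ll]ocation: *//p' | tr -d '\r' | head -n 1
}

# fetch SCHEME HOST -> response headers for SCHEME://HOST/ sent to $VIP.
# --resolve pins HOST to $VIP, so no public DNS record is needed, while the
# request still carries the Host header (and SNI) that the WAF matches on.
fetch() {
    case "$1" in https) port=443 ;; *) port=80 ;; esac
    curl -sS -I --max-time 10 --resolve "$2:$port:$VIP" "$1://$2/"
}

# report LABEL RC -> prints PASS when RC is 0, FAIL otherwise
report() {
    if [ "$2" -eq 0 ]; then echo "PASS  $1"; else echo "FAIL  $1"; fi
}

run_checks() {
    # 1. The virtual webserver answers for the configured domain
    #    (200 before the HTTPS step, 301/302 once the redirect is in place).
    h=$(fetch http "$SITE" 2>/dev/null); s=$(status_of "$h")
    case "$s" in 200|301|302) ok=0 ;; *) ok=1 ;; esac
    report "virtual webserver serves $SITE (got ${s:-no response})" "$ok"

    # 2. A Host name that is not listed under Domains must not be served as if
    #    it were the site: a 200 here means the backend answers for any name.
    h=$(fetch http "$BOGUS" 2>/dev/null); s=$(status_of "$h")
    if [ "$s" != "200" ]; then ok=0; else ok=1; fi
    report "unlisted Host header is not served (got ${s:-no response})" "$ok"

    # 3. With 'Encrypted (HTTPS) & redirect', plain HTTP must redirect to the
    #    same name over HTTPS, not to the UTM's own portal or elsewhere.
    loc=$(location_of "$(fetch http "$SITE" 2>/dev/null)")
    case "$loc" in "https://$SITE"*) ok=0 ;; *) ok=1 ;; esac
    report "HTTP redirects to https://$SITE/ (got '${loc:-none}')" "$ok"

    # 4. The certificate validates for $SITE against curl's CA bundle. No -k is
    #    used, so a self-signed or mismatched certificate fails this check.
    fetch https "$SITE" >/dev/null 2>&1
    report "TLS certificate validates for $SITE" "$?"
}

# Only run the network checks when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as `sh check_waf.sh --run` from a host outside the UTM. Because `--resolve` pins the name to the virtual webserver's IP, the checks work before public DNS is updated, which matches the tutorial's suggestion of emulating the DNS record locally. The unlisted-Host check only reports what the UTM actually returned; the exact status to expect depends on your configuration, but a 200 means requests for names you never listed are being answered as the site.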