Overview and Getting Started Guide
Sophos UTM on AWS
Auto Scaling Guide
Document date: October 2015
Contents
1 Foreword ............................................................................ 4
2 Sophos UTM in AWS Auto Scaling Overview ............................................ 4
3 Before you start ................................................................... 11
3.1 Subscribe to the UTM software .................................................... 11
3.2 Determine the proper UTM AMI ID to use ........................................... 12
3.3 Identify an EC2 Key pair ......................................................... 12
4 Launching UTM Auto Scaling using the CloudFormation Template ....................... 12
4.1 Locating the CloudFormation Template ............................................. 12
4.2 Launching your UTM Auto Scaling Stack ............................................ 13
4.3 CloudFormation Information tabs .................................................. 15
4.3.1 Outputs tab .................................................................... 15
4.3.2 Resources Tab .................................................................. 16
4.3.3 Events ......................................................................... 16
4.3.4 Template ....................................................................... 16
4.3.5 Parameters ..................................................................... 16
5 Connecting to your UTMs ............................................................ 17
5.1 Connection Details ............................................................... 17
5.2 Licensing ........................................................................ 18
5.2.1 Hourly/Marketplace UTM AMI ..................................................... 18
5.2.2 BYOL UTM AMI ................................................................... 18
6 Example of how to test UTM Auto Scaling ............................................ 19
6.1 Create an Auto Scaling Launch Configuration for Windows Test Instances ........... 19
6.1.1 Create Windows IIS Server launch configuration ................................. 20
6.1.2 Create Auto Scaling Group ...................................................... 21
6.2 Creating an Internal ELB ......................................................... 26
6.3 Configuring the UTM WAF to send traffic to the Internal ELB ...................... 27
7 Testing traffic to UTM Worker nodes ................................................ 29
8 Deleting your UTM Auto Scaling Stack ............................................... 30
8.1 Sophos AWS Information ........................................................... 31
8.2 AWS Links and Useful Information ................................................. 31
9 Legal notices ...................................................................... 31
1 Foreword
Sophos UTM Auto Scaling has been designed with AWS Cloud Architecture and AWS Security
Best Practice guidance in mind. Our aim is to help customers with their AWS Shared Security
responsibilities and to conform to AWS recommendations on designing fault tolerant and
scalable Cloud architectures. Full guidance on AWS Architecture and Cloud security is out of
scope for this document, but AWS provides very detailed information on its own sites,
https://aws.amazon.com/security/ and https://aws.amazon.com/architecture/, and additional
assistance is available via the APN partner community, https://aws.amazon.com/partners/. The
goal of this document is to help customers configure the Sophos UTM Auto Scaling solution
using the official Sophos provided CloudFormation Templates, and to provide an example of
how inbound traffic can be scanned by the UTM Web Server Protection module, and then
directed from the Auto Scaling UTMs to an internal Elastic Load Balancer (ELB), and then on to
internal web servers.
2 Sophos UTM in AWS Auto Scaling Overview
The Sophos UTM on AWS Auto Scaling solution is designed for inbound Web Application traffic
and is comprised of multiple UTMs that are assigned roles (Controller and Worker), which then
work with AWS services that provide storage, notifications, monitoring, and auto scaling. The
solution is designed to work across AWS Availability Zones in a single AWS region, and to work
with an Internet Facing Elastic Load Balancer that is used to distribute traffic to UTM Workers for
traffic scanning.
The solution is launched via a Sophos provided CloudFormation template that creates a new VPC
and installs and configures the components and services listed below. Note: at this time the
official Sophos CloudFormation template does not support installing into an existing VPC. The
solution consists of a single Queen (Controller) UTM that sits in its own Auto Scaling Group, and
which synchronizes its configuration details, logs, and reports to an S3 bucket. The S3 bucket is
used to restore the Queen UTM details in the event that the Queen UTM is terminated, and is
also used to provide configuration details to Swarm (Worker) UTMs. The Swarm UTMs sit in
their own Auto Scaling Group and will pull down the UTM configuration from S3 upon boot, or if
they receive a configuration change notification via the SNS service. Worker UTMs will send all
logging data to the Queen UTM via the syslog protocol, which then allows for centralized
logging.
Once the solution has successfully launched via the CloudFormation service, inbound Web
Application traffic should be directed to the External ELB, which will then distribute the
connections across the members of the UTM Swarm Auto Scaling Group. Traffic can then be
processed and scanned by the Swarm UTMs and then sent on to Internal EC2 Instances, or to an
Internal ELB which can then distribute traffic to attached EC2 Instances.
The Sophos provided CFT creates the following components:
• One VPC with a user configured /16 CIDR and an Internet Gateway (IGW).
• Four UTM subnets distributed across multiple Availability Zones and used for the Queen
and Swarm UTMs. Subnets will be configured as 10.x.1.0/24 and 10.x.2.0/24, which will be
used for the Queen UTM, and 10.x.4.0/24 and 10.x.5.0/24, which will be used by the
Swarm UTMs.
o Each subnet will be associated with a route table that sends all traffic to the
configured IGW.
o Each subnet will be associated with a Network Access Control List which will have
its own default Inbound and Outbound rules defined.
• One Internet Facing ELB that is used to distribute inbound WAF traffic to UTM Swarm
nodes. The ELB will be assigned Security Groups, span the Swarm UTM subnets, and have a
predefined Health Check. Note that the Health Check will fail until the UTM
configuration is set to listen on port 80, and this will result in your Worker UTMs
being shown as “OutOfService”. This is done by configuring the UTM Web Server
Protection functionality and is discussed later.
• One UTM Controller Auto Scaling Launch Configuration labeled
“QueenLaunchConfiguration-xxxxx”. This Launch Configuration will define the UTM AMI
ID to use, the Instance type, the EC2 Keypair to use, and the User Data.
• One UTM Worker Auto Scaling Launch Configuration labeled
“SwarmLaunchConfiguration-xxxxx”. This Launch Configuration will define the UTM AMI
ID to use, the Instance type, the EC2 Keypair to use, and the User Data.
• One UTM Queen Auto Scaling Group labeled “QueenScalingGroup-xxxx” which is linked
to the appropriate Launch Configuration and which defines the Auto Scaling policy.
• One UTM Swarm Auto Scaling Group labeled “SwarmScalingGroup-xxxx” which is linked
to the appropriate Launch Configuration and which defines the Auto Scaling policy. Note
that the Swarm Auto Scaling policy contains specific “Scaling Policies” that define
CloudWatch Alarms that control when Swarm UTMs should be added to and removed
from the Auto Scaling group. By default 2 policies are defined, called
“SwarmScaleDownPolicy” and “SwarmScaleUpPolicy”.
• Three CloudWatch Alarms. By default 2 of these are used to manage the Swarm UTM
Auto Scaling group. Note that custom alarms can be configured as needed, and once
configured can be used in the UTM Swarm Auto Scaling Group mentioned above.
• One SNS Topic that is used by the Queen UTM to signal Swarm UTMs of configuration
changes.
• One UTM Queen EC2 Instance labeled “Queen” and assigned both a private IP from one
of the UTM Queen subnets, and a public Elastic IP. Note that the UTM is configured with
a single UTM Interface (eth0) and is assigned an IAM Role and Security Groups. The
Queen UTM ENI also has the Source/Dest. Check set to False. This allows the UTM to act
as an outbound NAT instance if needed.
• 2 UTM Swarm EC2 Instances labeled Worker UTM and assigned both a private IP from
one of the Swarm subnets, a Public DNS name, and a Public IP address. While this public
IP may be used to access the Swarm UTM it is typically not needed, as all management
and configuration changes are done via the UTM Queen. Any changes made on individual
Swarm UTMs will be overwritten during configuration synchronization updates. The
Swarm UTMs will each be assigned an IAM role and Security Groups, and will have their
Source/Dest. Check flag set to True. At this time the UTM Auto Scaling solution does not
support outbound traffic processing as either a NAT device or forward proxy.
• 1 S3 bucket that is used to store persistent data such as the UTM configuration, logs and
reports.
3 Before you start
Prior to attempting to launch the UTM Auto Scaling solution you must ensure that you have
subscribed to the Sophos UTM product via AWS Marketplace, you must have an EC2 Keypair
available for use by the CloudFormation Template, and you must identify the proper UTM AMI
ID to use. The Sophos UTM supports both BYOL and Hourly licensing and is available in all AWS
Marketplace regions. Each region and license type has its own AMI ID that must be used for
successful launching of the CloudFormation Template. Please see below for more details on
these pre-requisites.
3.1 Subscribe to the UTM software
This is done via the UTM AWS Marketplace page for the product you wish to use (BYOL or AMI
version of UTM). If you have never used the UTM software before you must navigate to the
marketplace page and click on the yellow Continue button, which will then take you to the
Launch on EC2 page.
On this page you should see displayed the Accept Terms button that must be clicked before the
software can be launched. Note that by default the AWS 1-Click Launch option will be used
which will result in UTM instances being launched without using the necessary CFT. To avoid this
click the Manual Launch tab before clicking the Accept Terms button.
3.2 Determine the proper UTM AMI ID to use
Prior to launching your CFT you will need to confirm the proper AMI ID to use for the region you
wish to launch into. Note that the AMI IDs will change as versions are updated, so what is shown
in this guide may not be valid. Please confirm the latest AMI IDs by going to the Sophos UTM
Marketplace listing page, clicking the Continue button and then the Manual Launch section
where you accepted the Terms in the step above. In this section you will see listed the current
AMI IDs for the product chosen.
[Figure: BYOL AMI ID listing]
[Figure: Hourly AMI ID listing]
3.3 Identify an EC2 Key pair
An existing EC2 keypair is needed by the CFT to configure various parameters during launch
creation. If one is not available it will have to be created in the EC2 Dashboard section prior to
launching the CFT.
4 Launching UTM Auto Scaling using the CloudFormation Template
4.1 Locating the CloudFormation Template
The link for the CFT can be found on the Sophos UTM Marketplace page in the description
section and is shown below. Note that the CFT defaults to using the UTM AMI for the N.
Virginia region. To use the CFT with other regions you must first determine the AMI ID to use as
discussed above in the pre-requisite section.
https://s3.amazonaws.com/sophos-nsg-cf/utm/utm-latest-autoscaling.template
This CFT can be downloaded or the link can be copied for use with the AWS CloudFormation
service accessible via your AWS Administrator console.
4.2 Launching your UTM Auto Scaling Stack
Change to the AWS Region you wish to launch in and then click the Create Stack button. In the
Choose a Template section either browse to the saved CFT, or paste the copied CFT link as
shown below, and then click the Next button.
The CFT will now gather the information below, which will be used to configure both
the UTM and the AWS services needed for Auto Scaling.
Stack name – A unique and descriptive name describing your Auto Scaling stack.
awsAMI – The UTM AMI ID to use. The CFT shows the N. Virginia AWS Region AMI ID by default.
Please see the section above for information on how to find the UTM AMI ID’s for other AWS
regions.
awsAvailabilityZone1 – Choose an available AZ from the drop down list. Note that AWS subnet
limits can result in the Stack failing to create.
awsAvailabilityZone2 – Choose an available AZ from the drop down list. Note that AWS subnet
limits can result in the Stack failing to create.
awsKeyName – Choose the EC2 keypair to use.
awsNetworkPrefix – Specify the /16 CIDR block to use when creating the new VPC. The CFT
defaults to 10.15 but this can be changed to whatever you’d like.
awsTrustedNetwork – To ensure proper security for your VPC only trusted networks should be
configured for SSH and port 8080 access. Please specify a network that can access your VPC on
these ports. Note that this information can be changed after launch in the xxxx section.
basicAdminEmail – This is the UTM admin email address that will receive UTM and SNS
notifications. Note that this information can be changed after launch in the xxxx section. This
information is not transmitted to Sophos.
basicAdminPassword – This is the UTM admin account password that will be used to access the
UTM WebGUI. Please note this password as it will be needed for accessing the UTMs. This
information is not transmitted to Sophos.
basicCity – This information is used on the UTM as part of the initial setup parameters for
configuring the self-signed Certificate Authority. This information is not transmitted to Sophos.
basicCountry – This information is used on the UTM as part of the initial setup parameters for
configuring the self-signed Certificate Authority. This information is not transmitted to Sophos.
basicHostname – This information is used on the UTM as part of the initial setup parameters for
configuring the self-signed Certificate Authority. This information is not transmitted to Sophos.
optionalExistingElasticIP – The Elastic IP to assign to the UTM instance. If left empty a new
Elastic IP will be allocated automatically.
optionalExistingS3Bucket – The S3 Bucket used to store and restore backups. If left empty a new
bucket will be created automatically.
optionalLicensePool – S3 bucket where the UTM license may be stored if using the BYOL license
option.
Once all information is entered click the Next button and provide a descriptive Tag that can be used
to identify your new resources. Once done click Next to review your settings. Prior to creating
the Stack you will have to click the Acknowledge button located at the bottom of the review
screen. More detailed information about why this is required is shown along with a link to learn
more about IAM resources. After acknowledging click the Create button to create your Stack.
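Before clicking Create it is worth sanity-checking the parameters you entered. The following added script (not part of the Sophos template) derives the VPC CIDR and the four UTM subnets from awsNetworkPrefix, flags an awsTrustedNetwork that would expose SSH and port 8080 to the whole Internet, and also checks that the private subnets added later in this guide for the IIS servers (section 6.1.2) fit inside the VPC without overlapping the UTM subnets. The subnet layout is taken from the guide; the check functions, the breadth threshold and the sample values are assumptions of this example.

```python
"""Pre-flight check for Sophos UTM Auto Scaling CFT parameters.

Added example, not Sophos code. Subnet layout (10.x.1.0/24 and 10.x.2.0/24
for the Queen, 10.x.4.0/24 and 10.x.5.0/24 for the Swarm) is from the guide;
the checks, thresholds and sample values are assumptions of this script.
"""
import ipaddress
import re

# Third octets of the /24 subnets the CFT creates, as listed in the guide.
QUEEN_SUBNETS = (1, 2)
SWARM_SUBNETS = (4, 5)

# awsNetworkPrefix is entered as the first two octets only, e.g. "10.15".
_PREFIX_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})$")


def vpc_cidr(prefix):
    """Return the /16 VPC network for an awsNetworkPrefix such as '10.15'."""
    m = _PREFIX_RE.match(prefix.strip())
    if not m:
        raise ValueError(f"awsNetworkPrefix must look like '10.15', got {prefix!r}")
    # ip_network also rejects octets above 255 for us.
    return ipaddress.ip_network(f"{m.group(1)}.{m.group(2)}.0.0/16")


def utm_subnets(prefix):
    """Return the Queen and Swarm /24 subnets the template will create."""
    base = vpc_cidr(prefix).network_address

    def sub(third):
        return ipaddress.ip_network(f"{base + third * 256}/24")

    return {
        "queen": [sub(t) for t in QUEEN_SUBNETS],
        "swarm": [sub(t) for t in SWARM_SUBNETS],
    }


def check_trusted_network(cidr):
    """Findings for awsTrustedNetwork, which gates SSH and port 8080 access
    to the UTMs. Returns a list of problems; an empty list means it looks fine."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return [f"awsTrustedNetwork {cidr!r} is not a valid CIDR"]
    if net.prefixlen == 0:
        return ["awsTrustedNetwork is 0.0.0.0/0: SSH and port 8080 would be reachable from the whole Internet"]
    if net.prefixlen < 16:  # heuristic threshold chosen for this example
        return [f"awsTrustedNetwork {net} is very broad (/{net.prefixlen}); narrow it to your admin network"]
    return []


def check_private_subnet(prefix, candidate):
    """Check a private subnet you intend to add to the VPC (section 6.1.2):
    it must sit inside the /16 and must not overlap a UTM subnet."""
    vpc = vpc_cidr(prefix)
    net = ipaddress.ip_network(candidate)
    if not net.subnet_of(vpc):
        return [f"{net} is outside the VPC {vpc}"]
    for role, subs in utm_subnets(prefix).items():
        for s in subs:
            if net.overlaps(s):
                return [f"{net} overlaps the {role} UTM subnet {s}"]
    return []


def preflight(params, private_subnets=()):
    """Run every check over a dict of CFT parameters; returns all findings."""
    findings = []
    try:
        findings += check_trusted_network(params["awsTrustedNetwork"])
        for candidate in private_subnets:
            findings += check_private_subnet(params["awsNetworkPrefix"], candidate)
    except (KeyError, ValueError) as exc:
        findings.append(f"parameter problem: {exc}")
    return findings


if __name__ == "__main__":
    # Constructed sample: the guide's default prefix, an admin network from
    # the documentation range, and two private subnets for the IIS servers.
    sample = {"awsNetworkPrefix": "10.15", "awsTrustedNetwork": "203.0.113.0/24"}
    print(utm_subnets(sample["awsNetworkPrefix"]))
    for line in preflight(sample, ["10.15.10.0/24", "10.15.11.0/24"]) or ["no findings"]:
        print(line)
```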
4.3 CloudFormation Information tabs
Stack creation time is dependent on the AWS infrastructure so may vary, but is typically
estimated to take about 6-10 minutes to complete. You can view the status of creation by
monitoring the Events tab, which will be automatically updated. Once your Stack creation has
completed the Status should change, and information on resources created will be available in
the various tabs.
4.3.1 Outputs tab
This section contains most of the information needed regarding your UTM Auto Scaling
environment.
PublicIPAddress – This is the Elastic IP address (EIP) that Administrators will use to access the
UTM Queen (Controller). This IP can also be used for non-WAF traffic such as VPN connections
and inbound NAT.
QueenScalingGroup – This is the Auto Scaling group created for the UTM Queen nodes.
S3Bucket – This is the S3 bucket that is being used by the UTMs to store and sync
configurations, and by the Queen for storage of the license, logs, and reports.
ConfigurationSNSTopic – This is the Simple Notification Service topic that has been created to
notify Swarm UTMs of changes made on the Queen UTM.
SwarmScalingGroup – This is the Auto Scaling group that has been created for UTM Swarm
nodes. The default settings for this group result in 2 Swarm UTMs being created. This can be
modified in the EC2 Auto Scaling Groups section.
VPCID – This is the VPC ID used for the UTM Auto Scaling environment.
Region – This is the AWS Region that UTM Auto Scaling resides in.
ELB – This is the public ELB that has been created and will be used for inbound WAF traffic. This
ELB has been set up to work with the UTM Swarm nodes but will not become functional until the
UTM WAF settings have been configured. Note also that the full ELB DNS ‘A’ record name is not
shown in this section but can be found in the EC2 Load Balancers Description section.
4.3.2 Resources Tab
This tab provides the full list of AWS resources that have been created. Of note on this tab are
resource names for items such as Swarm CloudWatch Alarms, Auto Scaling policies, Security
Groups, and NACLs. Some or all of these items may be needed when adding additional layers to
your VPC as discussed below.
4.3.3 Events
The Events tab will show the status of CloudFormation events and is useful in troubleshooting
any issues that may arise. Common issues relate to using the wrong AMI ID, the wrong Keypair
name, or running into AWS VPC limits that define how many subnets or VPCs may
be created. If an issue is encountered the CloudFormation service will roll back any already
completed changes to delete the resources. It will also show details on the item that caused the
failure (scroll down to find the first item labeled “Create_Failed”). In the below example there
was a problem using the specified Availability Zones.
4.3.4 Template
This section will show the CFT used.
4.3.5 Parameters
This section will show the parameters input during the Stack Creation.
5 Connecting to your UTMs
5.1 Connection Details
Upon successful creation of your Auto Scale UTM Stack there will be 3 UTMs shown in your EC2
Instances section. You will have one UTM Instance labeled “Queen” and 2 UTM Instances
labeled “Worker”. The solution is designed so that all configuration and management is done via
the Queen UTM, which then synchronizes all settings to the Swarm, and gathers all logging
information via the syslog protocol. The Queen Elastic IP should match the UTM Public IP
address shown in the CloudFormation Outputs section, and it is this IP that will be used for all
management. The UTM Instance creation will typically lag the CFT creation by another minute or
two, and the EIP will not be attached to the Queen UTM until the Instance is fully launched and
ready. Note that each Worker UTM also has a public IP and this can be used to connect to that
UTM. Any changes made on Worker UTMs will be overwritten by the Queen configuration, and
will not be synchronized to other UTMs.
To log in to your Queen UTM open a new browser tab and, using HTTPS, go to the Elastic IP address
on port 4444: https://queenutmelasticip:4444/ The first time you connect you will be shown a
browser warning which varies by browser type. The warning is due to the fact that the UTM is
using a self-signed certificate which your browser does not recognize. Click on the option to
continue to the site, which should then show you the UTM login page. Note that if you do not see
login fields as shown below, click the reload icon shown on the UTM screen to the right of the
blue ? icon.
During the CloudFormation Stack creation one of the parameters set was the UTM admin
password. That is what will be used now, along with the default account “admin”. Note that both
the username and password are case sensitive and that the UTM by default will block access
attempts after 3 failed attempts. If you suspect you may have triggered this protection feature
you must wait for the 10 minute timeout period to expire before you can attempt access again.
5.2 Licensing
5.2.1 Hourly/Marketplace UTM AMI
If using the Hourly UTM licensing option no action is needed as the Hourly AMI bundles the UTM
licensing along with the EC2 Instance costs. A 30 day free trial is also available via the AWS
Marketplace listing so that you can test the features before purchasing. Note that free trials will
be automatically converted to paid subscriptions upon expiration.
5.2.2 BYOL UTM AMI
When using the BYOL AMI a license file is needed to unlock the UTM subscription features
during both a trial and in production. A BYOL license file may be hosted in an S3 bucket and
loaded during UTM boot if specified during the CloudFormation configuration step described
above. If that is not done then a license must be manually uploaded to the UTM via the
WebAdmin GUI. This is done in the Management>Licensing>Installation section, and once the
license has been uploaded details will be shown on the Management>Licensing>Overview tab.
To obtain a UTM BYOL evaluation license, or to purchase a UTM BYOL license, contact an
authorized Sophos channel partner using the partner locator, or contact Sophos regional sales
using the following links.
Sophos Partner Locator https://www.sophos.com/en-us/partners/partner-locator.aspx
Sophos sales https://www.sophos.com/en-us/company/contact.aspx
6 Example of how to test UTM Auto Scaling
The primary use case for this version of UTM Auto Scaling is to support inbound Web
Application security using the UTM Web Server Protection feature set. This feature set combines
reverse proxy functionality and Web Application Firewall protection to protect against common
Web Application attacks. The above steps guide a user through launching the UTM Auto Scaling
solution across multiple availability zones and logging into your Queen UTM. The next steps will
guide a user through one example of how additional components can be added to an AWS
environment for more complete testing, and how your UTM can be configured with a basic WAF
profile for testing.
6.1 Create an Internal ELB and Auto Scaling Launch Configuration for Windows Test Instances
For our example we will use the Microsoft Windows Server 2008 R2 with SQL Server Express and
IIS AMI from the AWS Marketplace Quick Start page.
6.1.1 Create Windows IIS Server launch configuration
Navigate to the EC2 Auto Scaling Launch Configuration section and click on Create launch
configuration. Using the Quick Start option, find and then Select the “Microsoft Windows Server
2008 R2 with SQL Server Express and IIS” AMI.
Choose your desired EC2 Instance type and click the Next: Configure Details button. For our
example we’ll use the General Purpose t2.micro Instance.
Provide a descriptive name for your new Auto Scale launch configuration and then click Next:
Add Storage to either confirm or modify the default settings. For our example we’ll keep the
default settings and click the Next: Configure Security Group button.
Change the option for “Assign a security group” from the default setting to Select an existing
security group and then choose the Default VPC security group. Click the Review button to
confirm settings.
After confirming details click on the Create launch configuration button which will then prompt
you to create or choose an existing EC2 Keypair. Note that you will need this Keypair to get your
Windows password prior to accessing the Instance. Once the Keypair is configured click on the
Create Launch Configuration button.
6.1.2 Create Auto Scaling Group
Upon creation of the Launch configuration in the previous step you will be offered the option to
create an Auto Scaling group to use with the new configuration. Click the Create an Auto
Scaling group using this launch configuration button.
Provide a descriptive name for your new AS Group, specify the initial Group size (UTM initial
group size is 2), and then click the drop down next to Network to choose the VPC. If you are
unsure which VPC to choose, go back to your CFT Outputs tab to confirm. At this point you’ll also
be prompted to choose or create subnets to use. As we’ve created a new VPC we must now
create new private subnets for our protected IIS web servers.
Click on the Create new subnet option, which will launch a new tab showing the VPC subnet
section.
To make viewing easier, use the Filter by VPC option located in the upper left of your AWS
console screen to filter on the VPC you’re working in.
You should see subnets listed and all should show a route to the Internet Gateway as shown
below. These are your UTM subnets and all have access to the Internet as shown by the route
table.
Click on the Create Subnet button and provide a descriptive name, choose the VPC to create in
from the drop down list, choose an availability zone, and specify the new CIDR block to use.
Repeat the step above so that you have 2 new Private subnets to host your protected Web
Application servers. Once both are created choose one of your new subnets and click on the
Route table tab and then click on the Route Table hyperlink to go to the route table section.
In the Route Tables section click on the Route table to see its details, and then click on the
Subnet Associations tab. Click on the Edit button, choose your 2 newly created Private subnets,
and then click on the Save button.
Click on the Routes tab and then the Edit button. Add a new default route for your new subnets
by clicking on the Add another route button and using 0.0.0.0/0 for the “Destination” and then
your Queen UTM as the Target. You should be able to choose your Queen UTM by clicking on the
box located under target which should show the available options. Once done click on the Save
button.
Once the subnets are created and routes added, navigate back to the Create Auto Scaling Group
tab and click on the refresh icon located to the left of the “Create new VPC” text. Once done you
should see your newly created subnets when you click into the box next to “Subnet”. Choose
your new subnets and then click Next: Configure scaling policies to continue.
In the next step you’ll be asked to choose options for scaling. For this example we’re going to
choose the Use scaling policies to adjust the capacity of this group option, which will allow us to
use the same policy that manages our UTM Swarm nodes. This will allow our application servers
to scale in parallel with our UTM Swarm. After clicking the Use scaling policies to adjust the
capacity of this group option set the number of Instances you wish to scale between.
Under Increase Group Size>Execute policy when choose the SwarmCPUAlarmHigh policy from
the dropdown menu options.
Next to Take the action set the number “1” for Instances to add.
Under Decrease Group Size>Execute policy when choose the SwarmCPUAlarmLow policy from
the dropdown menu options.
Next to Take the action set the number “1” for Instances.
Once you’ve configured the policies you can either skip to review, or you can configure
notifications. If you choose to configure notifications you can either subscribe to the already
created SNS topic (resource name can be found in the CloudFormation Resources section) or
create a new topic. Additionally you can then choose to Tag your new resources or skip. It’s
always suggested that you Tag AWS resources. From the “Review” tab confirm your chosen
settings and then click the Create Auto Scaling group button.
You can confirm the status of your new Auto Scaling group by looking at the Details section. If
after a few moments you do not see the number listed under Instances change from 0 there is
likely an issue. Click on the Activity History tab to view information on what is preventing the
Instance from launching.
6.2 Creating an Internal ELB
Navigate to the EC2 Load Balancing section and click on the Create Load Balancer button.
Provide a descriptive name and choose the VPC to install into. Note that in this example we’re
creating an Internal ELB so make sure the checkbox specifying this is checked as shown below.
The default Listener configuration of using HTTP will suffice for our test, but can be modified as
needed. Choose the Private subnets we created in the last section and then click Next: Assign
Security Groups.
Choose the Default VPC security group and choose Next: Configure Security Settings.
At this point you’ll be notified that your Load balancer is not using a secure listener. Click Next:
Configure Health Check to continue.
For our example we’ll modify the default health check so that Ping Protocol uses TCP. Click Next:
Add EC2 Instances to continue.
Choose your newly created Windows EC2 Instance and click Next: Add Tags to continue. Add a
tag and click the Review and Create button to continue. Review your settings and then click the
Create button to continue.
6.3 Configuring the UTM WAF to send traffic to the Internal ELB
Now that we’ve configured our Internal Load Balancer we can configure the UTM Web Server
Protection module so that it listens for HTTP traffic and, after scanning, sends it to the Internal
ELB for distribution to the ELB’s Instances. To do so log in to the Queen UTM as described above
and then navigate to the WebServer Protection section.
Click on New Virtual Webserver to create the inbound connection. Provide a descriptive name,
choose the UTM Interface on which traffic will arrive, and leave the Type and Port at HTTP and
80. For the next section we’ll need to find the DNS Name assigned to our Public ELB that was
created during our Stack creation. This can be found in the EC2 Load Balancers section. If you
have many ELBs listed in this section you can confirm the correct one by getting the name from
the CloudFormation Resources section. Click on the Description tab and copy the full DNS Name
shown.
This is the URL that you will use for testing, and is what needs to be listed in the Domains section
in your UTM Virtual WebServer definition. In the Real Webservers section we’ll need to list the
Internal ELB we’ve created which is what we will send traffic to once scanned. To create a new
DNS object for this Internal ELB, click on the green + icon located to the right of the Real
Webservers text. Provide a descriptive name for the Real Webserver and then click on the green
+ icon to the right of the Host text to create the actual DNS host object. Copy the Internal ELB
DNS name into the hostname section and provide a descriptive name for this new network
definition.
Click Save, then Save again, and then check the box to the left of the new definition listed in the
Real Webservers section. Choose the Basic Protection firewall profile and then click the Save
button. The last step is to enable the new Virtual Webserver by clicking on the enable button,
which will turn it to Green. Note that to the right of the “Real Webservers” text you’ll see the
status of the new Internal ELB DNS object you created. It should change to green, as shown
below, in a few moments. If it does not, check your settings, as the UTM is not able to resolve
the DNS name used.
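The two settings that most often go wrong in this definition are the Domains entry (it must be the public ELB DNS name that clients will actually use) and the Real Webserver host (it must resolve, and an internal ELB should only resolve to private addresses). The following Python script is an added example, not part of this guide or of the Sophos product, that checks both before you enable the Virtual Webserver. The hostnames and addresses in it are constructed placeholders, and the resolver can be swapped for an offline lookup table so the check can be exercised without network access.

```python
import ipaddress
import socket


def resolve_ipv4(hostname, resolver=socket.gethostbyname_ex):
    """Return the IPv4 addresses `hostname` resolves to, or [] if it does not resolve."""
    try:
        return list(resolver(hostname)[2])
    except OSError:
        return []


def table_resolver(table):
    """Build a resolver with the socket.gethostbyname_ex signature from a dict.

    Used for offline checks; `table` maps a hostname to a list of addresses
    (constructed data, not live DNS).
    """
    def _resolve(hostname):
        key = hostname.lower().rstrip(".")
        if key not in table:
            raise OSError(f"constructed resolver: no record for {hostname}")
        return (hostname, [], list(table[key]))
    return _resolve


def check_waf_definition(domain_entry, public_elb_dns, real_webserver_host,
                         resolver=socket.gethostbyname_ex):
    """Validate a Virtual Webserver definition; returns a list of problems (empty = OK).

    domain_entry        - what is listed under Domains in the Virtual Webserver
    public_elb_dns      - DNS name of the public ELB created by the stack
    real_webserver_host - hostname in the Real Webserver DNS object (the internal ELB)
    """
    def norm(host):
        return host.strip().lower().rstrip(".")

    problems = []
    if norm(domain_entry) != norm(public_elb_dns):
        problems.append(f"Domains entry {domain_entry!r} does not match the public ELB "
                        f"DNS name {public_elb_dns!r}")

    addrs = resolve_ipv4(real_webserver_host, resolver)
    if not addrs:
        # This is the case where the Real Webservers status stays red on the UTM.
        problems.append(f"Real Webserver host {real_webserver_host!r} does not resolve")
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_private:
            problems.append(f"Real Webserver host {real_webserver_host!r} resolves to public "
                            f"address {addr}; an internal ELB should only have private addresses")
    return problems


if __name__ == "__main__":
    # Constructed sample names; replace with the values from your own stack.
    public_elb = "utm-public-elb-123.us-west-2.elb.amazonaws.com"
    internal_elb = "internal-utm-test-12345.us-west-2.elb.amazonaws.com"
    for problem in check_waf_definition(public_elb, public_elb, internal_elb) or ["OK"]:
        print(problem)
```

Run it with the real resolver from inside the VPC for the most faithful result; from a workstation it only tells you what public DNS returns, whereas the green status in WebAdmin depends on what the UTM itself can resolve.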
7 Sending traffic to UTM Worker nodes
To confirm that traffic is arriving on your UTM Swarm nodes and being processed by the UTM
Web Server Protection module, you can do a simple test using multiple browsers. Simply open
up a web browser and paste your Internet-facing ELB DNS name to initiate an HTTP connection.
This DNS name should match what is configured in the Webserver Protection object in the
Domains section. On your Queen UTM you can then view the “Web Application Firewall” log
which will show connection information including the Local IP which will match the UTM Swarm
instance that processed the traffic. Testing should show both UTM IPs being used to handle
multiple connections.
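Reading the Local IP out of the log by eye works for a handful of connections; for a larger test it is easier to count per node. The script below is an added example, not from this guide or from Sophos, that parses Web Application Firewall log lines in the UTM's key="value" layout and counts requests per localip so you can confirm every Swarm node took traffic. The sample lines, addresses and ELB name are constructed, and the field names (localip, server, statuscode) are an assumption about the log format rather than something the guide states.

```python
import re
from collections import Counter

# Constructed sample log excerpt (not real UTM output). 10.0.1.21 and 10.0.2.34
# stand in for the private IPs of the two UTM Swarm instances.
SAMPLE_WAF_LOG = """\
2015:10:07-10:15:31 utm httpd: id="0299" srcip="203.0.113.10" localip="10.0.1.21" size="612" user="-" host="203.0.113.10" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="5067" url="/" server="utm-public-elb-123.us-west-2.elb.amazonaws.com"
2015:10:07-10:15:32 utm httpd: id="0299" srcip="203.0.113.10" localip="10.0.1.21" size="318" user="-" host="203.0.113.10" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="4811" url="/favicon.ico" server="utm-public-elb-123.us-west-2.elb.amazonaws.com"
2015:10:07-10:15:40 utm httpd: id="0299" srcip="203.0.113.11" localip="10.0.2.34" size="612" user="-" host="203.0.113.11" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="5102" url="/" server="utm-public-elb-123.us-west-2.elb.amazonaws.com"
2015:10:07-10:15:41 utm httpd: id="0299" srcip="203.0.113.11" localip="10.0.2.34" size="318" user="-" host="203.0.113.11" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="4903" url="/favicon.ico" server="utm-public-elb-123.us-west-2.elb.amazonaws.com"
2015:10:07-10:15:55 utm httpd: id="0299" srcip="203.0.113.12" localip="10.0.1.21" size="612" user="-" host="203.0.113.12" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="4990" url="/" server="utm-public-elb-123.us-west-2.elb.amazonaws.com"
"""

# Matches one key="value" pair; keys such as set-cookie contain a hyphen.
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_waf_line(line):
    """Return the fields of one WAF (httpd) log line as a dict, or None if it is not one."""
    prefix, sep, body = line.partition(": ")
    if not sep or "httpd" not in prefix:
        return None
    fields = dict(FIELD_RE.findall(body))
    if "localip" not in fields:
        return None
    fields["timestamp"] = prefix.split(" ", 1)[0]
    return fields


def connections_per_node(log_text, expected_domain=None):
    """Count requests handled per UTM local IP.

    If `expected_domain` is given, only lines whose server field matches the
    Domains entry of the Virtual Webserver are counted.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_waf_line(line)
        if rec is None:
            continue
        if expected_domain and rec.get("server", "").lower() != expected_domain.lower():
            continue
        counts[rec["localip"]] += 1
    return counts


def all_nodes_active(counts, node_ips):
    """True when every Swarm node in `node_ips` handled at least one request."""
    return all(counts[ip] > 0 for ip in node_ips)


if __name__ == "__main__":
    counts = connections_per_node(SAMPLE_WAF_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} request(s)")
    print("all nodes active:", all_nodes_active(counts, ["10.0.1.21", "10.0.2.34"]))
```

Feed it the Web Application Firewall log exported from the Queen UTM and pass the private IPs of the Swarm instances (from the EC2 console) to all_nodes_active; a node that never appears is one the public ELB is not sending traffic to.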
8 Deleting your UTM Auto Scaling Stack
If you wish to remove the UTM Auto Scaling environment you must delete the CloudFormation
Stack that has been created. This is done via the AWS Console in the CloudFormation
Management section. To delete, click on the Stack and then either right-click or choose Delete
Stack from the Actions drop-down menu. A message will appear asking you to confirm deletion
by clicking the red Yes, Delete button.
Note that in some cases the Delete action may fail. If this happens you can look at the Events
section to determine what caused the failure. Older events are listed at the bottom of the list, so
you’ll need to scroll down to find the initial issue. A common example is that the created
Security Groups cannot be deleted because each references the other.
To resolve this you’ll need to modify the SGs to remove the references. Note the Security Group
reference which is shown above as sg-4xxxxxx. Go to EC2 > Security Groups in your AWS
console and search for the Security Group reference shown in the Events section; once found,
click to view details. Look at the Inbound and Outbound tabs to see which one has a reference to
the other SG.
Click the Edit button and then the ‘x’ at the far right of the rule to remove it. Click on save.
Search for the second Security Group noted in the Events log and repeat the steps above to
remove the reference rule. Once both Security Groups have been modified the Delete Stack
action can be run from the CloudFormation Section again and should complete successfully.
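When a stack has more than two Security Groups, or you need to clean up several failed stacks, finding the mutual references by hand is tedious. The following Python script is an added example, not part of this guide or of Sophos's tooling, that works on the structure boto3's ec2.describe_security_groups() returns, finds every rule in which one of the stack's groups refers to another, and issues the matching revoke_security_group_ingress / revoke_security_group_egress calls. The group IDs, names and rules in SAMPLE_GROUPS are constructed sample data, and DryRunClient is a stand-in that records calls instead of changing anything.

```python
from collections import namedtuple

# Constructed sample in the shape of describe_security_groups()["SecurityGroups"].
# The two groups reference each other (ingress on the first, egress on the
# second), which is exactly the interlock that makes Delete Stack fail.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-4aaaaaaa", "GroupName": "utm-stack-ExampleQueenSG",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "UserIdGroupPairs": [{"GroupId": "sg-4bbbbbbb", "UserId": "123456789012"}],
             "IpRanges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupId": "sg-4bbbbbbb", "GroupName": "utm-stack-ExampleSwarmSG",
        "IpPermissions": [],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "UserIdGroupPairs": [{"GroupId": "sg-4aaaaaaa", "UserId": "123456789012"}],
             "IpRanges": []},
        ],
    },
]

Reference = namedtuple("Reference", "group_id direction permission other_group_id")
DIRECTIONS = (("ingress", "IpPermissions"), ("egress", "IpPermissionsEgress"))


def find_cross_references(groups):
    """Return every rule in `groups` that points at another group in `groups`."""
    ids = {g["GroupId"] for g in groups}
    refs = []
    for g in groups:
        for direction, key in DIRECTIONS:
            for perm in g.get(key, []):
                for pair in perm.get("UserIdGroupPairs", []):
                    other = pair.get("GroupId")
                    if other in ids and other != g["GroupId"]:
                        refs.append(Reference(g["GroupId"], direction, perm, other))
    return refs


def revoke_permission(ref):
    """Build the smallest IpPermissions entry that revokes only the cross-reference.

    IpRanges and other group pairs in the same rule are deliberately left out
    so nothing but the interlocking reference is removed.
    """
    perm = {"IpProtocol": ref.permission["IpProtocol"],
            "UserIdGroupPairs": [{"GroupId": ref.other_group_id}]}
    for port_key in ("FromPort", "ToPort"):
        if port_key in ref.permission:   # absent for IpProtocol "-1" (all traffic)
            perm[port_key] = ref.permission[port_key]
    return perm


class DryRunClient:
    """Stand-in for a boto3 EC2 client; records revoke calls instead of making them."""

    def __init__(self):
        self.calls = []

    def revoke_security_group_ingress(self, **kwargs):
        self.calls.append(("ingress", kwargs))

    def revoke_security_group_egress(self, **kwargs):
        self.calls.append(("egress", kwargs))


def remove_cross_references(groups, ec2):
    """Revoke every cross-reference via `ec2` (boto3 client or DryRunClient)."""
    refs = find_cross_references(groups)
    for ref in refs:
        method = (ec2.revoke_security_group_ingress if ref.direction == "ingress"
                  else ec2.revoke_security_group_egress)
        method(GroupId=ref.group_id, IpPermissions=[revoke_permission(ref)])
    return refs


if __name__ == "__main__":
    ec2 = DryRunClient()
    for ref in remove_cross_references(SAMPLE_GROUPS, ec2):
        print(f"{ref.group_id} {ref.direction} rule -> {ref.other_group_id} revoked")
```

To run it against a real stack, replace SAMPLE_GROUPS with the "SecurityGroups" list from boto3.client("ec2").describe_security_groups(Filters=[{"Name": "tag:aws:cloudformation:stack-name", "Values": ["<your stack name>"]}]) and pass the real client in place of DryRunClient; then re-run Delete Stack from the CloudFormation console.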
8.1 Sophos AWS Information
Sophos AWS Landing page
http://www.sophos.com/aws
8.2 AWS Links and Useful Information
http://aws.amazon.com/
http://aws.amazon.com/ec2/
http://aws.amazon.com/partners/overview/consulting-partner/channel-reseller-program/
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html
9 Legal notices
Copyright © 2015 Sophos Group. All rights reserved. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, photocopying, recording or otherwise unless you are either a valid
licensee where the documentation can be reproduced in accordance with the license terms or
you otherwise have the prior permission in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos
Group and Utimaco Safeware AG, as applicable. All other product and company names
mentioned are trademarks or registered trademarks of their respective owners.