SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

Suggest an Idea...

(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Let's Encrypt Integration

    It would be very nice if Let's Encrypt CA start with public certificates (letsencrypt.org), that we can get certs throug the UTM Gui. So that the "Let's Encrypt Client" is integrated in the UTM. Would it be possible?
    Best Regards

    1,060 votes
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      Signed in as (Sign out)

      We’ll send you updates on this idea

      169 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
    • URL Redirection

      It would be great if it would be possible to redirect certain URLs

      For example:

      www.company.com => www.company.ch/site1
      www.company.com/site1 => www.company.com/newsite

      Thank you :)

      329 votes
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        Signed in as (Sign out)

        We’ll send you updates on this idea

        37 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
      • websocket support for WAF

        we are hosting a SignalR hub (http://signalr.net/) behind a Sophos UTM 320. We use the Web Server Protection feature extensively in our environment, and as such have opted to use the same for this.
        SignalR will always try to use Web Sockets (http://en.wikipedia.org/wiki/WebSocket), a new HTML5 API, and fallback to other technologies where this isn't possible to be used.
        Since we've been hosting the hub via the reverse proxy, none of our clients are able to connect via Web Sockets :so having support for websockets in WAF would be super cool

        304 votes
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          Signed in as (Sign out)

          We’ll send you updates on this idea

          28 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
        • Webserver Protection: Reverse Authentification with NTLM and Kerberos

          The Reverse Authentification feature (UTM 9.2) for WAF is a nice progres, but I'm hoping that it will soon be extended. There are many scenarios that require at least NTLM; Kerberos would be nice as well. Yes, we are coming from TMG :-)

          193 votes
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            Signed in as (Sign out)

            We’ll send you updates on this idea

            13 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
          • Reverse Proxy: Authentication Offloading like TMG

            will there be a feature like Authentication / captive portal (e.g. the proxy settings"transparent with authentication" ) for enabling a reverse proxy?
            This would be so usfull for small installations with no frontend exchange / DMZ.
            (juniper calls this "webauth" )

            175 votes
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              Signed in as (Sign out)

              We’ll send you updates on this idea

              23 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
              Planned  ·  Angelo ComazzettoAngelo Comazzetto responded

              We are hard at work on this feature and will deliver the first implementation of front end authentication as part of our Web Server protection (reverse proxy) in UTM 9.2. The public beta will begin in October. Stay Tuned!

            • Web Server Protection: Certificate-based Authentication

              I would appreciate to support certificate-based authentication like at Microsoft TMG. I don't know why Sophos is making advertisements for "Replace your TMG with Sophos UTM" if UTM even can't do this! I want the reverse proxy to check a client certificate, If this certificate is not valid or it doesn't exists it shows an error page.

              TMG Config: http://4sysops.com/wp-content/uploads/2011/07/SSL-Client-Certificate-Authentication_thumb.png

              144 votes
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                Signed in as (Sign out)

                We’ll send you updates on this idea

                12 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
              • Web Application Firewall: Remote Desktop Gateway support

                Similar to support for Outlook Anywhere, it would be really beneficial if the WAF allowed for the publishing of Remote Desktop Gateway and handled those methods. RDG_OUT_DATA followed by RPC_IN_DATA and RPC_OUT_DATA, and including /RemoteDesktopGateway in the request. It seems like common functionality that many customers must be looking for...

                103 votes
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  Signed in as (Sign out)

                  We’ll send you updates on this idea

                  19 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                • Web Server Protection: Support for ActiveSync 14.1

                  WAF doesn't support ActiveSync 14.1, i.e. after you install SP3 for Exchange 2010, you can't use use WAF to protect your ActiveSync Server anymore. This is poor.

                  72 votes
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    Signed in as (Sign out)

                    We’ll send you updates on this idea

                    Under Review  ·  5 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                  • Web Server Protection: Transparent reverse proxy

                    Please provide the option to use reverse proxy also with transparent mode. This way permits to have the real remote host IP traced on the web server log files instead of the IP of the firewall. Now without transparent mode, every web analyzer software is not able to give real traffic reports...

                    45 votes
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      Signed in as (Sign out)

                      We’ll send you updates on this idea

                      11 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                    • Reverse proxy add encodedslashes option

                      Please provide the option in the Reverse proxy to enable encodedslashes for a specific virtual webserver.

                      Because some web applications use for example %2F for a slash and the reverse proxy cannot translate this back to / because of allowencodedslashes is not enabled by default. So this results in a 404 error.

                      http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

                      When changing the configuration file of the reverseproxy it is working fine, but the configuration is overwritten all the time. So a checkbox in the Webadmin to enable this option would be nice.

                      41 votes
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        Signed in as (Sign out)

                        We’ll send you updates on this idea

                        3 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                      • Make Web Application Firewall Site Path Routing case insensitive.

                        Site Path Routing should have an option to treat the path in a case neutral manner.

                        40 votes
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          Signed in as (Sign out)

                          We’ll send you updates on this idea

                          4 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                        • Web server protection - Add HSTS header support

                          Request that the Sophos UTM supports HTTP Strict Transport Security (HSTS). RFC6797 - https://tools.ietf.org/html/rfc6797

                          34 votes
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            Signed in as (Sign out)

                            We’ll send you updates on this idea

                            3 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                          • Web Application Security: White / Blacklist Support for Visitor IP's

                            I would like to see an option to deny or allow certain ip adresses that can access the webservers. Not only based on country but on the ip adres itself.

                            33 votes
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              Signed in as (Sign out)

                              We’ll send you updates on this idea

                              Under Review  ·  14 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                            • Web Application Firewall OTP support for form to form authentication

                              Support for form to form authentication with one time passwords in the WAF.

                              The WAF should be able to pass authentication through to a website which authenticates using a form (as opposed to only basic auth) if there is configuration on the UTM that defines the URL to the page which can process the login (not the login form) and the field names for the username and password.

                              30 votes
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                Signed in as (Sign out)

                                We’ll send you updates on this idea

                                1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                              • WebServer Protection: Allow for larger upload handling

                                For web sites with larger uploads (e.g. ownCloud) there is currently a 128MB (134217728 byte) limit in Web Server protection, the so called request body limit in ModSecurity.
                                Please add the possibility to configure this parameter (it's "SecRequestBodyLimit" in the Apache config) to allow larger uploads to sites protected by WAF.

                                26 votes
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  Signed in as (Sign out)

                                  We’ll send you updates on this idea

                                  2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                • WebServer Protection: GZIP encoding of proxied HTTP traffic

                                  The WAF strips the Accept-Encoding header from client requests, which is fine, as compression is not generally useful between the origin server and the proxy. However, it doesn't use the header itself, either. It doesn't compress proxied traffic before returning it to the client. Interestingly, pages generated by the WAF itself (such as error documents) are compressed. Only the proxied content remains uncompressed, and this can have a substantial impact on page speed.

                                  24 votes
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    Signed in as (Sign out)

                                    We’ll send you updates on this idea

                                    5 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Enable users to reset their domain user password using Web Mail

                                    There are many companies that force employees to reset domain user passwords very often. Now, when employees need to access mail using their Web Mail and their password has expired they will have to call IT to reset their password, but if working hours has finished and there is no IT personnel in the office, or maybe it's weekend, which is even worse, they will have to wait until next working day so that IT can help. In situation like this, enabling users to reset their domain account password using Web Mail Portal, like Microsoft TMG does, would help.

                                    22 votes
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      Signed in as (Sign out)

                                      We’ll send you updates on this idea

                                      1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                    • HTTPS Reverse Proxy

                                      When using ASG to terminate SSL sessions (SSL Offloading), it’s sometimes needed to get the client certificate (mutual authentication) and pass some SSL info such as SSL Session IDs and Client-SSL Certificate information (e.g. certificate fingerprint and serial number) inside HTTP header to be used and processed by the protected web applications.
                                      An example of this use; let’s assume that I have a plain-text web application with certificate-based user authentication, so, it’s necessary to have such features in my WAF appliance.

                                      20 votes
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        Signed in as (Sign out)

                                        We’ll send you updates on this idea

                                        2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                      • Enable OTP for WAF on a per-Authentication Profile basis

                                        At the Moment we can use the new OTP Feature just for all virtuell webserver. Therefore, it is not possible to use this great new function in most implementations.

                                        An example, many customers want to publish Exchange Services like OWA, ActiveSync and Outlook Anywhere. OWA with OTP and ActiveSync without OTP. But that is not possible.

                                        I suggest, you implement a new authentication Profile for OTP that we can use in the site path Routing.

                                        18 votes
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          Signed in as (Sign out)

                                          We’ll send you updates on this idea

                                          0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                        • Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong cat

                                          Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong category.

                                          18 votes
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            Signed in as (Sign out)

                                            We’ll send you updates on this idea

                                            5 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                          ← Previous 1 3 4 5 6 7
                                          • Don't see your idea?

                                          Feedback and Knowledge Base

                                          icon-data-protection icon-endpoint-protection icon-phish-threat icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-central icon-sophos-mobile icon-sophos-utm icon-sophos-utm icon-sophos-utm icon-web-appliance icon-xg-firewall icon-xg-firewall icon-lightbulbCreated with Sketch.