SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Let you utilize different web servers depending on URL folder path

    Microsoft ISA Server 2006 lets you configure separate protected web servers for any URL folder path. I liked that, because it made the entrypoint simple – everything was based on the path name, not the server name. Any chance you would add this functionality to your product to make it cover what Microsoft’s ISA server could do? See call #5242748 for more info.

    1 vote
    0 comments  ·  Web Server Protection
  2. Configurable HTTPS DH parameter in the Web Application Firewall

    The web application firewall cannot support HTTPS connections by Java 6/7 clients because the DH parameter for HTTPS is set to a value greater than 1024 and this is not configurable.

    For an easy reference for the issue:
    http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile

    The error message the clients will receive is:

    javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair

    The only option is to manually add a DH-pair of 1024 or less into the first certificate generated by the Sophos device under /var/chroot-reverseproxy/usr/apache/conf/ssl/ (and then do that every time the configuration changes), or not use the WAF.

    Warnings for those who come across this post: …

    2 votes
    2 comments  ·  Web Server Protection
  3. Site Path Routing: Network Groups in Access Control

    Web Server Protection : Site Path Routing - Access control Lists

    Site Path Routing - Access control should allow Network Groups for management of large ACLs

    4 votes
    2 comments  ·  Web Server Protection
  4. Enable SPDY protocol for reverse proxy feature

    Please add the SPDY protocol to the reverse proxy to enhance HTTPS page load times through the UTM. Both on the client and server side, especially if the back end webserver supports the protocol.

    Thank you

    7 votes
    0 comments  ·  Web Server Protection
  5. Parallel Usage of VPN(SSL), Userportal and other HTTPS Sites on Port 443

    It would be nice if we could use port 443 for VPN (SSL) as well as OWA/WAF and(!) Userportal. Maybe this is possible?

    4 votes
    0 comments  ·  Web Server Protection
  6. Enable Sharepoint2013 encryption in SafeGuard Enterprise

    Enable the SafeGuard Enterprise client to encrypt files on SharePoint sites.

    3 votes
    0 comments  ·  Web Server Protection
  7. Ability to publish FTP through the WAF

    With the ability to publish FTP through the WAF instead of direct firewall passthrough, you could detect and block brute-force attacks and such at the Sophos.

    7 votes
    0 comments  ·  Web Server Protection
  8. Allow customizable block pages for WAF

    Currently the WAF displays a generic HTTP status page (403 "Authentication required") for errors and blocked actions. This really breaks the general look and feel of the product as they feature no branding whatsoever.

    It would be very nice if these pages feature the same style as the status pages in the rest of the UTM (Email, Web), and if we could offer similar customizability for them.

    This will work two-fold: On the one hand it will make the generic blockpages prettier and more attuned to the rest of the product, and at the same time it will allow organizations…

    28 votes
    2 comments  ·  Web Server Protection
  9. Add file type filtering to WAF

    Allow admins to list a set of file extensions and MIME types they wish to filter from either uploads, downloads or both.

    Include the true filetype detection already present in Web Protection (http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/1468141-web-security-file-extension-blocking-inside-archi) to make evasion harder.

    Optionally: Make the list of file-types a reverse authentication attribute, so that different groups of users are allowed to use different types of files.

    This functionality will allow for greater flexibility and protection when using the WAF. It can work as a DLP filter in downloads, or as a way of blocking executable code in uploads.

    3 votes
    0 comments  ·  Web Server Protection
  10. Web Application Firewall - Allow more granular exceptions

    Allow exceptions to be defined more granularly. For example, allow specific protocol anomalies in HTTP Policy or specific checks in SQL Injection Attacks.

    5 votes
    1 comment  ·  Web Server Protection
  11. Outlook anywhere connection with WAF for Mac Clients

    At the moment, there is no support for Outlook Anywhere connections on Mac clients. Please make Outlook Anywhere connections work with the WAF.

    3 votes
    0 comments  ·  Web Server Protection
  12. Make RBL list update possible via Pattern update or check their availability

    Recently the Web Server Security reverse proxy experienced timeout problems because "block clients with bad reputation" was active and one of the three internally used DNS RBL lists is down (dnsbl.proxybl.org).

    As the DNS RBL list stuff is not very reliable and often these lists are down due to DoS attacks or lack of administrators, it would make sense to react to such changes very quickly.

    So I suggest making updates of RBL lists using the pattern update mechanism (applies to both SMTP and reverse proxy and maybe Web Security as well).

    Another approach would be to check the availability…

    5 votes
    0 comments  ·  Web Server Protection
  13. DNS blacklist outage fix.

    Recently dnsbl.proxybl.org, a 3rd-party blacklist Web Server Protection uses to block IPs/domains with a "bad reputation", went offline.

    When this 3rd-party provider went out, the WAF served up pages extremely slowly to the outside world (it took about 1 minute for a page to fully load).

    I'm guessing every time a file was requested over the WAF, a look-up was done on the requester's IP and it would wait until the look-up timed out.

    My suggestion is to run a heartbeat on any such 3rd party service that turns on if a timeout occurred, if the service…

    1 vote
    0 comments  ·  Web Server Protection
  14. Reverse proxy add encodedslashes option

    Please provide the option in the reverse proxy to enable AllowEncodedSlashes for a specific virtual webserver.

    Some web applications use, for example, %2F for a slash, and the reverse proxy cannot translate this back to / because AllowEncodedSlashes is not enabled by default. This results in a 404 error.

    http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes

    When changing the configuration file of the reverse proxy it works fine, but the configuration is overwritten all the time. So a checkbox in the Webadmin to enable this option would be nice.

    68 votes
    12 comments  ·  Web Server Protection
  15. MDM based access through Reverse Proxy

    With MDM (as a service) being connected to a UTM it would be good to be able to set up a Reverse Proxy (WAF) profile as counterpart. I.e.: only devices allowed by MDM may pass to ActiveSync.

    This way it would not be necessary to set up a dedicated machine for this task and DNAT rule (and you can still use 443 for other webservers as well on the same IP).

    This way UTM and MDM would benefit (UTM being of more value to MDM SaaS customers). This will greatly emphasize Sophos product interconnection.

    12 votes
    1 comment  ·  Web Server Protection
  16. WAF Reverse Proxy with authentication: forward session cookie to backend http server

    When using the WAF (Web Server Protection) with authentication, a session cookie named BACKENDHOSTNAME_COOKIE is exchanged between browser and UTM on each HTTP request. For our application, which is launched via Webstart from the web application and communicates via HTTP, we need to forward that session cookie to the external client process.

    Therefore the session cookie should be made optionally forwardable from the UTM to the backend HTTP server.

    3 votes
    1 comment  ·  Web Server Protection
  17. Enable the use of the WAF as a front end for Remote Desktop Gateway.

    Include RDG over HTTP in the webserver protection firewall in a similar way to allowing Outlook Anywhere, to allow the use of Remote Desktop Gateway services, including the remote apps feature within /rdweb. Currently the HTTP-based traffic is passed fine; however, when attempting to negotiate the use of a remote app the WAF resets the connection due to RDGOUTDATA not being a valid header. Would it be possible to pass this traffic uninspected as you do with RPC?

    Thank you.

    Mark

    10 votes
    2 comments  ·  Web Server Protection
  18. Allow DNS-Group Objects in Webserver Protection Access List

    Hello,

    I really love your Access-List for the Site-Path-Routing in the Webserver-Protection area, which comes with 9.3, I think. We are able to put in Networks here, which works like a charm. But:
    We would like to add a DNS-Group here, too. It's a bunch of clients from different subnets, simply put together into a DNS group (it's the same object as the "supportaccess.sophos.com" DNS Group).

    I would like to block a similar DNS Group (of course not the support-access group) with the access-list feature from the webserver protection.

    Thank you

    3 votes
    0 comments  ·  Web Server Protection
  19. OCSP Stapling Support for WAF

    Please can you support OCSP Stapling.

    The obvious advantage to OCSP Stapling is the improvement in speed and availability of the OCSP certificate status check.

    OCSP Stapling helps maintain the privacy of the end user, since a CA can see which web sites a user has visited (only those web sites that have certificates issued by the CA). If OCSP Stapling is used, the CA will see OCSP requests only from the web site, not the web site’s end users.

    Many wi-fi hotspots use Captive Portals to control access to the Internet, sometimes requiring entry of a credit card number…

    25 votes
    0 comments  ·  Web Server Protection
  20. (Webserver Protection) WAF + (Network Protection) Server Load Balancing.

    It would be great if there was a way to use the WAF but with the Server Load Balancer setup in the Network Protection area, or at least have the same type of control, if not even more types of load balancing controls than there are now.

    As noted in another feature suggestion of having Layer 7 checks in the WAF Load balancer would be great. And I agree. But along those same lines I also have needs to specify load to not be round robin and to weight it. Which you can do to a degree in the Network Protection…

    16 votes
    1 comment  ·  Web Server Protection