SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. VPN: An SSL-VPN Client for Android

    Would be great to have an installable SSL-VPN client for Android mobiles!

    257 votes
    45 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    This feature has been released as part of UTM 9.1. Enjoy! We have added support for the new OpenVPN Android (and iOS) client. You can download their free client from the marketplace and connect to your UTM with it!

    After installing the client on your phone, visit the UserPortal and use the new installer on the remote access tab under SSL VPN.

  2. VPN: SSL VPN For iPhone / iPad (iOS)

    In addition to the already-possible L2TP VPN and IPSec VPN, the SSL VPN would be a nice ability to have.

    66 votes
    11 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    This feature has been released as part of UTM 9.1. Enjoy! We have added support for the new OpenVPN iOS client. You can download their free client from the marketplace and connect to your UTM with it!

    After installing the client on your phone, visit the UserPortal and use the new installer on the remote access tab under SSL VPN.

  3. VPN: Manually Disconnect a logged-in User

    I would like to have an option on the Remote Access Status page to throw out a logged-in user. In some cases it would be necessary to log out a user manually with the WebAdmin interface.

    130 votes
    24 comments  ·  VPN
  4. VPN: Local VPN ID choices when using Pre-Shared-Key

    If one side of a VPN is another product, it might not accept an 'ANY Remote VPN ID' option, while the UTM doesn't have a fixed IP.
    Thus, the other VPN gateway doesn't know the UTM IP, so it cannot use the IP as peer VPN ID. UTM cannot change its local VPN ID when we set up the Authentication type as Pre-Shared Key. The default local VPN ID is the external IP address and cannot be changed.

    Please support changing the local VPN ID when the Authentication type is Pre-Shared Key, then we can use hostname or email address…

    31 votes
    5 comments  ·  VPN
  5. VPN: Make Android IPSEC/L2TP Work Globally

    As of now, for most Android users, regardless of version or ROM, the stock Android IPSEC/L2TP connections do not work (just take a look at the many threads in the forums). There is some link between the problem and use over 3G.

    77 votes
    14 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    This feature has been completed and released as part of UTM 9. See http://www.astaro.com/blog/up2date/UTM9 for launch information.

    NOTE: Despite the R&D efforts, be aware that it is increasingly common for mobile providers to actively block VPN connections, and as such this is beyond our control to fix. Further, some who are not currently blocking may begin to do so at any time to control clients and protect offered services.

  6. Reporting: VPN Activity

    Create reporting from the VPN logs to show who logged in when, did what, and over what protocols. It would also be good to display currently connected VPN users and their status and activity, and allow disconnection/management of such connections (disconnect and block for 10 minutes, etc.). This gives more insight into the state of VPN connectivity and who is making use of it, doing what.

    181 votes
    21 comments  ·  VPN
  7. VPN: Site-to-Site Tunnel Bonding

    I am looking to have multiple VPN connections between two sites over different Internet connections.

    14 votes
    5 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    In UTM 9, you can create multiple connections using Site-to-Site RED. As well, we have just released the RED 50, which allows for dual WAN connections to be balanced to the central UTM site.

    In 9.1, you can bind IPSEC tunnels to interfaces in order to have multiple uplinks between sites using multiple VPNs, which can then use multipath rules to give you both automated balancing AND fail-over support. Enjoy!

  8. VPN: Connect to Amazon VPC Hardware VPN Easily

    In order to connect to Amazon VPC you need to have a special IPsec + BGP combination to create a resilient connection with integrated dynamic routing.
    Astaro should implement an easy way to quickly connect to Amazon VPC without all the hassle.

    14 votes
    8 comments  ·  VPN
  9. VPN: Route-Delay Push for SSL Roadwarrior

    We have a fair amount of customers who have issues with getting the SSL VPN running correctly by default.

    This is normally easily remedied by adding:
    push "route-delay 20 10"
    Just above: [<OPENVPNPUSHROUTES>]
    to /var/chroot-openvpn/etc/openvpn/openvpn.conf-default and restarting SSL VPN, but it would be nice to have this as an official part of the GUI (or an altered version of the VPN that makes sure the routes get set up before reporting the VPN is up)

    Part of the issue is older PCs with limited CPUs and another part is Antivirus products deleting the routes again if set…

    1 vote
    0 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    This was treated as a bug and addressed in recent updates to the SSL VPN client itself. Routes should be properly set on all connecting clients.

  10. Remote Access: Multiple Uplink Interfaces Support for Connections

    Include option for adding the IP addresses of the standby uplink interfaces into the SSL VPN config file so if an uplink failover happens the SSL VPN clients automatically failover to the new uplink interface as well.

    Right now it is possible but the SSL VPN config file has to be edited on each client manually.

    7 votes
    2 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    As Marco mentions, you can use the dyndns hostname of the ASG as the connection target for the SSL VPN. This means the ASG will always have a hostname which is reachable by the SSL VPN users no matter what connection is currently active.

    You will find the ability to override the default preference of ASG (which is to use the system hostname) with the dyndns hostname in the advanced tab of the SSL VPN connection settings. This achieves the requested feature, so I’ll mark it as complete.
  11. Notifications: RED status notification

    Add a notification for the RED status (e.g. link down)

    11 votes
    3 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    This feature has been released as part of UTM 9.1. Enjoy!

    We have added VPN tunnel Up/Down notifications and included RED devices as part of this handling. While there is a separate feature on the portal for that, RED device monitoring is generating some questions, so I’ll leave this feature un-merged and track it separately for others to see.

  12. Remote Access: SHA-2 algorithms for SSL-VPN authentication

    There should be more options under "Remote Access > SSL > Advanced > Authentication algorithm" than "MD5" and "SHA1" as the OpenVPN backend also supports SHA2 algorithms like SHA-224, SHA-256, SHA-384, SHA-512...and they appear to be there, just not available in WebAdmin?

    loginuser@vpn:/home/login > /var/chroot-openvpn/sbin/openvpn --show-digests
    You can specify a message digest as parameter to
    the --auth option.
    MD2 128 bit digest size
    MD5 128 bit digest size
    RSA-MD2 128 bit digest size
    RSA-MD5 128 bit digest size
    SHA 160 bit digest size
    RSA-SHA 160 bit digest size
    SHA1 160 bit digest size
    RSA-SHA1 160 bit digest size
    DSA-SHA 160…

    16 votes
    Completed  ·  0 comments  ·  VPN
  13. VPN: Standard CHAP Support for L2TP (Android)

    Android phones come with an L2TP IPsec PSK VPN client. Currently Astaro only allows MSCHAPv2 authentication for local users. The Android client wants to auth with plain CHAP. The authentication fails when the phone tries to log in. Can we implement plain CHAP as an option for the upcoming swell of Android devices that need VPN access to an Astaro? We are limited in VPN options as the PPTP client in Android seems broken and openSSL currently requires root on the phone.

    108 votes
    16 comments  ·  VPN
  14. IPSec Tunnel Fail-Over

    If you have 2 Internet connections and one goes offline (because of the Telekom), then it would be great to configure a fallback IPSEC tunnel so that the company branch stays connected.

    5 votes
    4 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    This is possible using the new uplink monitoring feature in 7.5 and V8, which was designed to accomplish exactly this: light up a spare tunnel on another interface when the primary is down. Enjoy!

  15. VPN: Preferred Interface for IPSec with multiple connections

    For Site-to-Site VPN, add a "preferred interface" choice when "uplink Interfaces" is selected as local interface (and when uplink balancing is setup to multipath).

    We could then balance VPN connections to different uplinks, keeping the advantage of Multipath/failover functionality. When the "preferred interface" is down, just switch the VPN connection to the next local interface in the "uplink balancing" interfaces list.

    8 votes
    5 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    This feature has been completed and released as part of UTM 9. See http://www.astaro.com/blog/up2date/UTM9 for launch information.

    You have a new object type “Interface Groups” which allows you to duplicate the “uplink interfaces” definition which we already have, and use it anyplace you can pick an interface. This allows for this feature, and some other powerful abilities, to be possible.

  16. SSL VPN with own certificates

    Actually it is not possible to import your own certificate to the Astaro to use it in an SSL VPN configuration (SSL remote access and/or site-to-site SSL VPN).

    The SSL VPN only supports local, self-signed certificates. It is no problem to use this cert for IPSEC-VPN.

    This would be a nice feature for customers who want to integrate an Astaro in their existing OpenVPN environment.

    Thank you.

    Daniel Werner

    1 vote
    0 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    On the advanced tab you can select the certificate you wish to use. Simply upload it first using certificate management, then make use of it via this drop down.

  17. VPN: SSL Client without ADMIN rights

    Even if it's already described on the OpenVPN website how to work around Windows Vista to run the SSL VPN client without admin rights, it would be important to have this configuration built into the Astaro SSL VPN client.

    68 votes
    6 comments  ·  VPN
  18. IPSec Site-Site VPN with fqdn identifier

    Please implement the facility to use a fqdn as identifier, not the IP.

    4 votes
    2 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    As stated, this is already possible in ASG7 using the “hostname” selection from the identifier drop down.

  19. Hostname identifier for Remote in PSK-based IPsec

    Right now, the ASG only allows IPsec connections using pre-shared keys to use the IP Address VPN ID. Cisco frequently uses Hostname VPN IDs. Technically, this should already be supported by the underlying software, yet the GUI doesn't allow changing the VPN ID Type.

    4 votes
    1 comment  ·  VPN
  20. VPN: Create Site-To-Site VPNs using DYNDNS Names

    AVM Fritzboxes commonly use a dyndns address for site-to-site connections. There is already a guide for making an s2s VPN with ASG, but this only works with static IPs, not with dyndns addresses.

    1 vote
    0 comments  ·  VPN
    Completed  ·  Angelo Comazzetto responded

    This is already possible in ASG 7+. Make a definition for a “DNS Hostname” of the dyndns hostname you wish to communicate with, and ASG will resolve it to the current IP and use it for building the tunnel. If you need more help you can make a ticket (if a customer) and/or ask the www.astaro.org community for assistance.
