SG UTM

Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.

  1. Add a new option "type" for network definitions - AD computers

    Add a new option "type" for network definitions that allows for AD computers within an AD security group (much like the AD users/groups dynamic memberships). This would allow much more flexibility in how to apply "hosts", such as when creating a Web Filter Profile, instead of adding "internal network" or a specific host/hosts, we would be able to add to "allowed networks" an Active Directory group that would consist of computers that I added into that group via Active Directory. This is specifically important, since this would allow Web Filter Profiles to differentiate between domain machines and guest machines on…

    3 votes
    0 comments  ·  Authentication
  2. Join Workplace as Client AuthN

    Starting with Windows 8, there is a feature called Workplace. It uses an email address and password to identify a user (it will look up an SRV record on the email's domain name to identify the server it has to talk to) and finally it will enroll the client with a certificate.
    Sophos could use this in order to identify clients on the UTM. First enroll with a UTM username and then identify the user for e.g. Web Protection.

    1 vote
    0 comments  ·  Authentication
  3. Add ability to change password on Self Help screen in Sophos Safe Guard

    Sophos Safe Guard - Self Help screen allows viewing of the current password, but does not allow change of password. Enabling change of password at this screen would increase security level a step further.

    2 votes
    0 comments  ·  Authentication
  4. add transparent mode browser authentication over HTTP

    This would allow the UTM admin to select the captive portal to be presented over HTTP instead of HTTPS to prevent SSL errors on guest devices. I appreciate there's a security issue around this, but it should be made clear while selecting this option that it's less secure.

    2 votes
    0 comments  ·  Authentication
  5. Removing the internal IP from OWA log in screen

    I've just set up WAF for my internal Exchange Server and Outlook Web Access. I noticed on the log in screen it says "The server %FQDN of mail server% is asking for your user name and password. The server reports that it is from %internal IP%."

    This is such a huge security risk. Anyone attempting to access my mail server knows the internal IP structure. Please remove this from the log in screen!

    3 votes
    0 comments  ·  Authentication
  6. Authentication: Dedicated AD / LDAP Server Agent

    We would like a program(s) that could install directly on our Active Directory or LDAP server that would update the appliance on what user currently has what IP(s). This way their user objects could be automatically kept current without the need of the Client-Agent you offer, and give me super precise control by User.

    5 votes
    Under Review  ·  3 comments  ·  Authentication
  7. Authentication: Single-Sign On for Astaro Authentication Agent

    Expand the Astaro Authentication Agent to (optionally) use the currently logged on Windows credentials instead of manually entering credentials.

    227 votes
    19 comments  ·  Authentication
  8. Provide a DC Authentication Agent

    Have an agent which polls Active Directory Domain Controllers for user logon events to determine which user is logged onto each machine. This would allow for all users on the domain to be authenticated without requiring any settings on their machines. There would need to be an option to exclude logon events for service accounts.

    6 votes
    3 comments  ·  Authentication
  9. authentication

    I believe we should be able to specify which authentication server to use for each login method.
    It should not fall back to any other servers not specified.

    3 votes
    0 comments  ·  Authentication
  10. add U2F authentication to UTM and SUM

    The protocols and hardware already exist. See https://fidoalliance.org

    1 vote
    0 comments  ·  Authentication
  11. Provide the Two-Factor-Authentication as a RADIUS service, too

    Hi, great that you now implemented a 2FA with OTPs. With that it is now possible to secure applications dealing with the Firewall or, in combination with reverse proxies, even to secure web-based third-party applications. But what about non-browser based 3rd party tools? Wouldn't it be great to provide the 2FA also as a RADIUS service for those other programs? For us it would be. We are running e.g. a Password Server app that has a web interface AND other user GUIs like mobile apps. With a reverse proxy, we could try to secure this service from outside threats via 2FA…

    8 votes
    1 comment  ·  Authentication
  12. LDAP/TOTP Server proxy

    Astaro/Sophos UTM will happily use an external LDAP server as an authentication source. And then apply over that its own TOTP layer. But it cannot provide that TOTP service to other devices, except for internal websites using the reverse proxy.

    I'd like to see Astaro offer an external facing LDAP service, as a proxy for other LDAP servers with an optional OTP enhancement. This would allow an organisation to provide a single OTP source against a whole range of services such as mail servers, file servers and much more; all without configuring multiple OTP servers.

    1 vote
    0 comments  ·  Authentication
  13. Add more card compatibility for token-based authentication for SafeGuard Enterprise drive encryption

    Specifically, we are using a PIV card standard and the card is supplied by HID Global (purchased ActivIdentity 4 years ago). Yet the support matrix doesn't show support for this card, nor does it show anything listed by HID Global, who is one of the top manufacturers/providers of smart cards, smart card solutions, and smart card readers in the industry.

    1 vote
    0 comments  ·  Authentication
  14. Automatically disable user accounts after a period of inactivity

    A large percentage of our workforce is temporary workers and manually removing their account on the Astaro every time they leave us is impractical. It would be nice to have the Astaro automatically delete, or disable, user accounts after a certain period of inactivity (which the admin should be able to set).

    9 votes
    1 comment  ·  Authentication
  15. Authentication: Delete UTM user-object when deleted from backend server

    When we remove a user from our LDAP Directory (namely eDirectory or ActiveDirectory) the User in UTM is untouched. It would be nice if the UTM could know about this and purge its matching user-object as well. (Or display us a report of users who are no longer seen on the backend server so we could trigger a delete periodically).

    84 votes
    9 comments  ·  Authentication
  16. SSO authentication with Apple's Open Directory in transparent mode and proper documentation

    SSO authentication with Apple's Open Directory. For it to work in transparent mode without the need to use a proxy. Have all of this work with Safari, as it does not work at all right now. Have some proper documentation for the Macintosh system.

    1 vote
    0 comments  ·  Authentication
  17. WebAdmin: Force password change upon first login

    An optional checkbox in the user creation menu with that feature would be nice.

    8 votes
    2 comments  ·  Authentication
  18. Authenticate a user against multiple different backends

    Currently, a single user can only be authenticated against a single backend. If a user exists in multiple backends with the same username, you get all sorts of funny reactions.

    In the documentation about Dynamic Group Membership the described logic would make this possible. However, it doesn't work as described; users end up in the wrong backend group and some UTM services throw authentication failure errors while the backend in question can successfully authenticate the user.

    Please make it work as described in the documentation!

    1 vote
    0 comments  ·  Authentication
  19. mapping authentication servers to facilities

    It would be nice to be able to map certain authentication servers to certain functionalities. For instance: the in-house end-user portal needs no RSA token (Active Directory is used here) but the authentication for a VPN client should use RSA authentication.

    1 vote
    0 comments  ·  Authentication
  20. include FTP Proxy in authentication

    Our customer used this feature on his old proxy to control who can use FTP and with which rights. For our customer it is an essential feature.

    3 votes
    0 comments  ·  Authentication