In many environments, systems like this cause the admin to basically get inundated with requests, often without them ever saying "no". We have a system on the UTM which allows users to override the URL filter using their credentials (if allowed), which will let them bypass only that feature (not, for example, anti-virus).
We then fully log the details of the override (who, what site, when, etc.) and the reason they entered (via a field on the override form) and provide that as a report you can audit at will to identify abuse or questionable overrides.
Would that solve your problem, or would you still like to manually process override requests?
To provide a status update. The .apc/.epc format you refer to is not just a .ovpn file which has been converted to a proprietary format. As there is no standard at all for site-to-site SSL VPN at this time, we needed to include more information than just tunnel parameters in the file that you download as "ours" from a UTM.
Conversely, a simple .OVPN file does not contain all the information a UTM needs in order to construct a site-to-site SSL VPN. There are configuration objects used by the UTM that are used by our CONFD in the underlying system overall, and these cannot be easily deduced and labelled by the system. As such, the idea of using a UTM-generated site-to-site SSL VPN configuration file with your OpenVPN server, or importing a .OVPN file (with all the gamut of parameters possible in such a file) into the UTM for easy cross-device SSL VPN site-to-site is a large technical challenge with too many places where assumptions we would have to make would limit the scope and usefulness anyway.
We will look at some sort of solution, but it isn't a simple thing we can easily do in the short term. Keep voting! We see you guys.
Hi "anonymous". Can you list a bit more on your feature request here please? What kind of use case would you like to address with that?
Hi, we actually have a filter there in the UserPortal to show expired vouchers. Do you need more? Otherwise, we'll mark this as already possible. Hope that helps! If not, let me know.
73 votes · Angelo Comazzetto supported this idea
We already do wildcard by default, hence if someone is looking for "ryan seacrest" in Google, and you type in just "searc" (no quotes of course) it will return all those log lines in the webfilter log when using the logfile search.
Does this solve what you need? If not, please provide a bit more info, as what you have asked for in your explanation is already the behaviour; searching for "jobs" would return all log lines with *jobs* in it...
So we clearly understand the request, can you please provide more information? Specifically on what you feel is lacking now; both the Web and Mail have profile-based configuration which can be used to create totally separate ways of filtering mail and web. What is needed?
Thanks for your reply. So I am clear, you want the HTTP proxy to masquerade equally to all or some (outgoing balanced) external IPs of the "additional addresses", or just want the ability to set which additional single IP the proxy should NAT to?
Can you elaborate on that with the use case please? Are you saying that perhaps LAN 192.168.0.x isn't being properly masqueraded to the external interface? I'd need some more details to properly file this request. Thanks!
Hi Oliver, could you let me know what you want to do by having this feature? You'd like to bridge the SSL VPN user pool to the local LAN so they could share the same IP addresses easily, I assume? Or is there other application(s) you are interested in for this?
To be clear, you're asking for if you enter host.mycompany.com you should be able to ping just "host"? How do you see the ASG solving that one?
This feature was implemented in XG Firewall
This feature is planned for UTM 9.1 which is targeted to begin beta in late 2012/early 2013 for release in Q1 2013.
Hi Warren, While we can keep increasing the options for customization, adding a completely customizable page-builder right in WebAdmin is very tedious and not the best way to solve that. We will rather look to add URL redirecting so you can build and host whatever page style you like for the various block reasons in an upcoming version. I'll merge this request into that one as a result.
Hi Peter, you can accomplish this by installing the Astaro Authentication Agent (Sophos Authentication Agent in UTM9) which will report/update a user object with their current IP after being installed on a workstation. We are working on various improvements to this agent.
Further, we will look at a dedicated server agent for the future as well, which I'll merge this one into.
Slightly adjusted description to ensure his request was appropriately posed.
We are reviewing this for the next version of UTM Endpoint Protection
Are you requesting a feature for the upcoming UTM9 product or an existing Sophos endpoint?
Are you looking to do this for purposes of VPN or just for LAN routing?
Again on this, currently the UserPortal will already limit the choices available on a per-user basis. However this will only be possible in the current system if you specify users per-feature. If you are using server-backend groups for a feature like SSL VPN, then indeed all users in that group would be enabled for this.
Is that your scenario or did you not already know we limit the choices automatically per-user? Let us know!
So we clearly understand, currently the system will not display any items for which a user is not permitted, but you then want one more level of exception, so that for example you can allow the "Receptionists" group to access the Hotspot feature, but then deny "Janice" who is in that group?
Hi. I must say this one confuses me. We didn't so much as over-think the feature as we did just not anticipate the need to set up server load balancing without 2 things to "balance" to. I'll leave the feature so it could gather votes however.