Channel: martinsblog.dk

Exchange 2013: CU 22 – Fatal error during installation?!


As so many times before, you may have tried to upgrade Exchange to a new Cumulative Update (CU). Find the newest here: Exchange Server build numbers and release dates

You download, you install, it completes etc. and you’re good!

Great!

But with Exchange 2013 CU22, things go differently: you download, you install, it comp… FAIL!

[02-17-2019 09:32:58.0051] [1] [ERROR] Fatal error during installation
[02-17-2019 09:32:58.0051] [1] [ERROR] Installing product C:\Exchange Install\Exchange2013Cu22\exchangeserver.msi failed. Fatal error during installation. Error code is 1603. Last error reported by the MSI package is ‘Error reading from file: C:\Exchange Install\Exchange2013Cu22\Setup\Perf\ApaAgentPerfCounters.h.   Verify that the file exists and that you can access it.’.
[02-17-2019 09:32:58.0051] [1] [ERROR] Fatal error during installation
[02-17-2019 09:32:58.0066] [1] [ERROR] Installing product C:\Exchange Install\Exchange2013Cu22\exchangeserver.msi failed. Fatal error during installation. Error code is 1603. Last error reported by the MSI package is ‘Error reading from file: C:\Exchange Install\Exchange2013Cu22\Setup\Perf\ApaAgentPerfCounters.h.   Verify that the file exists and that you can access it.’.
[02-17-2019 09:32:58.0066] [1] [ERROR] Fatal error during installation
[02-17-2019 09:32:58.0098] [1] Ending processing install-msipackage
[02-17-2019 09:33:12.0306] [0] CurrentResult setupbase.maincore:396: 0
[02-17-2019 09:33:12.0306] [0] End of Setup

Now what is that all about?

You have been left with a broken Exchange server, a sunken ship 🙁

Some people have tested and written about all this, and the solution is actually simple:

Map a network share on another server, copy the CU22 files there, and run setup from the command prompt:

\\<servername>\c$\temp\ex2013cu22\setup.exe /Mode:Upgrade /IAcceptExchangeServerLicenseTerms

And it completes, or at least it should 🙂

If you want to read more about this issue, you may check the following links:

https://social.technet.microsoft.com/Forums/en-US/55a3e902-a58f-411a-b02f-e8eb730c2ad3/exchange-2013-cu-21-22-install-issue-exchange2013cu22setupperfapaagentperfcountersh-verify?forum=exchangesvrdeploy

In Danish:

https://net-help.dk/index.php/exchange-2013/347-setup-perf-apaagentperfcounters-h-verify-that-the-file-exists-and-that-you-can-access-it


Sophos XG: Office 365 installer fails


When using the newer streaming installers for Office 365 and Microsoft Office Online, you may find that the installation fails: it cannot install or cannot update Office.

This can be due to Sophos XG Web Filtering protection: the installer doesn’t like its traffic being intercepted (transparent proxy).

Luckily you can make an exception for this in the XG:

This is the regex code added in the “Target Domains” window:

^([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com\.edgesuite\.net/

Press save and it will work right away 🙂
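
To see what this exception actually covers, the following added example (not part of the original post and not Sophos code) runs the pattern against constructed URLs and compares it with a looser, unanchored variant. It assumes the firewall tests the pattern against host plus path without the scheme; LOOSE_PATTERN, the sample URLs and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

CDN_HOST = "officecdn.microsoft.com.edgesuite.net"

# Pattern exactly as given in the post for the XG "Target Domains" field.
PAGE_PATTERN = r"^([A-Za-z0-9.-]*\.)?officecdn\.microsoft\.com\.edgesuite\.net/"

# Constructed for contrast: same host text, but no ^ anchor, no dot boundary
# in front of it and no "/" behind it.
LOOSE_PATTERN = r"officecdn\.microsoft\.com\.edgesuite\.net"

# Constructed sample URLs (hypothetical hosts and paths, illustration only).
SAMPLES = [
    "http://officecdn.microsoft.com.edgesuite.net/pr/sample/Office/Data/v64.cab",
    "https://a1.officecdn.microsoft.com.edgesuite.net/setup.exe",
    "http://officecdn.microsoft.com.edgesuite.net",
    "http://officecdn.microsoft.com/pr/sample/Office/Data/v64.cab",
    "http://xofficecdn.microsoft.com.edgesuite.net/file",
    "http://officecdn.microsoft.com.edgesuite.net.example.test/file",
    "http://example.test/dl?src=officecdn.microsoft.com.edgesuite.net/",
]


def match_target(url):
    """Reduce a URL to the string the pattern is tested against.

    Assumption: lower-cased host (port dropped) + path + query, no scheme.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = host + (parts.path or "/")
    if parts.query:
        target += "?" + parts.query
    return target


def is_excepted(url, pattern=PAGE_PATTERN):
    """True if the exception pattern would exempt this URL from filtering."""
    return re.search(pattern, match_target(url)) is not None


def host_is_cdn(url):
    """Independent check: is the host the CDN name or a subdomain of it?"""
    host = (urlsplit(url).hostname or "").lower()
    return host == CDN_HOST or host.endswith("." + CDN_HOST)


def overmatches(pattern):
    """URLs the pattern exempts although the host is not the CDN."""
    return [u for u in SAMPLES if is_excepted(u, pattern) and not host_is_cdn(u)]


def undermatches(pattern):
    """CDN URLs the pattern fails to exempt (the installer would still break)."""
    return [u for u in SAMPLES if host_is_cdn(u) and not is_excepted(u, pattern)]


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_PATTERN), ("loose", LOOSE_PATTERN)):
        print(f"--- {name} pattern ---")
        for url in SAMPLES:
            verdict = "EXEMPT  " if is_excepted(url, pattern) else "filtered"
            print(f"{verdict}  {url}")
        print("exempted but not the CDN:", overmatches(pattern))
        print("CDN but not exempted:    ", undermatches(pattern))
```

The pattern from the post exempts only the edgesuite.net name and its subdomains, so traffic to other Office download hostnames is still filtered.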

 

Sophos UTM: Up2date 9.603-1 released


Today Sophos released UTM 9.603. The release is GA and available to all via their Up2Date servers.

The update is very small and only fixes a licensing issue for Amazon AWS users.

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded

Issues Resolved

  • NUTM-10932 [AWS, Basesystem] License issue for AWS installations after the upgrading firmware to 9.602

Windows Server 2016: systemsettingsadminflows.exe error


On Windows Server 2016, when the server is joined to a domain and you log in as a domain admin and try to add an extra UI language, you will see the following:

c:\Windows\system32\systemsettingsadminflows.exe
Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item

This can be fixed by changing the following:

Start –> Run

“secpol.msc” – ENTER

After this, log out and in again, and give it another try 🙂

Links: https://docs.microsoft.com/da-dk/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account

Sophos XG: SFOS 17.5 MR6 Released


Sophos released SFOS v17.5.6 MR6 for the Sophos XG Firewall. Initially, the firmware will be available by manual download from your MySophos account. Sophos will then make the firmware available via auto-update to a number of customers, which will increase over time.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Guidance on recently discovered security vulnerability in Exim email server

Exim is used by XG Firewall v17.5, specifically if a customer has enabled Email Protection. On Friday 7 June 2019, Sophos released and automatically applied an over the air hotfix to all XG Firewalls with auto-updates enabled to address this issue. If your XG Firewall does not have auto-updates enabled, upgrading to 17.5 MR6 release could resolve the issue. Alternatively, you can review KB134199.

What’s New in XG Firewall v17.5 MR6

Radius SSO authentication between XG and APX

Wireless users can be authenticated using Radius SSO between XG and APX. Now supports framed IP addresses in client accounting messages.

Issues Resolved in SF 17.5 MR6

  • NC-40785 [API Framework] Incorrect data types and values in API documentation
  • NC-44687 [API Framework] Unable to update webadmin settings when WAF rule with port 80 is configured
  • NC-43933 [Authentication] csd not cleaning up stale connections
  • NC-45077 [Authentication] Some LDAP users are not associated with the expected group
  • NC-45283 [Authentication] Memory leak in access server
  • NC-46024 [Authentication] Guest user registration is not working after upgrading to 17.5 MR4
  • NC-46572 [Authentication] Race condition in access server when setting authserverid
  • NC-44178 [Backup-Restore] Unnecessary selection button when downloading backup without encryption password
  • NC-45532 [Clientless Access] Clientless SMB Bookmark – Unable to upload files in a folder or share with an apostrophe
  • NC-39353 [Core Utils] Brazilian timezone and DST problem
  • NC-40924 [Core Utils] ATP patterns filling up /content/ folder
  • NC-43506 [DHCP] Established connection is destroyed when dynamic WAN interface gets configured
  • NC-46351 [DHCP] DHCP service dies on firmware upgrade
  • NC-43624 [Dynamic Routing (PIM)] Coredump from  pimd while applying interfaces in pim-sm in HA-AA case
  • NC-41225 [Email] Assertion while scanning mail with custom file mime type
  • NC-42752 [Email] Issues with certificate chain
  • NC-42986 [Email] Mail application usage reports shows 0bytes for POP and IMAP
  • NC-43179 [Email] Mails stuck in queue when email id contains ‘=’
  • NC-43285 [Email] Filtering for bounced mails freezes mail log page
  • NC-43399 [Email] “DKIM: validation of body hash failed” when DKIM signed mail gets forwarded by XG
  • NC-43445 [Email] Mails are split in different header information and hang in spool
  • NC-43539 [Email] Unable to access appliance after restoring backup
  • NC-44131 [Email] Core dumps in smtpd while deleting mail from mail spool page
  • NC-44490 [Email] Unable to use CAs with ECC certificates
  • NC-44559 [Email] Conan engine does not get upgraded on migration
  • NC-44662 [Email] Mails with folded headers might not be processed correctly
  • NC-45144 [Email] Exim complaining about illegal header file
  • NC-45223 [Email] Unable to filter mail log with some special russian characters
  • NC-46145 [Email] Email notification using external mail server not working after upgrading to 17.5 MR4
  • NC-42902 [Firewall] IPsec traffic flows only after REKEY event
  • NC-44344 [Firewall] Not able to enable IP Spoofing on more than 18 zones
  • NC-46188 [Firewall] GUI icons broken in firewall rules
  • NC-44083 [Hotspot] Hotspot voucher created in HA setup is expired and has used data attached to it
  • NC-38688 [IPsec] Sporadic connection interruption to local XG after IPsec rekeying
  • NC-41631 [IPsec] Tunnel not established in HA setup
  • NC-43220 [IPsec] Unable to use “Reset” button on Sophos Connect settings page
  • NC-43898 [IPsec] Improve udp/500 firewall rule activation
  • NC-44072 [IPsec] Charon timeout while starting on small appliances with 20+ IPsec tunnels and auth type ‘rsa’
  • NC-44240 [IPsec] XG not accepting MODP_1024 DH during IKE negotiations
  • NC-44016 [Logging Framework] Garner segfault in Central Management plugin of garner
  • NC-44693 [Logging Framework, SecurityHeartbeat] Reports are not being generated
  • NC-45339 [Logging Framework] Assertion fail in garner causing RED clients to disconnect
  • NC-46535 [Logging Framework] Memory leak in notification plugin
  • NC-44531 [nSXLd] nSXLd connection handling improvements
  • NC-46117 [Policy Routing] Traffic passing through IPSec link though policy route (MPLS) has high priority
  • NC-30294 [PPPoE] PPPoE interface graph is showing incorrect bandwidth information
  • NC-33657 [SFM-SCFM] API output shows “Configuration parameters validation failed”
  • NC-44007 [SFM-SCFM] Error message on GUI: SSOD is stopped
  • NC-44562 [SFM-SCFM] Backup snapshot has not been restored from SFM when SF having encrypted password for backup
  • NC-43684 [SNMP] libsnmp segfaults for “AVVERSION Get”
  • NC-44695 [SSLVPN] Unable to connect via SSL VPN after migrating from CROS
  • NC-46253 [SupportAccess] Backport: Cannot connect to WebAdmin via SupportAccess
  • NC-43936 [UI Framework] Guest Users page not loading after deleting the last page of available Guest Users
  • NC-44018 [UI Framework] Type of icon should be drop-down instead of icon of increase-decrease
  • NC-44283 [UI Framework] Cannot load Connection Details page of an IPsec VPN connection when Chinese characters are used in local/remote host configuration
  • NC-45358 [WAF] Privilege escalation from modules’ scripts (CVE-2019-0211)
  • NC-45544 [WAF] Reduce memory footprint
  • NC-45974 [WAF] URL normalization inconsistency (CVE-2019-0220)
  • NC-46104 [WAF] HTML rewriting in large embedded CSS causes appliance to reboot due to OOM
  • NC-46810 [WAF] NULL pointer dereference in mod_proxy_html
  • NC-43970 [Web] Policy editor window doesn’t close when new policy created
  • NC-44089 [Web] Backslashes not properly escaped on User Activities page
  • NC-44228 [Web] Web categorization fails randomly
  • NC-44609 [Web] Incorrect parsing of DNS responses leads to 502 errors
  • NC-45020 [Web] Memory leak in sandbox pending page
  • NC-45094 [Web] SSL scan not on in case of force_ntlm on transparent connection
  • NC-27524 [Wireless] Restoring backup of Cyberoam 10.6.5050 GA not working when WLAN is configured
  • NC-45088 [Wireless] Selective export of WirelessNetworks with dependencies does not contain any dependencies
  • NC-45405 [Wireless] Country field for AP shown empty while accepting it with multiple pending APs
  • NC-46142 [Wireless] SSID deleted but WiFi interface remains

Download

To manually install the upgrade, you can download the firmware from the MySophos portal. Please refer to Sophos XG Firewall: How to upgrade the firmware.

Sophos UTM: Change default timeout for SSL VPN remote access


With SSL VPN in UTM, you will be disconnected, NO MATTER WHAT, after 8 hours; this is the default. Even if you are transferring data, you will be kicked off 🙂

This can be changed, by modifying this parameter in UTM:

Here changed to 10 hours = 36000secs:

After that, press APPLY, and all new connections will now time out after 10 hours 🙂

Sophos XG: Change default timeout for SSL VPN remote access


With SSL VPN in XG Firewall, you will be disconnected, NO MATTER WHAT, after 8 hours; this is the default. Even if you are transferring data, you will be kicked off 🙂

This can be changed, by modifying this parameter in XG:

Here changed to 10 hours = 36000secs:

After that, press APPLY, and all new connections will now time out after 10 hours 🙂

Please also pay attention to the “Disconnect dead peer after” and “Disconnect idle peer after” parameters, so that they are not the ones causing the issues 😉

Office 365: Users in a hybrid deployment can’t access a shared mailbox that was created in Exchange Online


How to create a shared mailbox in Office 365 in hybrid environments?

Why can’t people send to the new shared mailbox that I created weeks ago on Exchange Online, in my hybrid environment?

Well, as of writing this article, you do NOT create shared mailboxes in Exchange Online when you have a hybrid environment; you do this (Microsoft article):

 Note

The Hybrid Configuration wizard that’s included in the Exchange Management Console in Microsoft Exchange Server 2010 is no longer supported. Therefore, you should no longer use the old Hybrid Configuration wizard. Instead, use the Office 365 Hybrid Configuration wizard. For more information, see Office 365 Hybrid Configuration wizard for Exchange 2010.

Problem

Consider the following scenario:

  • You have a hybrid deployment of on-premises Microsoft Exchange Server and Microsoft Exchange Online in Office 365.
  • You create a shared mailbox directly in Exchange Online.
  • You assign Full Access permissions to one or more users.

In this scenario, you experience one or more of the following issues:

  • Users can’t open the shared mailbox in Outlook.
  • Users can’t view free/busy information for the shared mailbox.
  • Users can’t send mail to the shared mailbox.

Cause

These issues can occur if the shared mailbox is created by using the Exchange Online management tools. In this situation, the on-premises Exchange environment has no object to reference for the shared mailbox. Therefore, all queries for that SMTP address fail.

Solution

Create a remote mailbox in the on-premises environment, and then move the mailbox to Exchange Online. To do this, follow these steps.

 Note

For on-premises environments that use Exchange Server 2013 (cumulative update 21 or later versions) or Exchange Server 2016 (cumulative update 10 or later versions), you can skip the following steps and follow the steps under the “Alternative method” section instead.

  1. Convert the shared mailbox to a regular mailbox by using the Exchange admin center in Exchange Online. To do this, follow these steps:
    1. Open the Exchange admin center in Exchange Online.
    2. Click recipients, and then click shared.
    3. Select the shared mailbox, and then click Convert.
    4. On the Warning page, select Yes to convert the shared mailbox.
  2. Create an on-premises object for the cloud mailbox by using the New-RemoteMailbox cmdlet in the Exchange Management Shell.

     Note

    This object must have the same name, alias, and user principal name (UPN) as the cloud mailbox.

    For more information, see New-RemoteMailbox.

  3. Set the ExchangeGuid property on the new on-premises object that you created in step 2 to match the cloud mailbox. To do this, follow these steps:
    1. Connect to Exchange Online by using a remote session of Windows PowerShell.

      For more information about how to do this, see Connect to Exchange Online using remote PowerShell.

    2. Use the Get-Mailbox cmdlet to retrieve the value of the ExchangeGuid property of the cloud mailbox. For example, run the following command:
      PowerShell

      Get-Mailbox <MailboxName> | FL ExchangeGuid

      For more information, see Get-Mailbox

    3. Open the Exchange Management Shell on the on-premises Exchange server.
    4. Use the Set-RemoteMailbox cmdlet to set the value of the ExchangeGuid property on the on-premises object to the value that you retrieved in step 3b. For example, run the following command:
      PowerShell

      Set-RemoteMailbox <MailboxName> -ExchangeGuid <GUID>

      For more information, see Set-RemoteMailbox.

  4. Wait for directory synchronization to occur. Or, force directory synchronization.

    For more information, see Synchronize your directories.

  5. Make sure that the Office 365 user object is displayed as “Synced with Active Directory.”
  6. Move the mailbox from Exchange Online to the on-premises environment.

    For more information, see Move mailboxes between on-premises and Exchange Online organizations in 2013 hybrid deployments.

  7. Convert the mailbox to a shared mailbox by using the Set-Mailbox cmdlet in the Exchange Management Shell. For example, run the following command:
    PowerShell

    Set-Mailbox <MailboxName> -Type Shared

    For more information, see Set-Mailbox.

  8. Move the mailbox from the on-premises environment to Exchange Online.

    For more information, see Move mailboxes between on-premises and Exchange Online organizations in 2013 hybrid deployments.

Alternative method

For on-premises environments that use Exchange Server 2013 (cumulative update 21 or later versions) or Exchange Server 2016 (cumulative update 10 or later versions):

Create an on-premises object for the cloud mailbox by using the New-RemoteMailbox cmdlet in the Exchange Management Shell.

 Note

This object must have the same name, alias, and user principal name (UPN) as the cloud mailbox. For more information, see New-RemoteMailbox.

For example, run the following command:

PowerShell

New-Remotemailbox sharedmailbox@contoso.com -Remoteroutingaddress sharedmailbox@contoso.mail.onmicrosoft.com -Share

You can find info about your Exchange build here:

https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019


SECURITY: BlueKeep PoC demonstrates risk of Remote Desktop exploit

Office 365 ProPlus will now be supported on the new Windows Server 2019 RDS!!


Yes – you read it alright!

In April I wrote this:


What reasons Microsoft had in their heads, when stating this, is to me, unclear 🙁

Here are some articles about it:

Greymatter:
https://www.greymatter.com/corporate/news/microsoft-drop-office-365-proplus-support-windows-server-2019-rdsh/

Comparex/SoftwareOne:
https://comparex.com/en/blog/all-articles/2019/01/17/microsoft-office-365-proplus-on-windows-server-2019

Office 365 UserVoice:
https://office365.uservoice.com/forums/264636-general/suggestions/35642482-office-365-support-for-windows-server-2019?page=1&per_page=20

What to do?? (Greymatter):

  • Run Windows Server 2016 (or a prior version until its support end date) rather than Windows Server 2019, Microsoft have extended Office 365 ProPlus support on Windows Server 2016 until October 2025, from January 2020.
  • Use Windows Virtual Desktop (WVD) on Azure which offers multi-user Windows 10 session capabilities and will support Office 365 natively, this is expected to be released in the first quarter of 2019.
  • For companies using Microsoft products to deliver its hosted Software Services to customers you can use Office ProPlus licensed under Microsoft SPLA, other licensing agreements don’t permit installation of Office on shared 3rd party cloud VMs
  • Run Office locally on the users’ PCs rather than on Windows Server 2019 RDSH.

Hooray – NOT!!….


But it’s WRONG: Microsoft finally came to their senses and changed it all on 1 July 2019 🙂

Microsoft 365 is designed to help organizations digitally transform workplace collaboration. Many customers that I work with use virtualization, and they’re always looking for ways to cut costs and improve the user experience. To help, we acquired FSLogix last November, and today I’m pleased to announce four new capabilities to further improve the user experience in virtualized environments:

  • FSLogix technology, which improves the performance of Office 365 ProPlus in multi-user virtual environments, is now available at no additional cost for Microsoft 365 customers.

  • Windows Server 2019 will add support for OneDrive Files On-Demand in the coming months.

  • Office 365 ProPlus, our flagship Office experience, will be supported on Windows Server 2019.

  • And we’ve added new capabilities to Outlook, OneDrive, and Microsoft Teams in Office 365 ProPlus to improve the user experience in a virtualized environment.

https://www.microsoft.com/en-us/microsoft-365/blog/2019/07/01/improving-office-app-experience-virtual-environments/

SOPHOS UTM: Up2Date 9.604-2 Released


UTM Up2Date 9.604-2 Released

Today Sophos released UTM 9.604-2. The release will be rolled out in phases.

In phase 1 you can download the update package from their FTP server; in phase 2 they will spread it via their Up2Date servers.

Up2Date 9.604002 package description:

Remarks:
System will be rebooted
Connected APs will perform firmware upgrade

News:
Security Release

Bugfix:
Fix [NUTM-11036]: [Kernel] TCP SACK PANIC – Kernel vulnerabilities

RPM packages contained:
firmwares-bamboo-9400-0.326544518.g310ee6c.rb1.i586.rpm
perf-tools-3.12.74-0.327535988.gc5bb1a9.i686.rpm
kernel-smp-3.12.74-0.327535988.gc5bb1a9.i686.rpm
kernel-smp64-3.12.74-0.327535988.gc5bb1a9.x86_64.rpm
ep-release-9.604-2.noarch.rpm

FSLogix is now “free” if…


After 1/7, a license key is no longer required and no other expiration date is set in FSLogix, and if you have ONE of the following, you’re eligible to use it as much as you want 🙂

https://blog.fslogix.com/fslogix-customer-faq

https://docs.microsoft.com/da-dk/fslogix/overview

You are eligible to access FSLogix Profile Container, Office 365 Container, Application Masking, and Java Redirection tools if you have one of the following licenses:

  • Microsoft 365 E3/E5
  • Microsoft 365 A3/A5/Student Use Benefits
  • Microsoft 365 F1
  • Microsoft 365 Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) Client Access License (CAL) (SA not required)
  • Remote Desktop Services (RDS) Subscriber Access License (SAL)

Win 2016+2019: Remote Desktop Services attributes of ENVIRONMENT tab of a users object properties in AD DS are not applied


Since Windows Server 2016, the attributes of these tabs are no longer applied:

This is because Microsoft changed the way it works, and therefore deemed it “legacy RCM”:

This article describes the Remote Connection Manager (RCM) and the changes to RCM in Windows Server Standard, version 1803, Windows Server Datacenter, version 1803, Windows Server version 1709 and Windows Server 2016.

In Windows Server 2012 R2 and earlier versions, when a user logs on to a terminal server, the RCM contacts the domain controller (DC) to query the configurations that are specific to Remote Desktop on the user object in Active Directory Domain Services (AD DS). This information is displayed in the Remote Desktop Services Profile tab of a users object properties in the Active Directory Users and Computers MMC snap-in.

Starting in Windows Server 2016, RCM no longer queries the users object in AD DS. If you require RCM to query AD DS because you are using the Remote Desktop Services attributes, you must manually enable RCM.

Additionally, consider the following scenario:

  • You install Windows Server Standard, version 1803, Windows Server Datacenter, version 1803, Windows Server version 1709 or Windows Server 2016 with the Remote Desktop Session Host role.

  • You configure a local user account to start an application during logon by using the Local Users and Groups tool in Computer Management.

Luckily, it can be enabled by adding this on all your RDS hosts:

Regedit:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services 
Name: fQueryUserConfigFromDC
Type: Reg_DWORD
Value: 1 (Decimal)

Then it will work again 🙂

Read more here:

Changes to Remote Connection Manager in Windows Server

Sophos UTM: UP2DATE 9.605-1 released


Sophos released UTM 9.605-1 yesterday. It is a soft release, as it is being rolled out in phases, but you can download it from their FTP here:

ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.604002-605001.tgz.gpg

Release notes:
Up2Date 9.605001 package description:

Remarks:
System will be rebooted
Connected REDs will perform firmware upgrade
Connected APs will perform firmware upgrade

News:
Maintenance Release

Bugfixes:
Fix [NUTM-10885]: [Basesystem] Fallback log flooded since update to 9.6
Fix [NUTM-10667]: [Email] Emails are not being processed, have “Stale ID in DB” in debug log
Fix [NUTM-10870]: [Email] UTM not rejecting emails with dot at the end of the local part address
Fix [NUTM-10809]: [RED] Offline provisioned RED15 loses their config in case of UTM reboot
Fix [NUTM-10812]: [RED] RED can’t connect to UTM if it is configured in transparent/split mode and a DNS name as UTM hostname
Fix [NUTM-10903]: [RED] Transparent/split: DNS does not work if the gateway and DNS server are different but in the same network
Fix [NUTM-10962]: [RED] Fix for RED50 does not start up after firmware update for most scenarios
Fix [NUTM-10636]: [Reporting] Executive report not accurate – missing SSL VPN sessions
Fix [NUTM-10877]: [Sandstorm] Sandbox Activity in Webadmin does not show all activities since 9.6
Fix [NUTM-10822]: [WAF] Privilege escalation from modules’ scripts (CVE-2019-0211)
Fix [NUTM-10823]: [WAF] URL normalization inconsistency (CVE-2019-0220)
Fix [NUTM-10886]: [WAF] All HTTP requests are forwarded to HTTPS
Fix [NUTM-10978]: [WAF] reverseproxy.log does not show requested domain
Fix [NUTM-10986]: [WAF] HTML rewriting in large embedded CSS leaks memory
Fix [NUTM-10705]: [WebAdmin] Potential User Portal session cookie hijacking
Fix [NUTM-10862]: [WebAdmin] After updating to 9.6 read only admins cannot see advanced tabs
Fix [NUTM-10941]: [WebAdmin] Webadmin not accessible when user prefetch is running
Fix [NUTM-10952]: [WebAdmin] HTTPS pages sporadically no longer work with transparent proxy since 9.602
Fix [NUTM-10748]: [Web] Proxy restarted httpproxy.DeferredExpire
Fix [NUTM-10792]: [Web] Follow up: New Web Templates for content warn does not work in 9.6
Fix [NUTM-10802]: [Web] HTTPS websites are not accessible through http proxy if you follow the BSI recommendation regarding TLS
Fix [NUTM-10816]: [Web] Blockpage font rendered incorrectly in Firefox
Fix [NUTM-10876]: [Web] Web Proxy blocks range requests since 9.6
Fix [NUTM-10895]: [Web] Video from NEST CAM constantly loading
Fix [NUTM-10985]: [Web] HTTP proxy is getting crashed with segfault and core dump

RPM packages contained:

Sophos SUM: UP2DATE 4.309-9 released


Sophos released 4.309-9 for their UTM manager (SUM) yesterday. It is being rolled out in phases, but it is important, as it fixes the TCP SACK vulnerability!

Download here:
ftp://ftp.astaro.de/SUM/v4/up2date/u2d-sys-4.308002-309009.tgz.gpg

Release Notes:

Up2Date 4.309009 package description:

Remark:
System will be rebooted

News:
Maintenance Release

Bugfixes:
Fix [NSU-315]: [Basesystem] TCP SACK PANIC – Kernel vulnerabilities
Fix [NSU-302]: [WebAdmin] Appliance Pictures are missing for new rev3 models

RPM packages contained:


Sophos XG: SFOS 17.5 MR8 Released


Sophos released SFOS v17.5.8 MR8 for the Sophos XG Firewall. Initially, the firmware will be available by manual download from the Licensing Portal. They will then make the firmware available via auto-update to a number of customers, which will increase over time.

Please visit the following link for more information regarding the upgrade process: Sophos XG Firewall: How to upgrade the firmware.

Issues Resolved in SF 17.5 MR8

  • NC-47055 [Authentication] Support >48 characters password length for Radius Server
  • NC-46680 [Certificates] Completing CSR with certificate breaks SSL VPN
  • NC-48512 [Dynamic Routing (PIM)] Multicast traffic getting stopped after update of interface
  • NC-39749 [Email] Use FQDN in Quarantine Digest
  • NC-40831 [Email] Add capability to increase size of Mail Quarantine area in UI
  • NC-45305 [Email] SPX related reports not being displayed on the GUI
  • NC-48542 [Email] Potential RCE via arbitrary file creation vulnerability
  • NC-49003 [Email] Custom ports for SMTP proxy stopped working after 17.5
  • NC-46938 [FQDN] FQDNd doesn’t update/create ipset
  • NC-46401 [Import-Export Framework] “/conf” partition is at 100%
  • NC-47095 [Interface Management] TSO changes are not permanent in HA
  • NC-48031 [Interface Management] Wifi client did not get gateway and other config after reboot until enable and re-enable the wifi on client
  • NC-48487 [IPS Engine] Postgres taking high CPU
  • NC-48956 [IPS Engine] Modify IPS TCP Anomaly Detection setting to disabled in default setting
  • NC-46079 [Logging Framework] Garner coredump on aux node following upgrade to 17.5 MR3
  • NC-46780 [Logging Framework] Reports not being generated when Email Notification feature is enabled
  • NC-46879 [Sandstorm] Add support for Sandstorm’s Frankfurt data centre
  • NC-48718 [Service Object] Unable to edit service object that is assigned to a firewall rule
  • NC-43625 [UI Framework] Adding VLAN interface fails in IE in HA Active-Active mode
  • NC-45371 [UI Framework] Incorrect UI behavior for Web User Activities
  • NC-45495 [Web] Policy Tester UI and overlay issues
  • NC-45724 [Web] Full file download retry failure after 416 (Range Not Satisfiable) being returned by proxy
  • NC-47626 [Web] Web category “Hacking” should be classified as “Objectionable” instead “Acceptable”
  • NC-47075 [Wireless] Export of the WirelessAccessPoint does not contain the Group
  • NC-47115 [Wireless] WirelessAccessPoint includes the wrong value for <DynChan5GHz>
  • NC-47738 [Wireless] XML import is failing for wireless config failing when RADIUS Server and Pending Access Points data is present in import file

Download

To manually install the upgrade, you can download the firmware from the Licensing Portal. Please refer to Sophos XG Firewall: How to upgrade the firmware

So no v18 for now :-O

Rackmount your small firewall / router


At my job, we have several customers for whom a big rackmounted firewall is way too big for their needs, so they buy smaller routers, e.g. the Sophos SG115 and XG 115 appliances.

These appliances can also be ordered from Sophos with rackmount kits, as here:
Sophos Rackmount Kit Mounting Instructions XG 105(w)/115(w) Rev. 3

But unfortunately the Ethernet ports, console port and USB port are located on the back of the device and are not easy to reach, in case that is needed.

Then I found the rackmount kit from Rackmount.IT. They have a brilliant product that matches my needs exactly:

RM-SR-T6

Read more: https://www.rackmount.it/products/sorack/rm-sr-t7.html

Here I have mounted two Sophos XG 115, that run in HA:

I am very happy with these kits, and it will surely not be the last time I use them 😉

Sophos UTM: UTM 9.7 beta released


Sophos has released UTM 9.7 as a beta. Sadly, it is a very small “new” UTM version with a small number of features, but their focus is on XG now and UTM is moving towards EOL, although that is not announced yet. Here are the release notes, but remember, it’s BETA 🙂 :

What’s new in UTM 9.7?

Support for new APX AccessPoints

In addition to the regular AP series access-points UTM 9.7 brings support for the new APX series access-points that can now also be added and managed with UTM 9. This includes support for APX 120, APX 320, APX 530 and APX 740.

Certificate Chain support for WebAdmin and UserPortal

Full certificate chains that are uploaded to UTM for use with WebAdmin and/or UserPortal will no longer be split but will be delivered in full when accessing WebAdmin and/or UserPortal and web browsers will no longer display warnings for these certificates.

Certificate Chain Support for WebProxy

When using an intermediate certificate to sign HTTPS decryption certificates in WebProxy, WebProxy will now build and return a full certificate chain for the generated certificate to avoid browsers showing a warning when not explicitly trusting the intermediate certificate. The root certificate has to be available within the verification CAs.

New RED Site 2 Site Protocol

RED Site 2 Site connections in UTM will now use the same protocol used within XG Firewall for RED Site 2 Site connections. This removes the need to specify legacy RED site 2 site connections in XG Firewall and provides enhancements to the RED site 2 site implementation in UTM.

Retirement of UTM Endpoint Management

As announced with UTM 9.6, UTM endpoint management will be end of life by the end of this year. UTM 9.7 will no longer include the option for Endpoint Management for the UTM Managed Endpoints, Sophos SEC integration is still part of UTM 9.7.

Issues Resolved

  • NUTM-10804 [Access & Identity] strongSwan vulnerability fix (CVE-2010-2628, CVE-2018-17540)
  • NUTM-10745 [Email] Quarantine mail older than 14 days are not getting removed
  • NUTM-10958 [Email] Quarantined SPX Mails which are released are still available on UTM
  • NUTM-10873 [WAF] Underscore in DNS-Hostname makes WAF unusable

Download

Up2Date package from current 9.605 to 9.7 EAP1 (9.670) u2d-sys-9.605001-670004.tgz.gpg MD5SUM: 9a16efcaf57bf6368d63adfa3a6b7f45
Appliance ISO ssi-9.670-4.1.iso (will be available soon) MD5SUM: b536acb215ba085549afc283650fbd44
Software ISO asg-9.670-4.1.iso (will be available soon) MD5SUM: f4888657550f6b7d83b33ae77997c6d0

You can use the license below for the beta phase: UTM-9.7-EAP-License

https://community.sophos.com/products/unified-threat-management/unified-threat-management-beta/sophos-utm-9-7-eap/f/sophos-utm-9-7-public-eap/114939/welcome-to-the-utm-9-7-early-access-program

Up2Date 9.670004 package description:

Remarks:
System will be rebooted
Configuration will be upgraded
Connected REDs will perform firmware upgrade
Connected APs will perform firmware upgrade

News:
Feature Release
Support for new APX AccessPoints
Certificate Chain support for WebAdmin and UserPortal
Certificate Chain Support for WebProxy
New RED Site 2 Site Protocol
Retirement of UTM Endpoint Management

Bugfixes:
Fix [NUTM-10804]: [Access & Identity] strongSwan vulnerability fix (CVE-2010-2628, CVE-2018-17540)
Fix [NUTM-10745]: [Email] Quarantine mail older than 14 days are not getting removed
Fix [NUTM-10958]: [Email] Quarantined SPX Mails which are released are still available on UTM
Fix [NUTM-10454]: [WAF] SAVI integration doesn’t support scanning files larger than 2GB
Fix [NUTM-10873]: [WAF] Underscore in DNS-Hostname makes WAF unusable

RPM packages contained:

ftp.astaro.com/…/u2d-sys-9.605001-670004.tgz.gpg

vCenter Server Appliance: ROOT password expired (6.x)


When you set up the VMware vCenter Server Appliance, the root password is set to expire by default. If you do not schedule a reset, it will eventually lock you out, showing this when you log in to http://vcenter.domain.local:5480:

This message is shown if the password has expired and you typed the correct old root password. If you typed a wrong password, you will get:

How to fix:

  1. Launch remote/web console to your VCSA by logging on to the vSphere ESXi server that is hosting it.
  2. Press F2 to configure your vCenter appliance.
  3. When prompted, type in your root password (YES – the one that expired ;))
  4. You will see an option to change the root password from here, but it will not work, because the password is expired!
  5. Go to “troubleshooting mode options” and enable BASH and enable SSH.
  6. Connect to your VCSA using SSH with e.g. PuTTY, logging on as root with your expired root password.
  7. Type “shell” and press Enter.
  8. Type “passwd” and press Enter.
  9. Type the new root password twice here.
  10. Verify it works by opening the management website again on port 5480 to your vCenter server and log on.

Prevent the root password from expiring again

Change as needed 🙂
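To see the lockout described above coming, the remaining password lifetime can be computed from the root entry in /etc/shadow. This is an added example, not part of the original post; the function names and the sample entry are constructed, and the field layout is the standard shadow(5) one.

```shell
#!/bin/sh
# Added example (not from the original post): password ageing check
# based on the standard shadow(5) fields:
#   name:hash:lastchg:min:max:warn:inactive:expire
# lastchg is counted in days since 1970-01-01.

# days_until_expiry SHADOW_LINE [TODAY_IN_DAYS]
# Prints "never", "must-change", or a signed day count
# (negative = already expired).
days_until_expiry() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    maxage=$(printf '%s\n' "$1" | cut -d: -f5)

    # lastchg 0 means the password must be changed at next login.
    if [ "$lastchg" = "0" ]; then echo "must-change"; return 0; fi
    # Empty or non-numeric fields mean ageing is disabled.
    case "$lastchg" in ''|*[!0-9]*) echo "never"; return 0 ;; esac
    case "$maxage"  in ''|*[!0-9]*) echo "never"; return 0 ;; esac
    # 99999 is the conventional "no expiry" maximum age.
    if [ "$maxage" -ge 99999 ]; then echo "never"; return 0; fi

    echo $(( lastchg + maxage - today ))
}

# password_status SHADOW_LINE WARN_DAYS [TODAY_IN_DAYS]
# One-line result suitable for a cron job or monitoring check.
password_status() {
    left=$(days_until_expiry "$1" "$3")
    case "$left" in
        never)       echo "OK: no expiry set" ;;
        must-change) echo "EXPIRED: change forced at next login" ;;
        -*)          echo "EXPIRED: ${left#-} days ago" ;;
        *)  if [ "$left" -le "$2" ]; then
                echo "WARNING: expires in $left days"
            else
                echo "OK: expires in $left days"
            fi ;;
    esac
}

# Constructed sample entry (placeholder hash): changed on day 18000,
# maximum age 90 days. On a real system, run as root:
#   password_status "$(grep '^root:' /etc/shadow)" 14
SAMPLE='root:$6$constructed$placeholderhash:18000:0:90:7:::'
password_status "$SAMPLE" 14 18080
```

`chage -l root` shows the same ageing information as human-readable dates.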

Sophos UTM: Up2Date 9.700 Released


Sophos has, after a very short EAP (beta), released 9.7 as GA. This is what it contains and here is how to download it. It will be rolled out in phases:

  • In phase 1 you can download the update package from the download area.
  • In phase 2 we will make it available via our Up2Date servers in several stages.
  • In phase 3 we will make it available via our Up2Date servers to all remaining installations.

What’s new in UTM 9.7?

  • Support for new APX Access Points
    In addition to the legacy AP series access points, UTM 9.7 brings support for the newer Wave 2 APX series access points which can now also be added and managed with UTM 9. This includes support for APX 120, APX 320, APX 530 and APX 740.
  • Certificate Chain support for WebAdmin and UserPortal
    Full certificate chains that are uploaded to UTM for use with WebAdmin and/or UserPortal will no longer be split but will be delivered in full when accessing WebAdmin and/or UserPortal and web browsers will no longer display warnings for these certificates.
  • Certificate Chain Support for WebProxy
    When using an intermediate certificate to sign HTTPS decryption certificates in WebProxy, WebProxy will now build and return a full certificate chain for the generated certificate to avoid browsers showing a warning when not explicitly trusting the intermediate certificate. The root certificate has to be available within the verification CAs.
  • New RED Site 2 Site Protocol
    RED Site 2 Site connections in UTM will now use the same protocol used within XG Firewall for RED Site 2 Site connections. This removes the need to specify legacy RED site 2 site connections in XG Firewall and provides enhancements to the RED site 2 site implementation in UTM.
  • Retirement of UTM Endpoint Management
    As announced with UTM 9.6, UTM endpoint management will be end of life by the end of this year. UTM 9.7 will no longer include the option for Endpoint Management for the UTM Managed Endpoints, Sophos SEC integration is still part of UTM 9.7.

Up2Date Information

9.7 EAP1 to 9.7 GA

News

  • Features Release
  • Support for new APX AccessPoints
  • Certificate Chain support for WebAdmin and UserPortal
  • Certificate Chain Support for WebProxy
  • New RED Site 2 Site Protocol
  • Retirement of UTM Endpoint Management

Remarks

  • System will be rebooted
  • Configuration will be upgraded

Bugfixes

  • NUTM-10485 [Email] POP3 E-Mail blocked message won’t be displayed properly in some MS Outlook versions
  • NUTM-11141 [Sandstorm] Add support for Sandstorm’s Frankfurt data centre
  • NUTM-11162 [WAF] Authentication through WAF with URL hardening enabled and umlaut in password fails
  • NUTM-11202 [Web] Conform to Apple’s new certificate requirements introduced in iOS13 and macOS10.15

9.6 MR5 to 9.7 GA

News

  • Features Release
  • Support for new APX AccessPoints
  • Certificate Chain support for WebAdmin and UserPortal
  • Certificate Chain Support for WebProxy
  • New RED Site 2 Site Protocol
  • Retirement of UTM Endpoint Management

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Bugfixes

  • NUTM-10804 [Access & Identity] strongSwan vulnerability fix (CVE-2010-2628, CVE-2018-17540)
  • NUTM-10485 [Email] POP3 E-Mail blocked message won’t be displayed properly in some MS Outlook versions
  • NUTM-10745 [Email] Quarantine mail older than 14 days are not getting removed
  • NUTM-10958 [Email] Quarantined SPX Mails which are released are still available on UTM
  • NUTM-10192 [RED] Patch OpenSSL (CVE-2018-0732)
  • NUTM-11141 [Sandstorm] Add support for Sandstorm’s Frankfurt data centre
  • NUTM-10454 [WAF] SAVI integration doesn’t support scanning files larger than 2GB
  • NUTM-10873 [WAF] Underscore in DNS-Hostname makes WAF unusable
  • NUTM-11162 [WAF] Authentication through WAF with URL hardening enabled and umlaut in password fails
  • NUTM-11202 [Web] Conform to Apple’s new certificate requirements introduced in iOS13 and macOS10.15

Download

While the release is in soft-release phase, you can find the Up2Date package at:

If you are already running 9.7 EAP1, please use the following package:
