Sophos XG Firewall v18 MR1 is now available!

Sophos has released MR1 for XG v18, providing support for the new SD-RED devices. Here are the release notes:

XG Firewall v18 MR1 is now available!

Hi XG Community!

We’ve released XG Firewall v18 MR1.

Enhancements

  • Supports new SD-RED 20 and SD-RED 60 devices.
  • XG Firewall web console now shows granular reasons for firmware upload failure
  • Plus, more than 45 issues resolved in this release (see the Issues Resolved section below)
  • With the tremendous need for VPN connectivity in this challenging time, we have put together some important information here for you to achieve your networking needs:
    1. To configure VPN Remote Access on your Sophos XG Firewall. Check out this useful Community post!
    2. To substitute XG for RED devices via Light-Touch deployment from Sophos Central. Check out this useful Community post!

Note: Upgrade from SF 17.5 MR11 to v18.0 MR1 is now supported.

More on XG Firewall v18

Please refer to the XG Firewall v18 highlights for more details on the all-new Xstream Architecture, delivering extreme new levels of visibility, protection and performance. Also, check out our XG Firewall v18 playlist on YouTube to find out what’s new in XG Firewall v18!

Get it now!

As usual, this firmware update is free of charge for all licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access it anytime to do a manual update through the Licensing Portal. Refer to this article for more information on how to upgrade the firmware.

For fresh installations, we will update this post with installer download links soon.

Things to know before upgrading

You can upgrade from SFOS 17.5 (MR6 to MR11) to 18.0 MR1. Check out the relevant sections of the XG v18 release notes for details on:

Issues Resolved

  • NC-30903 [Authentication] STAS configuration is editable via GUI on AUX machine
  • NC-50703 [Authentication] Access server restarted with coredump using STAS and Chrome SSO
  • NC-50716 [Authentication] Cannot import LDAP server via XMLAPI if client cert is “None”
  • NC-54689 [Authentication] Support download certificate for iOS 13 and above
  • NC-55277 [Authentication] Service “Chromebook SSO” is missing on Zone page
  • NC-51660 [Backup-Restore] Restore failed using a backup of XG135 on SG230 appliance
  • NC-55015 [Bridge] Wifi zone is not displayed while creating bridge
  • NC-55356 [Bridge] TCP connection fails for VLAN on bridge with HA Active-Active when source_client IP address is odd
  • NC-52616 [Certificates] Add support for uploading of CRLs in DER format
  • NC-55739 [Certificates] EC certificate shows up as “RSA” in SSLx CA cert dropdowns
  • NC-55305 [CM (Zero Touch)] System don’t restart on changing time zone while configured through ZeroTouch
  • NC-55617 [CM (Zero Touch)] Getting wrong error message in log viewer after ZeroTouch process
  • NC-55909 [Core Utils] Unable to see application object page on SFM
  • NC-30452 [CSC] Dynamic interface addresses not showing on Aux after failover
  • NC-54233 [CSC] EpollWorker coredump
  • NC-55386 [Dynamic Routing (PIM)] PIM-SM import fails with LAG as dependent entity
  • NC-55625 [Dynamic Routing (PIM)] In HA with multicast interface, routes are not getting updated in the Aux routing table
  • NC-55461 [Email] After adding/edit FQDN host with smarthost, it is not displayed on the list until refresh the page
  • NC-58898 [Email] Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)
  • NC-55635 [Firewall] Display filter for forwarded is not working properly on packet capture page
  • NC-55657 [Firewall] HA backup restore fails when port name is different in backup and appliance
  • NC-55884 [Firewall] IPS policy id and appfilter id not displaying in firewall allow log in logviewer
  • NC-55943 [Firewall] Failed to resume existing connection after removal of heartbeat from firewall configuration
  • NC-57084 [Firewall] Custom DMZ not listed in dedicated link HA configuration
  • NC-44938 [Firmware Management, UX] Web UI does not surface reasons for firmware upload failure
  • NC-55756 [Gateway Management] Gateway isn’t deleted from SFM UI after deleting it from SFM
  • NC-55552 [HA] WWAN interface showing in HA monitoring ports
  • NC-55281 [Import-Export Framework] Full configuration import fails when using third party certificate for webadmin setting
  • NC-55171 [Interface Management] VLAN Interface IP is not assigned via DHCP when gateway name uses some special characters
  • NC-55442 [Interface Management] DNS name lookup showing incorrect message
  • NC-55462 [Interface Management] Import fails on configuring Alias over VLAN
  • NC-55659 [Interface Management] Invalid gateway IP and network IP configured using API for IPv6
  • NC-56733 [Interface Management] Patch PPPd (CVE-2020-8597)
  • NC-51776 [IPS Engine] Edit IPS custom rule protocol doesn’t work after creation
  • NC-51558 [IPsec] Add warning message before deleting xfrm ipsec tunnel
  • NC-55309 [Logging] Local acl rule not created through log viewer for IPv4 and IPv6
  • NC-50413 [Logging Framework] Gateway up event log for PPPoE interface not always shown in logviewer
  • NC-55346 [Logging Framework] Clear All for “Content filtering” does not clear SSL/TLS filter option
  • NC-56831 [Policy Routing] SIP traffic sometimes not working with SDWAN policy route
  • NC-46009 [SecurityHeartbeat] Spontaneous reconnects of many endpoints
  • NC-51562 [SecurityHeartbeat] Heartbeat service not started after HA failover
  • NC-52225 [Synchronized App Control] SAC page loading issues as the list of apps increases
  • NC-54078 [UI Framework] Internet Explorer UI issue on certain rules and policies pages
  • NC-56821 [Up2Date Client] SSL VPN downloading with the 0KB
  • NC-54007 [Web] File type block messages sometimes contain mimetype rather than file type

RE-RELEASED: Sophos UTM Up2Date 9.703-3 Released

UTM Up2Date 9.703-3 Released

Important Notes

The initial UTM 9.703 release was pulled back. More information and RCA can be found in the KBA at: https://community.sophos.com/kb/en-us/135383.

The code change for “NUTM-11173 [Basesystem] IPsec doesn’t re-connect on DHCP interface after firmware upgrade” has been reverted, and a new version of UTM 9.703 is available on their download server.

There are two update packages available:

  • One for users who are still on UTM 9.702 (u2d-sys-9.702001-703003.tgz.gpg) and
  • One for users who have already updated to 9.703-2 (u2d-sys-9.703002-703003.tgz.gpg).

Both updates will be available via the Up2Date server later.

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade
  • Connected Wifi APs will perform firmware upgrade

Issues Resolved

  • NUTM-9381 [Access & Identity] WebAdmin user getting an error while browsing ‘Sophos Transparent Authentication Status’ tab
  • NUTM-11258 [Access & Identity] [SAA] Wrong version of SAA displayed in Windows with MSI installer
  • NUTM-11578 [Access & Identity] Patch strongSwan (CVE-2019-10155)
  • NUTM-11589 [Access & Identity] [SAA] Add TLS 1.2 support for Windows client
  • NUTM-11590 [Access & Identity] [SAA] Add TLS 1.2 support for macOS client
  • NUTM-11675 [Access & Identity] Patch PPTP and L2TP pppd (CVE-2020-8597)
  • NUTM-11109 [Basesystem] Status lights blinking green constantly on SG 1xx and XG 1xx series
  • NUTM-11255 [Basesystem] Fix “Internet IPv6” binding in case of multiple IPv6 uplinks
  • NUTM-11417 [Basesystem] SG115rev3 HA eth3 interface flapping after update to 9.7
  • NUTM-11645 [Basesystem] Patch libxml2 (CVE-2019-19956, CVE-2020-7595)
  • NUTM-11561 [Configuration Management] Unable to load certificate list in WebAdmin when large number of certificates present
  • NUTM-10803 [Email] S/MIME signed mails have an invalid signature if 3rd party CA is used
  • NUTM-11240 [Email] Recipient verification fails due to incomplete LDAP search query
  • NUTM-11662 [Email] Bad request for release mails out of the quarantine report after update to 9.7 MR1
  • NUTM-11485 [Kernel] Patch Linux Kernel (CVE-2019-18198)
  • NUTM-11288 [Localization] AWS Current Stack link is incorrect
  • NUTM-11081 [Network] Up-link balancing not clearing conntracks when interface goes down
  • NUTM-11218 [Network] ulogd restarting/core-dumps
  • NUTM-11614 [Network] Increase GARP buffer
  • NUTM-11676 [Network] Patch pppd (CVE-2020-8597)
  • NUTM-11573 [RED] RED interface doesn’t obtain IP after UTM reboot
  • NUTM-11467 [RED_Firmware] RED15w WPA/WPA2 enterprise cannot connect
  • NUTM-11822 [RED_Firmware] RED15 firmware update might fail if flash has bad blocks
  • NUTM-11378 [Reporting] Top5 Malware won’t be displayed in Executive Reports if those are sent as PDF
  • NUTM-11220 [Sandstorm] When opening Sandstorm activity which contains Korean characters for example, you get this error “cannot decode string with wide characters at encode.pm line 174”
  • NUTM-10202 [UI Framework] [SAA] Live user table doesn’t scale with very long names
  • NUTM-11084 [UI Framework] Webadmin Information popup not visible
  • NUTM-11191 [UI Framework] Can’t download certificate in WebAdmin when name contains apostrophe
  • NUTM-11584 [UI Framework] Replace FTP Up2date download link in WebAdmin with HTTPs
  • NUTM-11598 [UI Framework] Internal Server Error alert thrown with initial Webadmin request after installation
  • NUTM-11725 [UI Framework] Update prototype
  • NUTM-11130 [Web] Add configuration for savi_scan_timeout
  • NUTM-11346 [Web] Warn page proceed fails due to missing parameters
  • NUTM-10269 [Wireless] SSID stops broadcasting
  • NUTM-11581 [Wireless] User with “Wireless Protection Manager” rights is unable to change wireless settings if mesh is configured

DMARC – Start protecting your domains!

March 2020 significant update to Hybrid Configuration Wizard

Yes yes 🙂

Finally the new HCW is here, fixing a lot of stuff, most importantly the OAuth failures you see when you finish the HCW installer 🙂

Release notes:

  1. HCW will no longer enable Federation Trust by default for all installations. Instead, it will only enable Federation Trust if there are Exchange 2010 servers on premises. HCW will call Get-ExchangeServer and if no Exchange 2010 servers are reported, the workflow to enable Federation Trust and subsequently require domain proof will not execute. Note that organization relationships are still created.

  2. When uninstalling the hybrid agent and switching to Classic in the HCW, this action would sometimes fail with a “null reference” error. We have fixed this!

  3. How many of you have hit the HCW 8064 error – unable to configure OAuth, and subsequently had no idea why OAuth failed to configure? Yes, we heard you loud and clear! In this release, we have completely changed the way we enable and configure OAuth. Instead of enabling OAuth at the service layer, we now enable OAuth via a Graph API under the context of the Tenant Admin. This in turn removes the error obfuscation we had with the service layer enablement and allows us to include a detailed error entry in the HCW log. So while you still see the HCW 8064 error in the HCW UI, you can now review the log for the specific error detail which will make it easier to troubleshoot and resolve.

  4. When verifying DNS, we had a fallback mechanism that would reach out to an external site to verify domains. While this fallback mechanism was rarely hit, we received overwhelming feedback to not use this mechanism/site as it was not listed in our IPs & URLs web page. We have removed that fallback and now only use the endpoint “mshybridservice.trafficmanager.net”, which is listed in our endpoints documentation.

Download HCW here: http://aka.ms/hybridwizard

Source: https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2020-significant-update-to-hybrid-configuration-wizard/ba-p/1238753

SOPHOS XG Firewall Vulnerability Notification

Sophos just posted this on Saturday, 25/4-2020:

Sophos received a report on April 22, 2020, at 20:29 UTC regarding an XG Firewall with a suspicious field value visible in the management interface. Sophos commenced an investigation and the incident was determined to be an attack against physical and virtual XG Firewall units. The attack affected systems configured with either the administration interface (HTTPS admin service) or the user portal exposed on the WAN zone. In addition, firewalls manually configured to expose a firewall service (e.g. SSL VPN) to the WAN zone that shares the same port as the admin or User Portal were also affected. For reference, the default configuration of XG Firewall is that all services operate on unique ports.

The attack used a previously unknown pre-auth SQL injection vulnerability to gain access to exposed XG devices. It was designed to exfiltrate XG Firewall-resident data. Customers with impacted firewalls should assume the data was compromised. The data exfiltrated for any impacted firewall includes all local usernames and hashed passwords of any local user accounts. For example, this includes local device admins, user portal accounts, and accounts used for remote access. Passwords associated with external authentication systems such as Active Directory (AD) or LDAP were not compromised.

What firmware versions of XG Firewall (SFOS) were impacted?

The vulnerability affected all versions of XG Firewall firmware on both physical and virtual firewalls. All supported versions of the XG Firewall firmware / SFOS received the hotfix (SFOS 17.0, 17.1, 17.5, 18.0). Customers using older versions of SFOS can protect themselves by upgrading to a supported version immediately.

Read more: Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS

RE-RELEASED: Sophos XG Firewall v18 MR1 is now available!

Sophos has re-released MR1 for XG v18, after a critical bug in the earlier build, but now it’s good! It provides support for the new SD-RED devices; here are the release notes:

XG Firewall v18 MR-1-Build396

Hi XG Community!

We’ve released a new build of XG Firewall v18 MR1 (Build 396).

Enhancements

  • Supports new SD-RED 20 and SD-RED 60 devices
  • Previously released security hotfixes have been included in v18 MR-1-Build396
  • XG Firewall web console now shows granular reasons for firmware upload failure
  • Quarantined emails can only be released from the User Portal
  • More than 50 issues resolved in this release (see the Issues Resolved section below)
  • With the tremendous need for VPN connectivity during this challenging time, we have put together some important information here for you to achieve your networking needs
    1. To configure VPN Remote Access on your Sophos XG Firewall. Check out this useful Community post!
    2. To substitute XG for RED devices via Light-Touch deployment from Sophos Central. Check out this useful Community post!

Note: Upgrading from SF 17.5 MR11/MR12 to v18 MR-1-Build396 is now supported.

More on XG Firewall v18

Please refer to the XG Firewall v18 highlights for more details on the all-new Xstream Architecture, delivering extreme new levels of visibility, protection and performance. Also, check out our XG Firewall v18 playlist on YouTube to find out what’s new in XG Firewall v18!

Get it now!

As usual, this firmware update is free of charge for all licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access it anytime to do a manual update through the Licensing Portal. Refer to this article for more information on how to upgrade the firmware.

For fresh installations, we will update this post with installer download links soon.

Things to know before upgrading

You can upgrade from SFOS 17.5 (MR6 to MR12) to v18 MR-1-Build396. Check out the relevant sections of the XG v18 release notes for details on:

Issues Resolved

Issues Resolved in v18 MR1 (Build 396)

  • NC-60108 [API Framework] Preauth SQLi in apiInterface OPCODE
  • NC-59156 [CSC] Traffic not passing after upgrade to SF 18.0 MR1
  • NC-59300 [Email] Blind pre-auth SQLi in spxd on port 8094
  • NC-23160 [Firewall] LAN test failed in Port3 in SFLoader for 125/135 desktop model
  • NC-59586 [Network Utils] Remove MD5 remnant
  • NC-46109 [RED] No proper forwarding if bridging 3 or more RED s2s tunnels on an XG
  • NC-50796 [RED] All RED site to site tunnel restart when configuring one RED interface
  • NC-60162 [Reporting] Error 500 displayed for WebAdmin and UserPortal after HF4.1 applied on virtual XG
  • NC-60171 [Security, UI Framework] Admin to Superadmin privilege escalation
  • NC-59427 [SFM-SCFM] SQLi in User Portal
  • NC-59932 [UI Framework] Unable to login to user portal or admin using IE after HF4.1

Issues Resolved in the older release of v18 MR1 (Build 367)

  • NC-30903 [Authentication] STAS configuration is editable via GUI on AUX machine
  • NC-50703 [Authentication] Access server restarted with coredump using STAS and Chrome SSO
  • NC-50716 [Authentication] Cannot import LDAP server via XMLAPI if client cert is “None”
  • NC-54689 [Authentication] Support download certificate for iOS 13 and above
  • NC-55277 [Authentication] Service “Chromebook SSO” is missing on Zone page
  • NC-51660 [Backup-Restore] Restore failed using a backup of XG135 on SG230 appliance
  • NC-55015 [Bridge] Wifi zone is not displayed while creating bridge
  • NC-55356 [Bridge] TCP connection fails for VLAN on bridge with HA Active-Active when source_client IP address is odd
  • NC-52616 [Certificates] Add support for uploading of CRLs in DER format
  • NC-55739 [Certificates] EC certificate shows up as “RSA” in SSLx CA cert dropdowns
  • NC-55305 [CM (Zero Touch)] System don’t restart on changing time zone while configured through ZeroTouch
  • NC-55617 [CM (Zero Touch)] Getting wrong error message in log viewer after ZeroTouch process
  • NC-55909 [Core Utils] Unable to see application object page on SFM
  • NC-30452 [CSC] Dynamic interface addresses not showing on Aux after failover
  • NC-55386 [Dynamic Routing (PIM)] PIM-SM import fails with LAG as dependent entity
  • NC-55625 [Dynamic Routing (PIM)] In HA with multicast interface, routes are not getting updated in the Aux routing table
  • NC-55461 [Email] After adding/edit FQDN host with smarthost, it is not displayed on the list until refresh the page
  • NC-58898 [Email] Potential RCE through heap overflow in awarrensmtp (CVE-2020-11503)
  • NC-55635 [Firewall] Display filter for forwarded is not working properly on packet capture page
  • NC-55657 [Firewall] HA backup restore fails when port name is different in backup and appliance
  • NC-55884 [Firewall] IPS policy id and appfilter id not displaying in firewall allow log in logviewer
  • NC-55943 [Firewall] Failed to resume existing connection after removal of heartbeat from firewall configuration
  • NC-57084 [Firewall] Custom DMZ not listed in dedicated link HA configuration
  • NC-44938 [Firmware Management, UX] Web UI does not surface reasons for firmware upload failure
  • NC-55756 [Gateway Management] Gateway isn’t deleted from SFM UI after deleting it from SFM
  • NC-55552 [HA] WWAN interface showing in HA monitoring ports
  • NC-55281 [Import-Export Framework] Full configuration import fails when using third party certificate for webadmin setting
  • NC-55171 [Interface Management] VLAN Interface IP is not assigned via DHCP when gateway name uses some special characters
  • NC-55442 [Interface Management] DNS name lookup showing incorrect message
  • NC-55462 [Interface Management] Import fails on configuring Alias over VLAN
  • NC-55659 [Interface Management] Invalid gateway IP and network IP configured using API for IPv6
  • NC-56733 [Interface Management] Patch PPPd (CVE-2020-8597)
  • NC-51776 [IPS Engine] Edit IPS custom rule protocol doesn’t work after creation
  • NC-51558 [IPsec] Add warning message before deleting xfrm ipsec tunnel
  • NC-55309 [Logging] Local acl rule not created through log viewer for IPv4 and IPv6
  • NC-50413 [Logging Framework] Gateway up event log for PPPoE interface not always shown in logviewer
  • NC-55346 [Logging Framework] Clear All for “Content filtering” does not clear SSL/TLS filter option
  • NC-56831 [Policy Routing] SIP traffic sometimes not working with SDWAN policy route
  • NC-46009 [SecurityHeartbeat] Spontaneous reconnects of many endpoints
  • NC-51562 [SecurityHeartbeat] Heartbeat service not started after HA failover
  • NC-52225 [Synchronized App Control] SAC page loading issues as the list of apps increases
  • NC-54078 [UI Framework] Internet Explorer UI issue on certain rules and policies pages
  • NC-56821 [Up2Date Client] SSL VPN downloading with the 0KB
  • NC-54007 [Web] File type block messages sometimes contain mimetype rather than file type

Sophos XG Firewall: Best practices for securing your firewall

Sophos has released this guide to get your firewall secured to a minimal best-practice level:

The focus of this document is to provide baseline guidance to secure the Sophos XG Firewall to a minimum level. The document will not provide guidance on each individual XG firewall feature that may, in turn, secure internal network devices and resources (a full, exhaustive Sophos XG Firewall best practice guide will be published in due course).

Download the guide here: Securing your Sophos XG Firewall – Best Practice Guide

Source: https://community.sophos.com/products/xg-firewall/f/recommended-reads/121461/sophos-xg-firewall-best-practices-for-securing-your-firewall

vSphere 7: Is here! – How to migrate!

VMware has released vSphere 7, offering a lot of great new features:

Read more about it here:

https://blogs.vmware.com/vsphere/vsphere-7

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-esxi-vcenter-server-70-release-notes.html

How to migrate:

As always, start by downloading the ISO from my.vmware.com and mount it on a Windows server in your environment.

So, let’s say you have a Windows vCenter server that you want to migrate to VCSA; then do the following:

When you download the ISO, you will find these folders on it:

The “vcsa-ui-installer” folder has a win32 folder in it; in there, run installer.exe and choose MIGRATE (yes, I am migrating a 6.7 VCSA to a 7 VCSA! 🙂 )

Press Next 🙂

Connect to your source VCSA and enter credentials for it.

Specify the target ESXI host that is going to host your new vSphere 7 VCSA.

Specify the new name for your new VCSA 7 and its root password; remember the name cannot be a duplicate of the VCSA you are already running!

Set size:

It’s quite hungry for memory, but isn’t everything these days 🙂

Select datastores:

(I did go for thin mode above, as my datastores do now have the adequate space (1490 GB needed!!))

Give it a temporary IP; it will take over the IP that the source vCenter server uses once it’s finished:

Check all is good and press finish:

And we’re on the move with stage 1:

After a while it starts the new VCSA, and this is displayed:

After several minutes, we see this:

And we are ready to continue:

Press Next to begin migration:

It will do some migration checks and will show this “warning”:

You decide here; I chose the smaller downtime:

Yes – I support CEIP 🙂

If all looks good, we can continue with stage 2 🙂 – Press Finish

(Remember to confirm that you have backed up the source vCenter server!)

Being aware of that, we click OK:

Data migration of the final stage 2 is now starting.

When you see this, the old server is shut down, and the new VCSA has the same IP and name as the old vCenter server had.

Remember that after this your old vCenter server has to be deleted (or renamed with a new IP and the VMware software removed, but this is not recommended).

Notice that the old client is now long gone, and only the HTML5 client is available.

Enjoy the cool new vCenter 7 Server Appliance 🙂

CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability

IMPORTANT:

An old bug was discovered in the Microsoft DNS Server components; update your DNS server ASAP!!

SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.

Read the article from Check Point here:

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

Link to:

CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability

LINUX: How do I enable SNMP on Ubuntu

As always, I seem to forget things; among these is the SNMP setup for Ubuntu, so now, for myself to remember, I created this little guide 🙂

This is, by the way, run on Ubuntu Server 20.04 LTS.

Run the following commands on the terminal:

  1. Update all packages: sudo apt-get update
  2. Install SNMP: sudo apt-get install snmpd
  3. Edit snmpd.conf with text editor of your choice, I will be using nano, as this is an easy editor, so type: sudo nano /etc/snmp/snmpd.conf
  4. Configure agentAddress: agentAddress udp:161,udp6:[::1]:161
    – This will set the server to listen on all IPv4 and IPv6 addresses (remove the ‘#’ in front of the agentAddress to enable it!)
    – To bind it to a specific IP address use (e.g.): agentAddress udp:192.168.1.5:161
  5. Configure rocommunity: rocommunity public
    – Change “public” to your community name
  6. Restart the SNMPD service: sudo service snmpd restart
  7. Check that SNMPD is started OK with this: sudo service snmpd status

All good! – Now go setup your favorite monitoring tool for SNMP access 🙂
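As an added example (my own script, not part of the original guide), here is steps 4 and 5 done non-interactively on a copy of snmpd.conf, taking the two safer choices the guide leaves open: bind to one address instead of all (note that `udp6:[::1]:161` only listens on IPv6 loopback anyway) and use a community string that is neither the default nor open to every source. It assumes the stock Ubuntu snmpd.conf layout; the path, community string and addresses you pass in are placeholders for your own, and step 6 (restarting snmpd) is still up to you.

```shell
#!/bin/sh
# Added example, not from the original post: apply steps 4 and 5 of the guide to
# an snmpd.conf non-interactively, choosing the safer variants the guide only
# hints at. Assumptions: stock Ubuntu /etc/snmp/snmpd.conf layout; the path,
# community string and addresses passed in are placeholders for your own.
# Restart snmpd afterwards (sudo service snmpd restart) as in step 6.
set -eu

# harden_snmpd_conf CONF COMMUNITY BIND_ADDR SOURCE_NET
#   CONF        snmpd.conf to edit in place (a copy is kept as CONF.bak)
#   COMMUNITY   read-only community string; the defaults "public"/"private" are refused
#   BIND_ADDR   single IPv4 address to listen on (step 4's "specific IP" variant)
#   SOURCE_NET  CIDR allowed to query, e.g. the monitoring LAN
harden_snmpd_conf() {
    conf=$1; community=$2; bind_addr=$3; source_net=$4

    # A default community string is the SNMP equivalent of no password at all.
    if [ "$community" = "public" ] || [ "$community" = "private" ]; then
        echo "harden_snmpd_conf: refusing default community '$community'" >&2
        return 1
    fi

    cp "$conf" "$conf.bak"

    # Neutralise every existing agentAddress / rocommunity line, active or
    # commented out, so exactly one of each is in effect afterwards. Lines we
    # already disabled are left alone, so re-running is harmless. A temp file is
    # used because "sed -i" is not POSIX.
    tmp=$(mktemp)
    sed -e 's/^[[:space:]]*#*[[:space:]]*\(agentAddress[[:space:]].*\)$/# disabled: \1/' \
        -e 's/^[[:space:]]*#*[[:space:]]*\(rocommunity[[:space:]].*\)$/# disabled: \1/' \
        -e 's/^[[:space:]]*#*[[:space:]]*\(rocommunity6[[:space:]].*\)$/# disabled: \1/' \
        "$conf" > "$tmp"

    {
        cat "$tmp"
        echo ''
        echo '# Added by harden_snmpd_conf'
        echo "agentAddress udp:${bind_addr}:161"
        echo "rocommunity ${community} ${source_net}"
    } > "$conf"
    rm -f "$tmp"
}

# effective_snmpd_lines CONF
#   Print the agentAddress / rocommunity lines that are actually in effect
#   (i.e. not commented out), for a quick review before restarting snmpd.
effective_snmpd_lines() {
    grep -E '^[[:space:]]*(agentAddress|rocommunity6?)[[:space:]]' "$1" || true
}

# open_snmpd_communities CONF
#   Print every active rocommunity line that is effectively world-readable:
#   a default string, or no source restriction (field missing, "default", or
#   already an option such as -V). Exit 0 if any were found, 1 if none, so it
#   doubles as a before/after check.
open_snmpd_communities() {
    awk '
        /^[ \t]*rocommunity6?[ \t]/ {
            if ($2 == "public" || $2 == "private" ||
                $3 == "" || $3 == "default" || $3 ~ /^-/) {
                print; found = 1
            }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}
```

Run `open_snmpd_communities /etc/snmp/snmpd.conf` first to see what a fresh install exposes, then `harden_snmpd_conf /etc/snmp/snmpd.conf <your-community> <bind-ip> <monitoring-net>` and review with `effective_snmpd_lines` before restarting.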

IBM Storwize V3700: Important vulnerabilities discovered – patch now!

IBM / Lenovo just sent out 3 FLASH Security Bulletins:

FLASH: Security Bulletin: OpenSLP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (2020.07.21)

FLASH: Security Bulletin: Network Security (NSS) vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (2020.07.21)

FLASH: Security Bulletin: Java vulnerabilities affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (2020.07.21)

The OpenSLP one is the most dangerous:

OpenSLP, as used in VMware ESXi and the Horizon DaaS appliances, is vulnerable to a heap-based buffer overflow, caused by improper bounds checking in slpd_process.c. By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8

Download the new code here:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3700&release=All&platform=All&function=all

OUTLOOK: Favorites are missing or “wrong” after restart

If you do not know what Favorites in Outlook is, or that it even existed, try the link here and find out how Outlook can cooperate with you 🙂

Outlook: Add or remove folders in Favorites

But sometimes the favorites you have added tend to disappear after Outlook has been restarted; it could be all of them or just some, and it’s very annoying!

Luckily the fix is there, waiting to be executed by you 🙂

  • Close Outlook
  • Click on the START menu and just start typing “outlook.exe /resetnavpane”
  • You should see this:

  • You could also do this in the “Run” menu, if that fits you better 🙂
  • Outlook will start with an empty Favorites menu, and you can start adding your favorites again.
  • Close Outlook
  • Start Outlook
  • All should be fine 🙂

If you still have problems, try a new Outlook profile for starters, or check if you have add-ins that may cause Outlook to crash unexpectedly.

SOPHOS UTM: Use Azure MFA for SSLVPN and Userportal

Some of the things I’ve seen at work is that Sophos UTM VPN users are using one token for Sophos SSLVPN and another for, e.g., Office 365 services. Both tokens can be in Microsoft Authenticator, but only the one that Office 365 is using can do the “pop-up”, letting the user sign in easily, like this:

Nonetheless, it’s easier for the IT dept. (and the user!) to maintain only one token solution 🙂

Here is the auth flow for Azure MFA with NPS Extension:

Nice isn’t it 😉

So how to fix?

We set up Sophos UTM for RADIUS validation for SSLVPN and UserPortal access, and if you use the built-in OTP solution, disable that 🙂

To get started:

  • If you do not have MFA enabled for your Office 365/Azure AD accounts, you can enable it through the following link: https://aka.ms/mfasetup
  • And of course you need to have set up Azure AD Connect to get your on-premises directory talking with Azure; I will not go into the details here, as I assume this is already set up and working 🙂

Let’s go:

  1. Install the Network Policy Server (NPS) role on your member server or domain controller. Referring to the Network Policy Server Best Practices, you will find this: “To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller.” So we will go ahead and place this on the domain controller, but remember it’s also possible to do it on a domain-joined member server!
    Press “Next” and the installation begins:
  2. After installation has ended, go and join the NPS to the Active Directory, right-click NPS (Local):

  3. Download and install the NPS Extension for Azure MFA here:
    https://www.microsoft.com/en-us/download/details.aspx?id=54688
    After it’s installed, go and follow the configuration as stated here (find the TenantID and run the PowerShell script):
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-directory
  4. Go and configure your RADIUS client; here it’s the UTM:


    Remember the secret, we need it later on 🙂

  5. Create a “Connection request policy”:

    See the NAS Identifier above; it’s “ssl”, taken from this scheme:


    Found here: https://community.sophos.com/kb/en-us/116144

    Just set like above, and the rest of the settings, just leave them to their defaults 🙂

  6. Now create a “Network Policy”
    Add a domain group that shall have this access; to simplify, here I have chosen domain\Domain Users
    Now the EAP types; UTM only supports PAP, as far as I have tested:


    You will get a warning telling you that you have chosen unencrypted auth (locally – not on the Internet!); just press OK.
    Just leave the rest at their defaults and save the policy.

  7. Now to create a firewall rule:

  8. Now to setup the UTM for this:

    Add new Authentication server:

    Remember to choose RADIUS:


    Fill in as your environment matches:

    Type in the secret you wrote down earlier and create a host object for your NPS; also remember to change the timeout from 3 to 15 secs!

    You can now test if the authentication through NPS and Azure MFA is working: change NAS-Identifier to “ssl”, type in a user’s username (e-mail address) and password, and your phone should pop up with Microsoft Authenticator 🙂

  9. Now to grant the RADIUS users access to SSL-VPN

    Just add the built-in object “Radius Users” to your SSL-VPN profile:

  10. Now log in to the User Portal and download a VPN client (you cannot use the old ones, if you already had those installed)
  11. Now connect through VPN, type your full email as username and your password, then wait for MS Authenticator to pop up, accept the token and you are logged into VPN 🙂

Sources:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices

SOPHOS XG: Use Azure MFA for SSLVPN and Userportal


Something I have seen at work is that Sophos XG VPN users use one token for Sophos SSL VPN and another for e.g. Office 365 services. Both tokens can live in Microsoft Authenticator, but only the one Office 365 uses can do the "pop-up" that lets the user sign in easily, like this:


Nonetheless it’s easier for the IT dept. (and the user!) to maintain only one token solution 🙂

Here is the auth flow for Azure MFA with NPS Extension:

Nice isn’t it 😉

So how to fix?

We set up Sophos XG to validate SSL VPN and User Portal logins against RADIUS, and if you use the built-in OTP solution, disable it 🙂

To get started:

  • If you do not have MFA enabled for your Office 365/Azure AD accounts, you can enable it through the following link: https://aka.ms/mfasetup
  • And of course you need to have set Azure AD Connect to get your on-premise talking with Azure, I will not go into the details with this here, as I assume this is already setup and working 🙂

Let’s go:

  1. Install the Network Policy Server (NPS) role on a member server or domain controller. Referring to the Network Policy Server Best Practices, you will find this: "To optimize NPS authentication and authorization response times and minimize network traffic, install NPS on a domain controller." So we will go ahead and place it on the domain controller, but remember it is also possible to use a domain-joined member server!
    Press “Next” and the installation begins:
  2. After installation has ended, go and join the NPS to the Active Directory, right-click NPS (Local):

  3. Download and install the NPS Extension for Azure MFA here:
    https://www.microsoft.com/en-us/download/details.aspx?id=54688
    After it is installed, follow the configuration steps described here (find your Tenant ID and run the PowerShell script):
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#azure-active-directory
  4. Go and configure your RADIUS client, here it is the XG:

    Remember the secret, we need it later on 🙂

  5. Create a “Connection request policy”:


    Type here the IP of the XG

    Set it up as shown above and leave the remaining settings at their defaults 🙂

  6. Now create a “Network Policy”

    Add the domain group that should have this access; to keep it simple, I have chosen domain\Domain Users here.
    Now the EAP types: the XG only supports PAP, as far as I have tested:


    You will get a warning that you have chosen unencrypted authentication. That is acceptable here because the RADIUS traffic stays on your local network, not on the Internet: PAP sends the password to NPS protected only by the RADIUS shared secret. Press OK.
    Leave the rest at their defaults and save the policy.

  7. Now to create a firewall rule:

  8. Now to setup the XG for this:

    Press ADD:

    Remember to choose RADIUS:

    Fill in as your environment matches:

    Type in the secret you wrote down earlier and create a host object for your NPS. Also remember to change the timeout from 3 to 15 seconds, so there is time for the user to approve the Authenticator push before the XG gives up on the request!

    You can now test whether authentication through NPS and Azure MFA works. Change the Group name attribute to "SF_AUTH":

    Press the TEST CONNECTION button:

    Type in a user's username (e-mail address) and password, and Microsoft Authenticator should pop up on your phone 🙂

    You should see this soon after you accept the token:

  9. Now head over to the Authentication –> Services section:

    Add the new RADIUS server to:
    – User portal authentication methods
    – SSL VPN authentication methods

    Also make sure that the group your AD / RADIUS users are in, is added to the SSLVPN profile:

  10. Now log in to the User Portal and download a VPN client (you cannot use the old ones if you already had those installed).
  11. Now connect through the VPN: type your full e-mail address as username and your password, wait for Microsoft Authenticator to pop up, accept the prompt, and you are logged into the VPN 🙂
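Here is what actually travels between the firewall and NPS in the steps above; it applies to both the UTM and the XG walkthrough. It is an added example written for this post, not Sophos or Microsoft code: it builds the Access-Request the firewall (the NAS) sends per RFC 2865, with the PAP-obfuscated User-Password and NAS-Identifier "ssl", stands in for NPS with a toy connection-request and credential check, and verifies the Response Authenticator on the way back. The user, password and shared secret are made up for the example, and the NPS stand-in does no Azure MFA push.

```python
"""RADIUS Access-Request/Accept with PAP, as exchanged between the firewall and NPS (RFC 2865)."""
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32      # attribute types used here


def _pap_xor(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: 16-byte blocks, each XORed with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, keystream))
        out += result
        prev = block if decrypt else result   # the chaining value is always the ciphertext block
    return out


def pap_encode(password, secret, authenticator):
    """Pad to a multiple of 16 and obfuscate; this is all the protection PAP gives the password."""
    return _pap_xor(password + b"\x00" * (-len(password) % 16), secret, authenticator, False)


def pap_decode(encoded, secret, authenticator):
    return _pap_xor(encoded, secret, authenticator, True).rstrip(b"\x00")


def attr(atype, value):
    """Attribute TLV: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, secret, username, password, nas_id):
    """NAS side: fresh random Request Authenticator, PAP password, NAS-Identifier for the policy."""
    ra = secrets.token_bytes(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, pap_encode(password.encode(), secret, ra))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    return packet(ACCESS_REQUEST, ident, ra, attrs)


def response_auth(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def nps_decide(request, secret, users, required_nas_id=b"ssl"):
    """Toy stand-in for NPS (constructed for this example): connection request policy on
    NAS-Identifier, then the PAP credential check. Real NPS would trigger the MFA push after this."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    ra, attrs = request[4:20], parse_attrs(request[20:])
    verdict = ACCESS_REJECT
    if attrs.get(NAS_IDENTIFIER) == required_nas_id:
        password = pap_decode(attrs.get(USER_PASSWORD, b""), secret, ra)
        if users.get(attrs.get(USER_NAME)) == password:
            verdict = ACCESS_ACCEPT
    return packet(verdict, ident, response_auth(verdict, ident, b"", ra, secret), b"")


def verify_response(response, request, secret):
    """NAS side: trust the verdict only if identifier and Response Authenticator check out."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return None
    expected = response_auth(code, ident, response[20:], request[4:20], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


# Constructed sample data, not real credentials: one AD user and the shared secret from step 4.
USERS = {b"alice@example.com": b"Winter2020!"}
SECRET = b"radius-secret-from-step-4"


def run_exchange(username, password, nas_id="ssl", nas_secret=SECRET, ident=7):
    """Full round trip: ACCESS_ACCEPT, ACCESS_REJECT, or None if the response fails verification."""
    request = build_access_request(ident, nas_secret, username, password, nas_id)
    response = nps_decide(request, SECRET, USERS)
    return verify_response(response, request, nas_secret)
```

Running `run_exchange` with the right password, a wrong password, a NAS-Identifier other than "ssl" and a mistyped shared secret shows three things the screenshots cannot: the PAP warning in step 6 is tolerable only on a trusted segment, because the password is XORed with an MD5 keystream derived from the shared secret and the 16-byte Request Authenticator and nothing more; the NAS-Identifier is what the connection request policy keys on, so a mismatch is a clean reject; and a wrong shared secret does not yield a reject at all but a response the NAS must discard, which is why a secret typo looks like a timeout rather than a refusal. The Authenticator push is not modelled; it is exactly the wait that the 15-second timeout from step 8 has to cover.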

Sources:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-vpn

https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-best-practices

https://community.sophos.com/kb/en-us/127328

Sophos UTM: Up2Date 9.704 Released


UTM Up2Date 9.704 Released

Sophos released UTM 9.704. The release will be rolled out in phases.

In phase 1 you can download the update package from their download server, in phase 2 they will spread it via their Up2Date servers.

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Connected REDs will perform firmware upgrade

Issues Resolved

  • NUTM-11829 [Access & Identity] L2TP connections fail when many users are connected
  • NUTM-11928 [Access & Identity] Hardening of Authentication Server configuration page
  • NUTM-11559 [Basesystem] Update i40e driver
  • NUTM-11966 [Basesystem] Patch binutils (CVE-2018-17985)
  • NUTM-11982 [Basesystem] Patch BIND (CVE-2020-8616, CVE-2020-8617)
  • NUTM-12007 [Basesystem] Patch OpenSSL 1.0.2j (CVE-2019-1547, CVE-2019-1551, CVE-2019-1563)
  • NUTM-12041 [Basesystem] Patch UTM kernel (CVE-2019-3701, CVE-2019-15916, CVE-2019-20096 CVE-2020-8647, CVE-2020-8648, CVE-2020-10942, CVE-2020-11494)
  • NUTM-11664 [HA/Cluster] Error message “send_ha_msg(ECHO_MASTER): sendto(255) errno = 22”;
  • NUTM-11113 [Logging] Log archiving to SMB share fails to connect
  • NUTM-11846 [Network] Add confd option to enable multicast for IGMP
  • NUTM-11849 [Network] Syslogng fails to write if max concurrent connections is reached
  • NUTM-11936 [Network] DNS host object not updated/unresolved after fail-over
  • NUTM-11938 [Network] Unable to save the new profile in SSLVPN, it gives error “Warn: Client authentication cannot use more than 170 user and group networks at the same time”
  • NUTM-11779 [RED] RED site-to-site tunnel failover doesn’t always work
  • NUTM-11886 [RED] RED server restart notification sent from auxiliary node
  • NUTM-12040 [RED] RED20 is not forwarding tagged traffic like RED15
  • NUTM-12134 [RED_Firmware] Improve throughput for SD-RED WiFi
  • NUTM-12135 [RED_Firmware] Enable 802.11ac for SD-RED WiFi
  • NUTM-11972 [REST API] REST API: Invalid response on GET query for S/MIME component
  • NUTM-11681 [Sandstorm] Sandbox Activity tab uses the incorrect date formatter
  • NUTM-11685 [WAF] Let’s Encrypt renewal fails with HTTP->HTTPS redirection for IPv6 vhost
  • NUTM-11925 [WAF] WAF redirects some requests to the first domain of the virtual webserver
  • NUTM-11388 [Web] Httpproxy restarted due to segmentation fault and generated core dump
  • NUTM-11577 [Web] WebProxy not reliably deleting cached temp files
  • NUTM-11841 [Web] Proxy crash with coredump

RPM packages contained:
libopenssl1_0_0-1.0.2j-4.1.0.359236905.g3d7a90be.rb2.i686.rpm
libopenssl1_0_0_httpproxy-1.0.2j-4.1.0.359236905.g3d7a90be.rb2.i686.rpm
binutils-2.25.0-5.5.1984.g1d6623a3.rb5.i686.rpm
ctasd-5.00.0085-1.gadabaeb.rb3.i686.rpm
ctipd-4.00.0032-2.g4726759.rb3.i686.rpm
firmwares-bamboo-9400-0.359638673.ga30772a.rb2.i586.rpm
modauthnzaua-9.70-270.gcb78b67.rb97.i686.rpm
modauthzblacklist-9.70-372.gefe2089.rb5.i686.rpm
modavscan-9.70-359.g793e6f1.rb45.i686.rpm
modcookie-9.70-377.g63c8b0f.rb2.i686.rpm
modcustomblockpage-9.70-279.gbe16bc0.rb71.i686.rpm
modfirehose-2.5_SVNr1309567-14.g4ab2622.rb96.i686.rpm
modformhardening-9.70-367.g820d795.rb6.i686.rpm
modpcap-9.70-0.142961807.g994d6f0.rb96.i686.rpm
modproxymsrpc-0.5-121.gc7f8565.rb105.i686.rpm
modreverseauth-9.70-364.g469bdce.rb33.i686.rpm
modsecurity2-2.9.3-0.g2e3bf76.rb33.i686.rpm
modsecurity2_beta-2.9.0-460.g62b8fdb.rb100.i686.rpm
modsessionserver-9.70-0.247653793.g4179dcf.rb100.i686.rpm
modurlhardening-9.70-367.g820d795.rb6.i686.rpm
modwafexceptions-9.70-322.gd203205.rb49.i686.rpm
modwhatkilledus-2.01-0.258193062.g46092ac.rb100.i686.rpm
openssl-1.0.2j-4.1.0.359236905.g3d7a90be.rb2.i686.rpm
perf-tools-3.12.74-0.358283885.gbf77995.rb3.i686.rpm
red-unified-firmwares-9700-0.358343537.gd6f8f71.rb3.i586.rpm
ep-confd-9.70-786.g620a40fbd.i686.rpm
ep-confd-tools-9.70-754.g3b24b3514.rb8.i686.rpm
ep-init-9.70-16.g49a302b.rb4.noarch.rpm
ep-logging-9.70-10.gd29cd29.rb2.i686.rpm
ep-mdw-9.70-714.gc211cfe2.rb5.i686.rpm
ep-red-9.70-58.gdc75c10.rb3.i686.rpm
ep-restd-9.70-5.g6bebbd0.rb2.i686.rpm
ep-saa-mac-1.0.0-0.354241321.gabd3f41.rb3.i686.rpm
ep-sandboxd-9.70-63.g3db71a3.rb3.i686.rpm
ep-tools-9.70-27.g614d81d.rb2.i686.rpm
ep-tools-cpld-9.70-27.g614d81d.rb2.i686.rpm
ep-webadmin-9.70-769.g5bf086630.rb7.i686.rpm
ep-chroot-ipsec-9.70-8.g15ed089.rb3.noarch.rpm
chroot-bind-9.11.3-0.357158073.g9ca89fd.rb3.i686.rpm
chroot-ipsec-9.70-87.g0c734a9.rb3.i686.rpm
chroot-reverseproxy-2.4.39-44.g4535a68.rb2.i686.rpm
ep-httpproxy-9.70-266.gd33137cb.rb3.i686.rpm
kernel-smp-3.12.74-0.358283885.gbf77995.rb4.i686.rpm
kernel-smp64-3.12.74-0.358283885.gbf77995.rb5.x86_64.rpm
ep-release-9.704-2.noarch.rpm

Source: https://community.sophos.com/products/unified-threat-management/b/blog/posts/utm-up2date-9-704-released


SOPHOS UTM: [CRITICAL]: Up2Date 9.705, 9.607, 9.511 Released


Sophos released UTM 9.705. The release will be rolled out in phases.

  • In phase 1 you can download the update package from their download server
  • In phase 2 they will make it available via their Up2Date servers to all installations

Up2Date Information for 9.705

News

  • Maintenance Release

Remarks

  • System will be rebooted

Issues Resolved

  • NUTM-12235 [Basesystem, SUM] UTM not accessible through SUM gateway manager
  • NUTM-12234 [Basesystem] Remote Code Execution vulnerability in UTM WebAdmin
  • NUTM-12250 [Wireless] AP Wireless Networks restart continuously-9.704

IMPORTANT: This release fixes a Remote Code Execution vulnerability in UTM WebAdmin. If you have WebAdmin or the User Portal exposed to any IP (which of course you should not), it could be exploited! During COVID-19 there have been a lot of attacks on perimeter equipment, so exploitation is likely to happen!

Another fix: when you used Single Sign-On from SUM, you did not land on the UTM dashboard; this is also fixed in 9.705, I have tested it 🙂

 

SOPHOS XG: XG Firewall v18 MR-3 released


Sophos has released the long-awaited MR-3 with many good fixes in the package; read it all here:

RELEASE NOTES from Sophos:

Enhancements in v18 MR-3

Security enhancements:

  • Several security and hardening enhancements – including SSMK (secure storage master key) for the encryption of sensitive data. Refer KB-000040174 for more details.
  • Granular option to enable/ disable captcha authentication from CLI

VPN Remote Access enhancements:

  • Increase in SSL VPN connection capacity across entire firewall line up; 6x increase for 2U HW. KB-000039345 is being updated with enhanced capacity.
  • Group support for Sophos Connect VPN client

Cloud – AWS/ Azure/ Nutanix enhancements:

  • Support for newer AWS instances – C5/ M5 and T3 (#)
  • Support for CloudFormation Templates removing the need to run installation wizard in some cases (#)
  • Virtual WAN Zone on custom gateway for post deployment single arm usage
    • On single arm (single interface in AWS or Azure) the admin can create multiple custom gateways and attach different zones to those gateways. This allows the admin to create access and security rules for traffic going into those zones.
  • XG Firewall is now Nutanix AHV and Nutanix Flow Ready. XG Firewall has been validated to provide two modes of operation within Nutanix AHV infrastructure.
  • Optimize cloud costs and improve security across multi-cloud environments with Cloud Optix. Automatic identification and risk-profiling of security and compliance risks across AWS, Azure and Google Cloud enables teams to fix security gaps and insecure deployments before they are compromised. Learn more.

(# available after a few days of release on community, once v18 MR-3 is available in the AWS marketplace)

Central management enhancements:

  • XG running in an HA configuration (either A-A or A-P) can now be managed by Sophos Central. Each firewall must be separately joined to the same Sophos Central account, and if grouped, both HA devices must be added to the same group.
  • Audit trail went live under the task queue

Central Firewall Reporting enhancements:

  • Earlier this month, we have released Save, schedule, export & download reports. Refer community post here.

Issues Resolved:

  • 34 field reported issues including RED & HA cluster issues (list below) 

Note: Upgrading from v17.5 MR13/ MR14/ MR14-1 to v18 MR-3 is now supported.

 

More on XG Firewall v18

Check out our recent blog and video series on how to make the most of the many great new capabilities in XG Firewall v18 such as the Xstream Architecture, TLS Inspection, FastPath acceleration, Zero-day threat protection, NAT, and much more.

We also have a new Sophos Techvids site for XG Firewall v18.

 

Get it now!

As usual, this firmware update is no charge for all licensed XG Firewall customers. The firmware will be rolled-out automatically to all systems over the coming weeks but you can access the firmware anytime to do a manual update through Licensing Portal. You can refer this article for more information on How to upgrade the firmware.

For fresh installations, the download links will be updated right here very soon.

Things to know before upgrading

You can upgrade from SFOS 17.5 (MR6 to MR14-1) to v18 MR-3. Check out the relevant sections of the XG v18 release notes for details on:

 

Issues Resolved in v18 MR-3 

  • NC-58229 [Authentication] Sophos AV and Avira AV Pattern updates failing
  • NC-51876 [Core Utils] Weak SSHv2 key exchange algorithms
  • NC-58144 [DNS] XG self reporting its own lookups in ATP causing flood of events
  • NC-54542 [Email] Email banner is added to incoming emails
  • NC-59396 [Email] Blocked senders are able to send the mails
  • NC-58159 [Firewall] Unable to ping the external IPs from auxiliary appliance console
  • NC-58356 [Firewall] Direct proxy traffic doesn’t work when RBVPN is configured.
  • NC-58402 [Firewall] Firewall reboots randomly.
  • NC-59399 [Firewall] ERROR(0x03): Failed to migrate config. Loading default.
  • NC-60713 [Firewall] Userportal hotspot voucher config gets timeout
  • NC-60848 [Firewall] HA cluster both nodes rebooting unexpectedly
  • NC-59063 [Firmware Management] Remove expired CAs from SFOS
  • NC-44455 [HA] System originated traffic is not flow from AUX when SNAT policy configured for system originated traffic
  • NC-62850 [HA] Filesystem oddity in /conf
  • NC-58295 [IPsec] Dropped due to TLS engine error: STREAM_INTERFACE_ERROR
  • NC-58416 [IPsec] IKE SA Re keying won’t be re-initiate itself after re-transmission time out of 5 attempts 
  • NC-58499 [IPsec] Sophos Connect Client ”IP is supposed to be added in the “##ALL_IPSEC_RW “
  • NC-58687 [IPsec] IPsec tunnel not getting reinitiated after PPPoE reconnect
  • NC-58075 [Netflow/IPFIX] Netflow data not sending interface ID
  • NC-55698 [nSXLd] Not able to add new domain in custom category
  • NC-62029 [PPPoE] PPPoE link does not reconnect after disconnecting
  • NC-57819 [RED] XG Site to Site RED Tunnel disconnects randomly also with MR10 and v18
  • NC-60240 [RED] Interfaces page is blank after adding SD-RED60 with PoE selected
  • NC-61509 [RED] RCA s2s red tunnel static routes disappear on FW update
  • NC-62161 [RED] RED connection with device becomes unstable after upgrading to v18.0 MR1 from v17.5 MR12
  • NC-59204 [SFM-SCFM] Task queue pending but never apply with XG86W appliance
  • NC-60599 [SFM-SCFM] Task queue pending but never apply due to no proper encoding
  • NC-62304 [SFM-SCFM] The notification e-mail sent from the XG displays the wrong Central Administrator
  • NC-61956 [UI Framework] WebAdmin Console and User Portal not accessible because space in certificate name
  • NC-62218 [UI Framework] Post-auth command injection via User Portal 1/2 (CVE-2020-17352)
  • NC-62222 [UI Framework] Post-auth command injection via User Portal 2/2 (CVE-2020-17352)
  • NC-58960 [Up2Date Client] HA: IPS service observed DEAD
  • NC-59064 [Web] Appliance goes unresponsive : Awarrenhttp high memory consumption
  • NC-60719 [WebInSnort] DPI engine causing website to intermittently load slowly

Here are some direct links to helpful resources:

Source: https://community.sophos.com/xg-firewall/b/blog/posts/xg-firewall-v18-mr3

RDS: How to block user access to Windows Update on Windows Server


The default settings in Windows Server allow users who are not administrators to scan for and apply Windows Updates. Administrators may want to change this setting to limit access to Windows Update, especially in Remote Desktop Services Host deployments.

To change this setting, use the Group Policy “Remove access to use all Windows update features.” The full path to this Group Policy is:

Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features

Sophos SUM: SUM core daemon not running – restarted


When using Sophos UTM Manager (SUM) to manage your UTMs, you will find that it is a brilliant tool for central backups and firmware upgrades, among other things.

Suddenly I kept getting these mails at work:

"[INFO-132] SUM core daemon not running – restarted"

After some debugging on the SUM, I looked in the SUM Core log files and found this:

2020:10:10-00:00:00 sum accd: 6867436 [0xdc9dfb70] WARN server.device.DeviceCache null – DeviceCache::login() device is already connected 251[device;guid:<guid obfuscated for blog post);ip:<IP obfuscated for blog post)]
2020:10:10-00:00:00 sum accd: 6867436 [0xde9e3b70] WARN server.device.DeviceSession null – DeviceSession::clear() IO error during recv [device;guid:<guid obfuscated for blog post);ip:<IP obfuscated for blog post)]
2020:10:10-00:00:00 sum accd: 6867436 [0xea9fbb70] ERROR libs.io.Session null – send attempted after previous error [device;guid:<guid obfuscated for blog post);ip:<IP obfuscated for blog post)]
2020:10:10-00:00:00 sum accd: 6867436 [0xea9fbb70] WARN server.device.DeviceSession null – DeviceSession::clear() IO error during sendDone [device;guid:<guid obfuscated for blog post);ip:<IP obfuscated for blog post)]

So it looks like more than one UTM is connected to this SUM with the same GUID; no good!

This can happen if you import a backup to a new UTM device without taking the first one down: the backup carries the GUID along, so both boxes present the same identity to SUM.
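As an added example (not part of the original post or of Sophos' tooling), here is a small parser and check that does the same diagnosis over accd log lines automatically, so a monitoring job can tell a duplicated GUID from a single device that keeps reconnecting. The line format is modelled on the four lines quoted above; the sample log, GUIDs and IPs are constructed for this example.

```python
"""Spot a GUID that is being claimed by more than one device in the SUM accd log."""
import re
from collections import defaultdict

# Modelled on the accd lines quoted above: timestamp, host, 'accd: <pid> [<thread>]', level,
# logger, two filler tokens ('null –'), the message, and a trailing '[device;guid:...;ip:...]' record.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<host>\S+) accd: \d+ \[0x[0-9a-f]+\] "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) \S+ \S+ (?P<msg>.*?)\s*\[(?P<record>[^\]]*)\]\s*$"
)


def parse_line(line):
    """Return the structured event, or None for lines that do not carry a device record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kind, *pairs = m["record"].split(";")
    event = {"ts": m["ts"], "level": m["level"], "logger": m["logger"], "msg": m["msg"], "kind": kind}
    for pair in pairs:                      # 'guid:<value>' and 'ip:<value>' become fields
        key, _, value = pair.partition(":")
        event[key] = value
    return event


def find_guid_conflicts(lines, min_conflicts=2):
    """GUIDs that repeatedly hit 'device is already connected', with every IP that tried to log in.
    Two or more distinct IPs on one GUID is the restored-backup-on-a-second-box case from the post;
    one IP repeating is more likely a flapping link from a single device."""
    conflicts = defaultdict(lambda: {"count": 0, "ips": set()})
    for line in lines:
        event = parse_line(line)
        if event and event["kind"] == "device" and "device is already connected" in event["msg"]:
            entry = conflicts[event.get("guid", "?")]
            entry["count"] += 1
            entry["ips"].add(event.get("ip", "?"))
    return {guid: e for guid, e in conflicts.items() if e["count"] >= min_conflicts}


# Constructed sample in the same format as the lines in the post; GUIDs and IPs are made up.
SAMPLE_LOG = """\
2020:10:10-00:00:00 sum accd: 6867436 [0xdc9dfb70] WARN server.device.DeviceCache null – DeviceCache::login() device is already connected 251[device;guid:aaaaaaaa-0000-4000-8000-000000000001;ip:10.0.0.5]
2020:10:10-00:00:01 sum accd: 6867436 [0xde9e3b70] WARN server.device.DeviceSession null – DeviceSession::clear() IO error during recv [device;guid:aaaaaaaa-0000-4000-8000-000000000001;ip:10.0.0.5]
2020:10:10-00:00:30 sum accd: 6867436 [0xdc9dfb70] WARN server.device.DeviceCache null – DeviceCache::login() device is already connected 251[device;guid:aaaaaaaa-0000-4000-8000-000000000001;ip:10.0.0.6]
2020:10:10-00:01:00 sum accd: 6867436 [0xdc9dfb70] WARN server.device.DeviceCache null – DeviceCache::login() device is already connected 251[device;guid:aaaaaaaa-0000-4000-8000-000000000001;ip:10.0.0.5]
2020:10:10-00:01:05 sum accd: 6867436 [0xdc9dfb70] WARN server.device.DeviceCache null – DeviceCache::login() device is already connected 251[device;guid:bbbbbbbb-0000-4000-8000-000000000002;ip:10.0.1.9]
garbage line that does not match the format
"""


def report(log_text=SAMPLE_LOG):
    """Console summary; returns the findings so they can be checked programmatically."""
    findings = find_guid_conflicts(log_text.splitlines())
    for guid, e in findings.items():
        tag = "DUPLICATE GUID" if len(e["ips"]) > 1 else "reconnect loop"
        print(f"{tag}: {guid} hit {e['count']} login conflicts from {sorted(e['ips'])}")
    return findings


if __name__ == "__main__":
    report()
```

On the sample, the first GUID is flagged as a duplicate because conflicts arrive from two different IPs, while the second GUID, seen only once, stays below the threshold. Point `report()` at the real accd log (with `sum accd` as the host/process prefix) and the IP set tells you which box to run the /etc/guid reset on.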

How to solve?

  1. Connect to the device that is not allowed to connect; in other words, the IP above from the log file (obfuscated)
  2. Enable SSH
  3. Run this: rm -f /etc/guid
  4. And this: /var/mdw/scripts/nextgen-agent restart (restarting the next-gen agent recreates the GUID that was deleted above)
  5. Next you will find that this blocked device now shows up in SUM
  6. Case closed 🙂

Mailflow issue from Exchange On-Prem to Office 365


When you are running a hybrid setup and have a third-party certificate installed on your Exchange server that expires or is revoked, things stop working.

You then install a new certificate on the server and assign it to the services in the Exchange Control Panel, but mail flow is still stalled. That is because you also need to assign the certificate to the send and receive connectors, through PowerShell 🙂

First get your certificate thumbprint:

Get-ExchangeCertificate

Copy and paste the thumbprint into the following commands:

–> Update the TLSCertificateName attribute on the Office 365 SendConnector.

$Cert = Get-ExchangeCertificate -Thumbprint <New Exchange Certificate>
$TLSCert = ('<I>' + $Cert.Issuer + '<S>' + $Cert.Subject)
Set-SendConnector -Identity <Office 365 send Connector> -TLSCertificateName $TLSCert

–>Update the TLSCertificateName attribute on the Exchange On-Premises(Hybrid) Receive Connector which is receiving email from Office 365.

$Cert = Get-ExchangeCertificate -Thumbprint <New Exchange Certificate>
$TLSCert = ('<I>' + $Cert.Issuer + '<S>' + $Cert.Subject)
Set-ReceiveConnector -Identity <Office 365 to On-Prem> -TLSCertificateName $TLSCert

If the HCW has been run, it normally labels the send connector like this: Outbound to Office 365

So it could look like this:

$Cert = Get-ExchangeCertificate -Thumbprint 1EB1172F9902FF8BF55497552DE038F4BB9BB500
$TLSCert = ('<I>' + $Cert.Issuer + '<S>' + $Cert.Subject)
Set-SendConnector -Identity "Outbound to Office 365" -TLSCertificateName $TLSCert

After this, all should be good to go 🙂

Source: https://docs.microsoft.com/en-in/archive/blogs/lalitbisht/mailflow-issue-from-exchange-on-prem-to-office-365
