Channel: martinsblog.dk
Microsoft 365: Get started with the Migration Manager

To migrate file shares into Microsoft 365 / OneDrive / SharePoint, this tool comes in handy.

It should not be confused with the SharePoint Migration Tool: Migration Manager can only migrate file shares, whereas the SharePoint Migration Tool can do both.

So we have this file share that we need moved to a SharePoint document library:

How does it work?

It works in three simple steps:

  • Set up migration agents. Download and install a setup file on each computer or virtual machine you want to connect to Migration Manager.
  • Create tasks & migrate. Create a task by entering the URL of the network file share that you want to migrate (your source) and the URL of the SharePoint site where you are migrating your content (your destination). Migration Manager does the rest. However many tasks you create, Migration Manager will automatically distribute the tasks across all the connected agents.
  • Monitor and report. Monitor progress across all agents and access reports from one central location.

Go ahead and log into the Migration Manager page of the new SharePoint admin center:

Download the agent setup file and put it on the file server hosting the share; it will be used as a migration agent. You can install multiple agents if your environment needs it.

Run the file on the file server:

Remember the permissions and press next:

Fill in the SharePoint admin credentials at the first prompt and the domain admin credentials at the next, then press "Install":

Do a test and press close:

Now head back to the SharePoint Migration page, and your agent should show as ONLINE:

So we are good to go!

Go to the "Tasks" tab and press "Global settings", then verify that everything is in the right place (this can also be done later on individually per task!):

Press “Save” if you changed anything, and select “Add task”:

We will go for “Single source and destination” migration in this example:

Enter source share:

Add destination SharePoint site:

Give it a name and press “Run now”:

The task is now in “Queued” state:

On the server, after some minutes, you will see the process "MigrationHost" using resources; it will eventually use 90-100%:

When you click the task in the SharePoint migration site, you can see how things are moving on:

And we can see the file server pushing data to the cloud:

Things are in progress, all we need now is to wait 🙂

And we are done:

Go ahead and delete the task and remove the agent from the server, enjoy your data in SharePoint 🙂

Some good FAQs: https://docs.microsoft.com/en-us/sharepointmigration/mm-faqs

Source: https://docs.microsoft.com/en-us/sharepointmigration/mm-get-started


Microsoft DHCP Server: Export / Import scope WITH leases

When extending a subnet with Microsoft DHCP, you cannot change the SUBNET mask on an already running active scope; you need to export, edit and import 🙂

Open PowerShell:

Export the specified scope and its leases:

Export-DhcpServer -ComputerName "dhcpserver.contoso.com" -File "C:\exportdir\dhcpexport.xml" -ScopeId 192.168.35.0 -Leases

Then open the XML file and search for the subnet:

Change the subnet mask to what you require, e.g. 255.255.0.0

Now go to the DHCP GUI and DELETE the SCOPE you have just exported – yes, delete 🙂 (I am sure you have checked that you had the right data in the XML first – right?! 🙂 )

Then run this in PowerShell:

Import the configuration and lease data (the file path must point at the XML you exported and edited above):

Import-DhcpServer -ComputerName "dhcpserver.contoso.com" -File "C:\exportdir\dhcpexport.xml" -BackupPath "C:\dhcpbackup\" -Leases

Refresh the DHCP GUI and you should find that everything is in place: the subnet mask, though it is still greyed out, has changed, and the leases the clients already had are back, so no network issues will occur! 🙂

Source:

Export-DhcpServer (DhcpServer) | Microsoft Docs

Import-DhcpServer (DhcpServer) | Microsoft Docs

Veeam and vSphere Clustering Service (vCLS)

In vSphere 7 Update 1, the vSphere Clustering Service (vCLS) was introduced; it basically provides DRS and HA even if the vCenter Server is down, cool 🙂

Read all about it here: vSphere 7 Update 1 – vSphere Clustering Service (vCLS) – VMware vSphere Blog

When backing up with Veeam Backup and Replication 10a, you will get failures because of missing Linux credentials. You could disable application-aware backup, but as the vCLS VMs are maintained completely by the ESX agent, there is NO need to back up these VMs: they are deleted/created whenever the server wants them, and they exist only as "helper" VMs for running the environment.

The official support for vSphere 7.0 U1 will be delivered in Cumulative Patch 3 for Veeam Backup & Replication 10a.

Until then, make an exception in Veeam for the vCLS VMs 🙂

eDocPrinter PDF Pro: How to activate properly in RDS environments

When running eDOC on terminal server farms, you need to activate the licenses properly, otherwise all the users will get their PDFs watermarked with trial information 🙂

This can be done as follows (from ITEKSOFT Support):

  1. For activating by administrator:
    Log in as Administrator on the server and run the shortcut in Windows –> Start –> Programs –> eDocPrinter PDF Pro –> Enter Registration Key.
    Copy and paste the same user ID, company name (optional), and key code from the key e-mail into the [Enter Registration Key] dialog.

    In the Windows Start menu, click: Start | All Programs | eDocPrinter PDF Pro | Enter registration number…
    Then enter your licence details (User ID, Company name, Registration number) on the 'About' tab by clicking 'Enter registration number'.

    After activation, it saves the key information in HKLM (hence users can load the licence info from HKLM).
    (Make sure your admin account has permission to write to HKLM; by default it is granted.)
    If you have multiple servers, please activate with the administrator account on all servers.

    OR

  2. For Ver 7.x, per-user activation deployment: for automatically deploying key information, please refer to the TSECLI activation described here:
    https://edocprinter.info/download/doc/edocprinter-deploykey.pdf

Read more about eDoc here:

https://www.iteksoft.com/

Sophos XG Firewall v18 MR4 is Now Available

Sophos has released v18 MR4:

XG Firewall v18 MR4 is Now Available

XG Firewall v18 MR4 – Release Notes & News – XG Firewall – Sophos Community

Enhancements in XG Firewall v18 MR4

High Availability

  • Improved FastPath performance for Active-Passive pairs
  • HA support in Amazon Web Services using the AWS Transit Gateway (coming soon to the AWS marketplace)
  • Improved high availability setup and upgrades

VPN Enhancements

  • New advanced options for IPSec remote access (replacing scadmin)
  • Sophos Connect VPN client downloads now available from the user portal
  • Enforcement of TLS 1.2 for SSL VPN on site-to-site and remote-access connections

Security and other Enhancements

  • Stronger password hash – which will prompt you to change your password when upgrading to take full advantage of this important feature (see prompt below)
  • Password complexity has been enabled for all passwords
  • Web Filtering – Websites that are identified as containing child sexual abuse content by the Internet Watch Foundation (IWF) will be automatically blocked when any web filtering is enabled. See www.iwf.co.uk for more information on the IWF.
  • Cloud Optix integration – Cloud Optix is now XG Firewall aware enabling the two solutions to work better together (full details).
  • Synchronized Application Control – a new option will automatically clean up discovered apps that are over a month old
  • Authentication – users can now be created for RADIUS using UPN format
  • 70 field reported issues have been resolved (see the list below)


    Be sure to take advantage of the new secure password hash system by resetting your admin password when prompted.

New Sophos Central Enhancements

  • New Partner Dashboard enabling Sophos partners to do group policy management across their customer base – make a change once and have it automatically replicate across multiple firewalls
  • New Group Policy Import enables one firewall to define the group policy during group setup making it easy to migrate from legacy CFM or SFM platforms
  • Scheduled Firmware Updates enables MR4 to be the first firmware you schedule using this new option
  • Full HA Support enabling easier management and improved fail-over support


New Group Policy Import makes switching to Sophos Central from CFM or SFM quick and easy.

With legacy SFM and CFM platforms coming to end of life soon, Sophos Central provides the ultimate platform for managing all your firewalls moving forward.  If you haven’t already, now is the time to switch.

Issues resolved in v18 MR4

  • NC-59149 [API Framework] CSC hangs as all 16 workers remains busy
  • NC-50703 [Authentication] Access server restarted with coredump using STAS and Chrome SSO
  • NC-54576 [Authentication] Sophos Connect connections exhausting virtual IP pool
  • NC-57273 [Authentication] Create users for RADIUS in UPN format
  • NC-59129 [Authentication] Authentication Failed due to SSL VPN (MAC BINDING) – Logging does not carry any information for the cause.
  • NC-61017 [AWS] AWS: TX-DRP increases constantly and affecting production traffic
  • NC-59574 [Base System (deprecated)] Sometimes hotfix timer is deleted
  • NC-58587 [Clientless Access] Clientless access service crashes
  • NC-59411 [DNS] Unable to add “underscore” character in DNS host entry
  • NC-54604 [Email] POPs/IMAPs (warren) dropping connection due to ssl cache error
  • NC-59897 [Email] Specific inbound mail apparently not being scanned for malware
  • NC-60858 [Email] PDF attachment in inbound email got stripped by XG firewall Email Protection
  • NC-63870 [Email] XG creates infinite connection to self on Port 25
  • NC-59406 [Firewall] Kernel crashed due to conntrack loop
  • NC-59809 [Firewall] Loopback rule not hit when created using Server access assistance (DNAT) wizard and WAN interface configured with network rather then host
  • NC-59929 [Firewall] Firewall Rules not visible on GUI, Page stuck on Loading
  • NC-60078 [Firewall] WAF: Certificate can’t be edit via API/XML import
  • NC-61226 [Firewall] Different destination IP is shown in log viewer for Allow and Drop firewall rule when DNAT is enabled
  • NC-61250 [Firewall] Memory leak (snort) on XG 430 rev. 2 running SFOS v18
  • NC-61282 [Firewall, HA] Failed to enable HA when a New XG is replaced in place of another XG.
  • NC-62001 [Firewall] Kernel Panic on XG550
  • NC-62196 [Firewall] Policy Test for Firewall, SSL/TLS and Web with DAY does not match with Schedule rule
  • NC-63429 [Firewall] Kernel stack is corrupted in bitmap hostset netlink dump
  • NC-65492 [Firewall] User is not able to generate access code for policy override
  • NC-59747 [Firmware Management] Upgrade to the v18 SR4 failed on Azure
  • NC-58618 [FQDN] [coredump] fqdnd in Version 18.0.2
  • NC-62868 [HA] HA – Certificate Sync fails in Aux
  • NC-64269 [HA] IPv6 MAC based rule not working when traffic is load balanced to Auxiliary
  • NC-64907 [HA] The auxiliary appliance crashes when broadcast packet is generated from it
  • NC-65158 [Hotspot] Voucher Export Shows Encrypted PSKs With SSMK
  • NC-57661 [IPS-DAQ-NSE] [NEMSPR-98] Browser ‘insecure connection’ message when NSE is on but not decrypting
  • NC-58391 [IPS-DAQ-NSE] TLS inspection causing trouble with incoming traffic
  • NC-61498 [IPS-DAQ-NSE] Symantec endpoint updates URL is getting failed when DPI interfere
  • NC-63242 [IPS-DAQ-NSE] SSL/TLS inspection causing outbound problems with Veeam backups
  • NC-59774 [IPsec] Charon shows dead Status
  • NC-59775 [IPsec] Follow-up: Sporadic connection interruption to local XG after IPsec rekeying
  • NC-60361 [IPsec] Intermittently incorrect IKE_SA proposal combination is being sent by XG during IKE_SA rekeying
  • NC-61092 [IPsec] Strongswan not creating default route in table 220
  • NC-62749 [IPsec] Responder not accepting SPI values after its ISP disconnects
  • NC-61101 [L2TP] Symlink not created for L2TP remote access
  • NC-62729 [L2TP] L2TP connection on alias interface not working since update to v18
  • NC-59563 [Licensing] Apostrophe in email address : Unable to load the “Administration” page from System > Administration
  • NC-63117 [Logging Framework] Garner is core-dumping frequently
  • NC-61535 [Network Utils] Diagnostics / Tools / Ping utility not working with PPPoE interface
  • NC-62654 [nSXLd] NSXLD Coredump caused device hang
  • NC-59724 [RED] Back-up from v17.5 MR10 Fails to Restore on v18
  • NC-60081 [RED] Unable to specify Username and Password when using GSM 3G/UMTS failover
  • NC-60158 [RED] FQDN host Group appearing in RED configuration – Standard /split network
  • NC-60854 [RED] Red S2S tunnel static routes disappear on firmware update
  • NC-63803 [RED] FailSafe Mode After Backup Restore – Reason Unable To Start RED Service
  • NC-55003 [Reporting] Keyword search engine report not working
  • NC-59106 [Reporting] Security Audit Report missing information in “Number of Attacks by Severity Level” section
  • NC-60430 [Reporting] XG firewall send duplicate copies of schedule executive report
  • NC-60851 [Reporting] Scheduled reports won’t be sent
  • NC-62804 [SecurityHeartbeat] Registration to central security heartbeat does not work via upstream proxy
  • NC-62182 [SFM-SCFM] Admin can not able to change password of SF 18.0 device from SFM/CFM device level
  • NC-61313 [SNMP] Memory Utilization mismatch between UI and atop/SNMP.
  • NC-64454 [SNMP] XG86 – /tmp partition becomes 100% full because of snmpd logs
  • NC-53896 [SSLVPN] Enforce TLS 1.2 on SSL VPN connections
  • NC-60302 [SSLVPN] All the SSL VPN Live connected users get disconnected when admin change the group of one SSL VPN connected user
  • NC-60184 [UI Framework] Missing HTTP Security Headers for HSTS and CSP
  • NC-61206 [Up2Date Client] XG Fails To Fetch hotfixes/patterns : File /conf/certificate/u2dclient.pem Missing
  • NC-62689 [VFP-Firewall] When fastpath (firewall-acceleration) is enabled ,traceroute will show time-out on the XG hop
  • NC-63783 [VFP-Firewall] Unable to start the IPS
  • NC-64470 [VFP-Firewall] Auto reboot/nmi_cpu_backtrace due to VFP.Disabling firewall acceleration did fix the issue
  • NC-63058 [VirtualAppliance] Incorrect Virtual XG Firewall Model Name Showing in GUI and CLI
  • NC-47994 [Web] Pattern updates for SAVI and AVIRA are failing
  • NC-54173 [Web] URL Group – add URL control fails on leading/trailing whitespace
  • NC-51888 [WebInSnort] IPP/AirPrint not accessible after upgrade software appliance firmware to 18.0 EAP1
  • NC-54978 [WebInSnort] When a HTTPS connection is not decrypted, the reports will show a hit to the site but no bytes sent/received
  • NC-62448 [WebInSnort] Core dump on Snort
  • NC-63515 [WebInSnort] NSE: Unsupported EC type with App control and web policy
  • NC-64875 [WebInSnort] HTTP Pipelining errors in DPI mode with non-pipelined traffic

SUBINACL: Give user allow to restart services.

Sometimes Windows services in companies are used for important things, and they can stop responding, meaning critical production tasks stop being executed, or the Windows Print Spooler service may hang; thus they need to be restarted.

Here you can see how to give a "normal" user the privileges for doing just that, and nothing else.

Download subinacl.exe from the Windows Resource Kit via the Web Archive, as it is not available from Microsoft anymore:

https://web.archive.org/web/20190830103837/http://www.microsoft.com/en-us/download/confirmation.aspx?id=23510

or download as zip from my blog here: subinacl.zip

Then open an elevated prompt and change to the directory where the MSI has been installed to:

“C:\Program Files (x86)\Windows Resource Kits\Tools\”

Type:

subinacl.exe /service Spooler /grant=domain\jt=PTO

Here the access has been granted to the user domain\jt.

=PTO means this (P = pause/continue, T = start, O = stop):

Now the user can start "Service Manager", connect to the server where you set this, and start/stop/pause this one service 🙂

Sophos UTM/XG: Clear the ARP / Neighbor table

When making changes on your network, e.g. giving known hosts new IPs or giving new servers the IPs of old ones, you may need to reset the ARP table to make sure that traffic can traverse the firewall again. This can be done by rebooting, or by opening an SSH connection to the firewall and typing this in root mode:

ip -s -s neigh flush all

On UTM:

You can also show the ARP entries currently in the system with the command "arp -n"

The above command also works on the Sophos XG Firewall in the shell; however, XG has a GUI for the same:

Source: Sophos XG Firewall: How to Flush the Neighbor Cache

Sophos XG Firewall: End of Support for RED 10 devices

Sophos will remove support for the obsolete RED 10 device on XG Firewall:

  • SFOS v18 MR-2 removed support for Sophos RED 10 devices
  • SFOS v18 MR-6 will remove Sophos RED 10 devices from the UI

Please note that RED 10 devices were End-of-Life as of November 1st, 2018.

So it’s time to replace the RED 10 (And deal with the 30Mbit limitation it had 🙂 ) with the SD-RED 20 or SD-RED 60.

Source: Sophos XG Firewall: End of Support for RED 10 devices – Release Notes & News – XG Firewall – Sophos Community


Windows server 2019: Troubleshoot missing SYSVOL and Netlogon shares

During a system crash, one of my domain controllers stopped showing the SYSVOL and Netlogon shares. I did a lot of debugging and found out that the DFS-R replication used in Win2019 (not NTFRS anymore :-)) was corrupted.

So the event log, on the failing DC showed me this:

And thus I restarted, waited, and waited some more; it never got past the initial point.

Luckily Microsoft has a solution for this, found here:

Troubleshoot missing SYSVOL and Netlogon shares for Distributed File System (DFS) Replication – Windows Server | Microsoft Docs

and that article led me to this one:

Force synchronization for Distributed File System Replication (DFSR) replicated sysvol replication – Windows Server | Microsoft Docs

So first I debugged with these commands:

  • Check for the SYSVOL share

    You may manually check whether SYSVOL is shared or you can inspect each domain controller by using the net view command:

    For /f %i IN ('dsquery server -o rdn') do @echo %i && @(net view \\%i | find "SYSVOL") & echo
    
  • Check DFS Replication state

    To check DFS Replication’s state on domain controllers, you may query WMI. You can query all domain controllers in the domain for the SYSVOL Share replicated folder by using WMI as follows:

    For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
    

    The state values can be any of:
    0 = Uninitialized
    1 = Initialized
    2 = Initial Sync
    3 = Auto Recovery
    4 = Normal
    5 = In Error

And mine showed this:

So clearly DC01 has a status of "2", which means "Initial Sync", but it never moved past that point :-/

But I simply (I can use that word now :-D) followed ALL the steps in this article, and after that I ran the same command again:

Force synchronization for Distributed File System Replication (DFSR) replicated sysvol replication – Windows Server | Microsoft Docs

Also confirmed in the event log:

Hooray 🙂

To fix older systems running NTFRS (pre-2016) you can use these steps to fix the same:

Use BurFlags to reinitialize File Replication Service (FRS) – Windows Server | Microsoft Docs

Windows failed to apply the MDM Policy settings

Been debugging like crazy the last day with this symptom:

When you run the gpupdate /force command on a hybrid Azure Active Directory (Azure AD)-joined Windows device that’s enrolled in Microsoft Intune, you receive the following warning message:

Updating policy…

Computer Policy update has completed successfully.

The following warnings were encountered during computer policy processing:

Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the “More information” link.
User Policy update has completed successfully.

For more detailed information, review the event log or run GPRESULT /H GPReport.html from the command line to access information about Group Policy.

Should have Googled it though, because this is “Expected behavior” 🙂

Cause

This issue occurs if the Auto MDM Enrollment with AAD Token Group Policy Object (GPO) is applied to the Windows device. In this case, it tries to enroll the device in MDM when you run the gpupdate /force command. Because the device was already enrolled, you receive the warning message.

This behavior is expected. You can safely ignore the warning message.

Source: Windows failed to apply MDM Policy settings – Intune | Microsoft Docs

🙂

vSphere 7: unable to log into the VAMI page- “Invalid Credentials” or “Unable to Login”

Running the newest build of VCSA 7.0.1 from Dec. 17 2020, I could not log in to the VAMI page:

https://<vcenterfqdn>:5480

It instantly wrote “Unable to Login”

After some digging around and rebooting, I found this article:

After updating vCSA to 6.7 U2 or higher, unable to log into the VAMI page- “Invalid Credentials” or “Unable to Login” (68149) (vmware.com)

After running all the commands and rebooting the VCSA, the applmgmt service started correctly once the timeout was changed to 600 from 60!

After the reboot, I could log in as normal 🙂

Azure MFA NPS extension: The request was discarded by a third-party extension DLL file

This one, wow what a pain in the a******

It took me hours to finally debug this issue.

I had set up NPS on a Windows 2019 server, like many times before, registered it in Active Directory, and installed the "Use Azure AD Multi-Factor Authentication with NPS – Azure Active Directory | Microsoft Docs" plugin, set up the policies in NPS and all good. Then I set up my RADIUS client device, in this example a Sophos XG firewall, but no! – nothing worked. After some debugging I saw this in the Windows server event log:

So it was clear that the NPS extension module rejected it, but why?

Luckily this guy at “Sergii’s Blog” did some debugging with the extension in some other matters, and he found out why:

Looking at the Azure AD portal – go to Enterprise Applications, change the Application Type to All, search for Azure Multi-Factor Auth Connector and Azure Multi-Factor Auth Client, and you will find these guys:

In my example the "Azure Multi-Factor Auth Client" was disabled, I did not know why!!:

Just enable it and save, and check the other multi-factor application too. Right after this, the NPS MFA Extension worked perfectly.

Many many thanks to “Sergii’s Blog” for pointing in the right direction 🙂

Sophos XG: XG as NTP server – workaround

Sophos UTM provided the ability to act as an NTP server, which was very useful in many installations.

It looks, though, like Sophos has no intention of adding this feature to XG.

But Rob Andrews, in the Sophos Community, came up with a very simple workaround: a SNAT rule that catches NTP traffic coming to the XG LAN IP and passes it on to the NTP server of your choice. I tried it out, and here is what I did:

Create a NAT rule:

Now point your NTP client to the LAN IP of the XG, and see what happens 🙂

Remember to create a firewall rule accordingly, if you do not allow LAN –> WAN (ANY) 🙂

Thanks for the workaround Rob!

EXCHANGE: Urgent: Critical 0 day targeting exchange 2010+

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Read more: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

Important!

READ THIS BEFORE YOU START YOUR DAY

Exchange On Prem 0 day for all versions 2010+. Exchange Online not vulnerable, but even a single on prem box means a customer could be at risk.

March 2, 2021 – Exchange Out of Band Release – Multiple Security Updates Released for Exchange Server – HAFNIUM targeting Exchange Servers with 0-day exploits

Exchange Team Blog:
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

MSRC blog:
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server

MSTIC blog:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Microsoft on the Issues
https://blogs.microsoft.com/on-the-issues/?p=64505

March 2, 2021 Security Update Release
March 2, 2021 Security Update Release – Release Notes – Security Update Guide – Microsoft

Exchange exploit: One-Click Microsoft Exchange On-Premises Mitigation Tool

Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.

By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed. This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching.

Download here:

https://aka.ms/eomt

Source:

One-Click Microsoft Exchange On-Premises Mitigation Tool – March 2021 – Microsoft Security Response Center

Sophos Firewall: v18.5 EOL Support for accesspoints

Sophos has announced that from SFOS v18.5 they will no longer support the older AP Series access points:

Overview

Support for some legacy and end-of-life access points will be removed from upcoming versions of Sophos Firewall OS (SFOS) and on future hardware platforms.

Applies to the following Sophos products and versions
Sophos Firewall OS (SFOS) v18.5
AP Series: 5, 10, 30, 50, 15, 15C, 55, 55C, 100 and 100C

SFOS version 18.5 and higher on XG Series
AP Series: 5, 10, 30, 50
In SFOS version 18.5 and higher running on XG Series appliances, support will no longer be included for the AP Series access points which reached their end-of-life date in 2018.

Future hardware platforms
AP Series: 5, 10, 30, 50, 15, 15C, 55, 55C, 100 and 100C
As advised during the end-of-sale announcement for the above access points, future hardware platforms will not support any legacy AP Series models.

What to do
To continue to use your firewall to manage your Wi-Fi networks, you will need to refresh your AP Series hardware to the APX Series.

Learn more about the APX Series

Source: Legacy AP Series support on upcoming SFOS versions and future hardware platforms (sophos.com)

Sophos XG Firewall v18 MR5 is Now Available!

Sophos has released MR-5 for SFOS v18. It has many great new features; here are the release notes (PS: I have already installed it in my HA environment, and it works flawlessly):

XG Firewall v18 Maintenance Release 5 (MR5) is packed with enhancements to performance, security, reliability and central reporting. With v18 MR5, we have published XG Firewall integration for Azure Active Directory and Azure Virtual WAN.

What’s new in v18 MR5:

VPN Enhancements

  • A huge 50% increase in concurrent IPSec VPN tunnel capacity (learn more)
  • Port 443 sharing between SSL VPN and the Web Application Firewall (WAF)
  • IPSec provisioning file support for remote access via Sophos Connect v2.1

SD-WAN

  • Integration with Azure Virtual WAN for a complete SD-WAN overlay network (learn more)

Authentication

  • Integration with Azure Active Directory (learn more)

Certificate Management and Security

  • Form enhancements for creating certificate signing requests and certificates
  • Enhanced security for private keys
  • Upload/download support for PEM format certificates
  • Enhanced workflows for certificate management

Synchronized Security

  • Enhanced registration and de-registration in high-availability (HA) installations
  • Missing Heartbeat enhancements to reduce notifications sent for intended/expected changes in endpoint status

Sophos Central Firewall Reporting

  • New Cloud Application (CASB) report
  • MSP Flex Pricing for MSP partners

Issues resolved in v18 MR5

  • 50+ field reported issues have been resolved

More info available here: v18 MR5 release notes

Upgrade as soon as possible

While we always encourage you to keep your firewalls up to date with the latest firmware, over the next few months we are recommending you rapidly apply maintenance releases to ensure you have all the important security, performance, and feature enhancements applied as soon as possible.

Also ensure you have automatic pattern updates enabled so that you can be assured you have the latest protection updates.

XG Firewall v18 MR5 is an easy and fully supported upgrade from XG Firewall v17.5 MR6+ (including the latest v17.5 MR15 release). Please refer to the Upgrade information tab in the release notes for more details.

How to get it

As usual, this firmware update is no charge for all licensed XG Firewall customers. The firmware will be rolled out automatically to all systems over the coming weeks, but you can access the firmware anytime to do a manual update through the Licensing Portal. Please refer to the documentation for more information on how to apply firmware updates.

Source: XG Firewall v18 MR5 – Release Notes & News – Sophos (XG) Firewall – Sophos Community

Sophos XG Firewall: Integrate XG Firewall with Azure AD

Sophos made a great article regarding running Sophos XG with Azure AD authentication; here are the steps:

Overview

This document is applicable to all the XG Firewalls running all versions. To integrate the XG firewall with Azure AD, we need to create a new service called “Azure AD Domain services”.

With this integration, administrators can use Azure AD for the following:

  1. Captive portal authentication of internal firewall users.
  2. Authentication agent for Windows, Mac, Linux.
  3. SSL VPN authentication.
  4. Sophos Connect client.
  5. Use the SSO using the Synchronized security UserID*.

Note: SSO with synchronized security and Azure AD needs to meet some specific requirements which are outside the scope of this document.

Azure AD DS replicates identity information from Azure AD to a Microsoft-operated set of domain controllers, so it works with Azure AD tenants that are cloud-only, or synchronized with an on-premises AD DS environment. The same set of Azure AD DS features exists for both environments.

Azure AD domain services offer an LDAP interface to XG that can replicate the working of an on-premise Active Directory.  This article assumes there is an existing Azure AD environment in place.

Azure configuration

  1. Log in to the Azure portal and create Azure AD Domain Services; this step will take 60-90 minutes to deploy. Please see the documentation from Microsoft on how to deploy Azure AD Domain Services.

  2. Once the AD domain services are deployed, you should see the health status as “Running”.

  3. Click Synchronize; you can either select scoped synchronization or choose to synchronize all of Azure AD.

    Note: The following step is required for cloud-only user accounts in Azure AD, as the Azure AD account is not synchronized with AD Domain Services until the user has changed the password by logging in to their Office 365 login. This password change causes the password hashes for Kerberos and NTLM authentication to be generated and stored in Azure AD.

  4. Each user needs to log in to the Office 365 portal and change the password. If it’s a new user logging in to Office 365 for the first time, they will be prompted for the password change.
  5. Once the AD Domain Services are deployed, it’s recommended to enable LDAPS if the firewall is sending LDAP bind requests over the internet. For additional security, Sophos recommends creating an IPsec tunnel to Azure over which to bind the LDAP.

    Note: Azure accepts self-signed certificates for this purpose. In this example, we use OpenSSL to generate a self-signed chain of certificates. Azure only accepts certs with “extendedkeyusage for server authentication”.

    Below is the process to generate self-signed Certs with EKU:serverauth:

    • In order to create the Certificate Authority Private Key and Certificate, you first need to create a private key for the CA with the name azureADca.key.

      $ openssl genrsa -out azureADca.key 4096
      Generating RSA private key, 4096 bit long modulus
      ……………………………………………………………………………………………………………………………………….++
      …………….++
      e is 65537 (0x10001)

    • Create the CA certificate to be used to validate signed certificates, called azureADca.pem.

      $ openssl req -x509 -new -nodes -key azureADca.key -days 3650 -out azureADca.pem
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter ‘.’, the field will be left blank.
      -----
      Country Name (2 letter code) []:CA
      State or Province Name (full name) []:ON
      Locality Name (eg, city) []:Burlington
      Organization Name (eg, company) []:<Your org>
      Organizational Unit Name (eg, section) []:Salesengineering
      Common Name (eg, fully qualified host name) []:<Common name>
      Email Address []:email@email.com

    • Create a text file and copy/paste the below text. Save the file as “azureAD-eku.conf” or any name of your choice.

      [client_server_ssl]
      extendedKeyUsage = serverAuth

    • Now that this file exists, you need to generate a private key for the LDAP cert with the name “ldapssl_private.key”.

      $ openssl genrsa -out ldapssl_private.key 4096
      Generating RSA private key, 4096 bit long modulus
      ……………………………..++
      ……….++
      e is 65537 (0x10001)

    • Next, create a certificate signing request to sign with the CA you previously created, with the name “azureADldapssl.csr”, and fill in the values shown below.

      $ openssl req -new -key ldapssl_private.key -out azureADldapssl.csr
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter ‘.’, the field will be left blank.
      -----
      Country Name (2 letter code) []:CA
      State or Province Name (full name) []:ON
      Locality Name (eg, city) []:Burlington
      Organization Name (eg, company) []:firewallinabox
      Organizational Unit Name (eg, section) []:Sales Engineering
      Common Name (eg, fully qualified host name) []:<yourdomainname>
      Email Address []:<email@email.com>

      Please enter the following ‘extra’ attributes
      to be sent with your certificate request
      A challenge password []:<Password>

    • You now need to sign the request, while including the signing extensions created earlier. The following command will create the signed cert with the name “azureADcert.crt”.

      $ openssl x509 -req -extensions client_server_ssl -extfile azureAD-eku.conf -in azureADldapssl.csr -CA azureADca.pem -CAkey azureADca.key -CAcreateserial -out azureADcert.crt -days 365
      Signature ok
      subject=/C=CA/ST=ON/L=Burlington/O=firewallinabox/OU=Sales Engineering/CN=firewallinabox.tk/emailAddress=email@email.com
      Getting CA Private Key
      $

    • Convert the certificate into PFX format, as Azure accepts the certs in the PFX format. The CA certificate to include is the azureADca.pem file created earlier.

      $ openssl pkcs12 -export -out XGazureADcert.pfx -inkey ldapssl_private.key -in azureADcert.crt -certfile azureADca.pem
      Enter Export Password:
      Verifying – Enter Export Password:

    • Next, upload the XGazureADcert.pfx file into Azure AD.

  6. Under Azure AD Domain Services, navigate to Properties and make a note of the Secure LDAP external IP address. If you are connecting through an IPsec tunnel, you can use the internal addresses, which are 10.201.1.4 and 10.201.1.5 in this example.
  7. Make sure the correct administrator group, the one used on the XG to send LDAP bind requests to AD Domain Services, is selected.

  8. In the Azure portal, navigate to Azure AD > Users and make sure the user is part of the AAD DC Administrators group inside Azure AD.

  9. In the Azure portal, navigate to Network security groups > Inbound security rules, then add a new inbound security rule allowing the LDAPS traffic from your firewall’s public IP. (This is optional and only required if you are using an IPsec tunnel for additional security).

  10. The administrator account you will be using on the XG Firewall must first have logged in to Office 365, and its password needs to be changed upfront.
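The OpenSSL steps under step 5 above, collected into a non-interactive script as an added example (not from the Sophos article): it builds the CA, the LDAPS certificate with EKU serverAuth, and the PFX, and then checks that the certificate chains to the CA and actually carries the serverAuth EKU that Azure requires before you upload it. The subject values, the CN ldaps.example.test and the export password ChangeMe are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not the article's own commands. File names follow the article;
# subject values, CN and the PFX password are placeholders.
set -eu

make_ldaps_pfx() {
    workdir="$1"
    mkdir -p "$workdir"
    (
        cd "$workdir" || exit 1
        # 1) CA private key and self-signed CA certificate (azureADca.key / azureADca.pem)
        openssl genrsa -out azureADca.key 4096 2>/dev/null
        openssl req -x509 -new -nodes -key azureADca.key -days 3650 \
            -subj "/C=CA/ST=ON/L=Burlington/O=Example Org/CN=Example LDAPS CA" \
            -out azureADca.pem
        # 2) Extension file: Azure only accepts an LDAPS cert with EKU serverAuth
        printf '[client_server_ssl]\nextendedKeyUsage = serverAuth\n' > azureAD-eku.conf
        # 3) Server key and CSR; the CN must be the Secure LDAP name the firewall connects to
        openssl genrsa -out ldapssl_private.key 4096 2>/dev/null
        openssl req -new -key ldapssl_private.key -out azureADldapssl.csr \
            -subj "/C=CA/ST=ON/L=Burlington/O=Example Org/CN=ldaps.example.test"
        # 4) Sign with the CA, applying the EKU section (365-day validity as in the article)
        openssl x509 -req -extensions client_server_ssl -extfile azureAD-eku.conf \
            -in azureADldapssl.csr -CA azureADca.pem -CAkey azureADca.key -CAcreateserial \
            -out azureADcert.crt -days 365 2>/dev/null
        # 5) Bundle key, cert and CA into the PFX Azure expects (placeholder password)
        openssl pkcs12 -export -out XGazureADcert.pfx -inkey ldapssl_private.key \
            -in azureADcert.crt -certfile azureADca.pem -passout pass:ChangeMe
    )
}

# Pre-upload check: the cert must chain to the CA and carry EKU serverAuth.
verify_ldaps_cert() {
    workdir="$1"
    openssl verify -CAfile "$workdir/azureADca.pem" "$workdir/azureADcert.crt" >/dev/null 2>&1 \
        || return 1
    openssl x509 -in "$workdir/azureADcert.crt" -noout -text \
        | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'
}

# Build everything under ./ldaps-demo and verify before uploading XGazureADcert.pfx
make_ldaps_pfx ./ldaps-demo && verify_ldaps_cert ./ldaps-demo \
    && echo "ldaps-demo/XGazureADcert.pfx ready to upload"
```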

Firewall configuration

  1. Login to the XG Firewall web UI and navigate to Configure > Authentication > Servers > Add and use the following settings we have from the Azure AD domain services.

  2. Import the groups from Azure AD as shown below.

  3. Select the server from the list of authenticated servers from Configure > Authentication > Services.

  4. Test the authentication with the user portal and the login should be successful.


Source: Sophos XG Firewall: Integrate XG Firewall with Azure AD – Recommended Reads – Sophos (XG) Firewall – Sophos Community

Exchange Online: Native external sender callouts on email in Outlook


This is for Exchange Online only (M365):

Today the iOS Outlook app finally got support for “Native external sender callouts”. This means that you will get a “tag” when a sender is “external”; that tag can be clicked and will reveal the email address. This is an attempt to help recipients fight phishing and spam.

This new feature is intended to replace the transport rules that some have set up earlier, adding an HTML line at the top of every email arriving from outside the organisation.

When implementing this, that transport rule should be disabled!

To set this up


  1. Connect to Exchange Online PowerShell.
  2. An Exchange Online tenant admin will need to run the cmdlet Set-ExternalInOutlook to enable the new user interface for the whole tenant (this is available now); adding certain emails and domains to the allow list via the cmdlet is also possible.
  3. Outlook on the web already supports this. Outlook Mobile (iOS & Android) and Outlook for Mac are rolling out this feature. Specific versions:
    • Outlook on the web: available now
    • Outlook for Windows: available in May 2021 (starting with Insider Fast)
    • Outlook mobile (iOS & Android): version 4.2111.0 and higher
    • Outlook for Mac: version 16.47 and higher


Here it is enabled for the whole organisation:

Set-ExternalInOutlook -Enabled $true

Outlook on the web, Mac, and mobile will display an External tag in the message list. Outlook Desktop and OWA will show the sender’s email address in the reading pane info bar. Outlook mobile and Outlook for Mac will only show an External tag in the message reading pane, and users will need to click the tag to see the real sender’s email address.

Outlook on the web view of External sender:


In Outlook for iOS, External sender user interface in the message list, External tag when reading chosen email and view of sender’s email address after tapping External label:


Once this feature is enabled via PowerShell, it might take 24-48 hours for your users to start seeing the External sender tag in email messages received from external sources (outside of your organization), providing their Outlook version supports it.

If enabling this, you might want to notify your users about the new feature and update your training and documentation, as appropriate.


Sources:

Set-ExternalInOutlook (ExchangePowerShell) | Microsoft Docs

Native external sender callouts on email in Outlook – Microsoft Tech Community


PATCH NOW: April 2021 Exchange Server Security Updates


Here we go again 🙁 !!

Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

IMPORTANT: If manually installing security updates, you must install the .msp from an elevated command prompt (see Known Issues in the update KB article).

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU19 and CU20
  • Exchange Server 2019 CU8 and CU9

Vulnerabilities addressed in the April 2021 security updates were responsibly reported to Microsoft by a security partner. Although Microsoft is not aware of any active exploits in the wild, its recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect Microsoft Exchange Server. Exchange Online customers are already protected and do not need to take any action.



Inventory your Exchange Servers

Use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release), to inventory your servers. Running this script will tell you if any of your Exchange Servers are behind on updates (CUs and SUs).


IMPORTANT: Read more here:

Sources:

April 2021 Update Tuesday packages now available – Microsoft Security Response Center

Released: April 2021 Exchange Server Security Updates – Microsoft Tech Community
