Channel: martinsblog.dk

Sophos XG Firewall: How to set up Sophos authentication for thin client (SATC)


When running Remote Desktop Services environments, you also need to identify your thin client users, both for user-based security (user identification) and so the firewall can match traffic to your user IDs.

Sophos has a client called SATC (Sophos Authentication for Thin Client), which solves this problem.

How to use it?

Read this great article, which explains how to use it in every way thinkable:

https://community.sophos.com/kb/en-us/127157


How to migrate large mail items to Office 365


When migrating mailboxes to Office 365, you may get this error in the migration window:

“Request ’’ has already encountered more than ’5’ large items and can’t be given a limit of ’0’.”

This is due to the default mailbox plan, which only allows mail items of up to 35 MB.

This can be changed through Exchange Online PowerShell.

To migrate items to Office 365 that are larger than the defaults (35 MB in 2018), you will need to run the following PowerShell commands.

First, run this against your Office 365 environment to determine what your current settings are:

Get-Mailbox user01 | fl mailboxplan,maxsendsize,maxreceivesize

Note: remember to test against a user you have not previously modified!

Example:

MailboxPlan: ExchangeOnlineEnterprise-77habc0fcc-8b91-4f2e-960c-334fhccc68

MaxSendSize: 35 MB (36,700,160 bytes)

MaxReceiveSize: 36 MB (37,748,736 bytes)

Now change the default 35 MB to 150 MB in the mailbox plan:

Get-MailboxPlan | Set-MailboxPlan -MaxSendSize 150MB -MaxReceiveSize 150MB

Note: new users will get this new limit, but users already on the platform need to be adjusted with this:

Get-Mailbox | Set-Mailbox -MaxReceiveSize 150MB -MaxSendSize 150MB

Then confirm that it worked:

Get-Mailbox user01 | fl mailboxplan,maxsendsize,maxreceivesize

MailboxPlan: ExchangeOnlineEnterprise-77habc0fcc-8b91-4f2e-960c-334fhccc68

MaxSendSize: 150 MB (36,700,160 bytes)

MaxReceiveSize: 150 MB (37,748,736 bytes)

Done! 🙂

Enable-RemoteMailbox –ExchangeGuid is mandatory on UserMailbox


During a recent move from on-premises Exchange 2010 to Office 365 Hybrid, I wanted to create a new user in AD and then enable a mailbox for it afterwards. This gave the following error in Exchange 2010 PowerShell:

Enable-RemoteMailbox user01@domain.com -RemoteRoutingAddress user01@companytenant.onmicrosoft.com

Error:
ExchangeGuid is mandatory on UserMailbox.
Database is mandatory on UserMailbox.

After troubleshooting the issue, there were entries in the msExch… attributes of the user that pointed to an old Exchange server.

Open the user’s object in ADUC with Advanced Features enabled, and look in the Attribute Editor:

Find every attribute beginning with msExch and clear it, so that all msExch attributes are empty (“”).

Wait a little for AAD Connect to sync its stuff, or run a manual synchronization.
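As an added example (not from the post), here is a PowerShell routine that does the Attribute Editor work from the shell: it lists every populated msExch* attribute on the user, backs the values up to CSV and clears them only when run with -Commit. The function names and the backup path are my own choices, and user01 is a placeholder.

```powershell
# Added example (not from the post): audit and clear stale msExch* attributes on an AD user.
Import-Module ActiveDirectory

function Get-MsExchAttribute {
    param([Parameter(Mandatory)][string]$Identity)

    # -Properties * returns every attribute that actually has a value in AD
    $user = Get-ADUser -Identity $Identity -Properties *

    foreach ($p in $user.PSObject.Properties) {
        if ($p.Name -notlike 'msExch*' -or $null -eq $p.Value) { continue }

        # GUIDs such as msExchMailboxGuid are stored as byte[]; render them as hex
        $value = if ($p.Value -is [byte[]]) {
            ($p.Value | ForEach-Object { $_.ToString('x2') }) -join ''
        } else {
            @($p.Value) -join ';'          # flattens multi-valued attributes
        }
        if ([string]::IsNullOrEmpty($value)) { continue }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Attribute      = $p.Name
            Value          = $value
        }
    }
}

function Clear-MsExchAttribute {
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Backup location is an assumption; change it to suit your environment
        [string]$BackupPath = (Join-Path $env:TEMP "msexch-backup-$Identity.csv"),
        [switch]$Commit
    )

    $attrs = @(Get-MsExchAttribute -Identity $Identity)
    if ($attrs.Count -eq 0) {
        Write-Host "No populated msExch* attributes on $Identity"
        return
    }

    # Always keep a copy of what is about to be removed
    $attrs | Export-Csv -Path $BackupPath -NoTypeInformation
    $names = @($attrs.Attribute | Sort-Object -Unique)

    if (-not $Commit) {
        Write-Host "Would clear $($names.Count) attribute(s) on ${Identity}: $($names -join ', ')"
        Write-Host "Backup written to $BackupPath. Re-run with -Commit to apply."
        return $names
    }

    # Set-ADUser -Clear takes a string[] of attribute LDAP names
    Set-ADUser -Identity $Identity -Clear $names
    Write-Host "Cleared $($names.Count) attribute(s) on $Identity; backup in $BackupPath"
    $names
}

# Review first, then apply ('user01' is a placeholder)
Clear-MsExchAttribute -Identity 'user01'
# Clear-MsExchAttribute -Identity 'user01' -Commit
```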

Exchange 2013/2016 Server Component State Inactive (IMAP)


Suddenly IMAP can stop working on your server. As you look through your setup, you will find that it is still configured correctly and the service is running! So what could be wrong?

Since version 2013, Exchange has used Server Component States for granular control over the state of the components that make up an Exchange server.

When these are not working as they should (read: Inactive/Offline!), the service behind them stops working, even though it shows as “Running” in Services manager.

Here we will troubleshoot the IMAP service, which has an underlying IMAP.Proxy health set, so let’s head to the Exchange Management Shell.

Here we find that the service is OFFLINE:

Get-HealthReport <exchange-servername> | where { $_.State -eq "Offline" }

Let’s try to get it reactivated with this:

Set-ServerComponentState -Identity <exchange-servername> -Component IMAPProxy -State Active -Requester HealthAPI

Let’s see if it worked. It did!

Get-HealthReport <exchange-servername> | where { $_.HealthSet -eq "IMAP.Proxy" }

The event log shows this (you get the time of the error from the “LastTransitionTime” above: 07-01-2019 02:45:20):

Why this happens can be difficult to know. As these are ADAccess related, it could be that one or more DCs are offline or have been rebooted, network problems or other issues. But here is how to fix it 😉
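As an added example (not from the post), this generalizes the IMAPProxy fix to every component: it lists each non-Active component together with the requester that set it, because Set-ServerComponentState has to be run with that same -Requester before the component comes back. The function names are mine and EX01 is a placeholder server name.

```powershell
# Added example (not from the post): find non-Active Exchange components and who set them.
function Get-InactiveServerComponent {
    param([Parameter(Mandatory)][string]$Server)

    Get-ServerComponentState -Identity $Server |
        Where-Object { $_.State -ne 'Active' } |
        ForEach-Object {
            $component = $_
            # LocalStates holds one entry per requester that set a state on this server.
            # A component stays Inactive while ANY requester still says Inactive, so the
            # fix must use the same -Requester value shown here (HealthAPI in the post).
            foreach ($entry in $component.LocalStates) {
                [pscustomobject]@{
                    Server    = $Server
                    Component = $component.Component
                    State     = $entry.State
                    Requester = $entry.Requester
                    Timestamp = $entry.Timestamp
                }
            }
        }
}

function Restore-InactiveServerComponent {
    param([Parameter(Mandatory)][string]$Server, [switch]$Commit)

    $inactive = @(Get-InactiveServerComponent -Server $Server | Where-Object { $_.State -ne 'Active' })
    if ($inactive.Count -eq 0) { Write-Host "All components on $Server are Active"; return }

    foreach ($i in $inactive) {
        $msg = "$($i.Component) set $($i.State) by $($i.Requester) at $($i.Timestamp)"

        # 'Maintenance' means someone put the server in maintenance mode on purpose;
        # do not undo that from a script without checking why.
        if ($i.Requester -eq 'Maintenance') {
            Write-Warning "Skipping (maintenance mode): $msg"
            continue
        }

        if ($Commit) {
            Set-ServerComponentState -Identity $Server -Component $i.Component -State Active -Requester $i.Requester
            Write-Host "Reactivated: $msg"
        } else {
            Write-Host "Would reactivate: $msg (re-run with -Commit)"
        }
    }
}

Get-InactiveServerComponent -Server 'EX01' | Format-Table -AutoSize   # 'EX01' is a placeholder
# Restore-InactiveServerComponent -Server 'EX01' -Commit
```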

Office 365: Give one user access to all calendar’s


Firstly, connect to Exchange Online PowerShell as described here:

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps

Then copy and paste this into a PowerShell .ps1 file, e.g. calrights.ps1:

Foreach ($mbx in Get-Mailbox) {
    $calendar = $mbx.Alias + ":\Calendar"
    Add-MailboxFolderPermission -Identity $calendar -User call -AccessRights Reviewer
}

  • USERNAME is the user who gets the specified rights; here it is the user “call” (the -User value).
  • PERMISSION is the permission level (role) you want to give that user (the -AccessRights value). The options are:
    • Author: CreateItems, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
    • Contributor: CreateItems, FolderVisible
    • Editor: CreateItems, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
    • None: FolderVisible
    • NonEditingAuthor: CreateItems, FolderVisible, ReadItems
    • Owner: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderContact, FolderOwner, FolderVisible, ReadItems
    • PublishingEditor: CreateItems, CreateSubfolders, DeleteAllItems, DeleteOwnedItems, EditAllItems, EditOwnedItems, FolderVisible, ReadItems
    • PublishingAuthor: CreateItems, CreateSubfolders, DeleteOwnedItems, EditOwnedItems, FolderVisible, ReadItems
    • Reviewer: FolderVisible, ReadItems

Normally Reviewer is enough, e.g. for a third party who takes telephone calls and needs to check whether a user is busy.

NOTE: if permissions for this user have already been defined on a calendar, this cmdlet will not replace them!
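The script above stops at mailboxes where the user already has an entry and assumes the calendar folder is literally named “Calendar”, which is not true for mailboxes with a non-English language (e.g. “Kalender”). As an added example (not from the post or the linked source), this version looks the default calendar up by folder type, updates existing entries with Set-MailboxFolderPermission instead of failing, and only changes anything when -Commit is given; the function name is mine and “call” is the user from the post.

```powershell
# Added example (not from the post): grant one user a role on every mailbox calendar,
# handling existing permission entries and localized calendar folder names.
function Grant-CalendarRoleToAll {
    param(
        [Parameter(Mandatory)][string]$User,                       # e.g. 'call'
        [ValidateSet('Author','Contributor','Editor','None','NonEditingAuthor',
                     'Owner','PublishingEditor','PublishingAuthor','Reviewer')]
        [string]$AccessRights = 'Reviewer',
        [switch]$Commit                                             # without it, only report
    )

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        if ($mbx.Alias -eq $User) { continue }                     # skip the grantee's own calendar

        # The default calendar is not always named "Calendar", so find it by folder type
        $folder = Get-MailboxFolderStatistics -Identity $mbx.Identity -FolderScope Calendar |
                  Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
        if (-not $folder) { Write-Warning "$($mbx.Alias): no default calendar found"; continue }

        # FolderPath looks like "/Kalender"; the permission cmdlets want "alias:\Kalender"
        $calendar = "$($mbx.Alias):" + ($folder.FolderPath -replace '/', '\')

        # Add-MailboxFolderPermission fails if the user already has an entry, so check first
        $existing = Get-MailboxFolderPermission -Identity $calendar -User $User -ErrorAction SilentlyContinue
        $current  = if ($existing) { $existing.AccessRights -join ',' } else { '' }

        $action = if (-not $existing) { 'Add' }
                  elseif ($existing.AccessRights -contains $AccessRights) { 'AlreadySet' }
                  else { 'Update' }

        if ($Commit) {
            switch ($action) {
                'Add'    { Add-MailboxFolderPermission -Identity $calendar -User $User -AccessRights $AccessRights | Out-Null }
                'Update' { Set-MailboxFolderPermission -Identity $calendar -User $User -AccessRights $AccessRights }
            }
        }

        [pscustomobject]@{
            Mailbox = $mbx.Alias
            Folder  = $calendar
            Current = $current
            Action  = $action
            Applied = ([bool]$Commit) -and ($action -ne 'AlreadySet')
        }
    }
}

# Report first, then apply:
Grant-CalendarRoleToAll -User 'call' -AccessRights Reviewer | Format-Table -AutoSize
# Grant-CalendarRoleToAll -User 'call' -AccessRights Reviewer -Commit | Format-Table -AutoSize
```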

Source: https://www.itjon.com/give-one-user-access-to-everyone-elses-calendar-in-office-365/

Powershell: How to modify login script path


When you decide that the 90’s login script (.bat and .cmd files ;)) has to go, e.g. in favour of GPO drive maps, you can remove it from all AD users with this simple command:

# Remove any login script from all users in the OU.
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=Marketing,DC=martinsblog,DC=local" | Set-ADUser -Clear scriptPath

# Set a login script for all users in the OU.
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "OU=Marketing,DC=martinsblog,DC=local" | Set-ADUser -ScriptPath "\\dc01\netlogon\myscript.bat"

And it’s gone:

Veeam Backup & Replication 9.5 Update 4 released

Sophos UTM: Up2Date 9.601 Released


Today Sophos released UTM 9.601. The release will be rolled out in phases.

In phase 1 you can download the update package from their FTP server; in phase 2 they will distribute it via their Up2Date servers.

Download here:

ftp://ftp.astaro.de/UTM/v9/up2date/u2d-sys-9.600005-601005.tgz.gpg

Up2Date Information

News

  • Maintenance Release

Remarks

  • System will be rebooted
  • Configuration will be upgraded
  • Connected REDs will perform firmware upgrade

Issues Resolved

  • NUTM-10492 [AWS] UTM on AWS Auto-scaling: Sync log setting to worker nodes
  • NUTM-9746 [AWS] Standby UTM on AWS sending un-encrypted daily backups
  • NUTM-9846 [AWS] IAM policy missing permission which causes conversion to fail
  • NUTM-9675 [Access & Identity] Bypass Users doesn’t work for AD backend group with users
  • NUTM-9838 [Access & Identity] SSL VPN connection through Webproxy not possible
  • NUTM-10018 [Basesystem] MiddleWare starting up time takes long when having lots of multipath routes
  • NUTM-10164 [Basesystem] Delay in accessing internal services after users connect to the remote access SSL VPN
  • NUTM-10183 [Basesystem] Patch OpenSSL (CVE-2018-0732)
  • NUTM-10280 [Basesystem] cURL: NTLM Authentication Code Buffer Overrun Vulnerability (CVE-2018-14618)
  • NUTM-10306 [Basesystem] syslog-ng requiring huge amounts of memory over time
  • NUTM-9660 [Basesystem] DHCP vulnerability (CVE-2018-5732 and CVE-2018-5733)
  • NUTM-9976 [Basesystem] SG115 rev3 HA eth3 interface flapping
  • NUTM-9648 [Documentation] Static route not applying when configuring Bind tunnel to local interface on IPsec connection
  • NUTM-9712 [Documentation] ATP exception doesn’t work as expected
  • NUTM-9872 [Documentation] Incorrect documentation for ReportAuditor rights
  • NUTM-10078 [Email] Help text in quarantine mail truncated in Outlook
  • NUTM-10112 [Email] User portal users still able to put senders on Whitelist even if Whitelist is disabled
  • NUTM-10186 [Email] S/MIME signed mails have an invalid signature if 3rd party CA is used
  • NUTM-10266 [Email] Wrong URL for Antispam IP reputation-check
  • NUTM-10346 [Email] High CPU usage from smtp due to deadlock/timeout
  • NUTM-10400 [Email] Coredump of SMTPD.BIN
  • NUTM-10440 [Email] SPX encryption doesn’t work in case the sender address contains a “/”
  • NUTM-9787 [Email] SMTPD core dumps with signal SIGABRT
  • NUTM-10250 [Network] DNS Group Objects filling up with old IP addresses
  • NUTM-10592 [Network] PPPoE connection fails after HA upgraded to 9.6
  • NUTM-10168 [RED] REDs are displayed as “offline” even though the tunnel is working
  • NUTM-10470 [RED] No traffic goes through RED Tunnel when compression is enabled
  • NUTM-10325 [WAF] 500 Internal Server Error if max scan size limit is disabled
  • NUTM-10419 [WAF] “Web Application Protection Auditor” permission is not sufficient to load Advanced Certificates tab
  • NUTM-10133 [WebAdmin] Ping over interface does not work on VDSL PPPoE interface
  • NUTM-10273 [WebAdmin] Webadmin session will be interrupted with pop-up “Backend connection failed”
  • NUTM-9569 [WebAdmin] If an interface is deleted which is used in a policy route, it can cause a network outage
  • NUTM-10244 [Web] AFC skip user/group specific rule if the user surfs through the HTTP Proxy although the ipset exist
  • NUTM-10285 [Web] urid service restarting intermittently
  • NUTM-10390 [Web] Huge HTTP logs because of “epoll_read_until: Transport endpoint is not connected”
  • NUTM-10409 [Web] HTTP Proxy segfaults, coredumps
  • NUTM-10500 [Web] HTTP “epoll_read_until: Transport endpoint is not connected” logs still growing after patch
  • NUTM-4256 [Web] Sandboxd selfmon check sends wrong notification
  • NUTM-9968 [Web] AD SSO Transparent Proxy redirects websites to User Portal

Source:

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-601-released


Sophos XG Firewall: SFOS 17.5 MR3 Released


Hooray, finally we have support for the new APX-series access points 🙂

I’ve had mine lying around for two months now, so I’m looking forward to getting it up and running 🙂

Sophos has finished SFOS v17.5.3 MR3. This release is available in stages. In the first stage it is available at MySophos. Then they start with a small number of slots and increase those over time. Later it will be available to all other installations as well.

Please see the following link for further information regarding upgrade – KBA 123285 Sophos Firewall: How to upgrade the firmware.

What’s New in XG Firewall v17.5 MR3

Airgap Support

Enables updates to XG Firewalls deployed in environments that are physically isolated from the internet. Protection patterns, licenses, and firmware updates can be applied from a USB storage device.

Manual Protection Pattern Update

Enables security pattern updates, client software updates, and firmware updates for access point and RED devices to be uploaded from a file via the XG Firewall management console.

APX Series Wireless Access Point Support

Support for our new APX 320, 530, and 740 wireless access points with 802.11ac Wave 2, offering 2-3x the performance and added device density over our legacy AP Series models.

  • APX 740: Flagship 4×4:4 access point with high-density, high-capacity for the mid-market enterprise
  • APX 530: High performance 3×3:3 access point for typical office environments of all sizes
  • APX 320: 2×2:2 Dual 5 GHz based access point, perfect for tablets/phones, high-density environment in education, small retail scenarios

Broader Backup/Restore Support

Support for Migration to XG Series Hardware. Backups from XG Firewall running on SG Series devices can now be restored to XG Series devices.  In addition, backups from Cyberoam CROS and SFOS backups can be restored to XG Series devices without any manual conversion.

Improved Cyberoam Firewall Rule Migration Compatibility

Firewall rules will be automatically grouped based on source and destination zone when migrating to XG Firewall for consistency.

DHCP Client on Bridge Interface Support

Bridge interfaces can now receive IPv4/IPv6 addresses and DNS information via DHCP, like standard Ethernet interfaces.

Recipient verification using Active Directory lookup

Administrators can verify recipient email addresses against a configured Active Directory and reject emails to non-existent users.

Issues Resolved

  • NC-29354 [API] Response for xmlapi get for SyslogServer is missing some value
  • NC-29808 [API] API Authentication should be case insensitive
  • NC-35920 [API] Wrong XML is generated for client-less users when username added with capital letter
  • NC-30616 [Authentication] Guest username/id and passwords are changed after migration
  • NC-33449 [Authentication] Group name showing under “undefined” during AD group import
  • NC-35923 [Authentication] XML export of guest users contains wrong information of user validity
  • NC-38607 [Authentication] Provide a JSON config download for GSuite in the XG UI
  • NC-39026 [Authentication] Chromebook Support port is missing in port validation opcode
  • NC-39106 [Authentication] Access_server is restarted due to missing service heartbeat
  • NC-30365 [Base System] Fix error message for new firmware check on auxiliary device
  • NC-37824 [Base System] SFM/CFM – at device dashboard AV version shows as 0
  • NC-38546 [Base System] Fix log message for scheduled backup and update message
  • NC-39177 [Base System] Garner – sigsegv_dump: Segmentation Fault
  • NC-39179 [Base System] Customization of captive portal not working
  • NC-39688 [Base System] Virtual firewall reboots after applying license
  • NC-40157 [Base System] Garner service stopped with sigsegv_dump: Segmentation Fault
  • NC-40268 [Base System] Not able to access HA device via Central Management
  • NC-38469 [Email] Increase csc monitor time for avd service
  • NC-38521 [Email] Add support for recipient verification via AD using STARTTLS
  • NC-39827 [Email] Improve documentation for mail spool and SMTP policies
  • NC-35434 [Firewall] csc worker gets killed causing errors in port forwarding
  • NC-35521 [Firewall] Import of exported config does not recreate the device access permissions correctly
  • NC-38318 [Firewall] XML change and revert details are not generated for “firewall group” entity when create firewall rule from SFM device Level
  • NC-39316 [Firewall] Group edit fail when user edit existing group and new name have double space
  • NC-39605 [Firewall] Modifying one time schedules fails, if timer has already triggered
  • NC-40080 [Firewall] Improve UI and help for group creation based on EAP feedback
  • NC-29296 [IPsec] Charon doesn’t reconnect in all cases
  • NC-29365 [IPsec] IPSec tunnel fails when there are whitespaces at the begin or end of the PSK
  • NC-30599 [IPsec] Checkboxes on IPSec UI pages do not work using Safari
  • NC-38824 [IPsec] Spelling error in message when IPSec cannot be established
  • NC-38946 [IPsec] Child SA going down randomly with Checkpoint IPSec connection
  • NC-38603 [nSXLd] Custom URL web category list stopped working after updating to v17.1MR2
  • NC-38958 [Reporting] Smart search filter is not working properly for “is not” filter in log viewer
  • NC-39530 [Reporting] Logo is too close to the name of the report page
  • NC-39770 [Reporting] ‘Context’ column getting removed after click on Reset to default for web content policy logs
  • NC-39479 [Sandstorm] Dashboard message not correct for Single Scan Avira with Sandstorm
  • NC-35750 [SecurityHeartbeat] Heartbeat widget not displayed on slave node when registered
  • NC-38778 [SNMP] Unable to fetch the value for particular OID in SNMP server
  • NC-35490 [Synchronized App Control] Application are not classified in Synchronized Application Control list
  • NC-32342 [UI Framework] Restrict number of connection from particular IP at a particular time
  • NC-39078 [UI Framework] Update Apache Commons Collections (CVE-2015-7501, CVE-2015-6420, CVE-2017-15708)
  • NC-39081 [UI Framework] Update Apache Commons FileUpload (CVE-2016-3092, CVE-2016-1000031)
  • NC-39910 [UI Framework] Policy Tester is not working via Central Management
  • NC-38295 [WAF] WAF Rules not working after HA takeover
  • NC-31388 [Web] URL Category Lookup doesn’t allow punycode-encoded domain names
  • NC-31485 [Web] Skipping sandbox check is not being exported in the XML for WebFilterException
  • NC-35585 [Web] Only 10 cloud applications are listed if the screen resolution is 2560*1440 or higher
  • NC-36320 [Web] AppPolicy becomes DenyAll if all “characteristics” and any classification selected

Download

To manually install the upgrade, you can find the firmware for your appliance at MySophos portal. Please see the following KBA – Sophos Firewall: How to upgrade the firmware: KBA 123285.

Notepad: F5 and .LOG??


A colleague of mine showed me this simple trick!

You may, like me, use Notepad for documentation in troubleshooting scenarios or other time-sensitive logging incidents, and often type the date and time into it. But hey, try running Notepad and pressing “F5” and see what happens! 🙂

And if you want the file to be “marked” with time and date, just add “.LOG” at the beginning of it, then save and reopen, and watch the magic 😉

Long live the lazy people 🙂

Find IP address from MAC address


When you set up a new device, e.g. a network switch, it will eventually get an IP from the DHCP server, and then you need to find out which IP it got so you can configure it.

There are several ways to do this:

  1. Look in your DHCP server’s log files for a lease that matches the MAC address of the device.
  2. A network scanner, e.g. SoftPerfect Network Scanner, which can resolve MAC addresses.
  3. Simple: the command prompt!

Here I will show you how to use the command prompt.

Let’s say your network is 10.210.3.0; with a /24 subnet (255.255.255.0) the broadcast address is 10.210.3.255.

Open a command prompt and type:

ping 10.210.3.255

You will not get a response, but wait until all four pings have timed out!

Then type this:

arp -a

You should now be able to find the MAC address of your device in the list, with its IP to the left 😉
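As an added example (not from the post), here is the same procedure as PowerShell: it pings the broadcast address, parses the arp -a output and matches the MAC however it was written (colons, hyphens or Cisco dotted notation). The function names are mine, and the sample ARP table at the end is constructed so the parser can be exercised offline.

```powershell
# Added example (not from the post): automate "ping broadcast, then arp -a" and match a MAC.
function ConvertTo-MacKey {
    # Normalizes any MAC notation to 12 lowercase hex digits for comparison
    param([Parameter(Mandatory)][string]$Mac)
    $key = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($key.Length -ne 12) { throw "Not a 48-bit MAC address: '$Mac'" }
    $key
}

function ConvertFrom-ArpTable {
    # Parses the lines printed by Windows 'arp -a' into objects (works on captured text, too)
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines)
    process {
        foreach ($line in $Lines) {
            # e.g. "  10.210.3.47   3c-52-82-aa-bb-cc   dynamic"
            if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\w+)') {
                [pscustomobject]@{
                    IPAddress  = $matches[1]
                    MacAddress = $matches[2].ToLower()
                    Type       = $matches[3]
                    MacKey     = ConvertTo-MacKey $matches[2]
                }
            }
        }
    }
}

function Find-IPByMac {
    param(
        [Parameter(Mandatory)][string]$MacAddress,
        [Parameter(Mandatory)][string]$BroadcastAddress     # e.g. 10.210.3.255 for 10.210.3.0/24
    )
    $wanted = ConvertTo-MacKey $MacAddress

    # The broadcast ping gets no replies, but it makes every host on the segment answer ARP,
    # which populates the local cache that 'arp -a' prints.
    & ping.exe -n 4 $BroadcastAddress | Out-Null

    $hits = @(& arp.exe -a | ConvertFrom-ArpTable | Where-Object { $_.MacKey -eq $wanted })
    if ($hits.Count -eq 0) { Write-Warning "No ARP entry for $MacAddress; is the device on this segment?" }
    $hits | Select-Object IPAddress, MacAddress, Type
}

# Constructed sample of 'arp -a' output, so the parser can be checked without a network
$sampleText = @'
Interface: 10.210.3.10 --- 0xb
  Internet Address      Physical Address      Type
  10.210.3.1            00-1a-2b-3c-4d-5e     dynamic
  10.210.3.47           3c-52-82-aa-bb-cc     dynamic
  10.210.3.255          ff-ff-ff-ff-ff-ff     static
'@
$sample = $sampleText -split "`r?`n"
$sample | ConvertFrom-ArpTable | Where-Object { $_.MacKey -eq (ConvertTo-MacKey '3C:52:82:AA:BB:CC') }

# Live use: Find-IPByMac -MacAddress '3C:52:82:AA:BB:CC' -BroadcastAddress 10.210.3.255
```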


FSLogix for everyone!


Hooray! With Microsoft’s announced acquisition of FSLogix, many companies can benefit from using FSLogix, which is now included in many Office 365 plans:

FSLogix may be used when you have one of the following licenses:

  • Microsoft 365 E3/A3
  • Microsoft 365 E5/A5
  • Microsoft F1, Business
  • Windows 10 Enterprise E3/E5
  • Windows 10 Education A3/A5
  • Windows 10 VDA per user
  • Remote Desktop Services (RDS) CAL


Read more here:

http://microsoftplatform.blogspot.com/2019/03/fslogix-for-everyone.html

Sophos UTM: Issue with 9.601 and new RED Unified Firmwares!


After upgrading to UTM 9.601, all RED devices perform a firmware update. This also introduces a major change in the firmware, the new “unified firmware”: since Sophos has both UTM and XG, they want the two products to use the same RED firmware so that only one package needs to be maintained.

Unfortunately some RED devices run badly, stop working and even break!

For now there is no solution, just a workaround, which is NOT SUPPORTED on your UTM if you do this yourself, but it can be done with these commands from the SSH shell:

From su -:

cc get red use_unified_firmware

If the value returned is 1:

cc set red use_unified_firmware 0

The REDs will update and reboot.

After this, the RED devices are running the old firmware and are stable again.

I made this thread in the community about the troubleshooting. Sophos Support has confirmed this to be a bug and is currently working on a solution!

https://community.sophos.com/products/unified-threat-management/f/remote-ethernet-device-red/111304/utm-9-601—red-issues

Sophos UTM: How to reboot specific Sophos Access Point


From within the WebAdmin of the UTM you cannot reboot an access point, but from SSH it is possible via the awetool command:

  1. Log into the command line interface (CLI) as follows:
    1. Enter the user name: loginuser
    2. Enter the loginuser password
    3. Type su for superuser
    4. Enter the root password
  2. Type the following command to connect to the Access Point’s console from the UTM’s console: awetool (Note: this command can only be used after a successful login as root.)
  3. The following screen appears. Some users may need to select “Add firewall rule” to allow SSH traffic to the access point.
  4. Select option 1 to list the available APs.
  5. Select the AP you would like to reboot.
  6. Click OK.
  7. The screen below appears; type y to connect to the AP.
  8. You are now connected to the AP.
  9. Type the command reboot to restart the AP.

Source: https://community.sophos.com/kb/en-us/133638

Sophos XG: How to reboot a XG managed Sophos Access Point


As with the UTM, it is also possible to reboot specific access points from the XG with the awetool command:

  1. Log into the command line interface (CLI) as follows:
    1. Log in with the username: admin
    2. Enter the admin password
    3. Use option 5 for Device Management
    4. Use the option for Advanced Shell
  2. Type the following command to connect to the Access Point’s console from the XG’s console: awetool
  3. The following screen appears:
  4. Select option 1 to list the available APs.
  5. Select the AP you would like to reboot.
  6. Click OK.
  7. The screen below appears; type y to connect to the AP.
  8. You are now connected to the AP.
  9. Type the command reboot to restart the AP.

Source: https://community.sophos.com/kb/en-us/133686


Sophos XG: SFOS 17.5 MR4 Released


Sophos has finished SFOS v17.5.4 MR4. It’s a smaller update, and my APX access points turned RED after the reboot. The only thing that fixed that was to pull the plug on the APs, and they all went green again 😉

This release is available in stages. In the first stage it will be available at MySophos. Sophos will then start with a small number of slots and increase those over time. Later it will be available to all other installations as well.

Please see the following link for further information regarding the upgrade – KBA 123285 Sophos Firewall: How to upgrade the firmware.

What’s New in XG Firewall v17.5 MR4

Backup Encryption

Encryption of backup files can now use a personal password key for enhanced security.

Certificates

Ability to upload and use an EC certificate as the HTTPS scanning CA.

Chromebook Authentication

There’s now an option to generate the application configuration file from within the XG Firewall console to import into GSuite. It can be found under Authentication > Services > “Download GSuite App Config”.

Notification

Improved and expanded firewall notification via email.

PIM-SM

Added GRE and RED interface support for PIM-SM.

Web

Support for DHE key exchange cipher suites with HTTPS scanning.


Issues Resolved

  • NC-28883 [Authentication] Able to change group membership of backend users when authserver doesn’t exist anymore
  • NC-38834 [Authentication] access_server service getting restarted due to heartbeat found dead
  • NC-39735 [Authentication] User under an OU falls under OPEN GROUP upon authentication
  • NC-40072 [Authentication] Not able to delete surfing quota profile, delete opcode search for accesspolicyid instead of surfingquotapolicyid
  • NC-40945 [Authentication] Failed and successful Logins at the same time
  • NC-42329 [Authentication] Unable to upgrade from v17.1 MR4 to v17.5 GA
  • NC-34479 [CSC] Virtual XG randomly rebooting – snort using up all swap
  • NC-39990 [DHCP] When statically assigning an IP to a devices on multiple DHCP scopes, the gateway settings are pulled from the first one
  • NC-34039 [Email] Websites are blocked by Sophos AV because of reason “Malware”
  • NC-38555 [Email] File Protection can’t block MIME type doc
  • NC-38840 [Email] Unable to delete a particular email which was quarantined
  • NC-40071 [Email] GUI option for offline relate on/off for inbound mails
  • NC-40131 [Email] Mail downloaded from error queue doesn’t get displayed properly in mail client
  • NC-40364 [Email] Personal email exception manipulation by other authenticated users
  • NC-40389 [Email] Mails released from spool get an incorrect firewall rule ID
  • NC-40666 [Email] Coredump in mailscanner
  • NC-41061 [Email]  SPX encryption leads to “carriage return and line feed” in attachments
  • NC-41574 [Email] SPF should get applied on inbound mail sent from protected domain to protected domain from internet
  • NC-41862 [Email] Mail log on GUI does not show delivered mails
  • NC-42409 [Email] Bounce back mail due to recipients having MX records which point directly to an IP
  • NC-43353 [Email] smtpd behavior is different from 17.1 to 17.5 (without subscription)
  • NC-43703 [Email] Warren service unable to load EC type CA certificate.
  • NC-35350 [Firewall] PPPoE interface status remains in status “Connecting” for 2 hours
  • NC-39522 [Firewall] Network protection options in setup wizard of XG are misleading
  • NC-39605 [Firewall] Modifying one time schedules fails, if timer has already triggered
  • NC-39907 [Firewall] API command to enable SpoofProtection is not working
  • NC-40176 [Firewall] Firewall rule is listed in business application rule destination network objects
  • NC-40622 [Firewall] Incomplete MAC address shown in Log Viewer
  • NC-41316 [Firewall] Update country host DB
  • NC-41389 [Firewall] HA – system doesn’t send out garp upon failover
  • NC-41632 [Firewall] Business Rule – port translation not working as expected
  • NC-41652 [Firewall] Unable to delete vlan interface – “Interface could not be deleted”
  • NC-42342 [Firewall] One time timer are executed before expected time
  • NC-39813 [FQDN] Unable to use underscore in FQDN host creation
  • NC-37771 [Hotspot] Duplicate vouchers in export files
  • NC-38004 [Hotspot] Hotspot password of the day is not getting reflected into run time config
  • NC-38120 [IPsec] L2TP over IPsec is sending keepalives forever
  • NC-38746 [IPsec] S2S connection is not initiated after DHCPv6 interface update
  • NC-39267 [IPsec] IE11: cannot create and update IPsec policy
  • NC-41299 [IPsec] IPsec SA is updated with incorrect SA information
  • NC-42099 [IPsec] Sophos Connect Client cannot connect to Sophos Connect Client policy using digital certificates
  • NC-42290 [Licensing] Additional CPU cores not detected in v17.5  after license upgrade (NC-26328)
  • NC-40282 [Logging Framework] High CPU usage from garner / active.db grows continuously
  • NC-34323 [RED] HA active-active routing issue over RED S2S tunnel
  • NC-42159 [RED] Validation of provisioning file failed
  • NC-40444 [RED_Firmware] Tunnel compression does not work
  • NC-38899 [Reporting] Scheduled custom mail reports received via email does not show the mail size
  • NC-40303 [Reporting] Log Viewer is not loading new logs after screen unlock
  • NC-40983 [Reporting] Follow-up for NC-26459: Reports for “Traffic Insight” not shown on dashboard
  • NC-41788 [Reporting] Unable to upload custom logo
  • NC-41232 [SecurityHeartbeat] Heartbeat status on XG showing “at risk” instead of “green”
  • NC-36776 [Synchronized App Control] New Apps number doesn’t match the displayed list entries
  • NC-37423 [Synchronized App Control] SAC Tab fails to load for high number of EPs and APPs
  • NC-37815 [UI Framework] Guest User expiration is not correctly ordered
  • NC-40158 [WAF] Disable TLS session tickets
  • NC-34088 [Web] Application control shows blocked applications when they are not blocked
  • NC-38892 [Web] Inappropriate description in web category for “Society & Culture”
  • NC-39517 [Web] Webfilter memory usage is growing over time and not going down
  • NC-39817 [Web] Application filtering using “Smart Filter” filter disappear randomly
  • NC-40265 [Web] Unable to run web policy test for generic top level domains
  • NC-40503 [Web] Web filter policies not getting updated after CR to SFOS migration
  • NC-42264 [Web] Garner on Aux node dead after upgrade to v17.5
  • NC-43056 [Web] Policy tester activities shows junk characters in result with file download is blocked
  • NC-38368 [Wireless] APs randomly going to INACTIVE STATE
  • NC-38868 [Wireless] Time based scan with DCS is not showing after configuration for 5.0Ghz
  • NC-39840 [Wireless] Wireless interface going to UNPLUGGED STATE
  • NC-39986 [Wireless] 5 Ghz band is not available in AP setting while country set to Qatar
  • NC-40091 [Wireless] Disable TCP Segmentation Offload for separate zone interface
  • NC-38085 [WWAN] Unable to detect 4G USB Modem D-Link DWM-222 A1 on XG 125 and XG 85 with HW Rev.3

Download

To manually install the upgrade, you can find the firmware for your appliance at MySophos portal. Please see the following KBA – Sophos Firewall: How to upgrade the firmware: KBA 123285.

Sophos XG: SF 17.5 MR4-1 released


After installing 17.5 MR4 you will see that there are issues with the Sophos Connect client. This has been fixed in MR4-1, which has just been released; here is the note from the community:

Update: Due to an issue in IPSec in combination with Sophos Connect, we had to replace the initial SF 17.5 MR4 (17.5.4.409) with SF 17.5 MR4-1 (17.5.4.429). The new firmware is available for download from your MySophos account.

Office 365/Azure: Force sync from Azure AD Connect to Office 365/Azure


Azure AD Connect (AAD Connect) sync runs every 30 minutes. There are some situations where you may want to force it earlier, e.g. when you have created a new user on-premises and need it synced to the cloud ASAP. Luckily this is easy through PowerShell: log on to the server where AAD Connect is installed and type the following to import the AAD Connect PowerShell module:

Import-Module ADSync

Now, to check the settings of the scheduler and see whether it is already syncing:

Get-ADSyncScheduler

To force a delta sync (only changes since the last sync), type:

Start-ADSyncSyncCycle -PolicyType Delta

Check that it started (run Get-ADSyncScheduler again):

If you want to force an initial (full) sync, type this:

Start-ADSyncSyncCycle -PolicyType Initial

Then wait until “SyncCycleInProgress” is “False” again, and you should see the changes applied in the cloud 😉
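As an added example (not from the post), this wraps the steps above into one function that waits for any running cycle to finish first (Start-ADSyncSyncCycle errors out otherwise), starts the requested cycle, polls Get-ADSyncScheduler until SyncCycleInProgress is False, and warns when the server is in staging mode, where nothing is exported to the cloud. The function name and timeouts are my own choices.

```powershell
# Added example (not from the post): trigger an AAD Connect sync cycle and wait for it to finish.
Import-Module ADSync

function Start-ADSyncAndWait {
    param(
        [ValidateSet('Delta','Initial')][string]$PolicyType = 'Delta',
        [int]$TimeoutSeconds = 900,
        [int]$PollSeconds = 10
    )

    $scheduler = Get-ADSyncScheduler

    # In staging mode nothing is exported to Azure AD, so a forced sync changes nothing in the cloud
    if ($scheduler.StagingModeEnabled) {
        Write-Warning 'This server is in staging mode; exports to Azure AD are disabled.'
    }

    # Start-ADSyncSyncCycle fails if a cycle is already running, so wait for that one first
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ($scheduler.SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw 'Timed out waiting for the running sync cycle to finish' }
        Write-Host 'A sync cycle is already in progress, waiting...'
        Start-Sleep -Seconds $PollSeconds
        $scheduler = Get-ADSyncScheduler
    }

    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
    $started = Get-Date
    Write-Host "$PolicyType sync cycle started at $started"

    # Give the cycle a moment to register as in progress, then poll until it is done
    Start-Sleep -Seconds 5
    do {
        $scheduler = Get-ADSyncScheduler
        if (-not $scheduler.SyncCycleInProgress) { break }
        if ((Get-Date) -gt $deadline) { throw "Sync cycle still running after $TimeoutSeconds seconds" }
        Start-Sleep -Seconds $PollSeconds
    } while ($true)

    [pscustomobject]@{
        PolicyType       = $PolicyType
        Started          = $started
        Finished         = Get-Date
        DurationSeconds  = [int]((Get-Date) - $started).TotalSeconds
        NextScheduledRun = $scheduler.NextSyncCycleStartTimeInUTC
        StagingMode      = $scheduler.StagingModeEnabled
    }
}

Start-ADSyncAndWait -PolicyType Delta
```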

Office 365 ProPlus will no longer be supported on the new Windows Server 2019 RDS!!


Yes, you read that right!

What reasons Microsoft had in their heads when stating this is unclear to me 🙁

Here are some articles about it:

Greymatter:
https://www.greymatter.com/corporate/news/microsoft-drop-office-365-proplus-support-windows-server-2019-rdsh/

Comparex/SoftwareOne:
https://comparex.com/en/blog/all-articles/2019/01/17/microsoft-office-365-proplus-on-windows-server-2019

Office 365 UserVoice:
https://office365.uservoice.com/forums/264636-general/suggestions/35642482-office-365-support-for-windows-server-2019?page=1&per_page=20

What to do?? (Greymatter):

  • Run Windows Server 2016 (or a prior version until its support end date) rather than Windows Server 2019. Microsoft have extended Office 365 ProPlus support on Windows Server 2016 from January 2020 until October 2025.
  • Use Windows Virtual Desktop (WVD) on Azure, which offers multi-user Windows 10 session capabilities and will support Office 365 natively; this is expected to be released in the first quarter of 2019.
  • Companies using Microsoft products to deliver their hosted Software Services to customers can use Office ProPlus licensed under Microsoft SPLA; other licensing agreements don’t permit installation of Office on shared 3rd-party cloud VMs.
  • Run Office locally on the users’ PCs rather than on Windows Server 2019 RDSH.

Hooray – NOT!!….

Sophos UTM: UP2DATE 9.602-3 released

Sophos has released 9.602-3, fixing some problematic bugs. Here are the release notes:

Up2Date 9.602003 package description:

Remarks:
System will be rebooted
Configuration will be upgraded
Connected REDs will perform firmware upgrade

News:
Maintenance Release

Bugfixes:
Fix [NUTM-9877]: [Access & Identity] Configurable RADIUS timeout for L2TP over IPsec
Fix [NUTM-10728]: [Access & Identity] Race condition on configuration change of RED device
Fix [NUTM-10190]: [Basesystem] CVE-2018-15473: OpenSSH username enumeration
Fix [NUTM-10362]: [Email] MIME type detection doesn’t work as expected – header Content-Type always considered
Fix [NUTM-10480]: [Email] Mail Based XSS in Sophos UTM 9
Fix [NUTM-10484]: [Email] POP3 Proxy stops working sometimes
Fix [NUTM-10545]: [Email] Update SPX placeholder description
Fix [NUTM-10521]: [Logging] /tmp partition getting full when using livelog
Fix [NUTM-10291]: [Network] DNS Host object not updated/unresolved
Fix [NUTM-10460]: [Network] GeoIP dropping traffic from allowed region
Fix [NUTM-10537]: [Network] Additional IP address on a bridge interface exist in back-end even after deleting it
Fix [NUTM-10536]: [RED] Wifi traffic on the internal RED15w AP is always routed through the RED tunnel
Fix [NUTM-10594]: [RED] RED50 disconnects randomly
Fix [NUTM-10595]: [Sandstorm] Sandbox Activity Tab not accessible due to license error
Fix [NUTM-10852]: [Sandstorm] Sandboxd complaining on missing column in database/sqlite
Fix [NUTM-10626]: [WAF] Let’s Encrypt certificate renewal fails because of failing terms of service check
Fix [NUTM-10644]: [WAF] mod_session_cookie does not respect expiry time (CVE-2018-17199)
Fix [NUTM-10661]: [WAF] SSL redirect broken for wildcard certificates
Fix [NUTM-10322]: [Web] Proxy crash with coredump on UTM 9.508
Fix [NUTM-10633]: [Web] New web templates for content warn does not work in 9.6
Fix [NUTM-10657]: [Web] httpproxy uses up all CPUs in peak hours, resulting in slow browsing
Fix [NUTM-10668]: [Web] Quota relevant web page are accessible when using AD SSO
Fix [NUTM-10758]: [Web] Application Control – Skiplist not working for destination IP
Fix [NUTM-10546]: [Wireless] Updating to 9.6 GA with REDw devices causes corrupt payload and AP becomes inactive

RPM packages contained:

Community link:

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-602-released

I will keep you posted, when I get to work next week, on whether the RED issues are fixed!
