Sophos UTM on AWS

Quick Start Guide

Document date: Thursday, October 26, 2017

The specifications and information in this document are subject to change without
notice. Companies, names, and data used in examples herein are fictitious unless oth
erwise noted. This document may not be copied or distributed by any means, in whole or
in part, for any reason, without the express written permission of Sophos Limited. Trans
lations of this original manual must be marked as follows: "Translation of the original
manual".
© 2017 Sophos Limited. All rights reserved.
http://www.sophos.com
Sophos UTM, Sophos UTM Manager, Astaro Security Gateway, Astaro Command Center,
Sophos Gateway Manager, Sophos iView Setup and WebAdmin are trademarks of Sophos
Limited. Cisco is a registered trademark of Cisco Systems Inc. iOS is a trademark of
Apple Inc. Linux is a trademark of Linus Torvalds. All further trademarks are the property
of their respective owners.

Limited Warranty
No guarantee is given for the correctness of the information contained in this document.
Please send any comments or corrections to [email protected].
Contents
1 Introduction 5

2 Overview 6

3 Deployment Model 7

3.1 Stand Alone 7

3.2 Stand Alone with HA (Cold and Warm Standby) 7
3.3 Auto Scaling 8
4 Amazon Machine Image 10

4.1 PAYG vs BYOL 10

4.2 EC2 Key Pair 11
5 UTM Subscription 12

5.1 Delivery Methods 12

5.1.1 Single AMI 12
5.1.2 CloudFormation Console (Stand Alone) 13
5.1.3 CloudFormation Console (Auto Scaling) 15
5.1.4 CloudFormation Outputs 17
5.1.5 CloudFormation Resources 17
5.2 AWS Marketplace Product Support Connection 17
6 Stand Alone Configuration 19

6.1 Connect to Your Sophos UTM (Single AMI) 19

6.2 Connect to Your Sophos UTM (CloudFormation Console) 20
6.3 License Your Sophos UTM 20
6.4 Configure HA (optional) 21
7 Auto Scaling Configuration 25

7.1 Connect to Your Sophos UTM (Auto Scaling) 25

7.2 License Your Sophos UTM 25
7.3 Create an Internal Load Balancer 26
7.4 Configure the UTM WAF 27
Contents

7.5 Outbound Gateway for AWS 28

7.5.1 Deploy Gateway via Resource Manager 30
7.5.2 Fallback Scenarios 33
8 Stop Using Sophos UTM (optional) 35

8.1 Terminate an Instance 35

8.2 Delete CloudFormation Stack 35
9 Sophos AWS Information 37

iv Sophos UTM on AWS

1 Introduction
Sophos UTM on AWS has been designed with AWS Cloud Architecture and AWS
Security Best Practice Guidance in mind. Our aim is to help customers with their AWS
Shared Security responsibilities and to conform to AWS recommendations on design
ing fault tolerant and scalable Cloud architectures. Full guidance on AWS Architecture
and Cloud security is out of scope for this document, but AWS provides very detailed
information on its own sites:
l https://aws.amazon.com/security/
l https://aws.amazon.com/architecture/
l https://aws.amazon.com/partners/

The goal of this document is to help customers quickly deploy and configure Sophos
UTM on AWS.
2 Overview
Sophos UTM on AWS is designed to easily deploy into AWS and provide you with secur
ity tools like NextGen Firewall, Intrusion Prevention System (IPS), Web Application Fire
wall (WAF), Web Protection, and Virtual Private Network (VPN) connections. UTM can
be deployed on a single Amazon Elastic Compute Cloud (EC2) instance, in High Avail
ability (HA) scenarios across AWS Availability Zones (AZs), and supports Auto Scaling
with Elastic Load Balancing (ELB) to distribute traffic across multiple UTMs.
UTM provides this protection by using multiple integrated security applications to scan
both inbound and outbound traffic to identify malware, potential threats, and anom
alies. This all-in-one security approach avoids the need for installing and paying for
multiple security products to protect your environment, which helps save on costs and
simplifies deployment.
l NextGen Firewall controls which augment or replace the AWS Security Groups
and/or Network Access Control Lists (NACLs)
l Inline Network IPS that provides deep packet inspection with signatures auto
matically updated by Sophos Labs
l VPN Gateway functionality to securely connect remote users and locations
l Integrated WAF with Reverse Authentication Support
l Outbound Web Security Controls to secure, protect and control connections from
EC2 Instances and Amazon WorkSpaces

UTM is built to provide advanced security without requiring expert level knowledge.
Designed to be useable and intuitive, UTM offers an easy to deploy and use suite of
security tools to secure and protect your AWS environment.
3 Deployment Model

3 Deployment Model
Before starting with UTM, choose the deployment method for AWS.
Sophos UTM on AWS supports three deployment models that include:
l Stand Alone (no redundancy)
l Stand Alone with HA (cold and warm standby)
l Auto Scaling for inbound and outbound traffic

3.1 Stand Alone

In this model, UTM is deployed on an EC2 instance into a single Availability Zone (AZ).
Typically customers configure all traffic to route in and out of UTM as the perimeter
gateway their Virtual Private Cloud (VPC). Sophos does not recommend this deploy
ment model.

3.2 Stand Alone with HA (Cold and Warm

Standby)
In this model, UTM is deployed on a primary EC2 instance in a single Availability Zone
(AZ) with a secondary EC2 instance in a different AZ. Using AWS CloudFormation,
Amazon Simple Storage Service (S3), and Health Checks for Auto Scaling instances,
UTM leverages AWS services to determine the status of the primary EC2 instance. If
the primary EC2 instance fails a health check, the Auto Scaling group transfers the
Elastic IP Address and all configuration settings stored in S3 over to the secondary
EC2 instance in a different AZ. You can select between cold standby (secondary EC2
instance has not been started) and warm standby (secondary EC2 instance is running
in parallel with the primary EC2 instance but not actively inspecting traffic).

7 Sophos UTM on AWS

 3 Deployment Model

Figure 1 Stand Alone with HA

3.3 Auto Scaling

In this model, UTM is deployed via three EC2 instances: one UTM controller and two
UTM workers (sometimes referred to as Queen and Swarm) that will scale depending
on your traffic. The UTM controller resides in an Auto Scaling group and stores con
figuration details, logs, and reports to an S3 bucket. The UTM controller uses the S3
bucket to restore configuration in the event that the EC2 instance is terminated and
also provides configuration details to UTM workers. The UTM workers reside in another
Auto Scaling group, typically behind an external Elastic Load Balancing (ELB) Classic
Load Balancer, and inspect all inbound traffic. The UTM workers pull down UTM con
figuration settings from S3 upon boot, if they receive a configuration change noti
fication via the Amazon Simple Notification Service (SNS), or when they scale out
depending on the traffic.
Auto Scaling UTM also offers an additional layer of security called Outbound Gateway
(OGW) which allows customers to inspect and scale security based on outbound con
nections. OGW works by deploying gateway instances in VPC subnets (both local and
remote) that forward all traffic to UTM workers via Generic Routing Encapsulation
(GRE) tunnels. After inspecting the traffic, the UTM workers forward the traffic outside
VPC or deny the request per the rules you configure.

Sophos UTM on AWS 8

3 Deployment Model

Figure 2 Auto Scaling

Below is a decision tree to help you decide which UTM deployment model fits your
needs.

Figure 3 Decision Tree for UTM Deployment

9 Sophos UTM on AWS

 4 Amazon Machine Image

4 Amazon Machine Image

Prior to deploying Sophos UTM on AWS, select which method of pricing you would like
for UTM and corresponding EC2 key pair available.

4.1 PAYG vs BYOL

UTM supports Pay As You Go (PAYG) and Bring Your Own License (BYOL) pricing and is
available in all AWS Marketplace regions. PAYG allows you to deploy UTM without any
software licenses and pay an hourly usage fee based on the pricing listed on AWS Mar
ketplace. PAYG is managed directly through AWS who charges your usage directly to
your AWS monthly statement. Additionally, PAYG comes preconfigured with Essential
Firewall, Network Protection, Web Protection, and Web Server Protection modules
enabled. For more information about the different UTM modules, please see Sophos
UTM Overview.
BYOL allows you to purchase a software licenses for one, two, or three years in
advance from a Sophos partner without incurring any hourly fees except for the EC2
instance charge. BYOL also allows you to pick and choose which UTM modules to
enable in addition to the Sandstorm module not available in PAYG
(https://www.sophos.com/en-us/lp/sandstorm.aspx). To inquire about purchasing
BYOL for Sophos UTM on AWS, please email [email protected] for
details.
The following table shows each UTM product in AWS Marketplace, the deployment
models supported, and pricing.
Product Name Deployment Models Supported
Stand Alone UTM
Sophos UTM (PAYG) Stand Alone UTM with HA (cold and warm
standby)
Stand Alone UTM
Sophos UTM (BYOL) Stand Alone UTM with HA (cold and warm
standby)
Sophos UTM  (Auto Scaling
Auto Scaling UTM
PAYG)
Sophos UTM  (Auto Scaling
Auto Scaling UTM
BYOL)

Sophos UTM on AWS 10

4 Amazon Machine Image

4.2 EC2 Key Pair

You will need to create or use an existing EC2 Key Pair to use Sophos UTM on AWS.
Please refer to http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-
pairs.html.

11 Sophos UTM on AWS

 5 UTM Subscription

5 UTM Subscription
To subscribe to Sophos UTM on AWS, follow these steps:
1. Navigate to https://aws.amazon.com/marketplace/ and search for Sophos UTM.
2. Select the product you would like to deploy based on the deployment model
(Sophos UTM 9 vs. Sophos UTM 9 Auto Scaling) and pricing (PAYG vs. BYOL) you
want.
3. Select the Region where you want to deploy.
4. Select the delivery methods under Pricing Details.
The delivery method will depend on how you’d like to launch Sophos UTM on AWS.
Generally speaking, there are two ways to deliver Sophos UTM on AWS:
l Single AMI
l CloudFormation Console
Once you complete either forms or delivery methods, you will be subscribed to
Sophos UTM on AWS.

5.1 Delivery Methods

UTM supports three delivery methods:
l Single AMI
l CloudFormation Console
l Manual Launch (EC2 Console, API, or CLI)

This Quick Start Guide will cover delivery methods Single AMI and CloudFormation Con
sole.

Note – For information on launching AWS Marketplace products within the EC2 con
sole, refer to How do I launch an AWS Marketplace product with the EC2 console?

Depending on how you deploy UTM, proceed to the appropriate selection.

Note – The only delivery method available for Sophos UTM (Auto Scaling) is the
CloudFormation Console.

5.1.1 Single AMI

Single AMI supports 1-Click Launch which allows you to install the Stand Alone UTM on
a single EC2 and specify settings like EC2 instance type, AMI version (we recommend
the latest), VPC settings, Security Groups, and Key Pair. Sophos has provided an EC2
Sizing Guide in the Sophos UTM on AWS Overview and Deployment Guide for

Sophos UTM on AWS 12

5 UTM Subscription

assistance in choosing the correct EC2 instance type for your deployment. For help
with the other settings, please refer to Launch Your Software on Amazon EC2.
1. Select Single AMI and click Continue.
2. Under the 1-Click Launch menu, specify the following:
l Applicable Instance Type
l Version (we recommend the latest)
l Region
l VPC Settings
l Security Groups
l Key Pair
3. Click on Accept Software Terms & Launch with 1-Click.
On the next page, you should see the Software Installation Details summarizing
the settings for the launch. From here, you can click Manage in the AWS Console
to check the launch state of Sophos UTM under the EC2 service. Once the instance
status reads as running, click on the Description tab to view the public IP address.
Please note the Public IP address to connect to your UTM (see chapter Stand
Alone Configuration). If you selected 1-Click Launch, you can now proceed to
chapter AWS Marketplace Product Support Connection.

5.1.2 CloudFormation Console (Stand Alone)

The CloudFormation Console allows customers to deploy Sophos UTM using a
CloudFormation template. This template provides options not available in the 1-Click
Launch such as defining the Elastic IP address, trusted Classless Inter-Domain Routing
(CIDR) networks, and Identity and Access Management (IAM) roles. You can follow the
steps listed in this section for access to Sophos CloudFormation templates or down
load all available templates at https://github.com/sophos-iaas/aws-cf-templates.
To use the CloudFormation Console, follow these steps:
1. In Amazon Marketplace click on one of the Sophos UTM search results and click
Continue.
2. Select CloudFormation Console as your delivery method.
3. Select a Version (we recommend the latest) and a Region.
4. Click Accept Software Terms.
After accepting the Software Terms, you should see a page with Next Steps indic
ating that an email has been sent to confirm the subscription.
5. After your subscription has been confirmed, click Return to Product Page and
select Launch with CloudFormation Console.
In the CloudFormation Console, you’ll be presented with the Create stack menu
with the prepopulated S3 template URL.
6. Click Next.

13 Sophos UTM on AWS

 5 UTM Subscription

7. Enter the parameter values for the CloudFormation template:

Stack Details
Stack name: A unique and descriptive name for the CloudFormation stack
VM Configuration
l AMI of UTM: Set to autodetect for the latest AMI
l UTM Instance size: Choose EC2 instance type for UTM. The default EC2
instance type is set to m3.medium or c4.large depending on your region
UTM Infrastructure Configuration
l VPC ID: Select in which VPC to install UTM
l Private Subnet ID: Select in which VPC private subnet to install UTM
l Public Subnet ID: Select in which VPC public subnet to install UTM
l Private Network CIDR: Classless Inter-Domain Routing (CIDR) address for
your VPC private subnet
l Public Network CIDR: Classless Inter-Domain Routing (CIDR) address for your
VPC public subnet
l Existing Elastic IP ID: If you have an existing Elastic IP address you’d like to
use for UTM, you can enter the address
Access Permissions
l SSH Key: EC2 Key Pair for SSH access
l Trusted Network CIDR (optional): Allows all traffic from this network
Tags (optional)
l Key: Arbitrary key that can be used to identify your stack for purposes such as
cost allocation
l Value: arbitrary value for the key
Permissions (optional)
IAM Role: An existing IAM service role that CloudFormation can assume
Advanced (optional)

Note – For more information on advanced options refer to http://

docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-
add-tags.html.

8. Click Next.
9. On the Review page, review the values for parameter and click Create.
This will take you to the CloudFormation management console where you can
watch the Status and Events of the CloudFormation stack creation.
Once the status reads CREATE_COMPLETE, navigate to Services > EC > Instances
within the AWS Management Console to confirm UTM has been deployed on a newly

Sophos UTM on AWS 14

5 UTM Subscription

created EC2 instance. Select the EC2 instance and the Description tab to view the
Public IP address. Please note the Public IP address to connect to your UTM (see
chapter Stand Alone Configuration). If you selected CloudFormation Console for UTM
(Stand Alone), you can now proceed to chapter AWS Marketplace Product Support Con
nection.

5.1.3 CloudFormation Console (Auto Scaling)

The CloudFormation Console allows customers to deploy Sophos UTM using a Sophos
created CloudFormation template. This template uses different AWS Resources such
as ELB, CloudWatch, Auto Scaling, and S3 to deploy and manage Sophos UTM. You can
follow the steps listed in this section for access to CloudFormation templates or down
load the templates at https://github.com/sophos-iaas/aws-cf-templates.
To use the CloudFormation Console, follow these steps:
1. In Amazon Marketplace, click on one of the Sophos UTM (Auto Scaling) search res
ults and click Continue.
2. Select CloudFormation Console as your delivery method.
3. Select a Version (we recommend the latest) and a Region.
4. Click Accept Software Terms.
After accepting the Software Terms, you should see a page with Next Steps indic
ating that an email has been sent to confirm subscription.
5. After your subscription has been confirmed, click Return to Product Page and
select Launch with CloudFormation Console.
In the CloudFormation Console, you’ll be presented with the Create stack menu
with the prepopulated S3 template URL.
6. Click Next.
7. Enter the parameter values for the CloudFormation template:
Stack Details
Stack name: A unique and descriptive name for the CloudFormation stack
Parameters
l awsAMI: Set to autodetect for the latest AMI
l awsAvailabilityZone1: Choose an AZ for the UTM controller and first UTM
worker
l awsAvailabilityZone2: Choose an AZ for the second UTM worker
l awsKeyName: EC2 Key Pair for SSH access
l awsNetworkPrefix: Choose between PAYG or BYOL
l awsTrustedNetwork: Specify a network that can access your VPC on these
ports (we recommend only trusted networks should be configured for SSH
and port 8080 access)

15 Sophos UTM on AWS

 5 UTM Subscription

l basicAdminEmail: Email address that will receive UTM and SNS notifications
(this information is not sent to Sophos)
l basicAdminPassword: Admin account password that will be used to access
the UTM WebGUI (this information is not sent to Sophos)
l basicCity: Used for configuring the self-signed Certificate Authority (this
information is not transmitted to Sophos)
l basicCountry: Used for configuring the self-signed Certificate Authority (this
information is not transmitted to Sophos)
l basicHostname: Used for configuring the self-signed Certificate Authority
(this information is not transmitted to Sophos)
l optionalExistingElasticIP: Elastic IP address assigned to UTM (if left empty a
new Elastic IP will be allocated automatically)
l optionalExistingS3Bucket: S3 bucket to store and restore backups (if left
empty a new bucket will be created automatically)
l optionalLicensePool: S3 bucket where UTM license is stored (only applicable
to BYOL)
Tags (optional)
l Key: Arbitrary key that can be used to identify your stack for purposes such as
cost allocation
l Value: Arbitrary value for the key
Permissions (optional)
IAM Role: an existing IAM service role that CloudFormation can assume
Advanced (optional)

Note – For more information on advanced options refer to http://

docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-
add-tags.html.

8. Click Next.
9. On the Review page, review the values for parameter.
This will take you to the CloudFormation management console where you can
watch the Status and Events of the CloudFormation stack creation. Stack creation
time may vary but typically takes anywhere from six to ten minutes to complete.
Once the Status reads CREATE_COMPLETE, you can review the information in the
Outputs tab.
10. Under Capabilities, select I acknowledge that AWS CloudFormation might create
IAM resources and click Create.

Sophos UTM on AWS 16

5 UTM Subscription

5.1.4 CloudFormation Outputs

This section contains information regarding resources created by the CloudFormation
template.
l PublicIPAddress: Elastic IP address (EIP) assigned to the UTM controller (Queen),
which can be used for VPN connections or inbound NAT
l QueenScalingGroup: Auto Scaling group for UTM controller
l S3Bucket: S3 bucket used to store license, logs, reports, and synchronize UTM
worker configurations
l ConfigurationSNSTopic: SNS topic to notify UTM workers of configuration
changes
l SwarmScalingGroup: Auto Scaling group for UTM workers (default setting of 2
workers)
l VPCID: VPC ID used for Auto Scaling groups
l Region: AWS Region for UTM
l ELB: public facing ELB load balancer for web traffic (ELB will not become func
tional until UTM WAF settings have been configured; DNS A record name is shown
under EC2 Load Balancers description)

5.1.5 CloudFormation Resources

This section provides the full list of AWS resources that have been created. Please
note the resource names for items such as worker CloudWatch alarms, Auto Scaling
policies, security groups, and Network Access Control Lists (NACLs). You will need this
information when adding additional layers to your VPC.

5.2 AWS Marketplace Product Support

Connection
After you have subscribed to Sophos UTM on AWS, you are eligible to receive Sophos
technical support. Sophos offers Premium support for all customers who select PAYG
pricing. Premium support provides 24/7 technical support direct from Sophos support
engineers. To receive this support, you’ll need to register your product with the AWS
Marketplace Product Support Connection (https://aws.amazon.
com/marketplace/support-contacts).
In addition to the benefits of Premium, AWS customers can also purchase another
level of supported called Enhanced Plus. This support tier is only available to cus
tomers who deploy Sophos UTM BYOL but gives priority case handling and VIP access

17 Sophos UTM on AWS

 5 UTM Subscription

to senior resources. For more information, please contact aws.

[email protected].

Note – For more information on the Sophos support levels, see https://www.sophos.
com/en-us/medialibrary/PDFs/Support/Sophos-Support-Plans.pdf

Sophos UTM on AWS 18

6 Stand Alone Configuration

6 Stand Alone Configuration

The following section covers required topics like connecting to Sophos UTM and licens
ing but also covers optional topics for the different deployment methods. Depending
on how you launched Sophos UTM, proceed to the appropriate selection.

6.1 Connect to Your Sophos UTM (Single

AMI)
After you have successfully deployed the UTM, you can access the WebGui via a web
browser, EIP, and port number of 4444, e.g., https://elastic_ip_address:4444/.
1. Connect to Sophos UTM.
The first time you connect you will see a browser warning due to a self-signed cer
tificate.
2. Click on the option to continue to the site.
This leads you to the Sophos UTM login page.

Figure 4 Sophos UTM Login

3. Enter the basic system information:

l Hostname

l Company
l City
l Country, etc.

19 Sophos UTM on AWS

 6 Stand Alone Configuration

Note – Both username and passwords are case-sensitive and the UTM by default
will block access attempts after three failed attempts. If you suspect that you
may have triggered this protection feature you must wait for the ten minutes
timeout period to expire before you can attempt access again.

Note – Use only alpha-numeric characters in the password field when entering
this parameter during stack creation. If you require a more complex password,
change it after logging in to Sophos UTM via the web console.

6.2 Connect to Your Sophos UTM

(CloudFormation Console)
After successful creation of your CloudFormation stack, use the Elastic IP address you
provided in the template to connect to your Sophos UTM. If you’ve forgotten this IP
address, you can review the CloudFormation Outputs section. You can access the
WebGui via a web browser, EIP, and port number of 4444, e.g., https://elastic_ip_
address:4444/. You’ll need to enter basic system information like hostname, com
pany, city, country, etc.

Note – Both username and passwords are case-sensitive and the UTM by default will
block access attempts after three failed attempts. If you suspect that you may have
triggered this protection feature you must wait for the ten minutes timeout period to
expire before you can attempt access again.

Note – Use only alpha-numeric characters in the password field when entering this
parameter during stack creation. If you require a more complex password, change it
after logging in to Sophos UTM via the web console.

6.3 License Your Sophos UTM

If you selected PAYG, you don’t need to license Sophos UTM as the license has already
been bundled with the AMI. You can also use a 30 day free trial for Sophos UTM
(Auto Scaling) to test the deployment before purchase.

Note – Free trials will be automatically converted to paid subscriptions upon expir
ation.

When using BYOL versions of Sophos UTM, you’ll need a license file to unlock the UTM
subscription features during free trial and production. You can store the BYOL license
file in an S3 bucket, which is loaded during the boot up process. After the free trial, you
can upload the production license in Management > Licensing > Installation section,

Sophos UTM on AWS 20

6 Stand Alone Configuration

and once the license had been uploaded details will be shown on the Management >
Licensing > Overview tab.
For more information on BYOL, please contact [email protected].

Figure 5 Sophos UTM Licensing Tab

6.4 Configure HA (optional)

After you have configured and licensed (if applicable) the Stand Alone UTM, you can
configure the system for High Availability (HA) as described in chapter Stand Alone
with HA (Cold and Warm Standby). The process requires that you run a conversion util
ity that converts the Stand Alone UTM to an HA (cold or warm standby).
Depending on the latest UTM release published in the AWS Marketplace, there may not
be an Amazon Machine Image (AMI) that supports the conversion utility for your ver
sion. If so, the user interface will post a message to check back in a couple of days
after the latest release is published.
Before proceeding with the Conversion feature, you will need a valid AWS Access Key
ID and AWS Secret Access Key. The AWS keys are created using the AWS IAM module.
You can follow the steps listed in Managing Access Key for IAM Users to create an
AWS Access Keys ID and AWS Secret Access Key.
After creating the Access Key ID and a Secret Access Key select the HA deployment
model for conversion. The conversion features support two HA models:
l HA (Cold Standby) – Active/Passive – in this deployment scenario, Sophos UTM
will be placed in an Auto Scaling group that will automatically start a new EC2
instance and transfer configuration settings in the event the current EC2 instance

21 Sophos UTM on AWS

 6 Stand Alone Configuration

hosting UTM fails a health check.

l HA (Warm Standby) – Active/Passive – in this deployment scenario, Sophos UTM
will be placed in an Auto Scaling group that will automatically transfer con
figuration settings to a running EC2 instance in the event the current instance
hosting UTM fails a health check.

To begin the conversion process, follow these steps:

1. Navigate to the Sophos UTM WebAdmin dashboard and select Management >
HA/Autoscaling.

Figure 6 Conversion Utility

2. Enter the AWS access key ID and the AWS secret key.

3. Select your Amazon deployment type.
4. Click Conversion Pre-Check.
This initiates the conversion process for Sophos UTM. The Conversion feature will
use CloudFormation templates to convert the stand alone Sophos UTM into HA
(warm or cold standby). We recommend you run the Conversion utility during a
maintenance window as the process will start and stop several services.
The Conversion Pre-Check screen will highlight:

Sophos UTM on AWS 22

6 Stand Alone Configuration

l The current EC2 Key Pair used for the deployment of the Sophos UTM
instance
l The current EIP, if available
l The VPC for the single/standalone UTM
l The current UTM license model (PAYG or BYOL)
l The VPC Subnets for your deployment model (two for HA solutions)
l The current Security Groups for the Sophos UTM EC2 Instance
l Current size of configuration, log, and database files
l AZ for your deployment model (two AZs are required for HA)
l CloudFormation Stack Name
l Optional – (Default) Copy log files from UTM standalone instance to new
deployment.
l Optional – (Default) Copy database from UTM standalone instance to new
deployment.
l Optional – (Not Default) Terminate UTM standalone after completion of con
version process.
5. Click Convert to begin the conversion process.
The conversion process will create the required AWS resources to support the
Sophos deployment model per your selection. Additional resources will include
VPC Subnets, Security Groups, Auto Scaling groups, and CloudWatch metrics to
support the new deployment model. You can watch the Conversion feature status
results and CloudFormation stack events under the CloudFormation Management
Console to check the status of the conversion.
After running the Conversion feature, you can review three menus to confirm the
completed status:
l Sophos UTM conversion results
l AWS EC2 Instance Status
l VPC subnets
The following figures show the completed status for the HA (Warm Standby) con
version.

23 Sophos UTM on AWS

 6 Stand Alone Configuration

Figure 7 Results of Conversion Utility

The EC2 Instances menu shows two new EC2 Instances replacing the previous stan
dalone instance.

Figure 8 New EC2 Instances Hosting UTM HA

Sophos UTM on AWS 24

7 Auto Scaling Configuration

7 Auto Scaling Configuration

The primary use case for Auto Scaling is to support inbound Web Application Firewall
(WAF) security using the Sophos UTM Webserver Protection feature set. This feature
set combines reverse proxy functionality and WAF protection and requires two ELB
load balancers (external and internal). The next section will guide a user connecting to
Sophos UTM, licensing the Sophos UTM, and creating an internal load balancer used for
EC2 instances hosting a web application.

7.1 Connect to Your Sophos UTM (Auto

Scaling)
Upon successful creation of your Auto Scale UTM Stack there will be three UTMs
shown in your EC2 Instances section:
l One Sophos UTM instance labeled “Queen”
l Two Sophos UTM instances labeled “Worker”

The solution is designed so that all configuration and management is done via the
Queen UTM, which then stores all configuration settings in S3 and gathers all logging
information via the syslog protocol.
The Queen Elastic IP used for management should match the Sophos UTM public IP
address shown in the CloudFormation Outputs section. Sophos UTM instance creation
will typically lag the CloudFormation creation and the EIP may not be attached to the
Queen UTM until the instance is fully launched and ready.

Note – Each UTM worker has a public IP and this can be used to connect to that UTM.
Any changes made on worker UTMs will be overwritten by the Queen configuration,
and will not be synchronized to other workers.

7.2 License Your Sophos UTM

If you selected PAYG, you don’t need to license Sophos UTM as the license has already
been bundled with the AMI. You can also use a 30 day free trial for Sophos UTM
(Auto Scaling) to test the deployment before purchase.

Note – Free trials will be automatically converted to paid subscriptions upon expir
ation.

When using BYOL versions of Sophos UTM, you’ll need a license file to unlock the UTM
subscription features during free trial and production. You can store the BYOL license
file in an S3 bucket, which is loaded during the boot up process. After the free trial, you

25 Sophos UTM on AWS

 7 Auto Scaling Configuration

can upload the production license in Management > Licensing > Installation section,
and once the license had been uploaded details will be shown on the Management >
Licensing > Overview tab.
For more information on BYOL, please contact [email protected].

Figure 9 Sophos UTM Licensing Tab

7.3 Create an Internal Load Balancer

To create an internal ELB, proceed as follows:
1. In the AWS EC2 area beneath Load Balancers click Create Load Balancer.
The Define Load Balancer page opens.
2. Make the following settings:
l Load Balancer Name: Enter a descriptive name.

l Create LB inside: Choose the VPC to install into.

3. Create an internal load balancer: Select this to ensure it is specified that you cre
ate an internal ELB.
4. Enable advanced VPC configuration: Select this option if you want to select sub
nets.
l Listener Configuration: The default listener configuration of using HTTP will
suffice for your test, but can be modified as needed.
l Select Subnets: Choose the private subnets you created in the last section.
3. Click Next: Assign Security Groups.
The Assign Security Groups page opens.

Sophos UTM on AWS 26

7 Auto Scaling Configuration

4. Select the default VPC security Group.

5. Click Next: Configure Security Settings.

Note – At this point you’ll be notified that your load balancer is not using a secure
listener.

6. Click Next: Configure Health Check.

For the example modify the default health check so that Ping protocol uses TCP.
7. Click Next: Add EC2 Instances.
8. Add the appropriate EC2 instances that will use the internal load balancer.
9. Click Next: Add Tags.
10. Add a tag and click Review and Create to continue.
11. Review your settings and click Create.
The load balancer is created and appears in the load balancer list.

7.4 Configure the UTM WAF

Now that you have configured the internal load balancer you can configure the UTM
Webserver Protection module so that it listens for HTTP traffic and, after scanning,
sends it to the internal ELB for distribution.
To do so, proceed as follows:
1. Log in to the controller UTM and navigate to Webserver Protection > Web Applic
ation Firewall.
2. Click on New Virtual Webserver and make the following settings.
l Name: Enter a descriptive name.
l Interface: Select the Sophos UTM interface where traffic will arrive on and
leave the Type and Port to HTTP and 80.
l Domains: Enter the DNS name assigned to your public ELB that was created
during the Stack creation. This is the URL that you will use for testing.

Note – This can be found in AWS EC2 area in the Load Balancers list. If you
have many ELBs listed in this section, you can confirm the correct one by
getting the name from the CloudFormation Resources section. Click on the
Description tab and copy the full DNS Name shown.

l Real Webservers: List the internal ELB you have created, which is what
traffic will be sent to once scanned. To create a new DNS object for this
internal ELB, click on the green Plus icon located to the right of the Real Web
servers text. Enter a descriptive name for the Real Webserver and then click
on the green Plus icon to the right of the Host field to create the actual DNS

27 Sophos UTM on AWS

 7 Auto Scaling Configuration

host object. Copy the internal ELB DNS name into the Hostname field and
enter a descriptive name for this new network definition.

Figure 10 Virtual Webserver Configuration on Sophos UTM

l Firewall Profile: Choose the Basic Protection firewall profile.

3. Click Save.
4. Enable the new Virtual Webserver by clicking the toggle switch.
The toggle switch turns green.

Note – To the right of the Real Webservers text you’ll see the status of the new
internal ELB DNS object you created. It should change to green as shown below
in a few moments. If it does not, check your settings as Sophos UTM is not able to
resolve the DNS name used.

7.5 Outbound Gateway for AWS

Sophos UTM on AWS is a solution designed to automatically scale for inbound web
application traffic and outbound web content filtering. This solution consists of mul
tiple UTMs with several roles (Queen & Worker) which work with AWS services. The
solution is designed to work across AWS Availability Zones in a single AWS region, and
to work with an Internet-facing Elastic Load Balancer that is used to distribute traffic
to UTM Workers for traffic scanning. To use the solution you need to subscribe to the
UTM via AWS Marketplace.

Sophos UTM on AWS 28

7 Auto Scaling Configuration

OGW (Outbound Gateway) is a setup in AWS where an Auto Scaling group of UTMs is
load-balanced by gateways. The whole setup, UTM plus gateway, is called Outbound
Gateway. OGWs act as outbound load balancers.
The OGW deployment serves two main purposes, firstly scaling of UTMs to handle
increasing outbound traffic loads, and secondly, in some cases, the establishment of a
communication path to the Internet for instances that are located within VPCs which
lack Internet gateways.
Use cases for the OGW include:
l VDI access to the Internet (e.g. AWS Workspaces) (main use case)
l Server instance access to the Internet (including web access)

Figure 11 OGW: Concept

The high level architecture of the OGW deployment is shown below. Typical deploy
ment per VPC will consist of three UTM instances, one controller where configuration
is performed, and two workers (one per Availability Zone). Both controller and workers
are contained within Auto Scaling groups, which will launch a replacement UTM should
one fail, and workers may also scale under high load. In addition to the UTMs, there are
gateway instances which are deployed within each VPC. There is a minimum of two of
these per VPC, where they are deployed into separate subnets, and provide High Avail
ability by way of a failover mechanism. To facilitate external traffic routing they con
nect to the UTM workers via GRE (Generic Routing Encapsulating) tunnels (established
during deployment of the gateways).

29 Sophos UTM on AWS

 7 Auto Scaling Configuration

Figure 12 Overview

To use the feature you have to deploy Outbound Gateway(s) for AWS in UTM. This can
be done:
l via the Resource Manager: The UTM will automatically deploy the CloudFormation
stack
l manually: Deploying the gateway manually with use of the CloudFormation tem
plate

Both methods utilize a CloudFormation template.

Note – You need to decide for a method during object creation. It cannot be changed
afterwards.

7.5.1 Deploy Gateway via Resource Manager

To deploy UTM-managed load balancers via the Resource Manager, proceed as fol
lows:

Sophos UTM on AWS 30

7 Auto Scaling Configuration

1. In the UTM navigate to Network Protection > Outbound Gateway for AWS.

Figure 13 Outbound Gateway for AWS

2. Click on New Outbound Gateway.

The Add Outbound Gateway dialog box opens with the activated Resource Man
ager checkbox.

Note – You cannot change the usage of the Resource Manager after creating the
gateway.

3. Make the following settings:

Failover Group: Define the group of load balancers for fallback.

Note – For more information on failover groups, see chapter Fallback Scenarios.

Group Name (if New Failover Group is selected): Enter the name of the new group.
Position: If requested, change the position number, defining the priority of the gate
way.
AWS Subnet ID: ID of a fresh and empty AWS subnet, the gateway should be
deployed to.

Note – Do not use an existing client subnet or a subnet which is already in use.

Networks: Insert the network object for the client subnet in the same Availability
Zone.
Comment (optional): Add a description or other information.

31 Sophos UTM on AWS

 7 Auto Scaling Configuration

Figure 14 Add OGW

4. Make the following advanced settings:

Gateway Network Prefix: If the displayed prefix is already in use, change it.

Sophos UTM on AWS 32

7 Auto Scaling Configuration

Figure 15 Add Network Gateway Prefix

5. Click Save.
The gateway is saved and displayed in the list.
6. Repeat the steps for second gateway using the data of the other two subnets.
You can only enable the object once CloudFormation reports the stack creation as
complete.

Note – If you have to change anything like changing the manual deployment into auto
matic deployment, delete the Outbound Gateway and create a new one.

7.5.2 Fallback Scenarios

There are several fallback scenarios which can be used.
l HA Scenario
In the HA scenario there is a fallback for every load balancer.
l Active-Active Scenario
In this scenario the load balancers are fallback for each other.
l 2 Active, 1 Fallback
In this scenario you have two active load balancers and one fallback for both.

33 Sophos UTM on AWS

 7 Auto Scaling Configuration

In every case the network numbers are more important than the order.
Example 1:
In this scenario Y takes over if X fails, because network A is not assigned to another
instance. Z works as passive standby. If X and Y fail, Z takes over.

Instance Order Network

Instance X 1 A
Instance Y 2 B
Instance Z 3
Example 2:
In this scenario Z is fallback for X and Y because both networks are also assigned to Z.

Instance Order Network

Instance X 1 A
Instance Y 2 B
Instance Z 3 A, B

Sophos UTM on AWS 34

8 Stop Using Sophos UTM (optional)

8 Stop Using Sophos UTM 

(optional)
If you wish to stop using Sophos UTM in your environment, you can terminate the
instance (Stand Alone) or delete the CloudFormation stack (all other Sophos UTMs).

8.1 Terminate an Instance

Before you terminate the instance, verify that you won't lose any data by checking that
your Amazon EBS volumes won't be deleted on termination and that you've copied any
data that you need from your instance store volumes to Amazon EBS or Amazon S3.
To terminate the instance, proceed as follows:
1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. In the navigation pane, select Instances.
3. Select the instance and choose Actions.
4. Select Instance State, and then select Terminate.
5. Select Yes, Terminate when prompted for confirmation.

8.2 Delete CloudFormation Stack

Before you terminate the instance, verify that you will not lose any data by checking
that your Amazon EBS volumes won't be deleted on termination and that you have
copied any from the list of stacks in the AWS CloudFormation console, select the stack
that you want to delete (it must be currently running).
To delete a Stack, proceed as follows:
1. Click on the Stack and then either right-click or choose Delete Stack from the
Actions drop-down menu.
A message will appear asking you to confirm deletion.
2. Click Yes, Delete.

Note – After stack deletion has begun, you cannot abort it. The stack proceeds to
the DELETE_IN_PROGRESS state.

After the stack deletion is complete, the stack will be in the DELETE_COMPLETE state.
Stacks in the DELETE_COMPLETE state are not displayed in the AWS CloudFormation
console by default. To display deleted stacks, you must change the stack view setting
as described in the CloudFormation User Guide under Viewing Deleted Stacks.

35 Sophos UTM on AWS

 8 Stop Using Sophos UTM (optional)

If the deletion failed, the stack will be in the DELETE_FAILED state. For solutions, see
the Delete Stack Fails troubleshooting topic of the CloudFormation User Guide.

Sophos UTM on AWS 36

9 Sophos AWS Information

9 Sophos AWS Information

Sophos AWS landing page: http://www.sophos.com/aws
Other links:
EC2
Reseller Program
VPC

37 Sophos UTM on AWS

Glossary AWS Partner Network
Global partner program for Amazon
Web Services, which is focused on help-
A ing partners build a successful AWS-
based business.
Amazon WorkSpaces
Desktop computing service on the AWS AZ
cloud. Allows to provision cloud-based Availability Zone
virtual desktops.

AMI B
Amazon Machine Image BYOL

API Bring Your Own License

Application Programming Interface

C
APN
CIDR
AWS Partner Network
Classless Inter-Domain Routing
Auto Scaling
Classless Inter-Domain Routing
Web service to launch or terminate
Amazon EC2 instances automatically Set of IP standards to create unique
based on policies, schedules and identifiers for networks and individual
health checks. devices.

Availability Zones CLI

Each Amazon data center location is Command Line Interface
called a region, each region contains
CloudFormation Console
multiple distinct locations called Avail-
ability Zones, or AZs. User interface of the CloudFormation
service.
AWS
CloudWatch
Amazon Web Services
A component of Amazon Web Services
AWS CloudFormation which provides monitoring of AWS
Free service for AWS customers which resources and applications running on
provides tools needed to create and the Amazon infrastructure.
manage the infrastructure a particular
software application requires to run on E
AWS.
EBS
Elastic Block Store
Glossary

EC2
H
Elastic Compute Cloud
HA
EC2 Instance
High Availability
Compute instance in Amazon EC2 ser-
vice. High Availability

EIP System design protocol that ensures a

certain absolute degree of operational
Elastic IP continuity.
Elastic Compute Cloud
Amazon EC2 provides scalable com- I
puting capacity in AWS which allows
IAM
users to rent virtual computers to run
their own computer applications. AWS Identity and Access Management

Elastic IP Identity and Access Management

Static IP addresses for dynamic cloud Amazon web service to control who can
computing, which is associated with an use your AWS resources and in which
account. You control the address until way.
you explicitly release it.
Intrusion Prevention System
Elastic Load Balancing Network security and threat prevention
Load balancing solution which auto- technology that examines network
matically scales incoming application traffic flows to detect and prevent vul-
traffic across multiple targets. nerability.

ELB
N
Elastic Load Balancing
Network Access Control List

G Security layer which acts as firewall to

control traffic in and out of subnets.
Generic Routing Encapsulation
Tunneling protocol which provides a O
private, secure path for transporting
packets through an otherwise public net- OGW
work. Outbound Gateway
GRE
Generic Routing Encapsulation P
PAYG
Pay As You Go

39 Sophos UTM on AWS

 Glossary

Virtual Private Network

S
Private data network that makes use of
S3 the public telecommunication infra-
structure, maintaining privacy through
Simple Storage Solution
the use of a tunneling protocol such as
S3 bucket PPTP or IPsec.
Logical unit which stores objects that VPC
consist of data and metadata which
Virtual Private Cloud
describe the data.

Security Group W
Acts as virtual firewall for an AWS
instance to control inbound and out- WAF
bound traffic. Web Application Firewall

Simple Notification Service Web Application Firewall

Notification service which provides WAF, also known as reverse proxy,
mass delivery of messages, pre- applies a set of rules to an HTTP con-
dominantly to mobile users. versation and therefore protects web-
servers from attacks and malicious
Simple Storage Service behavior like cross-site scripting (XSS),
Amazon web service which provides SQL injection, and others.
storage through web services inter-
faces.

SNS
Simple Notification Service

SSH
Secure Shell

V
Virtual Private Cloud
VPC provides secure data transfer
between private enterprises and public
cloud provider. Each data remains isol-
ated from every other data both in
transit and inside the cloud provider's
network.

Sophos UTM on AWS 40