After months of hard work I’d like to present what we've prepared for our upcoming UTM 9.3 release, which is now open to our valued community as a Beta version.
And as always, if you want to try out the Beta release be prepared and allow me a note of caution:
This is a Beta release of Sophos UTM and is not recommended in ANY way for production environments!
Not only is it not a final representation of the product we plan to offer for the general masses, but it will probably break things in your network at scheduled, random, or just impulsively evil intervals. By deploying this early into an environment which cannot tolerate inconsistencies, downtime, or failures, you may find yourself alone with no support to come to your aid. However, if you need to see new things at the earliest opportunity and want to familiarize yourself with what we will offer to the masses when it is fully baked, then be invited and enjoy this beta release.
Overview
The UTM 9.3 will introduce new features and fixes that you will find in our new release – many of them, as with all our Beta releases, only fully covered and documented with our final release version, which is due in November 2014. In addition to other threads in this forum led by our dear developers and community managers, here are a few facts on the Beta:
- Up2Date Packages are available to move you from UTM 9.207 stable to the UTM 9.2 Beta track.
- You can restore a UTM 9.2 backup file into the 9.3 Beta release
- We will have an Up2Date from the Beta release to the GA version for all installations.
- License files for use by Beta testers are posted (and will be updated if needed) in this thread.
Major New Things
Live AV Lookups in E-Mail Protection
Introduced in UTM 9.2 for Web Protection, Live AV lookups now come to the E-Mail Protection to further increase the protection surface of UTM. This option will improve the malware detection rates by consulting the cloud infrastructure from SophosLabs for possible threat matches.
SPX Self-Registration
With the self-registration feature, recipients of an SPX-encrypted email are now offered the option to register themselves through an online portal where they will be able to create and reset (but not yet recover) passwords to access their encrypted emails. This will eliminate the need to manually communicate passwords to recipients of encrypted email.
SPX – Support Attachments on Reply Portal
When replying to an SPX-encrypted email, now recipients can add attachments to their message so that the full communication now can be encrypted in both ways.
Policy Tagging
With UTM 9.2 we introduced the ‘Website List’ feature where customers can add URLs and override the category. URL tagging extends this feature by allowing customers to apply zero or more custom tags, or labels, to URLs. They can then use these tags in Web Policy to fine-tune actions for specific sites. For example, if a customer has a restrictive policy but needs to access customer websites that would otherwise be blocked, they can add their customer sites to the Website List, tag them as ‘Customer Sites’ and then modify the policy to enable access to the ‘Customer Sites’ tag.
Time Quotas
For many web gateway use cases it makes sense to offer ways to allow users access to personal websites for a limited time period. With the new feature in Web Protection, administrators can now set up time quota allocations that can be assigned to specific sites, categories or groups of categories for specific users or groups. Users will be warned that they're using their quota. When a quota expires, they'll be informed accordingly.
Selective HTTPS filtering
To allow more flexibility and provide better performance we have implemented an option to allow selective HTTPS filtering. This will help security-conscious organizations to perform the important scans in HTTPS like (a) the ability to detect malicious content, (b) the ability to identify search terms and enforce safe search for Google and other search engines, and (c) the scanning of webmail traffic for DLP only for specific sites.
Support for new hardware SG1xx, SG5xx and SG6xx
This release will add support for new hardware we are going to introduce later this year and will further extend our hardware product line. The support added includes SG1xx, SG5xx, SG6xx appliances as well as the new access points AP15 and AP100.
Hotspot improvements
We built an interface to communicate with Micros Fidelio hotel management software via the FIAS protocol. In addition, we have implemented support for HTTPS and the possibility to set up hotspots in a more multi-tenant fashion.
Multiple bridge support
Many advanced firewall configurations – especially when the UTM is not the main gateway – can be solved more easily by simply allowing multiple bridges. With the introduction of this feature we at the same time cleared up the configuration options in the UTM Webadmin by moving the bridge configuration directly into the interfaces pane.
Minor Things
VLAN DHCP & Tagging
We removed some restrictions around VLANs to make the life of an admin easier. First, we now allow DHCP on VLAN interfaces. Secondly, we now allow tagged and untagged interfaces on the same hardware.
[REMOVED] VPN performance improvements
--this item was removed from the current 9.3 scope--
True File Type Detection
In our web and mail proxy we now allow detection of file types inside a downloaded archive file (zip, rar, …). This allows blocking based on file types included in those archives – rather than blocking archive files in general.
Sophos Customer Support secure access to UTM
With an increasing number of global support sites with different IP ranges, it is also increasingly complex for customers to allow Sophos Support teams access to their UTM via Webadmin and SSH. Therefore we implemented a function inside Webadmin that allows simple and secure access by Sophos Support on request and under control of the customer.
WAF allow/block lists
For the Web Application Firewall we have now added lists to allow and block IPs, which is now possible in the sitepaths.
WAF wildcard extension
Exceptions for internal servers now allow wildcards also in the middle of the server path. This allows admins to easily add exceptions for multiple servers effectively eliminating the need to maintain long lists in Webadmin.
WAF prefix/suffix option
Some environments, most notably Microsoft servers like Exchange and Sharepoint, require UPN/domain-style user names for login. By adding an option to append a prefix or suffix to usernames, customers are now able to add, e.g., a default domain to facilitate the use in such environments.
HyperV 3.5 Support
The UTM 9.3 now fully supports Microsoft Hyper-V Server 2012 R2. We are incorporating MS Integration Tools v3.5 for Hyper-V which include the latest drivers and additional capabilities like high availability and load balancing.
Other New Things
[Web] We have enhanced the HTTPS performance by several proxy improvements.
[Mail] Added fonts for Greek, Japanese, Chinese, Cyrillic PDF documents generated by SPX-encrypted emails.
[Mail] Added header manipulation possibilities in emails, in order to give customers the option to add/delete multiple headers to the message envelope.
[WiFi] Added Automatic Channel Selection (ACS), utilizing background scanning.
[AppCtrl] Updated Application Control Engine, adding better support for ATP and broader application coverage as well as IPv6 support.
[WAF] Added a setting to change WAF performance parameters
[WAF] Ability to upload custom rules (backend enablement required)
[WAF] Added scan size limit configuration
As always, there is a chance that this list is not complete, as something may have been left out of the documentation or simply escaped my attention. If you come by such an unnoticed change or new feature, please be so kind as to post a new forum thread with an [undocumented] tag in the subject so that we can pick it up.
In advance, I’d like to thank you for your feedback. Your effort to help us shape and optimize this amazing product until it finally gets to all of our valued users is highly appreciated.
Happy testing…