This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos-Astaro on Amazon EC2

Hi,

We managed a lot of hardware Sophos-Astaro, but now we'd like to create our first in the amazon cloud. But how?

I read this blogpost: You, Us, and the Amazon Cloud by Angelo Comazzetto

But i don't understand how it works exactly.
I know how can i creat a ec2 vm. i installed a utm9 on ec2 with "ami-b71713c3", but how can i control the server behind the firewall.

how can i build this szenario in the amazon cloud?
[URL="http://picload.org/image/aailwio/ec2_astaro.jpg"]

[/URL]

Witch VPC i have to create? "VPC with a Single Public Subnet Only" ?

thanks for help

This thread was automatically locked due to age.

Parents

0 BAlfson over 12 years ago

We can't know if external links are safe, so, in the future, when attaching pictures, please [Go Advanced] and upload them to this BB.  I opened these in a sandbox, and they are malware-free at the moment.

I can't answer your question, but some observations...

As I said above, it's not clear to me why you need a second interface in the UTM; I would have preferred a single IP for the UTM and a fixed, public IP for each instance.  I'd think just a security group for the WinServer allowing only traffic from the UTM and outbound traffic to request Windows Updates.  I'd put a Full NAT at the UTM for RDP.

In your present solution, I don't see why you need to masquerade, and I wonder if it isn't part of the problem.  Your Firewall rule 1 has no effect.  In your DNAT, since you aren't changing the service, you should leave that empty - it's not important here, but it's a good habit since sometimes it does (service groups or ranges).

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 BAlfson over 12 years ago

We can't know if external links are safe, so, in the future, when attaching pictures, please [Go Advanced] and upload them to this BB.  I opened these in a sandbox, and they are malware-free at the moment.

I can't answer your question, but some observations...

As I said above, it's not clear to me why you need a second interface in the UTM; I would have preferred a single IP for the UTM and a fixed, public IP for each instance.  I'd think just a security group for the WinServer allowing only traffic from the UTM and outbound traffic to request Windows Updates.  I'd put a Full NAT at the UTM for RDP.

In your present solution, I don't see why you need to masquerade, and I wonder if it isn't part of the problem.  Your Firewall rule 1 has no effect.  In your DNAT, since you aren't changing the service, you should leave that empty - it's not important here, but it's a good habit since sometimes it does (service groups or ranges).

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 closer46 over 12 years ago in reply to BAlfson

As I said above, it's not clear to me why you need a second interface in the UTM; I would have preferred a single IP for the UTM and a fixed, public IP for each instance. I'd think just a security group for the WinServer allowing only traffic from the UTM and outbound traffic to request Windows Updates. I'd put a Full NAT at the UTM for RDP.

Hi Bob

Thanks for your post!
I don't understand it exactly.
I created a second interface for the utm, that i controll the traffic from the internet to the second subnet, were the server are, like a normal utm installation. WAN with the public ip and a lan with just private ip adresses.

but how can i control the traffic to the windows server, if the utm have just one ip?

do you have this szenario in a productive installation and it works?

thanks
Cancel
Vote Up 0 Vote Down

Cancel