How to set up RED 50

  • Article ID 118916
  • Updated: 07 August 2014


This article describes how to set up RED 50.

Known to apply to the following Sophos product(s) and version(s)

Sophos RED 50

Operating systems

Sophos UTM 9.100 or higher


In this article

Information about RED 50

Deployment scenarios

How to set up RED 50


Information about RED 50

  • Easy and affordable way to securely connect offices
  • Small unit sent to non-technical staff in branch
  • Simply plug it in and it sets up security automatically
  • Creates a secure link between branch and HQ
  • Forwards and filters branch office traffic
  • Centrally managed by Sophos UTM

New features:

  • Encryption: Hardware-accelerated
  • Bandwidth: Balanced
  • Backup: Failover

Technical specifications:

  • VPN throughput: 360 Mbit/s
  • WAN ports: 2x Gbit
  • LAN ports: 4x Gbit
  • USB ports: 2

Deployment scenarios

UTM hostname = Failover

RED uplink = Failover

The RED establishes a connection between RED_WAN1 and UTM_WAN1.

If UTM_WAN1 is down: RED_WAN1 will connect to UTM_WAN2.

If UTM_WAN1 and RED_WAN1 are down: RED_WAN2 will connect to UTM_WAN2.


UTM hostname = Balancing

RED uplink = Failover

The RED establishes a connection between RED_WAN1 and UTM_WAN1 / UTM_WAN2.

If RED_WAN1 is down: RED_WAN2 will connect to UTM_WAN1 / UTM_WAN2.


UTM hostname = Failover

RED uplink = Balancing

The RED establishes a connection between RED_WAN1 / RED_WAN2 and UTM_WAN1.

If UTM_WAN1 is down: RED_WAN1 / RED_WAN2 will connect to UTM_WAN2.


UTM hostname = Balancing

RED uplink = Balancing

The RED establishes a connection between RED_WAN1 / RED_WAN2 and UTM_WAN1 / UTM_WAN2.


Note -

If an interface goes down, it will be checked repeatedly until it is working again. The connection will be restored to the original interface as soon as it becomes available again.
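The four scenarios above, together with the restore-to-original-interface rule in the note, as a small Python model added here for illustration (this is not Sophos code). Interface names follow the article; the up/down states are constructed inputs.

```python
from dataclasses import dataclass, field

# Values of "Use 2nd hostname for" / "Use 2nd uplink for" as named in the article.
FAILOVER = "Failover"
BALANCING = "Balancing"


@dataclass
class RedLinkModel:
    """Which (RED_WAN, UTM_WAN) pairs carry the tunnel, per the article's
    scenario matrix. Constructed model for illustration, not Sophos code."""
    utm_mode: str     # how the 2nd UTM hostname is used
    uplink_mode: str  # how the 2nd RED uplink is used
    # Interface state, primary listed first; all up by default (constructed input)
    utm_up: dict = field(default_factory=lambda: {"UTM_WAN1": True, "UTM_WAN2": True})
    red_up: dict = field(default_factory=lambda: {"RED_WAN1": True, "RED_WAN2": True})

    @staticmethod
    def _usable(mode, state):
        """Balancing uses every interface that is up; Failover uses only the
        first one that is up, so the primary takes over again once restored."""
        up = [name for name, ok in state.items() if ok]
        if mode == BALANCING:
            return up
        if mode == FAILOVER:
            return up[:1]
        raise ValueError(f"unknown mode {mode!r}")

    def active_links(self):
        """Every usable RED port connects to every usable UTM hostname."""
        reds = self._usable(self.uplink_mode, self.red_up)
        utms = self._usable(self.utm_mode, self.utm_up)
        return [(r, u) for r in reds for u in utms]

    def set_interface(self, name, is_up):
        """Mark an interface down (or back up) and return the resulting links."""
        if name in self.utm_up:
            self.utm_up[name] = is_up
        elif name in self.red_up:
            self.red_up[name] = is_up
        else:
            raise KeyError(name)
        return self.active_links()


if __name__ == "__main__":
    m = RedLinkModel(FAILOVER, FAILOVER)
    print(m.active_links())                      # [('RED_WAN1', 'UTM_WAN1')]
    print(m.set_interface("UTM_WAN1", False))    # [('RED_WAN1', 'UTM_WAN2')]
    print(m.set_interface("RED_WAN1", False))    # [('RED_WAN2', 'UTM_WAN2')]
    print(m.set_interface("UTM_WAN1", True))     # [('RED_WAN2', 'UTM_WAN1')]
```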

Ports used by RED 50

TCP Port 3400 (Control Connection, using SSL, authenticated with mutual X509 cert check)

UDP Port 3410 (Encapsulated traffic, AES256 (enc), SHA1-HMAC (auth)) 

Firmware Upgrades

The RED is able to update its firmware either via the WAN or via a 3G/4G connection.

Firmware will be downloaded from the UTM itself, not via a Provisioning server (only UTM v9.1 or higher). 

How to set up RED 50

Important: It is vitally important that you keep the Unlock Code, which is emailed instantly to the address provided on the Global Settings tab (during activation of RED) as soon as the RED appliance registers with the RPS. You will need the unlock code when you want to use the RED appliance with another UTM. If you do not have the unlock code available, the only way to unlock the RED appliance is to contact Sophos Support.

1. Browse to RED Management | [Server] Client Management and click on 'Add RED'. 
2. When the Add RED dialog box opens, complete as follows: 
Interface Configuration Options

Branch name: Enter a name for the branch where the RED appliance is located, e.g. "Office Munich".

Client type: Select RED 10 or RED 50 from the drop-down list, depending on the type of RED appliance you want to connect.

RED ID: Enter the ID of the RED appliance you are configuring. This ID can be found on the back of the RED appliance and on its packaging.

Tunnel ID: By default, Automatic is selected. Tunnels will be numbered consecutively. If you have conflicting IDs, select another ID from the drop-down list.

Unlock Code (optional): During the first deployment of a RED appliance, an unlock code is generated, a security feature, which ensures that a RED appliance cannot simply be removed and installed elsewhere. If the RED appliance you are configuring has been deployed before, you need to provide its unlock code. (If you do not have the unlock code, the only way to unlock the RED appliance is to contact Sophos Support.)

UTM hostname: You need to enter a public IP address or hostname where the UTM is accessible.

2nd UTM hostname: You can enter another public IP address or hostname of the same UTM. Note that you cannot enter the IP or hostname of a different UTM.

Use 2nd hostname for: You can configure what the second hostname should be used for:

Failover: Select this option to only use the second hostname if the first hostname fails.

Balancing: Select this option to activate active load balancing between both hostnames. Use this feature when the external interfaces that the 1st and 2nd hostnames refer to have the same latency and throughput.

Uplink mode/2nd Uplink mode: You can define how the RED appliance receives an IP address, which can be either via DHCP or by directly assigning a static IP address. You define the uplink mode for each RED uplink Ethernet port separately.

DHCP client: The RED pulls an IP address from a DHCP server.

Static address: Enter an IPv4 address, a corresponding netmask, a default gateway and a DNS server. 

Note – There is no one-to-one association between UTM hostname and RED uplink Ethernet port. Each RED port will try to connect to each defined UTM hostname. 

Use 2nd uplink for: You can configure what the second uplink should be used for: 

Failover: Select to only use the second uplink in case the first uplink fails.

Balancing: Select to activate active load balancing between both uplinks. Use this feature when both uplinks have the same latency and throughput.

Operation mode: You can define how the remote network will be integrated into your local network.

Standard/Unified: The UTM completely controls the network traffic of the remote network. Additionally, it serves as DHCP server and as default gateway. All remote network traffic will be routed through the UTM.
Standard/Split: The UTM completely controls the network traffic of the remote network. Additionally, it serves as DHCP server and as default gateway. In contrast to the Unified mode, only certain traffic will be routed through the UTM. Define local networks in the Split Networks box below which can be accessed by remote clients.
Transparent/Split: The UTM does not control the network traffic of the remote network; it neither serves as DHCP server nor as default gateway. Instead, it pulls an IP address from the DHCP server of the remote network to become a part of that network. However, you can enable access for remote clients to your local network. For that you need to define Split Networks that are allowed to be accessed by the remote network. Additionally, you can define one or more Split Domains to be accessible. If your local domains are not publicly resolvable, you need to define a Split DNS Server, which can be queried by remote clients.

You can find examples for all the operation modes on the Deployment Helper tab.

Optionally, the following advanced settings are available:

MAC filtering type: (Available with UTM v 9.1 and above) To restrict the MAC addresses allowed to connect to this RED appliance, select Blacklist or Whitelist. 

If you select Blacklist, you can create a blacklist in the MAC addresses (below); the addresses you list there will be prohibited, all other MAC addresses are allowed. 

If you select Whitelist, you can create a whitelist in the MAC addresses (below); only the addresses you list there will be allowed, all other MAC addresses are prohibited. 

MAC addresses: (Available with UTM v 9.1 and above) This field is only displayed if you have selected either Whitelist or Blacklist in 'Mac filtering type' above. This list of MAC addresses is used to control access to the RED appliance. MAC address lists can be created on the Definitions & Users | Network Definitions | MAC Address Definitions tab.

Activate the 3G/UMTS failover uplink: Starting with RED rev2, the RED appliance offers a USB port where you can plug in a 3G/UMTS USB stick. If selected, this stick can serve as Internet uplink failover in case of a WAN interface failure. For the necessary settings please refer to your Internet provider's data sheet.

Username/Password (optional): If required, enter a username and password for the mobile network.

PIN (optional): Enter the PIN of the SIM card if a PIN is configured.

Note: If you enter a wrong PIN, the connection via 3G/UMTS cannot be established in the event of a WAN interface failure. Instead, the Activate the 3G/UMTS failover uplink checkbox of the RED appliance will automatically be deselected, so the wrong PIN is only used once. When the WAN interface comes up again, a warning will be displayed for the RED appliance:

A wrong PIN was entered for 3G/UMTS failover uplink. Please change the login data.

When you open the Edit RED dialog box, a message is displayed which tells you that the Activate the 3G/UMTS failover uplink checkbox was automatically deselected. Correct the PIN before selecting the checkbox again. Note: after three connection attempts with a wrong PIN, the SIM card will be locked. Unlocking cannot be done via the RED appliance or the UTM.

Mobile network: Select the mobile network type, which is either GSM or CDMA.

APN: Enter your provider's Access Point Name information.

Dial string (optional): If your provider uses a different dial string, enter it here. Default is *99#.

Note: You will need to perform the following configurations manually:

    1. Creating the necessary firewall rules (Network Protection | Firewall | Rules).
    2. Creating the necessary masquerading rules (Network Protection | NAT | Masquerading).

3. Click Save.

4. The RED appliance will now be set up, and the UTM will register with the Sophos RED Provisioning Service (RPS). 

Important: It is crucial that you keep the Unlock Code, which is emailed instantly to the address provided on the Global Settings tab (during activation of RED) as soon as the RED appliance registers with the RPS. You need the unlock code when you want to use the RED appliance with another UTM. If you do not have the unlock code ready at that point, the only way to unlock the RED appliance is to contact Sophos Support.

When you have configured the necessary firewall rules (and, if required, masquerading rules), the RED appliance on the remote site can be connected to the Internet. As soon as it has booted, it will fetch its configuration from the Sophos RED Provisioning Service (RPS). After that the connection between your UTM and the RED appliance will be established. You can view the status of all configured RED appliances on the RED overview page of WebAdmin. 

Deleting a RED Appliance

To delete a RED appliance, click the Delete button next to the appliance name.

There will be a warning that the RED object has dependencies. Be aware that deleting a RED appliance will not delete associated interfaces and their dependencies. This is intentional, since it enables you to move an interface from one RED appliance to another.

If you want to remove a RED appliance setup completely, you need to delete potential interface and other definitions manually.

If you need more information or instructions, please contact technical support.