Sophos UTM Manager

Sophos UTM Manager (SUM) is the central management product of Sophos. You can connect several Sophos UTM on AWS appliances to a SUM, where they can be centrally monitored, configured and maintained. SUM 4.2 supports configuring Sophos UTM on AWS 9.2 only. Other Sophos UTM on AWS versions will also appear in SUM and can be monitored. If, for example, a Sophos UTM on AWS 9.2 connects to a SUM 4.1, it falls into legacy mode; backups and Up2Date installations are still allowed in that mode.

On this tab, you can configure the connection of your Sophos UTM on AWS to one or two SUMs.

Note – When using MSP licensing, disabling SUM, changing the SUM host, or modifying the rights of the SUM administrator can only be done by Sophos UTM Manager (SUM).

To prepare Sophos UTM on AWS to be monitored by a SUM server, proceed as follows:

  1. On the Sophos UTM Manager tab, enable SUM.

    Click the toggle switch.

    The toggle switch turns amber and the SUM Settings area becomes editable.

  2. Specify the SUM host.

    Select or add the SUM server the UTM should connect to. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.

  3. Activate authentication.

    If the SUM server requires authentication, activate authentication and make the following settings:

    • Authentication (optional): Enter the same password (shared secret) as configured on the SUM server.
    • SUM server certificate: To ensure that the UTM establishes a connection to the correct SUM server, upload the SUM server certificate. You can download it from the SUM WebAdmin under Management > Sophos UTM Manager > Device Security.
      Remove certificate: Select if you want to replace or remove the SUM certificate. Afterwards, you can upload a new certificate.
    • Use SUM server as Up2Date cache (optional): Up2Date packages can be fetched from a cache located on the SUM server. If you want to use this functionality for your gateway, select the option Use SUM server as Up2Date cache. Please ensure that on your managing SUM server the Up2Date cache functionality is enabled accordingly. Note that usage of the Up2Date cache functionality is mutually exclusive with using a parent proxy configuration for Up2Dates.
  4. Define the rights of the SUM administrator.

    On SUM, the administrator responsible for this UTM can only administer those areas of your UTM which are explicitly allowed to be administered here. The rights listed here correspond to the SUM Gateway Manager main menu and administrative options.

    Administration: If selected, the administrator can use all features located in the Maintenance and Management menus. He can, for example, view the inventory, create and restore backups, and schedule actions like firmware updates.

    Reporting: If selected, the administrator can use all features located in the Reporting menu. He can, for example, request reports from UTM.

    Monitoring: If selected, UTM will be displayed on the Monitoring pages and the administrator can use all associated features.

    Configuration: If selected, the administrator can use all features located in the Configuration menu. He can, for example, deploy objects (networks, hosts, VPNs) to UTM.

    Note – Please refer to the Sophos UTM Manager Administration Guide for detailed information.

  5. Click Apply.

    Your settings will be saved.

    The toggle switch turns green.

    UTM will now try to establish a connection to Sophos UTM Manager. Once the connection between both systems is established, the connection status will turn green. UTM can then be monitored and administered by the SUM server selected here. You will be able to see the current connection status and health in the SUM Health section. Reloading the page will update this data. If connection problems occur, click the Open Live Log button and read the messages in the live log carefully to diagnose them.
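Step 3 pins the SUM server certificate so the UTM only talks to the intended SUM. The following added example (not Sophos code) shows how an administrator can verify that pinning from a workstation: it fingerprints the certificate downloaded from the SUM WebAdmin (Management > Sophos UTM Manager > Device Security) and compares it with the certificate a SUM host presents on the device port 4433 named in this page. The PEM material below is constructed sample data, not a real certificate; `check_sum_server` performs a live TLS handshake and is the only part that needs network access.

```python
import base64
import hashlib
import re
import ssl

# Port on which the UTM talks to SUM (from this page); 4444 and 4422 are the SUM web UIs.
SUM_DEVICE_PORT = 4433

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = re.sub(r"\s+", "", match.group(1))  # tolerate any line wrapping
    return base64.b64decode(body, validate=True)


def fingerprint_of_pem(pem: str) -> str:
    """SHA-256 fingerprint of the certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificate_matches(expected_pem: str, presented_pem: str) -> bool:
    """True only if the presented certificate is byte-for-byte the pinned one."""
    return pem_to_der(expected_pem) == pem_to_der(presented_pem)


def check_sum_server(host: str, expected_pem: str, port: int = SUM_DEVICE_PORT,
                     timeout: float = 5.0) -> bool:
    """Fetch the certificate presented on host:port and compare it with the pinned PEM.
    Live TLS handshake; timeout= on ssl.get_server_certificate needs Python 3.10+."""
    presented = ssl.get_server_certificate((host, port), timeout=timeout)
    return certificate_matches(expected_pem, presented)


# Constructed sample material: arbitrary bytes standing in for a DER certificate,
# wrapped two different ways to show that wrapping does not change the fingerprint.
SAMPLE_DER = b"constructed SUM device certificate (not a real X.509 object)"
OTHER_DER = b"constructed certificate of some other server"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
REWRAPPED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(SAMPLE_DER).decode()
                 + "\n-----END CERTIFICATE-----")
OTHER_PEM = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(OTHER_DER).decode()
             + "\n-----END CERTIFICATE-----")
```

Run `check_sum_server("<sum-host>", open("sum-device.pem").read())` against your own SUM host (placeholder name) before enabling the connection; a `False` result means the host on 4433 is not presenting the certificate you uploaded.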

Settings for a Second SUM

In this section, you can optionally add a second SUM. This is useful if, for example, you do the configuration yourself (first SUM server) but still want your machines to be monitored by a third party, e.g. your MSSP (second SUM server). The settings are almost identical to those for the first SUM, except that the Configuration option is missing because configuration rights are limited to the first SUM. Sophos UTM on AWS will also not appear in the MSP section of the second SUM, which means MSP licensing is only possible from the first SUM.

Note – The communication between the gateway and SUM takes place on port 4433, whereas the Sophos UTM Manager can be accessed through a browser via the HTTPS protocol on port 4444 for the WebAdmin and on port 4422 for the Gateway Manager interface.

SUM Health

You will be able to see the current connection status and health in the section called SUM Health. Reloading the page will update this data.

SUM Objects

This area is disabled (grayed-out) unless objects exist that were created via a SUM which is now disconnected from Sophos UTM on AWS. SUM-created objects can be network definitions, remote host definitions, IPsec VPN tunnels, etc.

The button Cleanup Objects can be pressed to release any objects that were created by the SUM the device has formerly been managed with. These objects are normally locked and can only be viewed on the local device. After pressing the button, the objects become fully accessible and can be reused or deleted by a local administrator. In case there are objects which are not in use, they will be deleted directly and are not reusable.

Note – Once former SUM-created objects have been cleaned up, they cannot be converted back into SUM-managed objects when reconnecting to that same SUM. This means that if the remote SUM still hosts object definitions for a device which later re-establishes a connection to it, those objects will be deployed to the device again, even though local copies will then already exist.

Live Log

You can use the live log to monitor the connection between your Sophos UTM on AWS and the SUM. Click the Open Live Log button to open the live log in a new window.