Configuring the Sophos XG Firewall with VMware ESXi
The Sophos XG is a next-generation firewall packed with enterprise-grade features. The team at Sophos have been kind enough to offer a FREE software version of this firewall for home users, which I have managed to install using VMware ESXi.
Having the ability to install the firewall onto an ESXi server meant I could provision multiple VMs on one machine and on the same network. Before setting the Sophos XG firewall up, I searched online to find guides on how to do this and, to my surprise, I didn’t find much, hence the reason for this post.
If you’re struggling to configure ESXi to work with the firewall, or you just want some guidance, then follow these steps to get your Sophos XG firewall up and running.
Example topology: The topology below is that of a small example network which will be referred to throughout this guide to help you set your firewall up.
Let me just explain this topology a little further…
- ISP router is at the edge of the network and is in modem only mode. You can keep it in routing mode, but you may suffer from dropped connections. It is also suggested that you turn WiFi off on it, as you don’t want your internal hosts bypassing the firewall.
- ESXi server will have x2 physical interfaces, one acting as the WAN interface and the other the LAN interface. The topology shows two virtual machines on the ESXi server, one being the XG and the other Server 2012 (optional). The red dotted line is referring to the interface on the XG that will connect to the ISP router whereas the green dotted line refers to the internal interface connecting to the access point. The vSwitches and NICs are explained in more detail later.
- The device named “AP” is the internal router. This will be put into access point mode only and set with a static IP address and default gateway which will point to the internal interface of the Sophos XG.
Before we begin, let’s make sure we have the right hardware and software.
- ISP Router
- Server with at least 500 GB to 1 TB of storage and x2 NICs
- VMware ESXi software (Installed on your server)
- VMware vSphere software (Used to access ESXi and the VMs within)
- Additional router (This is used to connect your LAN clients)
- VMware Workstation software (This is a paid software and is similar to vSphere however it does offer additional features)
- Server Operating System such as Server 2012 (Can be used to add devices to a domain and as a DHCP server)
Step 1: Installing and Configuring ESXi
- Install VMware ESXi onto your server. When the install has finished, you should be presented with a screen like the one below. Before we go any further, it is important that you have your server connected via ethernet to the same network as your LAN.
We will now configure ESXi with an IP address so that we can access it via vSphere/Workstation.
- Press F2 and enter “password” as the password. Now that we have access, we can change this by clicking on “configure password”.
- When you have configured your password, click on “configure management network”.
- Now click on “Network Adapters” and make a note of the NIC that is being used for your LAN.
- Now click on “IP Configuration” and assign your management interface IP address. It is recommended that you select the “static” IP address option and assign an IP address that is not currently being used on your network.
You should now be able to access your ESXi server using vSphere, Workstation or both.
Step 2: Access ESXi via vSphere
- Open vSphere and connect to the ESXi server by inputting the IP address you have just assigned to the management interface in step 1 along with “root” as the username and the password you previously set in step 1.
- Once you have successfully logged in, navigate to the tab “Configuration” and select “Networking” on the left-hand side. You should see that a “vmnic” is already active for the management network; this will be used for the internal network, i.e. your LAN.
- Now create another vSwitch and VMkernel for the external connection by clicking on “Add Networking” in the top right-hand corner. First, select “VMkernel” and then select your second NIC. If you are unsure which one yours is, connect your ethernet cable from your second server port to the ISP router (which should be in modem only mode). The interface should now show as up.
- Click next and, unless you wish to create VLANs, press next again and enter another network IP address before getting to the summary.
- Now click on “Add networking” again and this time select Virtual Machine, then select the NIC you chose in the last step. Follow the settings through and finish off. You should now have another vSwitch with a separate VMkernel and vmnic.
Step 3: Install Sophos XG
You can use vSphere for this, however, I would highly recommend using Workstation to do the following. (These instructions will now refer to VMware Workstation).
- Sign into your ESXi server just as you did on vSphere.
- On VMware Workstation click “file” – “new virtual machine” and select the server IP address as the target.
- Go through the settings you prefer in order to get to the summary section but do not finish.
- Click on “Customise Settings” and add x2 network adapters and uncheck “connect on power on”. You will also need to add the Sophos XG image to the virtual hard drive. Once this is done, finalise the settings and start the machine.
- Depending on the size of the drive you have provisioned, the install could take some time.
- When the install has finished you will be asked to remove the installation disk and press “y” to reboot. Instead of pressing “y” to reboot, power off the machine and remove the image file from the virtual disk.
- Power up the machine again and wait for it to load. Once loaded you should be presented with a screen similar to the one below once you have signed in. The default username and password is admin – admin.
- Now press “1” for Network Configuration so that we can change the default internal IP address given.
- Press “1” again for Interface Configuration and proceed to press enter twice to get to the configuration of the IPv4 Address. Note: Your WAN interface is set to DHCP automatically and should have an IP address assigned. If not, reset your modem only ISP router and repeat the last step along with this one so you can validate that you have an IP address assigned to the WAN interface.
- When asked if you want to set the IPv4 address for Port 1 (LAN), select “y” and assign an IP address you have not yet assigned.
- You should now have access to the web-based GUI by typing into your browser: https://<IP ADDRESS>:4444
- Once you have gained access you will need to confirm your license and this requires an internet connection which you should have through your external interface.
Step 4: Change your Internal Router into an AP
- Before proceeding with the Sophos wizard you should be able to change your internal router into an AP. You will need to give your AP the default gateway of the Sophos internal facing interface. Other clients on your network may lose connection as DHCP isn’t configured by default. This interface will be the new gateway for all internal clients.
- Regain connection to the web browser GUI and continue with the Sophos XG wizard.
Step 5: Sophos XG Install Continued…
- When the wizard has completed and applied all the configuration changes you will have to reload the GUI and regain access to the dashboard. The dashboard should look something like the one pictured below.
- Once you have access we need to configure a DHCP server for LAN clients to connect.
- Navigate to the “System” tab (looks like a cog)
- Click on “Network” and then “DHCP” as shown in the image below
Note: If you are using another device as a DHCP server you can also set-up DHCP Relay further down the same page.
- Under the DHCP server section click on “Add” where you will be taken to another page to enter your DHCP pool settings. Enter your settings accordingly but be mindful of any addresses already issued on your network.
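The DHCP step and the earlier interface steps both come down to one address plan: the XG’s Port 1 address (the new gateway), the ESXi management address, the AP’s static address and the DHCP pool all have to live in the same LAN subnet without colliding. The checker below is an added example, not code from the original post or from Sophos; the subnet, host names and addresses are constructed placeholders for the guide’s topology, and you would substitute your own.

```python
import ipaddress

# Constructed sample address plan for this guide's topology (placeholder values, not from the original post).
LAN = "192.168.10.0/24"
STATIC_HOSTS = {
    "sophos_lan_port1": "192.168.10.1",  # XG Port 1, the new default gateway for all internal clients
    "esxi_management": "192.168.10.2",   # ESXi management VMkernel set in Step 1
    "access_point": "192.168.10.3",      # internal router switched to AP mode in Step 4
    "server_2012": "192.168.10.4",       # optional Windows server VM
}
DHCP_POOL = ("192.168.10.100", "192.168.10.200")  # range entered on the XG DHCP page


def check_address_plan(lan, static_hosts, pool, gateway_name="sophos_lan_port1"):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    net = ipaddress.ip_network(lan, strict=True)

    # Every static host must sit inside the LAN, avoid the network/broadcast
    # addresses, and be unique.
    seen = {}
    for name, addr in static_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} {addr} is outside {lan}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name} {addr} is the network or broadcast address")
        if ip in seen:
            problems.append(f"{name} and {seen[ip]} both use {addr}")
        seen[ip] = name

    # The XG's internal interface is the gateway the AP and the DHCP clients
    # will point at, so the plan is incomplete without it.
    if gateway_name not in static_hosts:
        problems.append(f"no address recorded for the gateway '{gateway_name}'")

    # The DHCP pool must be ordered, inside the LAN, and must not overlap any
    # address already issued statically (the "be mindful" caveat in Step 5).
    start, end = (ipaddress.ip_address(a) for a in pool)
    if start > end:
        problems.append(f"DHCP pool start {start} is after its end {end}")
    else:
        if start not in net or end not in net:
            problems.append(f"DHCP pool {start}-{end} is not inside {lan}")
        if start == net.network_address or end == net.broadcast_address:
            problems.append("DHCP pool includes the network or broadcast address")
        for ip, name in seen.items():
            if start <= ip <= end:
                problems.append(f"DHCP pool {start}-{end} would hand out {name}'s address {ip}")
    return problems


if __name__ == "__main__":
    issues = check_address_plan(LAN, STATIC_HOSTS, DHCP_POOL)
    print("address plan OK" if not issues else "\n".join(issues))
```

Run it once with your real values before clicking “Add” on the DHCP page; moving a host into the pool range or mistyping the subnet produces a named problem rather than a client that silently gets a duplicate address.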
Once these settings have been followed you should have full network connectivity again, and your clients should be able to request a new DHCP address from the firewall. All your internal hosts’ traffic will now pass through the Sophos XG firewall, giving you that extra layer of security. You can now go ahead and configure the firewall the way you want it.
I hope this has been helpful for you and I hope you have managed to get your firewall up and running. If you have any questions, I will do my best to answer them but otherwise please refer to the Sophos community.
You can also catch me on Twitter: @iwiizkiid