Do you recognize a good idea when you see one? We want to hear from you!
Header Image

UTM (Formerly ASG) Feature Requests

Do you have an idea for Sophos UTM? Do you recognize a good idea when you see one? We want to hear from you!

I suggest you ...

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can vote and comment on it.

If it doesn't exist, you can post your idea so others can vote on it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  1. Reverse Proxy: Authentication Offloading like TMG

    will there be a feature like Authentication / captive portal (e.g. the proxy settings"transparent with authentication" ) for enabling a reverse proxy?
    This would be so usfull for small installations with no frontend exchange / DMZ.
    (juniper calls this "webauth" )

    322 votes
    Vote
    Sign in
    Check!
    (thinking…)
    Reset
    or sign in with
    • facebook
    • google
      Password icon
      I agree to the terms of service
      Signed in as (Sign out)
      You have left! (?) (thinking…)
      22 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
    • Webserver Protection: Redirect HTTP to HTTPS

      One of the most important problems of the website users is, when they want to open the page that is HTTPS, they forget to type HTTPS at the beginning of the address and the request is sent via HTTP. Therefore they can not view the page successfully. If the "URL redirection" feature will provided on Sophos UTM or WAF it is possible to automatically redirect all HTTP requests to HTTPS before the request reaches to the real web server. This will solve the problem of the website users.

      272 votes
      Vote
      Sign in
      Check!
      (thinking…)
      Reset
      or sign in with
      • facebook
      • google
        Password icon
        I agree to the terms of service
        Signed in as (Sign out)
        You have left! (?) (thinking…)
        20 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
      • Web Server Protection: Support for ActiveSync 14.1

        WAF doesn't support ActiveSync 14.1, i.e. after you install SP3 for Exchange 2010, you can't use use WAF to protect your ActiveSync Server anymore. This is poor.

        147 votes
        Vote
        Sign in
        Check!
        (thinking…)
        Reset
        or sign in with
        • facebook
        • google
          Password icon
          I agree to the terms of service
          Signed in as (Sign out)
          You have left! (?) (thinking…)
          Under Review  ·  5 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
        • Web Server Protection: Certificate-based Authentication

          I would appreciate to support certificate-based authentication like at Microsoft TMG. I don't know why Sophos is making advertisements for "Replace your TMG with Sophos UTM" if UTM even can't do this! I want the reverse proxy to check a client certificate, If this certificate is not valid or it doesn't exists it shows an error page.

          TMG Config: http://4sysops.com/wp-content/uploads/2011/07/SSL-Client-Certificate-Authentication_thumb.png

          124 votes
          Vote
          Sign in
          Check!
          (thinking…)
          Reset
          or sign in with
          • facebook
          • google
            Password icon
            I agree to the terms of service
            Signed in as (Sign out)
            You have left! (?) (thinking…)
            0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
          • Web Server Protection: Add Mod_Rewrite support (URL Rewriting)

            Astaro 8 now supports an HTTP reverse proxy, but it is not as feature rich as it does not allow for custom configurations. 10.0.0.1:5449/ ProxyPassReverse /director2/ http://10.0.0.1:5449/

            Since the Apache reverse proxy service is already configured for mod_rewrite, among other things, simply having a way to include these settings in an advanced section or via the command-line is all that may be necessary.

            108 votes
            Vote
            Sign in
            Check!
            (thinking…)
            Reset
            or sign in with
            • facebook
            • google
              Password icon
              I agree to the terms of service
              Signed in as (Sign out)
              You have left! (?) (thinking…)
              1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
            • Web Server Security: Support for Wildcard Domain Routing

              It would be great, if you could add " *.domain.com " in WAF.
              So that you dont need to add every single FQDN for every site.

              89 votes
              Vote
              Sign in
              Check!
              (thinking…)
              Reset
              or sign in with
              • facebook
              • google
                Password icon
                I agree to the terms of service
                Signed in as (Sign out)
                You have left! (?) (thinking…)
                6 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
              • websocket support for WAF

                we are hosting a SignalR hub (http://signalr.net/) behind a Sophos UTM 320. We use the Web Server Protection feature extensively in our environment, and as such have opted to use the same for this.
                SignalR will always try to use Web Sockets (http://en.wikipedia.org/wiki/WebSocket), a new HTML5 API, and fallback to other technologies where this isn't possible to be used.
                Since we've been hosting the hub via the reverse proxy, none of our clients are able to connect via Web Sockets :so having support for websockets in WAF would be super cool

                83 votes
                Vote
                Sign in
                Check!
                (thinking…)
                Reset
                or sign in with
                • facebook
                • google
                  Password icon
                  I agree to the terms of service
                  Signed in as (Sign out)
                  You have left! (?) (thinking…)
                  1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                • Web Server Protection: Transparent reverse proxy

                  Please provide the option to use reverse proxy also with transparent mode. This way permits to have the real remote host IP traced on the web server log files instead of the IP of the firewall. Now without transparent mode, every web analyzer software is not able to give real traffic reports...

                  56 votes
                  Vote
                  Sign in
                  Check!
                  (thinking…)
                  Reset
                  or sign in with
                  • facebook
                  • google
                    Password icon
                    I agree to the terms of service
                    Signed in as (Sign out)
                    You have left! (?) (thinking…)
                    10 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                  • Web Application Security: White / Blacklist Support for Visitor IP's

                    I would like to see an option to deny or allow certain ip adresses that can access the webservers. Not only based on country but on the ip adres itself.

                    47 votes
                    Vote
                    Sign in
                    Check!
                    (thinking…)
                    Reset
                    or sign in with
                    • facebook
                    • google
                      Password icon
                      I agree to the terms of service
                      Signed in as (Sign out)
                      You have left! (?) (thinking…)
                      Under Review  ·  11 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                    • WebServer Protection: GZIP encoding of proxied HTTP traffic

                      The WAF strips the Accept-Encoding header from client requests, which is fine, as compression is not generally useful between the origin server and the proxy. However, it doesn't use the header itself, either. It doesn't compress proxied traffic before returning it to the client. Interestingly, pages generated by the WAF itself (such as error documents) are compressed. Only the proxied content remains uncompressed, and this can have a substantial impact on page speed.

                      39 votes
                      Vote
                      Sign in
                      Check!
                      (thinking…)
                      Reset
                      or sign in with
                      • facebook
                      • google
                        Password icon
                        I agree to the terms of service
                        Signed in as (Sign out)
                        You have left! (?) (thinking…)
                        4 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                      • WebServer Protection: Allow for larger upload handling

                        For web sites with larger uploads (e.g. ownCloud) there is currently a 128MB (134217728 byte) limit in Web Server protection, the so called request body limit in ModSecurity.
                        Please add the possibility to configure this parameter (it's "SecRequestBodyLimit" in the Apache config) to allow larger uploads to sites protected by WAF.

                        38 votes
                        Vote
                        Sign in
                        Check!
                        (thinking…)
                        Reset
                        or sign in with
                        • facebook
                        • google
                          Password icon
                          I agree to the terms of service
                          Signed in as (Sign out)
                          You have left! (?) (thinking…)
                          2 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                        • Web Application Security: Remote Desktop Support

                          Equal as Outlook Anywhere Remote Desktop uses RPC requests. In the meantime Outlook Anywhere is supported officially by UTM 9.1 So I hope the effort for the develovers will be small to implement it as well. I think the advantage will be huge for many of use, because many customer ask for it.

                          36 votes
                          Vote
                          Sign in
                          Check!
                          (thinking…)
                          Reset
                          or sign in with
                          • facebook
                          • google
                            Password icon
                            I agree to the terms of service
                            Signed in as (Sign out)
                            You have left! (?) (thinking…)
                            9 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                          • Web Application Firewall OTP support for form to form authentication

                            Support for form to form authentication with one time passwords in the WAF.

                            The WAF should be able to pass authentication through to a website which authenticates using a form (as opposed to only basic auth) if there is configuration on the UTM that defines the URL to the page which can process the login (not the login form) and the field names for the username and password.

                            30 votes
                            Vote
                            Sign in
                            Check!
                            (thinking…)
                            Reset
                            or sign in with
                            • facebook
                            • google
                              Password icon
                              I agree to the terms of service
                              Signed in as (Sign out)
                              You have left! (?) (thinking…)
                              0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                            • Web Application Firewall: Remote Desktop Gateway support

                              Similar to support for Outlook Anywhere, it would be really beneficial if the WAF allowed for the publishing of Remote Desktop Gateway and handled those methods. RDG_OUT_DATA followed by RPC_IN_DATA and RPC_OUT_DATA, and including /RemoteDesktopGateway in the request. It seems like common functionality that many customers must be looking for...

                              30 votes
                              Vote
                              Sign in
                              Check!
                              (thinking…)
                              Reset
                              or sign in with
                              • facebook
                              • google
                                Password icon
                                I agree to the terms of service
                                Signed in as (Sign out)
                                You have left! (?) (thinking…)
                                3 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                              • Extend Security for Microsoft Exchange OWA 2010 Publishing

                                The strong security features like URL-hardening, cookie-signing and form-hardening are still not available with owa newer than 2003. The knowledgebase just told me, to deactivate those feature. But they are important for higher security level.

                                30 votes
                                Vote
                                Sign in
                                Check!
                                (thinking…)
                                Reset
                                or sign in with
                                • facebook
                                • google
                                  Password icon
                                  I agree to the terms of service
                                  Signed in as (Sign out)
                                  You have left! (?) (thinking…)
                                  0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                • Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong cat

                                  Enable Web Application Firewall support to specify cipher strengths it can accept. Either cipher-by-cipher basis or on a weak/med/strong category.

                                  25 votes
                                  Vote
                                  Sign in
                                  Check!
                                  (thinking…)
                                  Reset
                                  or sign in with
                                  • facebook
                                  • google
                                    Password icon
                                    I agree to the terms of service
                                    Signed in as (Sign out)
                                    You have left! (?) (thinking…)
                                    4 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                  • Source IP restriction for website / paths

                                    Please implement the ability to restrict access to specific paths on a website to defined source IP's. Usually this has been done on the webserver, but NAT'ting of the Webserver Protection breaks this feature on webservers (sees the internal IP of UTM instead of public source IP).

                                    Usage Examples:

                                    a)
                                    Website globally allowed
                                    path /administrator only allowed to defined source IP's

                                    b)
                                    Partner hosts a private company Website - should anly be accessible from Company public IP's
                                    path / only allowed to defined source IP's

                                    23 votes
                                    Vote
                                    Sign in
                                    Check!
                                    (thinking…)
                                    Reset
                                    or sign in with
                                    • facebook
                                    • google
                                      Password icon
                                      I agree to the terms of service
                                      Signed in as (Sign out)
                                      You have left! (?) (thinking…)
                                      3 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                    • HTTPS Reverse Proxy

                                      When using ASG to terminate SSL sessions (SSL Offloading), it’s sometimes needed to get the client certificate (mutual authentication) and pass some SSL info such as SSL Session IDs and Client-SSL Certificate information (e.g. certificate fingerprint and serial number) inside HTTP header to be used and processed by the protected web applications.
                                      An example of this use; let’s assume that I have a plain-text web application with certificate-based user authentication, so, it’s necessary to have such features in my WAF appliance.

                                      23 votes
                                      Vote
                                      Sign in
                                      Check!
                                      (thinking…)
                                      Reset
                                      or sign in with
                                      • facebook
                                      • google
                                        Password icon
                                        I agree to the terms of service
                                        Signed in as (Sign out)
                                        You have left! (?) (thinking…)
                                        1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                      • Make Web Application Firewall Site Path Routing case insensitive.

                                        Site Path Routing should have an option to treat the path in a case neutral manner.

                                        15 votes
                                        Vote
                                        Sign in
                                        Check!
                                        (thinking…)
                                        Reset
                                        or sign in with
                                        • facebook
                                        • google
                                          Password icon
                                          I agree to the terms of service
                                          Signed in as (Sign out)
                                          You have left! (?) (thinking…)
                                          1 comment  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                        • Email and SNMP Notification for Web Application Firewall

                                          Add Email and SNMP Notification for Web Application Firewall (HTTP/S Reverse Proxy) when the ASG found a Virus in Web Application Firewall traffic.
                                          This is very useful for the Network Administrator to find any Security holes.

                                          14 votes
                                          Vote
                                          Sign in
                                          Check!
                                          (thinking…)
                                          Reset
                                          or sign in with
                                          • facebook
                                          • google
                                            Password icon
                                            I agree to the terms of service
                                            Signed in as (Sign out)
                                            You have left! (?) (thinking…)
                                            0 comments  ·  Web Server Protection  ·  Flag idea as inappropriate…  ·  Admin →
                                          ← Previous 1 3 4
                                          • Don't see your idea?

                                          Feedback and Knowledge Base