reference deployment

Sophos outbound web proxy on AWS

Outbound web filtering proxy with Sophos OTM and Outbound Gateway

This Quick Start automatically deploys an outbound web filtering proxy on the Amazon Web Services (AWS) Cloud, using the Sophos Unified Threat Management (UTM) virtual appliance. The Quick Start also uses Sophos Outbound Gateway to extend security to multiple virtual private clouds (VPCs).

Sophos UTM provides multiple security functions, including firewall, intrusion prevention, VPN, and web filtering. Sophos Outbound Gateway provides a distributed, fault-tolerant architecture to provide visibility, policy enforcement, and elastic scalability to outbound web traffic.

The Quick Start builds a cloud environment that enables you to whitelist AWS API calls without allowing internet access. You can also use this reference deployment to enable other proxy use cases with Sophos UTM.

logo-sophos-150

This Quick Start was developed by Sophos in collaboration with AWS. Sophos is an
APN Partner.

  •  What you'll build
  •  How to deploy
  •  Cost and licenses
  •  What you'll build
  • The deployment is automated by an AWS CloudFormation template, which sets up the virtual network and creates the networking resources and EC2 instances needed for the Sophos outbound proxy solution. The template deploys a highly available architecture that includes the following Sophos components:

    • Sophos UTM 9 virtual appliance helps you secure your infrastructure in AWS. Sophos UTM provides multiple security tools like Next-Gen Firewall (NGFW), Web Application Firewall (WAF), Intrusion Prevention System (IPS), and Advanced Threat Protection (ATP).
    • Sophos UTM Queen (Controller) provides administrative control and configuration management for UTM Workers.
    • Sophos UTM Workers terminate the Generic Routing Encapsulation (GRE) tunnels from the Outbound Gateways and proxy the traffic to the destination based on the policy configured within the Controller.
    • Sophos Outbound Gateway resides within an Availability Zone where clients need to connect out through the proxy.

    To centralize the proxy service for the clients, the Queen Controller and Workers are deployed into a dedicated proxy VPC.

    This Quick Start deploys a separate application VPC for the proxy clients. The application VPC contains the Outbound Gateway for AWS to support the connections from the clients, bastion host instances, and tester instances. You can use these instances to test the outbound web proxy functionality.

    You can extend the Quick Start architecture to include your existing VPCs and clients by adding an Outbound Gateway in other VPCs.

  •  How to deploy
  • To build your Sophos outbound web proxy environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at https://aws.amazon.com.
    2. In AWS Marketplace, review and accept terms for the Amazon Machine Image (AMI) for Sophos UTM 9. Two licensing options are available:
    3. Launch the Quick Start. The deployment takes about 20 minutes.
    4. Configure the Sophos UTM Controller.
    5. Test outbound web filtering functionality.
    6. (Optional) Configure a URL whitelist.

    The Quick Start includes parameters that you can customize. For example, you can change instance types and CIDR blocks, and customize Sophos UTM settings.

  •  Cost and licenses
  • You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. You can use the Simple Monthly Calculator to view typical costs for default template settings and adjust the configuration based on your deployment. Additional cost for licensing will vary based on the consumption model (BYOL or hourly) as well as instance sizes.

    Prices are subject to change. See the pricing pages for each AWS service you will be using in this Quick Start for full details.

    This deployment supports both the BYOL and the hourly model for the Sophos UTM software. If you already have a license for the Sophos UTM, you can select the BYOL option and upload your license file after deployment.

    This Quick Start launches Amazon Machine Images (AMIs) for the Sophos UTM Controller and Worker instances as well as bastion host and Linux testing instances.