Jump to:navigation, search
Wiki

Appliance Settings

From Securepoint Wiki






























In dieser Seite werden die Variablen für unterschiedliche Sprachen definiert.
Diese Seite wird auf folgenden Seiten eingebunden











































Global settings of the UTM

Last adaptation to the version: 14.1.2(02.2026)

New:
notempty
This article refers to a Beta version
Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default-Port: 11115
i.e.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115 Network Appliance Settings  Area Appliance Settings

```markdown








```
notempty
  • Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2.
  • Support for certificates with the SHA1 signing algorithm will also be removed starting with version 14.2.
  • HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2!
  • Insecure certificates should be replaced urgently!
    The BSI recommends—as of January 2025—key lengths of 3000 bits or more and SHA256
    BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths BSI TR-02102-1 | Chapter 2.3: RSA encryption

    The default setting of the UTM for new certificates is RSA encryption with 3072 bits and SHA256 as the hash algorithm

    • Show affected applications
    Hide affected applications
    Klicken für dauerhafte Anzeige
  • OpenVPN
  • Server certificate when acting as a server (Roadwarrior or S2S)
  • Client certificate for S2S
  • If applicable, certificate specified as client certificate via user attribute (Authentication → Users → Edit User)
  • Mailrelay
  • Relaying "Certificate" (under TLS encryption as server)
  • Reverse-Proxy
  • Settings → SSL Certificate
  • Webserver
  • Network → Server Settings → Webserver → Certificate
  • HTTP-Proxy
  • SSL Interception → CA Certificate

    • Caption Value Description Appliance Settings UTMuser@firewall.name.fqdnNetwork Appliance Settings

    Firewall

    Firewall
    Firewall Name:     Full Qualified Domain Name-Compliant firewall name.
    Here you can define how the UTM responds to requests.
     If the mail relay is to be used, it may be useful to enter the FQDN of the mail exchange (MX) here so that other mail servers can match it using the reverse resolution of the PTR resource record (PTR).

    Read out:
    extc global get variable "GLOB_HOSTNAME"
    Set:
    extc global set variable "GLOB_HOSTNAME" value "utm.firma.local"

    Global contact person:     This field is used to enter the name of the administrator or organization that will later be specified in the UTM error messages for queries.
    Global email address:     An email address is entered here to which mails can be sent that otherwise cannot be delivered.
    Otherwise, undeliverable mails remain on the hard disk space, which can lead to the fact that the available space is no longer sufficient at some point and no more mails will be accepted.
    As of version v12.4.2 have an email address has to be stored here.
    Otherwise the mail connector and proxy will not start!
    A global email address will be requested when logging in.

    notempty
    The global email address is also the postmaster address for the mail relay.

    Read out:
    extc global get variable "GLOB_ADMIN_EMAIL"
    Set:
    extc global set variable "GLOB_ADMIN_EMAIL" value "utm-admin@ttt-point.de"

    Report language: German Language in which UTM reports are sent.
    Alternatively to choose: English

    DNS-Server

    DNS-Server
    Check Nameserver prior to local cache: Off (Default) The local cache of the UTM initially answers the DNS queries (corresponds to 127.0.0.1) as the primary name server.
    On activation, the name servers entered here will check the name resolution before the local cache of the UTM.
    Primary Nameserver:

    Secondary Nameserver:    		    

           		 The IP addresses of two external name servers to which the UTM should forward the DNS queries can be entered here.
  • DNS servers that can be reached via the external interface should be entered here.
    • notempty
    Please do not enter a DNS server from your own internal network.

    Time Settings

    Time Settings
    Current Date: 2020-20-32 25:00:20 The current time can also be entered manually.
    Refreshes the display.
  • In the interaction of servers, VPN connections and especially with OTP authentication, it is important that all components are synchronized in time.
    • NTP-Server:
    notempty
    updated: Multiple entries possible
    		 »ntp.securepoint.de The required NTP servers can be entered here.
  • Entering an IP address can avoid problems with DoT and DNSSEC.
    • Timezone: Europe/Berlin Correct time zone

    Webserver

    Webserver







  • If the port for the admin or the user interface is set to a well known port (ports 0-1023), access by the browser can be blocked!
    Access may still be possible:
    • The start of e.g. Google Chrome or Edge is done with the start parameter --explicitly-allowed-ports=xyz.
    • For Firefox, a string variable with the value of the port to be released is created in the configuration (about:config in the address bar) under network.security.ports.banned.override.
    • It is possible to create a temporary policy for chromium-based browsers to allow its use.
      This is strongly discouraged for safety reasons!
  • Error message in Chome / Edge: ERR_UNSAFE_PORT
  • Error message in Firefox: Error: Port blocked for security reasons
    • Administration Webinterface Port: 11115 Port to reach the administration interface (which is used e.g. to display the web page shown in the image. In delivery state: 192.168.175.1:11115
    User Webinterface Port: 443 Port to reach the user interface. This is used for example to access filtered mails and VPN configurations.
    notempty
    The user interface port must be changed if port 443 (HTTPS) is used for the reverse proxy.

    notempty
    The user interface port must be changed if port 443 (HTTPS) is forwarded.
    Certificate:    

    ```markdown








    ```
  • Please note the minimum requirements for certificates from UTM version 14.2 onwards!
    notempty
    • Support for certificates with a key length of 1024 bits or less will be removed starting with UTM version 14.2.
    • Support for certificates with the SHA1 signing algorithm will also be removed starting with version 14.2.
    • HTTP proxy or SSL VPN connections with such outdated certificates will no longer work as of v14.2!
    • Insecure certificates should be replaced urgently!
      The BSI recommends—as of January 2025—key lengths of 3000 bits or more and SHA256
      BSI – Technical Guideline – Cryptographic Methods: Recommendations and Key Lengths BSI TR-02102-1 | Chapter 2.3: RSA encryption

      The default setting of the UTM for new certificates is RSA encryption with 3072 bits and SHA256 as the hash algorithm

    • Affected applications:
      • OpenVPN
        • Server certificate when acting as a server (Roadwarrior or S2S)
        • Client certificate for S2S
        • If applicable, certificate specified as client certificate via user attribute (Authentication → Users → Edit User)
      • Mailrelay
        • Relaying "Certificate" (under TLS encryption as server)
      • Reverse-Proxy
        • Settings → SSL Certificate
      • Webserver
        • Network → Server Settings → Webserver → Certificate
      • HTTP-Proxy
        • SSL Interception → CA Certificate

    • Without a dedicated selected certificate, the default certificate of the UTM is used, which was issued by the default CA: firewall.foo.local
    If the UTM should be recognized by the browser with a valid certificate, proceed as follows:
    1. Create a CA ( Authentication Certificates  Area CA button Add CA)
    2. Export the public part of the CA
    3. Create Certificate (Certificates Button Add Certificate
      1. Select the CA that was exported in step 2 as the CA
      2. Alias DNS FQDN - Name of the UTM , as in Network Firewall  Area Server Settings section
        Firewall
         field firewall name: entered
        Multiple entries are possible!
      3. AliasIP IP Address IP address under which UTM can be reached.
        Several entries are possible in each case!
    4. Select the just created certificate under Network Server Settings  Area Server Settings Section
      Webserver
       Certificate:
    5. Import the exported CA in the browser as a certificate authority
  • It is also possible to use ACME certificates.

    • Advanced Settings

    Advanced Settings
    Maximum Active Connections: 32000 Maximum number of active connections to the UTM.
    This includes:
    • Web interface
    • SMTP
    • SSH
    Last-Rule-Logging: SHORT - Log three entries per minute The Last-Rule-Logging setting controls the number of messages that are written to the Syslog.
    • NONE - Do not log
    • SHORT - Log three entries per minute : Only the first three log messages per minute are displayed.
    • LONG - Log everything
    notempty
    We recommend to leave the setting at short.
    Retrieved from "https://wiki.securepoint.de/index.php?title=UTM/NET/Servereinstellungen&oldid=100856"