For those of you running the Sophos UTM appliance and who are interested in running an Obi device behind it, we have put together the firewall rules and other Sophos UTM configuration changes needed for an Obi. First things first, we need to look at all the ports that need to be opened for the Obi. The Obi forums recommend opening the following ports to allow successful communication:
Allow Outgoing:
- TCP Ports: 6800, 5222, 5223
- UDP Ports: 5060, 5061, 10000 to 11000, 16600 to 16998, 19305
Allow Incoming:
- UDP Port: 10000
However, I have observed a couple of other UDP ranges that Sophos UTM dropped in testing:
Outgoing:
- Extended the UDP range mentioned above from 10000-11000 to 10000-12000
- Added a new UDP range, 12200-13000. (You could simply extend the range above to 10000-13000 to cover both; however, I listed exactly the ranges I saw in the firewall logs, which is why they are split into two.)
Incoming:
So far on the incoming side, I have observed only the port they document: UDP port 10000.
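The extra ranges above came from reading the Sophos UTM packet-filter drop log and comparing it with the forum's list. The script below is an added example (not part of the original post or any Obi/Sophos tooling) that automates that comparison: it parses UTM-style key="value" drop lines for one source IP, collapses the dropped destination ports into contiguous ranges, and reports which of them no current allow-rule covers. The log lines, IP addresses, rule ids and timestamps are constructed for the example; the port lists are the ones given in this post.

```python
"""
Find outbound ports a host (e.g. an Obi adapter) needs that the firewall
allow-rules do not yet cover, from Sophos UTM packet-filter drop logs.

Added example, not from the original post. SAMPLE_LOG is CONSTRUCTED in the
key="value" style of the UTM packetfilter (ulogd) log; hosts and ids are made up.
"""
import re
from collections import defaultdict

# key="value" tokens as written by the UTM packet filter log.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"6": "tcp", "17": "udp"}

# Outgoing ports recommended on the Obi forums, as (low, high) ranges.
FORUM_OUT = {
    "tcp": [(6800, 6800), (5222, 5223)],
    "udp": [(5060, 5061), (10000, 11000), (16600, 16998), (19305, 19305)],
}
# The same list with the two UDP ranges this post added after reading the logs.
EXTENDED_OUT = {
    "tcp": FORUM_OUT["tcp"],
    "udp": [(5060, 5061), (10000, 12000), (12200, 13000), (16600, 16998), (19305, 19305)],
}

# Constructed sample: 192.168.1.50 plays the Obi, 192.168.1.77 is another LAN host.
SAMPLE_LOG = """\
2016:03:01-08:15:01 utm ulogd[2201]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth1" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" length="172" srcport="10020" dstport="5060"
2016:03:01-08:15:02 utm ulogd[2201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" length="172" srcport="10020" dstport="10500"
2016:03:01-08:15:02 utm ulogd[2201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" length="172" srcport="10020" dstport="11432"
2016:03:01-08:15:03 utm ulogd[2201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.50" dstip="203.0.113.10" proto="17" length="172" srcport="10022" dstport="11433"
2016:03:01-08:15:04 utm ulogd[2201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.50" dstip="203.0.113.11" proto="17" length="172" srcport="10022" dstport="12640"
2016:03:01-08:15:04 utm ulogd[2201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.50" dstip="203.0.113.11" proto="17" length="172" srcport="10024" dstport="12641"
2016:03:01-08:15:05 utm ulogd[2201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.50" dstip="203.0.113.12" proto="6" length="60" srcport="41000" dstport="5223"
2016:03:01-08:15:06 utm ulogd[2201]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="192.168.1.77" dstip="203.0.113.12" proto="17" length="60" srcport="5353" dstport="5353"
"""


def parse_drop(line):
    """Return the key/value fields of a packet-filter drop line, else None."""
    fields = dict(KV_RE.findall(line))
    if fields.get("sub") != "packetfilter" or fields.get("action") != "drop":
        return None
    return fields


def dropped_ports(log_text, src_ip):
    """Map protocol name -> sorted list of dropped destination ports for src_ip."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_drop(line)
        if not f or f.get("srcip") != src_ip:
            continue
        proto = PROTO_NAMES.get(f.get("proto"), f.get("proto"))
        seen[proto].add(int(f["dstport"]))
    return {proto: sorted(ports) for proto, ports in seen.items()}


def to_ranges(ports):
    """Collapse a sorted list of ports into contiguous (low, high) ranges."""
    ranges = []
    for port in ports:
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)
        else:
            ranges.append((port, port))
    return ranges


def is_allowed(proto, port, allowed=FORUM_OUT):
    """True if an allow-rule range for this protocol contains the port."""
    return any(low <= port <= high for low, high in allowed.get(proto, []))


def uncovered(log_text, src_ip, allowed=FORUM_OUT):
    """Dropped destination ports for src_ip that the given rules do not cover."""
    gaps = {}
    for proto, ports in dropped_ports(log_text, src_ip).items():
        missing = [p for p in ports if not is_allowed(proto, p, allowed)]
        if missing:
            gaps[proto] = to_ranges(missing)
    return gaps


if __name__ == "__main__":
    print("gaps against the forum list:", uncovered(SAMPLE_LOG, "192.168.1.50"))
    print("gaps against the extended list:", uncovered(SAMPLE_LOG, "192.168.1.50", EXTENDED_OUT))
```

Against the forum list the sample drops show two uncovered UDP ranges (11432-11433 and 12640-12641, both inside the ranges this post added); against the extended list nothing is left uncovered. Drops of ports that are already in the rule set (here UDP 10500 and TCP 5223) are reported by `dropped_ports` but not by `uncovered`, which is what you want when reviewing a log captured before the rules were applied.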
Obi Configuration Itself:
I had a pesky issue where my Obi in testing would work for a day or so, and then I would pick up the phone and it would tell me that it wasn't connected to Google Voice. I tested many different options with passwords, 2-factor authentication and other settings.
The error message: “Backing off authentication error”
The resolution turned out to be DNS related: the Obi does not appear to like using the DHCP-assigned DNS address of the Sophos box for its connections to Obitalk and elsewhere. Take a look at the official forum post from Obi here, which describes this behavior with OpenDNS. To manually set your Obi device to a public DNS server, log in directly to the Obi device (not the Obitalk portal) and set the WAN DNS server to the public server 4.2.2.2, as shown below. Note that the forum post referenced on this issue has an outdated directive to update the network settings; either the portal has been updated or this was incorrect to begin with, as on my Obi 200 the setting is found under WAN settings.
I was a bit skeptical of this workaround when I saw it on one of the forums; however, since the setting was implemented, the system has stayed connected for several days and shows no sign of disconnecting as it did before. If you find any other settings that would be helpful to mention beyond the ones listed here, please leave a comment below and I will update the post to reflect them.