Sophos UTM Architect (UTMA)

This course provides an in-depth study of UTM, designed for technical professionals who will be planning, installing, configuring and supporting deployments in production environments. The course will be delivered in a classroom setting, and consists of presentations and practical lab exercises to reinforce the taught content. Printed copies of the supporting documents for the course will be provided to each trainee. Due to the nature of delivery, and the varying experiences of the trainees, open discussion is encouraged during the training.



On completion of this course, trainees will be able to:

  • Understand the product architecture
  • Complete a complex evaluation or deployment.
  • Design and implement a solution to fit a customer’s requirements.
  • Complete a PoC

Target audience

This course is designed for technical professionals who will be planning, installing, configuring and supporting deployments in production environments. And for individuals wishing to obtain the UTM Certified Architect certification.


Prior to attending this course, trainees should:

  • Complete the Sophos Certified Engineer UTM course and should have passed the Certified Engineer exam
  • Have a strong working knowledge of network configuration and troubleshooting before attending this course. Similar to the level of knowledge required to pass the CCNA or CompTIA Network plus certification programs.
  • Have a good understanding of IT security. CompTIA Security plus and CISSP are good evidence of such knowledge.


To achieve the Sophos Certified Architect certification in UTM trainees must take and pass an online assessment. The assessment tests their knowledge of both the taught and practical content. The pass mark for the assessment is 80%, and it may be taken a maximum of three times.


4 days

Course Modules

Module 1: Engineer Review

  • Recall important information from the Engineer course
  • Lab
    • Configure a UTM without using the Setup Wizard
    • Deploy the HTTPS CA Certificate

Module 2: Deployment

  • Describe the deployment modes supported by the Sophos UTM
  • Understand the types of interfaces that can be created
  • Configure various routing options
  • Lab
    • Configure Uplink Balancing
    • Configure Multipath Rules
    • Configure Quality of Service (QoS)
    • Create a policy-based route for an MPLS scenario

Module 3: Network Protection

  • Understand the packet progression through the UTM
  • Examine firewall rules and NAT
  • Optimize IPS policies
  • Lab
    • Configure NATing and Routing for the simulated Intranet network
    • Configure NATing and Routing for the simulated Warehouse network
    • Advanced Intrusion Prevention (IPS) Configuration

Module 4: Web Server Protection

  • Describe the features in Webserver Protection
  • Configure the web application firewall
  • Implement reverse authentication
  • Configure SlowHTTP protection
  • Lab
    • Web Application Firewall
    • Load balancing with Web Server Protection
    • Web Server Authentication and path-specific routing

Module 5: Site-to-Site Connections

  • Configure IPsec VPNs using RSA and certificate authentication
  • Create a VPN to an Amazon VPC using the VPC connector
  • Configure advanced RED functions include: Balancing and failover, VLANS, UTM to UTM RED
  • Lab
    • Create an IP-SEC Site-to-Site VPN with Cross Signed Certificates
    • Create a RED Tunnel between Two UTMs
    • Configure Routing For a UTM-to-UTM RED Tunnel

Module 6: Authentication

  • Configure the Sophos Authentication Agent
  • Deploy STAS in a complex environment
  • Troubleshoot authentication
  • Lab
    • Configure an Active Directory Authentication Server
    • Sophos Authentication Agent
    • Configure Single Sign-On Using STAS
    • Configure STAS on Multiple Domain Controllers
    • SSO with STAS for Web Filtering

Module 7: Web Protection

  • Explain the different HTTPS scanning modes
  • Configure advanced Web Protection features including:
  • Proxy automatic configuration
  • Parent proxies
  • Proxy target services
  • Explain the difference between transparent and full transparent mode
  • Configure the FTP proxy

Module 8: Email Protection

  • Configure advanced Email Protection features, including:
  • DKIM
  • Modifying email headers
  • TLS settings
  • Enable POP3 scanning
  • Configure email encryption using Open PGP and S/MIME
  • Lab
    • Advanced email configuration
    • Encryption Using OpenPGP/ S/MIME

Module 9: Wireless Protection

  • Review wireless deployment
  • Configure mesh networks
  • Configure radius authentication for enterprise authentication
  • Understand what may effect wireless performance
  • Lab
    • Wireless Network Configuration
    • Hotspot Configuration

Module 10: Remote access

  • Use advanced remote access VPN configuration
  • Create L2TP over IPsec VPNs
  • Create IPsec VPNs
  • Lab
    • IPsec Remote Access

Module 11: High Availability

  • Configure two UTMs as a high-availability pair
  • Explain how workload is managed in a cluster
  • Create a cluster with two or more UTMs
  • Review log files on a slave node of a cluster
  • Lab
    • Active-Active Cluster
    • Active-Passive High Availability

Module 12: Sizing, Troubleshooting and API

  • Size a hardware, software or virtual Sophos UTM appropriately
  • Identify factors that can affect sizing
  • Perform basic troubleshooting using tcpdump
  • Enable debug logging
  • Understand how to use the API
  • Lab
    • Debug logging
    • Troubleshooting an Issue From an Imported Configuraton File