
Unable to access email appliance web interface over wifi/vpn

Hello,

I have an ES1100 that is connected to our Palo Alto firewall. Not sure if this is even the correct place to post this, but I am unable to access the email appliance web interface via WiFi, whether I'm on the corporate WiFi or on the corporate VPN. Everything works fine when accessing via Ethernet. I've looked over the policy NAT and security rules on the Palo Alto FW and everything seems fine. My guess is it has to do with U-turn NAT but I don't want to go down that road just yet. Again, this is probably not the right place to post this, but I'm looking to see if anyone else has had this experience and can guide me on where to go next.

 

Best,

EA



  • Hi Ed,

     

    The only requirement is that you allow the self-signed certificate (unless you have put a CA certificate on the appliance) and that you have access to port 18080.

     

    The address should be https://192.168.5.1:18080

    assuming that's the appliance's IP.

     

    If you have verified the page is not being blocked for certificate reasons and used the appropriate address, then you most likely need to address your firewall/infrastructure.

  • Thanks RW,

     

    Let me clarify: I'm trying to access the End User Web Quarantine page that uses port 10443 over WiFi/VPN. Does what you state above still apply? Is there some sort of configuration I need to complete?

     

    Best,

    Ed

  • Hi Ed,

     

    #1

    Under configuration / accounts / user preferences

    there is a checkbox on the left to enable the portal.

    Then at the bottom is the "configure" button; ensure the portal is 10443.

    #2 

    Verify the exact URL:

    configuration / policy / encryption / spx portal tab

    Under the portal button it will display the exact URL that the appliance will use and what port is for what (443 vs 10443).

     

    #3

    Ensure you can resolve the hostname / IP address.

     

    The most common issue is sharing 443 with OWA or another application, or port 10443 is blocked / dropping traffic, etc. You could also verify that you are able to connect to any of the above addresses on the same network / subnet of the appliance. This would verify any routing issues.

     

     

  • So I've figured it out.

     

    For anyone who is using a Palo Alto firewall and is running into this issue and has verified it is not on the appliance side and is a networking issue, this is what I did to resolve the issue. Please take into consideration your environment will be different, but the solution is threefold.

     

    1) Under Policies>security, make a rule which allows your wifi network to your sophos public address (

    2) Under Policies>NAT, make a U-turn NAT (Destination address should be the Sophos public address and the destination translation should be the Sophos private address; make sure to add port 10443 under the translated port area).

     

    3) Under Policies>Policy based forwarding, you may or may not have a WiFi PBF rule. Under that rule, negate your Sophos private and public addresses under the "Destination/application/services" tab.

     

    These three rules allowed me to access the quarantine email on my corporate WiFi and VPN. Your setup will be different but hopefully this helps.

     

    Best,

    EA
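
The checks named in this thread (name resolution, reachability of port 10443 or 18080, TLS against a possibly self-signed certificate) can be run in turn from the wired, WiFi and VPN networks to see which layer fails on each. The script below is an added example, not part of the original posts and not Sophos or Palo Alto tooling; the function name `probe`, the `HINTS` table and the placeholder hostname are assumptions.

```python
import socket
import ssl
import sys

# Hypothetical mapping from failing layer to the check named in the thread.
HINTS = {
    "dns": "name does not resolve from this network (reply item #3)",
    "tcp-timeout": "no answer: traffic dropped on the path (security/NAT/PBF rules)",
    "tcp-refused": "actively rejected: wrong port or nothing listening there",
    "tcp-error": "no route or other socket error: check routing",
    "tls": "port open but the TLS handshake failed",
    "ok": "reachable: what remains is certificate trust or the exact URL",
}

def probe(host, port, timeout=3.0):
    """Return (stage, detail) for the first layer that fails, or ("ok", ...)."""
    try:  # 1. name resolution
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))
    addr = infos[0][4][0]
    try:  # 2. plain TCP connect to the resolved address
        sock = socket.create_connection((addr, port), timeout=timeout)
    except socket.timeout:
        return ("tcp-timeout", addr)
    except ConnectionRefusedError:
        return ("tcp-refused", addr)
    except OSError as exc:
        return ("tcp-error", f"{addr}: {exc}")
    # 3. TLS handshake. Verification is off only because this is a
    # reachability test and the appliance may present a self-signed cert.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", f"{addr} {tls.version()}")
    except (ssl.SSLError, OSError) as exc:
        return ("tls", f"{addr}: {exc}")
    finally:
        sock.close()

if __name__ == "__main__":
    # Usage: python probe.py quarantine.example.com 10443  (placeholder host)
    host, port = sys.argv[1], int(sys.argv[2])
    stage, detail = probe(host, port)
    print(f"{host}:{port} -> {stage} ({detail}): {HINTS[stage]}")
```

A result of `ok` from Ethernet but `tcp-timeout` from WiFi or VPN for the same name and port points at the network path rather than the appliance.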