Connecting fails from internal network behind UTM 9 to foreign UTM 9 via VPN

Hello

I have the following problem: if I try to connect from our internal network behind a UTM 9 to a foreign UTM 9 (or other firewall) via VPN, the connection fails with the following error:

Wed Apr 24 14:34:48 2019 TCP: connect to [AF_INET]212.xx.xxx.xxx.xxx:4443 failed, will try again in 5 seconds: The system tried to assign a drive with SUBST to a directory located on a drive mapped with JOIN.

Here is a small diagram of what I'm trying to achieve:

[diagram image not included]

Does anyone know what settings I need to adjust?

Kind regards

Didier

  • Hi Didier

    The VPN connection might fail because your firewall does not allow a connection on port 4443.

    Do you have a firewall rule that allows this kind of traffic?

    Best Regards
    DKKDG

  • In reply to DKKDG:

    Hi DKKDG

    Do you mean this setting?

    [screenshot not included]

    Or is there another port to open?

    Kind regards,

    Didier

  • In reply to DidierCH:

    Hi Didier,

    This is just the configuration where you set the port on your UTM that clients use when they connect via VPN.

    You have to go to Network Protection -> Firewall and add a rule allowing TCP 4443 to the external IP of the foreign UTM.

    Best Regards
    DKKDG
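As an added example (not code from this thread, from Sophos or from OpenVPN), the following Python script does the check a practitioner would run from a client behind the UTM before and after adding that firewall rule: it pulls the destination host and port out of the OpenVPN "connect to ... failed" log line and then probes that TCP port, distinguishing a silent drop (timeout, the usual signature of a firewall rule that is missing or does not match) from an RST (path open, nothing listening on that port) and a successful handshake. The sample log line and the 203.0.113.10 address are constructed for the example; the line posted above has the real address masked and carries a localized Windows error text, which the parser ignores.

```python
import re
import socket
import sys

# Constructed sample, modelled on the OpenVPN client line quoted in the question.
# The question masks the real address; 203.0.113.10 is a documentation address.
SAMPLE_LOG_LINE = (
    "Wed Apr 24 14:34:48 2019 TCP: connect to [AF_INET]203.0.113.10:4443 "
    "failed, will try again in 5 seconds: Connection timed out"
)

# Matches "connect to [AF_INET]<host>:<port> failed" regardless of the
# (possibly localized) OS error text that OpenVPN appends after the colon.
_CONNECT_FAILED = re.compile(
    r"connect to \[AF_INET6?\](?P<host>\S+):(?P<port>\d+) failed"
)


def parse_connect_failure(line):
    """Return (host, port) from an OpenVPN 'connect to ... failed' line, else None."""
    m = _CONNECT_FAILED.search(line)
    if m is None:
        return None
    return m.group("host"), int(m.group("port"))


def probe_tcp(host, port, timeout=5.0):
    """Try one TCP handshake to host:port and classify the outcome.

    'open'    : SYN/ACK came back, so the path and the remote listener are fine
    'refused' : RST came back, so the path is open but nothing listens there
    'timeout' : no answer at all; a firewall silently dropping the SYN looks
                exactly like this, e.g. an outbound allow rule missing on the UTM
    'error'   : anything else (name resolution failure, no route, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"


def diagnose(line, timeout=5.0):
    """Parse the log line and probe the endpoint it names.

    Returns (host, port, verdict), or None if the line is not a connect failure.
    """
    parsed = parse_connect_failure(line)
    if parsed is None:
        return None
    host, port = parsed
    return host, port, probe_tcp(host, port, timeout)


def open_local_listener():
    """Bind a throwaway listener on 127.0.0.1 (used by the demo and self-test).

    Returns (listening_socket, port); the caller closes the socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Feed a real log line as the first argument, or fall back to the sample.
    line = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_LOG_LINE
    result = diagnose(line)
    if result is None:
        print("not an OpenVPN connect-failure line")
    else:
        host, port, verdict = result
        print(f"TCP {host}:{port} -> {verdict}")
```

Run it on a client in the internal network, pasting the failing line from the OpenVPN log as the argument. A "timeout" before the rule and "open" after it confirms that the UTM was dropping the SYN; a "refused" after the rule means the packets now get through but the remote side is not listening on that port.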

  • In reply to DKKDG:

    Hi DKKDG

    Thank you. I thought about that. I have another related question: would it be dangerous to open the TCP connection on 4443 to any IP? Or is it better to specify only the specific one?

    Kind regards,

    Didier

  • In reply to DidierCH:

    Hi Didier,

    I am not a fan of Any objects.

    Just use them as a last resort when you do not know the source, service or destination.

    If you know source, service and destination, just build the necessary firewall rule.

    With Any objects you make a hole bigger than necessary in your wall ;)

    Best Regards

    DKKDG

  • In reply to DKKDG:

    Thank you DKKDG!

    Kind regards,

    Didier

  • In reply to DidierCH:

    Hallo Didier,

    Port 4443 is reserved in UTM for access by a SUM (Sophos UTM Manager). You will want to choose a different port for that remote UTM.

    I believe that wireless providers block UDP and other ports that might be used for VPNs.  One reason to stay with the TCP 443 default for the SSL VPN is that your cellular data provider might block UDP.  My AT&T iPhone XS was unable to establish a working SSL VPN tunnel when using UDP 443 or UDP 1443.  Everything worked perfectly with TCP 443.

    Cheers - Bob

  • In reply to BAlfson:

    Thank you Bob

    Unfortunately I'm not free to choose the port for that remote UTM, because it doesn't belong to our organisation. I did as DKKDG suggested and opened this port only for the specific IP address.

    Cheers

    Didier