SSL VPN and SFTP traffic redirection

Hello all,


I'm running into an issue where SSL VPN users who use FileZilla to SFTP transfer files are not able to do so while out of the office. Our partner's SFTP setup only allows access to their servers from our internal site, which has a site-to-site VPN tunnel established.

For example:

Working

Internal User (LAN) ==> FileZilla SFTP ==> Partner Server

 

Not Working

User working from home ==> SSL VPN to Sophos SG ==> Same FileZilla SFTP client ==> Partner Server rejects the connection as not an auth'd IP

 

I know it is because FileZilla (or any other traffic except internal access requests while VPN'd) will show as coming from (and go out via) the user's IP and be blocked.

 

How do I force FileZilla (or any other traffic we deem necessary) to go through our internal network? As there are many users, is there anything server-side that can be done? Do I have to set up a proxy? Would Web Filtering for VPN users work (or even be possible)?

 

-Dave 

  • Hi  

    Have you added the Partner Server network in Local Networks? I suggest you add it there and then also create a Masquerading rule for the SSL VPN network going to the Internet using the Specific ISP you want. Also, make sure that you don't add the SSL VPN Network in Web Filtering. This way, once a client connects to SSL VPN, it will create a route for the Server network going through UTM.

    Hope this helps.

  • Hi Dave and welcome to the UTM Community!

    Jaydeep's answer is correct unless internal users reach the server through a site-to-site tunnel - that's just not clear in your explanation.

    If access is through an IPsec tunnel, several things must be done:

    1. The remote access SSL VPN Profile must include the IP of the Partner Server in 'Local Networks'.
    2. The IPsec Connection must not have 'Strict routing' selected.
    3. Instead of masquerading, make a NAT rule with automatic firewall rules like:

    SNAT : VPN Pool (SSL) -> SFTP -> Partner Server : from Internal (Address)

    Cheers - Bob
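The following is an added example, not code from the thread or from Sophos: a small Python model of the routing and NAT decisions the two answers describe, so you can see why the partner sees the home IP in Dave's setup, why pushing the route alone is not enough when the partner sits behind a site-to-site tunnel, and what Bob's SNAT rule changes. All addresses are constructed (RFC 1918 and RFC 5737 ranges) and stand in for the UTM object names quoted in the thread ("VPN Pool (SSL)", "Internal (Address)", "Partner Server"). The strict-routing check is applied to the pre-NAT source address; that ordering is a model assumption, written into the code comment, not a documented UTM behaviour.

```python
"""
Added example: a model of where an SFTP connection from an SSL VPN client
ends up, and which source address the partner server sees, for the
configurations discussed in the thread.  This is a simulation of the
routing and NAT decisions, not Sophos UTM code.  Every address below is
constructed (RFC 1918 / RFC 5737 ranges).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

SFTP_PORT = 22

# Constructed topology, standing in for the thread's object names.
HOME_PUBLIC_IP = ip_address("198.51.100.77")   # home user's ISP address
UTM_PUBLIC_IP = ip_address("192.0.2.1")        # UTM WAN address
VPN_POOL = ip_network("10.242.2.0/24")         # "VPN Pool (SSL)"
INTERNAL = ip_network("10.10.0.0/16")          # "Internal (Network)"
INTERNAL_ADDRESS = ip_address("10.10.0.1")     # "Internal (Address)"
PARTNER_NET = ip_network("172.16.50.0/24")     # remote network of the IPsec tunnel
PARTNER_SERVER = ip_address("172.16.50.10")    # "Partner Server"
PARTNER_ALLOWLIST = (INTERNAL,)                # partner only accepts our internal site


@dataclass(frozen=True)
class SnatRule:
    """Packets from src to dst:dport leave with source new_src."""
    src: IPv4Network
    dst: IPv4Network
    dport: int
    new_src: IPv4Address


@dataclass(frozen=True)
class IpsecTunnel:
    local_networks: tuple
    remote_networks: tuple
    strict_routing: bool


# Bob's rule: SNAT : VPN Pool (SSL) -> SFTP -> Partner Server : from Internal (Address)
BOB_SNAT = SnatRule(VPN_POOL, ip_network("172.16.50.10/32"), SFTP_PORT, INTERNAL_ADDRESS)
TUNNEL_STRICT = IpsecTunnel((INTERNAL,), (PARTNER_NET,), strict_routing=True)
TUNNEL_RELAXED = IpsecTunnel((INTERNAL,), (PARTNER_NET,), strict_routing=False)


def client_next_hop(dst, pushed_local_networks):
    """Split-tunnel decision on the SSL VPN client.  Networks listed under
    'Local Networks' in the remote access profile are pushed as routes via
    the tunnel interface; anything else follows the default route out the
    home ISP, which is why the partner sees the home address."""
    return "tun0" if any(dst in n for n in pushed_local_networks) else "home_isp"


def apply_snat(src, dst, dport, rules):
    """First matching SNAT rule wins; no match leaves the source unchanged."""
    for r in rules:
        if src in r.src and dst in r.dst and dport == r.dport:
            return r.new_src
    return src


def tunnel_carries(tunnel, src_before_nat, dst):
    """IPsec policy selector.  The destination must be a remote network of
    the tunnel.  With 'Strict routing' the source must also be one of the
    tunnel's local networks; the model checks the pre-NAT source on the
    assumption that the policy lookup happens at routing time, before SNAT
    is applied (model assumption, not documented UTM behaviour)."""
    if not any(dst in n for n in tunnel.remote_networks):
        return False
    if tunnel.strict_routing and not any(src_before_nat in n for n in tunnel.local_networks):
        return False
    return True


def trace_sftp(client_vpn_ip, pushed_local_networks, snat_rules, tunnel,
               dst=PARTNER_SERVER, dport=SFTP_PORT):
    """Return (path, source seen by partner, accepted by partner allowlist)."""
    client_vpn_ip = ip_address(client_vpn_ip)
    if client_next_hop(dst, pushed_local_networks) == "home_isp":
        seen = HOME_PUBLIC_IP
        path = ["client", "home_isp", "partner"]
    elif tunnel_carries(tunnel, client_vpn_ip, dst):
        seen = apply_snat(client_vpn_ip, dst, dport, snat_rules)
        path = ["client", "tun0", "utm", "ipsec", "partner"]
    else:
        # Not selected by the tunnel: the UTM forwards it out its WAN link,
        # masqueraded to its own public address, which the partner does not trust.
        seen = UTM_PUBLIC_IP
        path = ["client", "tun0", "utm", "utm_wan", "partner"]
    return path, seen, any(seen in n for n in PARTNER_ALLOWLIST)


if __name__ == "__main__":
    client = "10.242.2.5"   # constructed address from the SSL VPN pool
    cases = {
        "no route pushed (original problem)": ((), (), TUNNEL_RELAXED),
        "route pushed, no SNAT": ((PARTNER_NET,), (), TUNNEL_RELAXED),
        "route pushed, SNAT, strict routing on": ((PARTNER_NET,), (BOB_SNAT,), TUNNEL_STRICT),
        "route pushed, SNAT, strict routing off": ((PARTNER_NET,), (BOB_SNAT,), TUNNEL_RELAXED),
    }
    for name, (pushed, rules, tunnel) in cases.items():
        path, seen, ok = trace_sftp(client, pushed, rules, tunnel)
        verdict = "ACCEPTED" if ok else "REJECTED"
        print(f"{name:40s} {' -> '.join(path):44s} seen as {seen} {verdict}")
```

Run as a script, the four cases walk through the thread in order: with nothing in 'Local Networks' the SFTP session never enters the SSL VPN and the partner sees the home ISP address; with the route pushed but no NAT the packet reaches the partner through the tunnel with the VPN pool address, which the partner has not allowlisted; with Bob's SNAT but strict routing still enabled the model sends the packet out the UTM's WAN instead of the tunnel; only with the route, the SNAT to Internal (Address) and strict routing off does the partner see an address from the internal site. The SNAT only helps because Internal (Address) is both inside the tunnel's local networks and inside the partner's allowlist, so check both before choosing the NAT source.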