This discussion has been locked.

SSL VPN and SFTP traffic redirection

Hello all,


I'm running into an issue where SSL VPN users who use FileZilla to SFTP transfer files are not able to do so while out of the office. Our partner's SFTP setup only allows access to their servers from our internal site, which has a site-to-site VPN tunnel established.

For example:

Working

Internal User (LAN) ==> FileZilla SFTP ==> Partner Server

 

Not Working

User working from home ==> SSL VPN to Sophos SG ==> Same FileZilla SFTP client ==> Partner Server rejects the connection as not an auth'd IP

 

I know it is because FileZilla (or any other traffic, except internal access requests, while VPN'd) will show as coming from (and going out via) the user's IP and be blocked.

 

How do I force FileZilla (or any other traffic we deem necessary) to go through our internal network? As there are many users, is there anything server-side that can be done? Do I have to set up a proxy? Would Web Filtering for VPN users work (or even be possible)?

 

-Dave 



  • Hi Dave and welcome to the UTM Community!

    Jaydeep's answer is correct unless internal users reach the server through a site-to-site tunnel - that's just not clear in your explanation.

    If access is through an IPsec tunnel, several things must be done:

    1. The remote access SSL VPN Profile must include the IP of the Partner Server in 'Local Networks'.
    2. The IPsec Connection must not have 'Strict routing' selected.
    3. Instead of masquerading, make a NAT rule with automatic firewall rules like:

    SNAT : VPN Pool (SSL) -> SFTP -> Partner Server : from Internal (Address)

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
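A small model of Bob's three steps, added here as an illustration (not Sophos UTM code, and not from the thread): it shows why a packet sourced from the SSL VPN pool misses the site-to-site IPsec selector and falls out the WAN, and how the SNAT to the internal address makes the partner see an allowed source. All addresses are constructed examples; step 2 (no strict routing) is assumed satisfied.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed example addresses (none of these come from the thread).
INTERNAL_LAN = ip_network("10.0.0.0/24")       # office LAN behind the UTM
SSL_VPN_POOL = ip_network("10.242.2.0/24")     # remote access "VPN Pool (SSL)"
PARTNER_SERVER = ip_address("203.0.113.10")    # partner SFTP host
PARTNER_HOST_NET = ip_network("203.0.113.10/32")
INTERNAL_ADDRESS = ip_address("10.0.0.1")      # UTM "Internal (Address)"
WAN_ADDRESS = ip_address("198.51.100.5")       # UTM external address (masquerade)
HOME_ADDRESS = ip_address("192.0.2.77")        # remote user's own egress IP
VPN_USER = ip_address("10.242.2.7")
LAN_USER = ip_address("10.0.0.25")

IPSEC_LOCAL_NETWORKS = [INTERNAL_LAN]   # what the site-to-site tunnel selects on
PARTNER_ALLOWLIST = [INTERNAL_LAN]      # sources the partner's SFTP server accepts


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def snat_rule(pkt: Packet) -> Packet:
    """Step 3: SNAT  VPN Pool (SSL) -> SFTP -> Partner Server : from Internal (Address)."""
    if pkt.src in SSL_VPN_POOL and pkt.dst == PARTNER_SERVER and pkt.dport == 22:
        return Packet(INTERNAL_ADDRESS, pkt.dst, pkt.dport)
    return pkt


def egress(pkt: Packet, ssl_vpn_local_networks: list, snat_enabled: bool):
    """Return (path, source the partner sees) for one SFTP SYN from a client."""
    # Step 1: the SSL VPN client only tunnels destinations listed in 'Local Networks'.
    if pkt.src in SSL_VPN_POOL and not any(pkt.dst in n for n in ssl_vpn_local_networks):
        return "home-direct", HOME_ADDRESS        # never reaches the UTM at all
    if snat_enabled:
        pkt = snat_rule(pkt)
    if any(pkt.src in n for n in IPSEC_LOCAL_NETWORKS):
        return "ipsec-tunnel", pkt.src            # matches the site-to-site selector
    return "wan-masquerade", WAN_ADDRESS          # default route, masqueraded on WAN


def partner_accepts(src: IPv4Address) -> bool:
    """The partner's allowlist check: only internal-LAN sources get through."""
    return any(src in n for n in PARTNER_ALLOWLIST)
```

Running `egress` for a pool address with only step 1 applied still yields the masqueraded WAN address, which `partner_accepts` rejects; with the SNAT enabled the same packet enters the tunnel as the internal address, which it accepts.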